
AS9206

Version 2.3.R1

User Manual
492006-2414-023-A00
AS9206 User Manual
V2.3.R1
Catalog No: X38694
1st Edition, February 2012

© Copyright by ECI Telecom, 2012. All rights reserved worldwide.


This is a legal agreement between you, the end user, and ECI Telecom Ltd. (“ECI Telecom”). BY OPENING THE
DOCUMENTATION AND/OR DISK PACKAGE, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS
AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, PROMPTLY RETURN THE
UNOPENED DOCUMENTATION AND/OR DISK PACKAGE AND THE ACCOMPANYING ITEMS (INCLUDING
WRITTEN MATERIALS AND BINDERS OR OTHER CONTAINERS), TO THE PLACE FROM WHICH YOU
OBTAINED THEM.
The information contained in the documentation and/or disk is proprietary and is subject to all relevant copyright,
patent, and other laws protecting intellectual property, as well as any specific agreement protecting ECI Telecom's
rights in the aforesaid information. Neither this document nor the information contained in the documentation and/or
disk may be published, reproduced, or disclosed to third parties, in whole or in part, without the express prior
written permission of ECI Telecom. In addition, any use of this document, the documentation and/or the disk, or the
information contained therein for any purposes other than those for which it was disclosed, is strictly forbidden.
ECI Telecom reserves the right, without prior notice or liability, to make changes in equipment design or
specifications. Information supplied by ECI Telecom is believed to be accurate and reliable. However, no
responsibility whatsoever is assumed by ECI Telecom for the use thereof, nor for the rights of third parties, which
may be affected in any way by the use and/or dissemination thereof.
Any representation(s) in the documentation and/or disk concerning performance of ECI Telecom product(s) are for
informational purposes only and are not warranties of product performance or otherwise, either express or implied.
ECI Telecom's standard limited warranty, stated in its sales contract or order confirmation form, is the only warranty
offered by ECI Telecom.
The documentation and/or disk is provided “AS IS” and may contain flaws, omissions, or typesetting errors. No
warranty is granted nor liability assumed in relation thereto, unless specifically undertaken in ECI Telecom's sales
contract or order confirmation. Information contained in the documentation and in the disk is periodically updated,
and changes will be incorporated in subsequent editions. If you have encountered an error, please notify ECI
Telecom. All specifications are subject to change without prior notice.
The documentation and/or disk and all information contained therein is owned by ECI Telecom and is protected by
all relevant copyright, patent, and other applicable laws and international treaty provisions. Therefore, you must
treat the information contained in the documentation and disk as any other copyrighted material (for example, a
book or musical recording).
Other Restrictions. You may not rent, lease, sell, or otherwise dispose of the documentation and disk, as
applicable. YOU MAY NOT USE, COPY, MODIFY, OR TRANSFER THE DOCUMENTATION AND/OR DISK OR
ANY COPY IN WHOLE OR PART, EXCEPT AS EXPRESSLY PROVIDED IN THIS LICENSE. ALL RIGHTS NOT
EXPRESSLY GRANTED ARE RESERVED BY ECI TELECOM.
All trademarks mentioned herein are the property of their respective holders.
ECI Telecom shall not be liable to you or to any other party for any loss or damage whatsoever or howsoever
caused, arising directly or indirectly in connection with this documentation and/or disk, the information contained
therein, its use, or otherwise. Notwithstanding the generality of the aforementioned, you expressly waive any claim
and/or demand regarding liability for indirect, special, incidental, or consequential loss or damage which may arise
in respect of the documentation and/or disk and/or the information contained therein, howsoever caused, even if
advised of the possibility of such damages.
The end user hereby undertakes and acknowledges that they read the "Before You Start/Safety Guidelines"
instructions and that such instructions were understood by them.
It is hereby clarified that ECI Telecom shall not be liable to you or to any other party for any loss or damage
whatsoever or howsoever caused, arising directly or indirectly in connection with your fulfilling and/or failing to fulfill,
in whole or in part, the "Before You Start/Safety Guidelines" instructions.
Contents
About This Manual
  Overview
  Key Features
  Using This Document
  Organization
  Document Conventions
  Obtaining Technical Documentation
  Technical Assistance

Administrating the Device
  Features Included in this Chapter
  MAC-Address Table (FDB)
  Files System
  System Time and Date
  Domain Name System (DNS) Client
  VTY (Virtual Terminal)
  License Configuration
  Supported Standards, MIBs, and RFCs

Device Authentication
  Features Included in This Chapter
  Managing User Privilege-Levels
  Remote Authentication Dial in User Service (RADIUS)
  Terminal Access Controller Access-Control System Plus (TACACS+)
  Supported Standards, MIBs, and RFCs

Physical Ports and Logical Interfaces
  Features Included in this Chapter
  Device Interface Types
  Fast and Giga Ethernet Ports
  Link Aggregation Groups (LAGs)
  Link Aggregation Control Protocol (LACP)
  Resilient Links
  Configuration Example
  MAC Learning Security Policies
  Supported Standards, MIBs, and RFCs

492006-2414-023-A00 ECI Telecom Ltd. Proprietary i



Virtual LANs (VLANs)
  Features Included in This Chapter
  Virtual LAN (VLAN)—IEEE 802.1Q
  Super VLANs
  Supported Standards, MIBs, and RFCs

Transparent LAN Services (TLS)
  Transparent LAN Services (TLS)
  TLS Configuration Flow
  TLS Commands
  TLS Configuration Example
  Supported Standards, MIBs, and RFCs

Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s)
  Overview
  MSTP Regions
  The MSTI Parameters
  Interoperability with 802.1D STP
  Fast Ring Modes
  MSTP Commands
  Configuration Examples
  Supported Standards, MIBs, and RFCs

Internet Group Multicast Protocol (IGMP) Snooping
  Overview
  IGMP Snooping Commands
  Configuration Example
  Supported Standards, MIBs, and RFCs

Access Control Lists (ACLs)
  Overview
  ACL Types
  ACL Process Options
  Access Control Groups (ACG)
  ACL Processing Rules
  Traffic Rate Limit
  ACLs Configuration Flow
  ACLs Commands
  ACLs Configuration Example
  Supported Standards, MIBs, and RFCs


Quality of Service (QoS)
  Overview
  Overview
  QoS Default Configuration
  QoS Configuration Flow
  Traffic Storm-Control
  QoS Commands
  Configuration Examples
  Supported Standards, MIBs, and RFCs

Operations, Administration, and Maintenance (OAM)
  Features Included in this Chapter
  802.1ag Connectivity Fault Management (CFM)
  802.3ah Ethernet in the First Mile (EFM-OAM)
  Supported Standards, MIBs, and RFCs

Simple Network Management Protocol (SNMP)
  Overview
  SNMP Commands
  SNMP Configuration Example
  Supported Standards, MIBs, and RFCs

SNMP Reference Guide
  Features Included in This Chapter
  Device Administration via SNMP
  Configuration Management via SNMP
  Configuring Interfaces via SNMP
  Configuring Link Aggregation Groups (LAGs) via SNMP
  Configuring Resilient Links via SNMP
  Configuring Virtual LANs (VLANs) via SNMP
  Configuring Layer 2 Protocol Tunneling (L2PT) via SNMP
  Configuring 802.1ag Connectivity Fault Management (CFM) via SNMP
  Retrieving Manufacturing Details via SNMP
  Troubleshooting and Monitoring via SNMP
  Supported Standards, MIBs, and RFCs

Remote Monitoring (RMON)
  Overview
  RMON Commands
  Supported Standards, MIBs, and RFCs


System Logs
  Overview
  System Logs Message Format
  Settings and Values
  System Log Commands
  Configuration Example
  Supported Standards, MIBs, and RFCs

Troubleshooting
  Features Included in this Chapter
  Periodic Monitoring
  Diagnosing Connectivity Problems
  Port Mirroring (Port Monitoring)
  Technical Support Information
  Supported Standards, MIBs, and RFCs

Specifications

Acronyms Glossary



List of Figures
Figure 2-1: User Privilege Levels Configuration Flow
Figure 2-2: A RADIUS Communication Example
Figure 2-3: RADIUS Configuration Flow
Figure 2-4: TACACS+ Configuration Flow
Figure 3-1: Four Ports Combined into a Link Aggregation Group
Figure 3-2: Example of Two LAGs Configured on the Same Device
Figure 4-1: IEEE 802.1Q Frame Tag Structure
Figure 4-2: VLANs in Ingress Traffic
Figure 4-3: VLANs in Egress Traffic
Figure 4-4: VLAN Configuration Flow
Figure 4-5: Switching Decisions without the Super VLAN Agent
Figure 4-6: Switching Decisions with the Super VLAN Agent
Figure 4-7: Super VLAN Ring Mode Configuration Example
Figure 5-1: 802.1Q Tunneling Configuration
Figure 5-2: TLS Configuration Flow
Figure 5-3: TLS Interface Example
Figure 6-1: MSTP within a Region
Figure 6-2: MSTP in Ring Topology in a Link-Down Event
Figure 6-3: MSTP in Ring Topology with a Device in Link-Down Event
Figure 6-4: Schematic MSTI Configuration
Figure 6-5: Link Failure between Two Devices
Figure 6-6: Fast Ring Topology
Figure 7-1: Initial IGMP Join Message
Figure 7-2: IGMP Configuration Flow
Figure 8-1: ACLs Configuration Flow
Figure 9-1: Basic QoS Architecture
Figure 9-2: 802.1p Priority Header Fields
Figure 9-3: Type of Service (ToS) Header Fields
Figure 9-4: IPv4 Header Structure
Figure 9-5: ToS Octet Fields
Figure 9-6: Strict Priority Queuing
Figure 9-7: Weighted Round-Robin Queuing
Table 9-4: Modified Deficit Round-Robin Queuing Algorithms
Table 9-5: Hybrid Scheduling Algorithms
Figure 9-8: QoS Configuration Flow


Figure 10-1: OAM Ethernet Tools
Figure 10-2: MEP1 and MEP3 Send a Multicast CC Frame
Figure 10-3: MEP4 and MEP2 Send a Multicast CC Frame
Figure 10-4: Loopback Operation
Figure 10-5: Link Trace Operation
Figure 10-6: CFM-OAM Configuration Flow
Figure 10-7: End-to-End OAM Configuration
Figure 10-8: Managing Provider Devices using the EFM 802.3ah Standard
Figure 10-9: Managing Customer Devices (passive) using the EFM 802.3ah Standard
Figure 10-10: EFM-OAM Configuration Flow
Figure 10-11: Example Configuring of Two Devices using EFM-OAM
Figure 11-1: SNMP Agent and Manager Communications
Figure 11-2: Trap Sent to SNMP Manager Successfully
Figure 11-3: Inform Request Sent to SNMP Manager Successfully
Figure 11-4: Trap Unsuccessfully Sent to SNMP Manager
Figure 11-5: Inform Request Successfully Resent to SNMP Manager
Figure 11-6: Obtaining the snmpEngineID
Figure 11-7: Obtaining the snmpEngineBoots and snmpEngineTime
Figure 15-1: Periodic Monitoring Configuration Flow
Figure 15-2: Port Mirroring



List of Tables
Table 1-1: MAC-Address Table Commands
Table 1-2: File System Commands
Table 1-3: System Time and Date Commands
Table 1-4: DNS Client Commands
Table 1-5: VTY Session Commands
Table 1-6: License Commands
Table 2-1: The Default Local Users’ Privilege-Levels
Table 2-2: Default Device Usernames and Passwords
Table 2-3: Users and Privilege-Level Commands
Table 2-4: RADIUS Commands
Table 2-6: A comparison between TACACS+ and RADIUS
Table 2-7: TACACS+ Commands
Table 3-1: Ports Configuration Commands
Table 3-2: IP Interface Configuration Commands
Table 3-3: Commands Used to Display and Clear Port Settings and Statistics
Table 3-4: LAGs Configuration Commands
Table 3-5: Commands Used to Display and Clear LAG Settings and Statistics
Table 3-6: Resilient Links Commands
Table 3-7: Layer-2 Port Security Commands
Table 4-1: VLAN Commands
Table 4-2: 802.1Q Service Commands
Table 4-3: Super-VLAN Commands
Table 5-1: TLS Commands
Table 5-2: Predefined Protocols
Table 5-3: Default Multicast MAC Addresses
Table 6-1: MSTI Parameters
Table 6-2: MSTP Commands
Table 6-3: Default Path Cost Configuration (IEEE802.1s)
Table 7-1: IGMP Snooping Commands
Table 8-1: Monitoring Profile Commands
Table 8-2: IP ACLs Configuration Commands
Table 8-3: IP ACLs Show Commands
Table 8-4: MAC ACLs Configuration Commands


Table 8-5: MAC ACLs Show Commands
Table 8-6: EtherType ACLs Configuration Commands
Table 8-7: EtherType ACLs Show Commands
Table 8-8: Traffic Types
Table 8-9: Monitoring Profiles
Table 8-10: Valid ToS Values
Table 8-11: Valid Precedence Values
Table 8-12: Valid ICMP Message Type Values
Table 8-13: Valid ICMP Code Values
Table 8-14: Valid TCP Port Literal Values
Table 8-15: Valid UDP Port Literal Values
Table 8-16: Valid FC Values
Table 8-17: Known EtherType Values
Table 9-1: ToS Fields
Table 9-2: ToS Precedence Levels
Table 9-3: DSCP Values and Corresponding Drop Precedence, by AF PHB Class Drop Precedence
Table 9-6: QoS Default Configuration
Table 9-7: Congestion Avoidance Tail-Drop Profiles Default Configuration
Table 9-8: Mapping Profile Default Configuration
Table 9-9: Mapping Profile Default Configuration
Table 9-10: Port Policies Profiles Default Configuration
Table 9-11: Descriptions of the QoS Profiles Configuration Commands
Table 9-12: Descriptions of the QoS Policy Configuration Commands
Table 9-13: Descriptions of the QoS Port Configuration Commands
Table 9-14: Descriptions of the Storm-Control Configuration Commands
Table 9-15: Descriptions of the QoS Display Configuration Commands
Table 10-1: Defects and Priorities
Table 10-2: CFM Configuration Commands
Table 10-3: CFM Configuration Display Commands
Table 10-4: EFM Configuration Commands
Table 10-5: EFM Display Commands
Table 10-6: Log messages employed by the EFM-OAM protocol
Table 11-1: SNMP Versions
Table 11-2: Security Levels Available in the SNMPv3 Security Models
Table 11-3: SNMP Configuration Commands
Table 12-1: List of Notification Argument Values


Table 13-1: RMON Commands
Table 13-2: Counters Displayed by the show rmon statistics Command
Table 14-1: System Message Fields
Table 14-2: Severity Levels
Table 14-3: Syslog Message Facilities
Table 14-4: System Log Commands
Table 15-1: Periodic Monitored Operational Indicators
Table 15-2: Periodic Monitoring Commands
Table 15-3: The Monitor Indicators
Table 15-4: Connectivity Diagnostic Commands
Table 15-5: Network Traffic Monitoring Commands
Table 15-6: Technical Support Commands

492006-2414-023-A00 ECI Telecom Ltd. Proprietary ix


List of Tables AS9206 User Manual

x ECI Telecom Ltd. Proprietary 492006-2414-023-A00


About This Manual

Overview
The AS9206 is a wire-speed, cost-effective, 24-port standalone Layer 3
manageable switch. The AS9206 is purpose-built for Carrier Ethernet and
Small-Medium Enterprise (SME) applications.
AS9206 is ideal for triple-play service aggregation and business Ethernet
services. This cost-effective, advanced access device includes extensive
multilayer Ethernet OAM, an array of network resiliency protocols, and
advanced QoS features.
The AS9206 device supports industry-standard OAM tools: IEEE 802.3ah
Ethernet First Mile (EFM-OAM) and IEEE 802.1ag Connectivity Fault
Management (CFM). With these protocols, the service provider can remotely
identify connectivity issues, isolate problems, as well as monitor end-to-end
services to ensure that service level agreements are met.
A wide set of QoS features give the service provider granular control over the
behavior of traffic and services in the network.
To ensure non-stop networking, the AS9206 boasts a wide variety of resiliency
protocols offering link-level mechanisms such as Resilient-link and LAG with
LACP as well as network-wide mechanisms such as MSTP and Fast-Ring.


Key Features
The AS9206 device offers the following features:
• Wirespeed, non-blocking Carrier Ethernet access device
• IEEE, ITU-T and IETF standards compliance for multi-vendor interoperability
• Enhanced Quality-of-service (QoS) and service granularity support
• Highly available carrier class resiliency:
    • Fast Ring for sub 50ms switch over
    • Industry standard MSTP
    • Link aggregation (802.3ad & LACP)
    • Resilient-Link for 1+1 link redundancy
• Comprehensive set of security features for authentication, connectivity and access control
Following are some of the AS9206 hardware characteristics:
• 24 x 10/100 Mbps 100BASE-TX ports
• 4 x combo ports (1000BASE-T / 1000BASE-X)
• Operating temperature range: 0°–50°C
• Both AC and DC models available


Using This Document


This user guide includes information needed to configure AS9206
functionalities.
It provides the complete syntax for the commands available in the currently-
supported software version and describes the features supplied with the device.
For more information regarding device installation, refer to the Installation and
Maintenance chapter.
For the latest software updates, see the Release Notes for the relevant release.
The release notes may contain supplemental or conflicting information. In all
cases, information contained in the release notes supersedes material contained
in this user guide.

Intended Audience
This user guide is intended for network administrators responsible for installing
and configuring network equipment.
To use this guide, you must already be familiar with Ethernet and local area
networking (LAN) concepts and terminology.

Documentation Suite
This document is just one part of the full documentation suite provided with
this product.

Document
    Function

Installation Guide
    Contains information about installing the hardware and software, including site preparation, testing, and safety information.
User Guide
    Contains information on configuring and using the system.
Release Notes
    Contains information about the current release, including new features, resolved issues (bug fixes), known issues, and late-breaking information that supersedes information in other documentation.


Organization
The AS9206 User Guide includes the following chapters, each focusing on a
different feature or set of features. Each chapter begins with a brief overview of
the feature/s, followed by the configuration flow, and concluding with the
configuration details for the corresponding commands.

Chapter Name
    Description

Introduction
    Overview of product and document.
Installation and Maintenance
    Setting up the AS9206 device, login information, the devices' reloading options, upgrading, and the basic CLI commands required to get started.
Administrating the Device
    Using the CLI. Administering AS9206 devices, performing initial device configuration (such as the device’s time and date, software upgrade, and protecting the device from outside attacks), MAC address table, NTP, DNS Resolver, and understanding the files system.
Device Authentication
    Understanding and configuring the privileged access levels to commands used for protecting the device from unauthorized access. The chapter describes RADIUS and TACACS+.
Physical Ports and Logical Interfaces
    Understanding and configuring device interface types. The chapter also offers information on static Link Aggregation Groups (LAGs), establishing resilience across the network segments.
Virtual LANs (VLANs)
    Understanding and configuring VLANs.
Transparent LAN Services (TLS)
    The deployment of Transparent LAN services.
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s)
    The IEEE 802.1S Multiple STP standard and its configuration.
Internet Group Multicast Protocol (IGMP) Snooping
    Understanding and configuring Internet Group Multicast Protocol (IGMP) Snooping.
Access Control Lists (ACLs)
    Understanding and configuring ACLs, traffic rate-limit, and applying QoS using ACLs.
Quality of Service (QoS)
    Understanding and configuring QoS features.
Operations, Administration, and Maintenance (OAM)
    Understanding and configuring various tools used for monitoring and troubleshooting the network:
    • 802.3ah Ethernet in the First Mile (EFM-OAM)
    • 802.1ag Connectivity Fault Management (CFM)
Simple Network Management Protocol (SNMP)
    Understanding and configuring Simple Network Management Protocol (SNMP), community strings, and enabling trap managers and traps.
SNMP Reference Guide
    The detailed list of MIBs and objects for controlling, monitoring, and managing the device and its features from a remote location.
Remote Monitoring (RMON)
    Configuring the Remote Monitoring (RMON) feature.
System Logs
    Logging information such as understanding and configuring system message logging.
Troubleshooting
    Troubleshooting and monitoring tools used to detect and solve system related problems.
Appendix A: Specifications
    An abbreviated version of device’s specifications.
Appendix B: Acronym Glossary
    The list of acronyms used in this user guide and their meaning.

Document Conventions
When applicable, this manual uses the following conventions.

Convention: Bold
    Indicates: Names of windows, dialog boxes, menus, buttons and most other GUI elements
    Example: In the Alarms menu...
Convention: Menu > Option
    Indicates: Selection from a menu, or leading to another command
    Example: Select Update > View Objects
Convention: Courier New Font
    Indicates: Code syntax and code examples, UNIX commands, user-typed information
    Example: >>Starting default primary application, please wait...
Convention: Italics
    Indicates: New terms and emphasized text
    Example: Examples in text
Convention: Borders around text
    Indicates: Notes, cautions, warnings, laser warnings, ESD warnings, tips, and important notes
    Example: See examples below


The table below explains the conventions used within the document text:

Conventions Description
commands CLI and SNMP commands
command example CLI and SNMP examples
<Variable> user-defined variables
[Optional Command Parameters] CLI syntax and coded examples

NOTE: Text set off in this manner presents clarifying
information, specific instructions, commentary, sidelights, or
interesting points of information.

CAUTION: Text set off in this manner indicates that failure
to follow directions could result in damage to equipment or
loss of information.

WARNING: Text set off in this manner indicates that failure
to follow directions could result in bodily harm or loss of life.

DANGER: Text set off in this manner indicates special
instructions to avoid possible injury or death.

LASER WARNING: Text set off in this manner indicates
how to avoid personal injury. All personnel involved in
equipment installation, operation, and maintenance must be
aware that laser radiation is invisible. Therefore, although
protective devices generally prevent direct exposure to the
beam, personnel must strictly observe the applicable safety
precautions and, in particular, must avoid staring into optical
connectors, either directly or using optical instruments.

ESD: Text set off in this manner indicates information on
how to avoid discharge of static electricity and subsequent
damage to the unit.

TIP: Text set off in this manner includes helpful information
and handy hints that can make your task easier.

IMPORTANT: Text set off in this manner presents essential
information you must pay attention to.

Obtaining Technical Documentation
To obtain technical documentation related to ECI Telecom products, please
contact:
ECI Telecom Ltd.
Documentation Department
30 Hasivim St.
Petach Tikva 49130
Israel
Fax: +972-3-9268060
Email: techdoc.feedback@ecitele.com


Technical Assistance
The configuration, installation, and operation of ECI Telecom products in a
network are highly specialized processes. Due to the different nature of each
installation, some planning aspects may not be covered in this manual.
If you have questions or concerns about your network design or if you require
installation personnel to perform the actual installation process, ECI Telecom
maintains a staff of design engineers and highly trained field service personnel.
The services of this group are available to customers at any time.
If you are interested in obtaining design assistance or a network installation
plan from ECI Telecom's Customer Support team, contact your ECI Telecom
sales representative. With any support related issues, technical or logistic,
please contact the ECI Telecom Customer Support center at your location. If
you are not familiar with that location, please contact our central customer
support center action line at:
Telephone: +972-3-9266000
Telefax: +972-3-9266370
Email: on.support@ecitele.com



1
Administrating the Device

Features Included in this Chapter
This chapter describes how to perform operations to administer your AS9206
devices.
This chapter consists of these sections:

• MAC-Address Table (FDB)
  The MAC-address table contains address information that the device uses
  to forward traffic between ports. The AS9206 devices maintain a database
  of MAC addresses, manually configured (static) and dynamically learned
  entries. During troubleshooting, it may be helpful to investigate the entries
  in the MAC-address table.

• Files System
  This section describes some fundamental tasks you perform to maintain the
  configuration files and system images used by AS9206 devices.

• System Time and Date
  You can manage the system time and date on your device using automatic
  configuration, such as the Network Time Protocol (NTP). NTP allows the
  synchronization of device clocks over TCP/IP networks. Having a common
  view of time on the network makes many things easier, from correlating log
  files from different devices to keeping file timestamps consistent.

• Domain Name System (DNS) Client
  The client-side of the DNS is responsible for initiating and sequencing the
  queries that lead to a translation of a domain name into an IP address.

• VTY (Virtual Terminal)
  This section provides commands for configuring the virtual terminal line
  settings.

MAC-Address Table (FDB)

Overview
The MAC (Media Access Control) address is the unique hardware number that
identifies the computer on a local area network (LAN) or other network.
MAC addresses are 12-digit hexadecimal numbers (48 bits in length) in the
following format:
MM:MM:MM:SS:SS:SS

Whereas MAC addressing works at the data link layer (layer 2), IP addressing
functions at the network layer (layer 3). MAC addresses are also known as
hardware or physical addresses.
The MAC-address table contains the destination VLAN ID, MAC address, port
number associated with each address, entry type, and MAC address priority.

MAC-Address Table Entry Types


The following entry types can exist in the MAC-address table:

• Dynamic entries: to learn a dynamic entry, the device examines the
  packets to determine the source MAC address, VLAN, and port
  information. Initially, all entries in the database are dynamic, except for
  certain entries created by the device.
  Dynamic entries are flushed and updated when any of the following occurs:
    • A VLAN is removed
    • A VLAN ID is changed
    • A port mode is changed (tagged/untagged)
    • A port is disabled
    • A port goes down
  A new dynamic entry is created when the device identifies a source
  MAC address that does not yet have an entry in the MAC-address table.
  Dynamic entries are deleted from the database if the device is reset or a
  power off/on occurs.
• Static entries: permanent entries are retained in the database if the device
  is reset or a power off/on cycle occurs. A permanent entry can be a filtered,
  multicast, secure, self, static, or unknown MAC address. These entries are
  created through the CLI.
• Secure entries: a secure entry is configured on a secured port to allow only
  secured MAC addresses to be learned by this port.
• Self entries: a self entry is automatically created by the device software for
  various reasons.
• Filtered entries: a filtered entry can be created in two ways. One way is to
  configure a filtered entry statically to block traffic from and to a specific
  MAC address on the device. The second way is to use the Port Security or
  the Port Limit feature. The MAC addresses in the filtered entries are the
  MAC addresses that caused a security violation.
• Multicast entries: multicast entries are multicast MAC addresses that were
  created dynamically by a multicast protocol.


MAC-Address Table Configuration Commands

MAC-Address Table Configuration Commands’ Hierarchy
+ root
+ config terminal
+ [no] port UU/SS/PP
- [no] learn-new-mac-addresses
- [no] mac-address-table aging-time <time>
+ [no] mac-address-table static <vlan-id> <mac:hexList>
- port UU/SS/PP
- [no] priority <priority>
- type { filtered | multicast | secure | self | static | unknown}
- clear fdb [interface UU/SS/PP] [mac HH:HH:HH:HH:HH:HH] [vlan <vlan-id>]
- show fdb

MAC-Address Table Configuration Commands’ Descriptions

Table 1-1: MAC-Address Table Commands

Command
    Description

config terminal
    Enters the Configuration mode
port UU/SS/PP
    Enters the Specific Port’s Configuration mode
no port [UU/SS/PP]
    Removes the port configurations
learn-new-mac-addresses
    Enables the learning of new MAC addresses in the MAC-address table
    • Enabled
no learn-new-mac-addresses
    Restores to default
mac-address-table aging-time <time>
    Defines the length of time that a dynamic entry remains in the MAC-address table since the last time it was updated/used:
    • time: in the range of <10–1000000> seconds
    • 300 seconds
no mac-address-table aging-time
    Restores to default
mac-address-table static <vlan-id> <mac:hexList>
    Adds a static MAC address to the MAC-address table:
    • vlan-id: the VLAN, in the range of <1-4092>, for which the packet with the specified MAC address is received
    • mac:hexList: the destination unicast/multicast MAC address (HH:HH:HH:HH:HH:HH) added to the MAC-address table
    • None configured
no mac-address-table static <vlan-id> <mac:hexList>
    Removes a static entry:
    • vlan-id: on the specified VLAN in the range of <1–4092>
    • mac:hexList: a specific MAC address (HH:HH:HH:HH:HH:HH)
port UU/SS/PP
    Defines a port to which the received packet is forwarded:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
priority <priority>
    Defines the MAC-address table priority:
    • priority: in the range of <0–7>
    • 0
no priority
    Restores to default
type { filtered | multicast | secure | self | static | unknown}
    Specifies the MAC-address learning type:
    • filtered, multicast, secure, self, static, and unknown
    • Static
clear fdb [interface UU/SS/PP] [mac HH:HH:HH:HH:HH:HH] [vlan <vlan-id>]
    Removes all or specific entries from the MAC-address table:
    • UU/SS/PP: (optional) all MAC addresses for the specified port
    • HH:HH:HH:HH:HH:HH: (optional) a specific MAC address
    • vlan-id: (optional) all MAC addresses for the specified VLAN in the range of <1–4092>
show fdb
    Displays the content of the MAC-address table

MAC-Address Table Configuration Example


device-name(config)#mac-address-table static 1 00:0a:01:02:03:04
device-name(config-static-1/00:0a:01:02:03:04)#port 1/1/2
device-name(config-static-1/00:0a:01:02:03:04)#priority 6
device-name(config-static-1/00:0a:01:02:03:04)#commit
Commit complete.
device-name(config-static-1/00:0a:01:02:03:04)#end

device-name#show fdb
+========+=====================+============+==========+==========+
| VID | Mac | PORT | STATUS | PRIORITY |
+========+=====================+============+==========+==========+
| 001 | 00:00:C8:00:00:02 | 1/1/3| dynamic | 000 |
| 001 | 00:0A:01:02:03:04 | 1/1/2| static | 006 |
| 001 | 00:A0:12:64:07:01 | | self | 000 |
+--------+---------------------+------------+----------+----------+
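
An added example, not part of the manual: a Python sketch that parses the show fdb table above and audits it against a list of expected static bindings. The function names, the expected mapping, the finding labels, and the assumption that filtered entries are displayed with the status "filtered" are illustrative assumptions; the second sample table is constructed.

```python
import re
from typing import NamedTuple


class FdbEntry(NamedTuple):
    vlan: int
    mac: str       # normalized to lower case
    port: str      # "" when the row has no port (for example a self entry)
    status: str
    priority: int


# One data row of the table: | VID | Mac | PORT | STATUS | PRIORITY |
ROW = re.compile(
    r"^\|\s*(\d+)\s*\|\s*((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*\|"
    r"\s*([\d/]*)\s*\|\s*(\w+)\s*\|\s*(\d+)\s*\|$"
)


def parse_show_fdb(text):
    """Return the data rows of a 'show fdb' listing; borders and the header are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            vlan, mac, port, status, prio = m.groups()
            entries.append(
                FdbEntry(int(vlan), mac.lower(), port, status.lower(), int(prio))
            )
    return entries


def audit_fdb(entries, expected):
    """Compare entries with expected {(vlan, mac): port} static bindings.

    Findings are (label, vlan, mac, detail) tuples:
      missing    - expected binding absent from the table (detail: expected port)
      moved      - MAC seen on a different port (detail: observed port)
      not-static - MAC on the right port but not a static entry (detail: status)
      violation  - any filtered entry; the manual says these can result from
                   Port Security / Port Limit violations (detail: port)
    """
    want = {(v, m.lower()): p for (v, m), p in expected.items()}
    seen = {(e.vlan, e.mac): e for e in entries}
    findings = []
    for (vlan, mac), port in want.items():
        e = seen.get((vlan, mac))
        if e is None:
            findings.append(("missing", vlan, mac, port))
        elif e.port != port:
            findings.append(("moved", vlan, mac, e.port))
        elif e.status != "static":
            findings.append(("not-static", vlan, mac, e.status))
    for e in entries:
        if e.status == "filtered":  # assumed display label
            findings.append(("violation", e.vlan, e.mac, e.port))
    return findings


# Output copied from the example above.
PAGE_SAMPLE = """\
+========+=====================+============+==========+==========+
| VID | Mac | PORT | STATUS | PRIORITY |
+========+=====================+============+==========+==========+
| 001 | 00:00:C8:00:00:02 | 1/1/3| dynamic | 000 |
| 001 | 00:0A:01:02:03:04 | 1/1/2| static | 006 |
| 001 | 00:A0:12:64:07:01 | | self | 000 |
+--------+---------------------+------------+----------+----------+
"""

# Constructed sample: the static MAC now appears as a dynamic entry on another
# port, and one filtered entry is present.
CONSTRUCTED_SAMPLE = """\
| VID | Mac | PORT | STATUS | PRIORITY |
| 001 | 00:0A:01:02:03:04 | 1/1/7| dynamic | 000 |
| 001 | 00:00:C8:00:00:09 | 1/1/5| filtered | 000 |
"""

if __name__ == "__main__":
    expected = {(1, "00:0A:01:02:03:04"): "1/1/2"}
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        print(audit_fdb(parse_show_fdb(sample), expected))
```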


Files System

Overview
The file system provides commands for defining, downloading, and deleting
software images and configuration files stored in a Flash memory.

File System Configuration Commands

File System Configuration Commands’ Hierarchy
+ root
- file activate-os-image FILE-NAME
- file backup binary-running-config flash
- file backup binary-running-config PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file cp os-image PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file cp from FILE-NAME1 PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME2
- file cp from PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME1 FILE-NAME2
- file cp from FILE-NAME1 FILE-NAME2
- file cp technical-support PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file cp technical-support FILE-NAME
- file cp running-configuration PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file cp running-configuration FILE-NAME
- file ls
- file ls os-image
- file rm from FILE-NAME
- file rm os-image FILE-NAME
- file more FILE-NAME
- file mv FILE-NAME1 FILE-NAME2
- file merge FILE-NAME
- file diff FILE-NAME1 FILE-NAME2
- file restore binary-running-config flash
- file restore binary-running-config PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file vi FILE-NAME

File System Configuration Commands’ Description

Table 1-2: File System Commands

Command
    Description

(root)

file activate-os-image FILE-NAME
    Specifies the name of the software image file to be loaded upon next restart:
    • FILE-NAME: name of the software image file
file backup binary-running-config flash
    Backs up the binary running configuration to the local file system (see the Installation and Maintenance chapter of this UG):
    • The name of the backup file is backup.tar.gz

file backup binary-running-config PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
    Backs up the binary running configuration to a TFTP/FTP server (see the Installation and Maintenance chapter of this UG):
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME: name of the file to be backed up
file cp os-image PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
    Downloads a new software image from a TFTP/FTP server:
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME: name of the software image file

file cp from FILE-NAME1 PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME2
    Uploads a configuration file from the local file system to a TFTP/FTP server:
    • FILE-NAME1: name of the source file
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME2: name of the destination file
file cp from PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME1 FILE-NAME2
    Downloads a configuration file from a TFTP/FTP server to the local file system:
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME1: name of the source file
    • FILE-NAME2: name of the destination file

file cp from FILE-NAME1 FILE-NAME2
    Saves a copy of any file to the local file system:
    • FILE-NAME1: name of the copied image file
    • FILE-NAME2: name of the new file
file cp technical-support PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
    Uploads the output of the show technical-support command to a TFTP/FTP server (see the Troubleshooting chapter of this UG):
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME: name of the file
file cp technical-support FILE-NAME
    Saves the output of the show technical-support command to the local file system (see the Troubleshooting chapter of this UG):
    • FILE-NAME: name of the file

file cp running-configuration PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
    Uploads the running configuration file to a TFTP/FTP server:
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME: name of the file
file cp running-configuration FILE-NAME
    Saves the running configuration file to the local file system:
    • FILE-NAME: name of the file
file ls
    Lists the content of the local file system
file ls os-image
    Lists the available software images located on the local file system
file rm from FILE-NAME
    Removes a configuration file from the local file system:
    • FILE-NAME: name of the file
file rm os-image FILE-NAME
    Removes a software image from the local file system:
    • FILE-NAME: name of the image file
file more FILE-NAME
    Displays the content of a configuration file:
    • FILE-NAME: name of the file
file mv FILE-NAME1 FILE-NAME2
    Renames the selected configuration file:
    • FILE-NAME1: old (current) name of the file
    • FILE-NAME2: new name of the file

file merge FILE-NAME
    Merges the content of a specified configuration file into the current running configuration:
    • FILE-NAME: name of the configuration file to be merged
file diff FILE-NAME1 FILE-NAME2
    Compares the content of two files ignoring character case (returns matches disregarding upper or lower case):
    • FILE-NAME1, FILE-NAME2: names of the files to be compared
file restore binary-running-config flash
    Restores the binary running configuration from a backup file located on the local file system:
    • The name of the backup file is backup.tar.gz
file restore binary-running-config PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
    Restores the running configuration from a backup file located on a TFTP/FTP server:
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME: name of the file to be restored
file vi FILE-NAME
    Opens the selected file for editing in a standard VI editor:
    • FILE-NAME: name of the file


Software Upgrade Example


NOTE: It is recommended to first verify that the free space
available on the local file system is enough to store the new
software image. To display the amount of free space and to
list the currently stored software image files, use the file
ls os-image command, as illustrated below.

In the following example, the 2.3.R1.AS9206.tar.bz2 software image is being
downloaded from an FTP server with IP address 10.3.71.17:
1. Downloading the desired file from the FTP server to the local file system:
device-name#file cp os-image
ftp://user:pass123@10.3.71.17/2.3.R1.AS9206.tar.bz2
Downloading the image '2.3.R1.AS9206.tar.bz2' from ftp://10.3.71.17
(9050642 bytes copied)... OK
Image file 2.3.R1.AS9206.tar.bz2 is tested for validity, please
wait... OK
Installing the image file... OK

The new image has been installed successfully!
Use the 'file activate-os-image' command to activate this image.

NOTE: In case there is not enough free space on the local
file system for storing the new software image file, the
operation will fail with the following error message:
Installing the image file... Failed! (cp: write error: No space left on device)

2. Activating the new image:
device-name#file activate-os-image 2.3.R1.AS9206.tar.bz2
Image file 2.3.R1.AS9206.tar.bz2 is tested for validity, please
wait... OK
Activating image 2.3.R1.AS9206.tar.bz2...

3. (Optional) Listing the available software images:
device-name#file ls os-image
* 1 Jan 01:05 8.5M 2.3.R1.AS9206.tar.bz2
1 Jan 2010 8.6M 2.2.R1.AS9206.tar.bz2
1 Jan 01:56 8.6M 2.1.R1.AS9206.tar.bz2
Number of files: 3, 25.7M
Flash Size: Size
51.4M
Used Space: Used
26.0M
Free Space: Available
25.4M

4. Reloading the device:
device-name#config terminal
Entering configuration mode terminal
device-name(config)#system reload
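
An added example, not part of the manual: the file commands above take the FTP password inline in the PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME argument, so it ends up in any saved session transcript. This Python sketch parses that argument format, masks the password before a transcript is stored, and flags transfers that expose a password or use TFTP, which the table describes as needing no user or password. The function names, finding labels and the sample transcript are assumptions constructed for illustration.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME with PROTOCOL tftp:// or ftp://
TARGET = re.compile(
    r"(?P<proto>tftp|ftp)://"
    r"(?:(?P<user>[^:@/\s]+)(?::(?P<password>[^@\s]*))?@)?"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?::(?P<port>\d{1,5}))?"
    r"/(?P<file>\S+)"
)


class Target(NamedTuple):
    proto: str
    user: Optional[str]
    password: Optional[str]
    host: str
    port: Optional[int]
    file: str


def parse_target(arg):
    """Parse one remote-file argument; raise ValueError if it is malformed."""
    m = TARGET.fullmatch(arg)
    if m is None:
        raise ValueError(f"not a PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME argument: {arg!r}")
    ipaddress.IPv4Address(m.group("host"))  # raises ValueError on e.g. 10.3.71.300
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return Target(m.group("proto"), m.group("user"), m.group("password"),
                  m.group("host"), port, m.group("file"))


def _mask(m):
    """Replace only the password part of a matched argument with ****."""
    if m.group("password") is None:
        return m.group(0)
    start, end = m.span("password")
    whole, offset = m.group(0), m.start()
    return whole[:start - offset] + "****" + whole[end - offset:]


def redact_line(line):
    """Return the line with every inline transfer password masked."""
    return TARGET.sub(_mask, line)


def review_transcript(text):
    """Return (redacted_text, findings); findings are (line_no, label, host)."""
    redacted, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TARGET.finditer(line):
            if m.group("password") is not None:
                findings.append((lineno, "password-on-command-line", m.group("host")))
            elif m.group("proto") == "tftp":
                findings.append((lineno, "tftp-no-authentication", m.group("host")))
        redacted.append(redact_line(line))
    return "\n".join(redacted), findings


# Constructed transcript built from the command forms shown in this section.
SAMPLE = """\
device-name#file cp os-image
ftp://user:pass123@10.3.71.17/2.3.R1.AS9206.tar.bz2
device-name#file backup binary-running-config tftp://10.3.71.17/backup.tar.gz
"""

if __name__ == "__main__":
    clean, found = review_transcript(SAMPLE)
    print(clean)
    print(found)
```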


System Time and Date


The device internal clock runs from the moment the system starts up and keeps
track of the date and time.
The internal clock is set from the following sources:
 Network Time Protocol
 Manual configuration

Network Time Protocol (NTP)


Network Time Protocol (NTP) provides a reliable way of transmitting and
receiving the time over IP networks. NTP is organized as a client-server model.
An NTP network usually gets its time from an authoritative time source, such
as a radio clock or an atomic clock connected to a Time server. NTP then
distributes this time across the network.

Time Representation in NTP


The time is the number of seconds since 00:00 (midnight) 1 January 1970
GMT, such that the time 1 is 12:00:01 AM on 1 January 1970 GMT; this base
serves until the year 2038.

Summer Time (Daylight Saving Time)


You can configure your device to observe Daylight Saving Time (DST).
DST follows the U.S. standards. You can have the device advance
the clock one hour at 2:00 a.m. on the first Sunday in April and move back the
clock one hour at 2:00 a.m. on the last Sunday in October. You can also
explicitly specify the start and end dates and times and whether or not the time
adjustment recurs every year.


System Time and Date Configuration Commands

System Time and Date Configuration Commands’ Hierarchy
NOTE: The device’s system time is reset after it reloads.
The device’s system time must be defined manually when
NTP is not configured.

+ root

+ config terminal

+ system

+ [no] time
- [no] date CCYY-MM-DDTHH:MM:SS
- [no] summer-time recurring [start-at
{day-of-the-week DAY | month MONTH |
week-of-the-month <week> | time
HH:MM:SS} | end-at {day-of-the-week DAY
| month MONTH | week-of-the-month
<week> | time HH:MM:SS}]
- [no] summer-time recurring offset
<offset>
+ [no] ntp
+ [no] remote-server-ip A.B.C.D
- [no] authentication key-id
<key-id> [key-string STRING]
- refresh-interval <interval>
- timezone <-12–+12>
- [no] time-out <value>
- [no] min <min>
- [no] shutdown


System Time and Date Configuration Commands’ Descriptions

Table 1-3: System Time and Date Commands

Command
    Description

config terminal
    Enters the Configuration mode
system
    Enters the System Configuration Mode
time
    Enters the Time Server Configuration mode
no time
    Removes the system time configurations
date CCYY-MM-DDTHH:MM:SS
    Manually sets the device’s system time:
    • CCYY-MM-DDTHH:MM:SS: CC represents the century, YY the year, MM the month and DD the day
    • T: date/time separator
    • HH, MM, and SS represent hour, minute and second respectively
summer-time recurring {start-at {day-of-the-week DAY | month MONTH | time HH:MM:SS | week-of-the-month <week>} | end-at {day-of-the-week DAY | month MONTH | time HH:MM:SS | week-of-the-month <week>}}
    Defines that the summer time starts and ends on specified days every year:
    • start-at: start settings
    • end-at: end settings
    • DAY: the start/end day of the week (Sunday, Monday...)
    • MONTH: the start/end month (January, February...)
    • HH:MM:SS: the start/end time (24-hour format)
    • week: the week of the month to start/end (first, second, third, forth and last)
    • The summer time is disabled
summer-time recurring offset <offset>
    Defines the number of minutes added during the summer time:
    • offset: in the range of <1-1440>
no summer-time recurring
    Restores to default
ntp
    Configures the device’s system time to be synchronized by an NTP server
    • Enabled
no ntp
    Disables the NTP

remote-server-ip A.B.C.D
    Defines the NTP server’s IP address:
    • A.B.C.D: NTP server’s IP address
no remote-server-ip
    Removes the NTP server’s IP address
authentication key-id <1-65535> [key-string STRING]
    Configures the MD5 authentication key used by the device to authenticate the NTP server to prevent rogue server intervention:
    • key-id: in the range of <1-65535>
    • key-string STRING: (optional) a string of <1-20> characters (blank spaces and question marks are not allowed)
no authentication key-id
    Removes the MD5 authentication key
refresh-interval <interval>
    Defines the number of minutes to synchronize the device’s system time to the NTP server:
    • interval: in the range of <10–44640> minutes (the upper limit is equivalent to 31 days)
timezone <-12–+12>
    Defines the number of hours of offset from the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT):
    • -12: corresponds to time zones west of UTC
    • +12: corresponds to time zones east of UTC
time-out <value>
    Defines the NTP server session timeout:
    • value: in the range of <2-20> seconds
no time-out
    Removes the timeout
min <min>
    Defines the number of minutes of offset from UTC:
    • min: in the range of <1-59> minutes
no min
    Removes the configured minutes
shutdown
    Stops the NTP configuration
no shutdown
    Starts the NTP configuration


Domain Name System (DNS) Client
DNS is a client-server hierarchical naming system used for mapping domain
names to IP addresses.
AS9206 acts as a DNS client, resolving and caching DNS domain names.
When receiving a request for resolving a domain name, the device attempts to
resolve the IP address from its cache. If it does not locate the domain name, it
queries the DNS server for the corresponding IP address. When the DNS server
responds with the domain’s IP address, the device forwards the information to
the requesting agent and caches this response for future reuse.

DNS Client Configuration Commands

DNS Client Configuration Commands’ Hierarchy
+ root

+ config terminal

+ system

- [no] dns-resolver A.B.C.D [shutdown]


DNS Client Configuration Commands’ Descriptions

Table 1-4: DNS Client Commands

Command
    Description
config terminal
    Enters the Configuration mode
system
    Enters the System Configuration mode
dns-resolver A.B.C.D [shutdown]
    Defines the DNS server’s IP address used for domain name and address resolution.
    You can specify up to 3 DNS servers. The device sends DNS queries to the primary server first. If that query fails, the backup servers are queried.
    • A.B.C.D: DNS server’s IP address
    • shutdown: (optional) shuts down the selected DNS server
    • No DNS servers are configured
no dns-resolver
    Removes the configured DNS server’s IP address

VTY (Virtual Terminal)


The Virtual Terminal (VTY) interface is used solely to control inbound
connections. VTYs are a function of software; there is no hardware
associated with them.

VTY Session Configuration Commands

VTY Session Configuration Commands’ Hierarchy
+ root

- idle-timeout <timeout>

- screen-length <number-of-rows>

- screen-width <number-of-columns>


VTY Session Configuration Commands’ Descriptions

Table 1-5: VTY Session Commands

Command
    Description
idle-timeout <timeout>
    Defines the VTY connection timeout value:
    • timeout: in the range of <0-8192> seconds
screen-length <number-of-rows>
    Defines the number of row lines displayed on the terminal screen.
    • number-of-rows: in the range of <0-32000>
    • 24 lines
screen-width <number-of-columns>
    Defines the number of column lines displayed on the terminal screen.
    • number-of-columns: in the range of <1-512>

License Configuration
NOTE: The device is shipped with full license capabilities.

License Configuration Commands

License Configuration Commands’ Hierarchy


+ root

+ config terminal

+ system

- license [id <value>]

- show system license


License Configuration Commands’ Descriptions

Table 1-6: License Commands

Command
    Description
config terminal
    Enters Configuration mode
system
    Enters System Configuration mode
license [id <value>]
    Defines a new software license identifier. The command without argument displays the software license of the device:
    • value: (optional) in the range of <0-4294967294>
show system license
    Displays the software license of the device

Supported Standards, MIBs, and RFCs

Feature: Managing the MAC-Address Table
    Standards: No Standards are supported by this feature
    MIBs: Standard MIB, 8021Q_d6.mib
    RFCs: No RFCs are supported by this feature
Feature: Files System
    Standards: No standards are supported by this feature
    MIBs: No MIBs are supported by this feature
    RFCs: No RFCs are supported by this feature
Feature: Managing the System Time and Date
    Standards: No standards are supported by this feature
    MIBs: No MIBs are supported by this feature
    RFCs: RFC 867, Daytime Protocol; RFC 868, Time Protocol
Feature: DNS Resolver
    Standards: No standards are supported by this feature
    MIBs: No MIBs are supported by this feature
    RFCs: RFC 1034, Domain Names—Concepts and Facilities; RFC 1035, Domain Names—Implementation and Specification
Feature: VTY (Virtual Telnet Type) Commands
    Standards: No standards are supported by this feature.
    MIBs: No MIBs are supported by this feature.
    RFCs: RFC 884, Telnet terminal type option



2
Device Authentication

Features Included in This Chapter
This chapter provides information on the variety of security features
incorporated in the AS9206 software to protect it from unauthorized access.
This chapter includes the following features:
• Managing User Privilege-Levels
You can control users’ access to the device and the functions they can
perform by maintaining a local list of authorized users, assigning them to
appropriate privilege levels.

• Remote Authentication Dial in User Service (RADIUS)
RADIUS is an authentication, authorization, and accounting protocol for
securing networks against unauthorized access.

• Terminal Access Controller Access-Control System Plus (TACACS+)
TACACS+ is a security protocol for remote authentication, authorization,
and accounting that communicates between network devices and an
authentication database.


Managing User Privilege-Levels


The CLI is protected by five predefined privilege profiles, preventing
unauthorized access to the different CLI modes.
Each CLI command is associated with a privilege level (see Table 2-1). Only
users with a privilege level equal to or higher than this privilege level can
execute the command.

Table 2-1: The Default Local Users’ Privilege-Levels

Privilege
    Description
Administrators
    Full read/write privileges (with no restrictions) for Layer 2 and Layer 3.
Network-Admins
    Read/write privileges for Layer 2 and Layer 3, without access to security (usernames and passwords), debug commands, and other administrative settings (such as software upgrade, and device reload).
Technicians
    Read/write privileges for Layer 2 and read-only privileges for Layer 3.
Users
    Read-only privileges for Layer 2 and Layer 3. Users with this privilege level have access to all the show commands and general commands (such as exit, quit, ping, and traceroute commands).
Guests
    Read-only privileges in Root mode.

Table 2-2: Default Device Usernames and Passwords

Username Password
admin admin

You can configure one of the below methods for authenticating users accessing
the device:
• Local database—authenticates the user using a local database of user names
and passwords, located on the local file system
• Remote RADIUS or TACACS+ server—authenticates the user using a
remote server lookup database of user names and passwords

NOTE: In case the remote RADIUS or TACACS+ server is shut down or
disconnected from the device, the device retransmits the request three
times. After the retransmission timeout, the device attempts to authenticate
the user with the local database.


Users Privilege-Level Configuration Flow

Figure 2-1: User Privilege Levels Configuration Flow

Users and Privilege-Level Commands Hierarchy
+ root
+ config terminal
+ system
+ security
+ [no] password preferred-authentication {local | radius | tacacs}
+ [no] privilege-profile PRIVILEGE-PROFILE-NAME
+ [no] command-access-rule <number>
- action {permit | permit_log | deny}
- match COMMAND-STRING
- agent [cli]
- operation {r | x | rx}
+ [no] user USER-NAME
- member PRIVILEGE-PROFILE-NAME
- password PASSWORD


Users and Privilege-Level Configuration Commands
Table 2-3: Users and Privilege-Level Commands

Command
    Description
config terminal
    Enters the Configuration mode
system
    Enters the System Configuration mode
security
    Enters the Security Configuration mode
password preferred-authentication {local | radius | tacacs}
    Defines the device login-authentication method:
    • local: local authentication method
    • radius: RADIUS authentication method
    • tacacs: TACACS+ authentication method
    • Local authentication method
no password
    Restores to default
privilege-profile PRIVILEGE-PROFILE-NAME
    Defines a new privilege profile and enters the Profile Configuration mode:
    • PRIVILEGE-PROFILE-NAME: a string of <1-256> characters. You can use predefined privilege profiles (see Table 2-1)
no privilege-profile PRIVILEGE-PROFILE-NAME
    Removes the defined privilege profile
command-access-rule <number>
    Defines a command access rule:
    • number: in the range of <1-4294967295>
    NOTE: Before executing the command-access-rule command, you must commit all changes.
no command-access-rule <number>
    Removes the command access rule
action {permit | permit-log | deny}
    Defines the access rule type:
    • permit: permits the rule
    • permit-log: permits log messages for all permitted rules
    • deny: denies the rule

match COMMAND-STRING
    Defines a command matching the specified access rule:
    • COMMAND-STRING: a command string
agent [cli]
    Defines the management agent for the specified rule:
    • CLI
operation {r | x | rx}
    The operation type that is permitted/denied by the specified rule:
    • r: read
    • x: execute
    • rx: read-execute
user USER-NAME
    Creates a new username in the local database, and enters the User Configuration mode:
    • USER-NAME: a case-sensitive string of <1-100> characters (blank spaces and question marks (?) are not allowed)
no user USER-NAME
    Removes the defined username
member PRIVILEGE-PROFILE-NAME
    Assigns a user to a profile:
    • PRIVILEGE-PROFILE-NAME: a string of <1-256> characters. You can use predefined privilege profiles (see Table 2-1)
password PASSWORD
    Defines a user's password:
    • PASSWORD: case-sensitive string of <1-64> characters (blank spaces are not allowed)


Configuration Example
1. Define a privilege profile ECI with an access rule that denies the
show port command via the CLI:
device-name(config)#system
device-name(config-system)#security privilege-profile ECI
device-name(config-privilege-profile-ECI)#commit
Commit complete.
device-name(config-privilege-profile-ECI)#command-access-rule 1
device-name(config-command-access-rule-1)#action deny
device-name(config-command-access-rule-1)#agent cli
device-name(config-command-access-rule-1)#match "show port"
device-name(config-command-access-rule-1)#operation rx
device-name(config-command-access-rule-1)#commit
Commit complete.
device-name(config-command-access-rule-1)#exit
device-name(config-privilege-profile-ECI)#exit

2. Create a user ECI and assign it to a profile:
device-name(config-security)#user ECI password ECI member ECI
device-name(config-user-ECI)#commit
Commit complete.

login as: eci
eci@10.3.171.101's password:
AS9206
eci connected from 10.3.71.96 using ssh on AS9206

3. Display the port status after applying the access rule:
device-name#show port
Aborted: permission denied

Remote Authentication Dial in User Service (RADIUS)
RADIUS is a client-server protocol for controlling remote users’ access to the
device. The protocol provides the following services, also known as the AAA
services:
• Authentication: determining who a user (or entity) is.
• Authorization: determining what a user is allowed to do.
• Accounting: keeping track of each user’s network activity.
The RADIUS client (typically a Network Access Server, NAS) exchanges
UDP packets with the RADIUS server (usually a UNIX or Windows NT daemon
process) to authenticate user-connection requests.


The NAS sends user-connection requests to the designated RADIUS servers.
The RADIUS server responds by returning configuration information necessary
for the NAS to provide access to the user. All user passwords exchanged
between the NAS and the RADIUS server are encrypted using the RSA MD5
algorithm.
The NAS and the RADIUS server use a shared secret-key to authenticate
transactions between them. This secret is never sent over the network.

The RADIUS Negotiation Procedure


The below figure demonstrates a typical RADIUS negotiation procedure. In
this example:
1. The user sends a Telnet request to connect to an AS9206 device (the NAS).
2. The device sends an Access Request packet to the RADIUS server. The
Access Request packet includes the username, encrypted password, NAS IP
address, and port. The request also provides information about the type of
session the user wants to initiate.

Figure 2-2: A RADIUS Communication Example

3. The RADIUS server first validates the NAS (based on the shared secret-
key). Then it validates the user request against a local database, matching
the user’s password (and in some cases, other parameters, such as the port
number). The RADIUS server then responds with:
• an accept reply, if the user information is validated
• a reject reply if the user is not found in the database or its information is
not matched. The reject reply might include the rejection reason.
Based on this reply, the NAS accepts or rejects the user’s request. The
accept reply includes a list of attributes that should be used in the session.
An important parameter is the authenticated user’s privilege level.


Defining User Privileges on the RADIUS Server
Follow the below steps on the RADIUS server to ensure correct user privileges.
The example refers only to a FreeRADIUS server authentication.
1. Complete the RADIUS configuration (as described in the FreeRADIUS
README file) on the RADIUS server.
2. Copy an additional dictionary.eci file (with the below information) to the
folder containing the RADIUS configuration files. The FreeRADIUS
server version is 2.1.0.
-------------------------------------------------
dictionary.eci
-------------------------------------------------
VENDOR ECI Telecom 738

ATTRIBUTE ECI Telecom-privilege-profile 2 string ECI Telecom

3. Assign a privilege level to all other users in the users configuration file, as
shown in the below example:
-------------------------------------------------
raddb/users
-------------------------------------------------

admin Auth-type := Local, Cleartext-Password := "adminpass"
    Reply-Message = "Hello, administrator!",
    ECI Telecom-privilege-profile = admin
net-admins Auth-type := Local, Cleartext-Password := "net-adminspass"
    Reply-Message = "Hello, NET admin!",
    ECI Telecom-privilege-profile = net-admins
tech Auth-type := Local, Cleartext-Password := "techpass"
    Reply-Message = "Hello, technician!",
    ECI Telecom-privilege-profile = technicians
users Auth-type := Local, Cleartext-Password := "userspass"
    Reply-Message = "Hello, user!",
    ECI Telecom-privilege-profile = users
guests Auth-type := Local, Cleartext-Password := "guestspass"
    Reply-Message = "Hello, guests!",
    ECI Telecom-privilege-profile = guests

4. Add the following line to the dictionary file (in the RADIUS-configuration
folder):
$INCLUDE dictionary.eci

5. Add the subnetwork address from which the NAS connects to
clients.conf:

-------------------------------------------------
raddb/clients.conf
-------------------------------------------------
client 10.3.0.0/16 {
secret = secretkey
}
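
The exchange from the negotiation procedure and the vendor attribute from dictionary.eci, written out per RFC 2865 as an added example (not ECI or FreeRADIUS code). It shows that only the password is hidden with MD5 and the shared secret, and how the NAS authenticates the reply before reading the privilege profile; the function names, the fixed request authenticator and the NAS address are constructed for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

ECI_VENDOR_ID = 738          # VENDOR number from dictionary.eci
ECI_PRIVILEGE_PROFILE = 2    # vendor attribute type from dictionary.eci


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same MD5 keystream removes the hiding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident, request_auth, user, password, secret, nas_ip, nas_port):
    """Access-Request (code 1): User-Name, User-Password, NAS-IP-Address, NAS-Port."""
    attrs = (_attr(1, user)
             + _attr(2, hide_password(password, secret, request_auth))
             + _attr(4, socket.inet_aton(nas_ip))
             + _attr(5, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(ident, request_auth, secret, profile: bytes) -> bytes:
    """Server side: Access-Accept (code 2) carrying the vendor-specific profile."""
    vsa = struct.pack("!I", ECI_VENDOR_ID) + _attr(ECI_PRIVILEGE_PROFILE, profile)
    attrs = _attr(26, vsa)
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """NAS side: check the Response Authenticator, then extract the profile."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length mismatch")
    attrs = reply[20:]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or altered reply")
    profile, i = None, 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[i + 2:i + a_len]
        if (a_type == 26 and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == ECI_VENDOR_ID
                and value[4] == ECI_PRIVILEGE_PROFILE
                and 2 <= value[5] <= len(value) - 4):
            profile = value[6:4 + value[5]].decode()
        i += a_len
    return code, profile


if __name__ == "__main__":
    secret = b"secretkey"            # shared secret from clients.conf above
    req_auth = bytes(range(16))      # constructed; a real NAS uses 16 random bytes
    request = build_access_request(7, req_auth, b"admin", b"adminpass",
                                   secret, "10.3.0.10", 23)  # constructed NAS address
    print("username visible on the wire:", b"admin" in request)
    reply = build_access_accept(7, req_auth, secret, b"admin")
    print("verified reply:", verify_reply(reply, req_auth, secret))
```

Everything except the User-Password attribute travels in clear text, and both the password hiding and the reply check depend entirely on the shared secret configured in clients.conf and on the device.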


The RADIUS Configuration Flow

Figure 2-3: RADIUS Configuration Flow

RADIUS Configuration Commands

RADIUS Configuration Commands’ Hierarchy
+ root
+ config terminal
+ system
+ security
- [no] radius-server
- [no] host A.B.C.D
- [no] port <number>
- [no] deadtime <minutes>
- [no] key KEY
- key-file FILE-NAME
- [no] key-storage-type {local | file}
- [no] retransmit <count>
- [no] timeout <seconds>


RADIUS Configuration Commands’ Descriptions

Table 2-4: RADIUS Commands

Command
    Description
config terminal
    Enters the Configuration mode
system
    Enters the System Configuration mode
security
    Enters the Security Configuration mode
radius-server
    Enters the RADIUS Server Configuration mode
no radius-server
    Removes the RADIUS Server configurations
host A.B.C.D
    Selects RADIUS server(s), up to 5 RADIUS servers.
    The device connects to the RADIUS servers in the order you define them:
    • A.B.C.D: the RADIUS server's IP address
    • No RADIUS servers are configured
    NOTE: In case the RADIUS server is shut down or disconnected from the device, the device retransmits the request three times. After the retransmission timeout, the device attempts to authenticate the user with the local database.
no host A.B.C.D
    Removes the configured RADIUS server’s IP address
port <number>
    Defines the UDP-authentication port number:
    • number: in the range of <1024–65535>
    • 1812
no port
    Restores to default
deadtime <minutes>
    Defines the number of minutes the device waits for an authentication response before declaring the RADIUS server unavailable and skipping to the next RADIUS server:
    • minutes: in the range of <0–1440> minutes
    • 3 minutes
no deadtime
    Restores to default

key KEY
    Defines an encryption key for encrypting and decrypting the traffic between the device and the RADIUS server:
    • KEY: a string of <1-255> characters
no key
    Removes the configured key
key-file FILE-NAME
    Specifies the name of a file that contains the encryption key information:
    • FILE-NAME: name of the file
key-storage-type {local | file}
    Defines the type of the encryption key storage:
    • local: the encrypted key is stored in the running configuration as you entered it
    • file: the encryption key is stored in a separate file in the Flash memory. Only the name of the file containing the key is displayed in the running configuration
    • Local
no key-storage-type
    Restores to default
retransmit <count>
    Defines the number of times the device transmits an authentication request to the RADIUS server, before declaring its unavailability:
    • count: in the range of <1–30>
    • 3 retries
no retransmit
    Restores to default
timeout <seconds>
    Defines the number of seconds the device waits for the RADIUS server reply before retransmitting the request:
    • seconds: in the range of <1–60> seconds
    • 3 seconds
no timeout
    Restores to default


RADIUS Configuration Example


1. Select the RADIUS server and define the shared secret key:
device-name#config terminal
device-name(config)#system
device-name(config-system)#security
device-name(config-security)#radius-server host 10.2.42.137
device-name(config-host-10.2.42.137)#exit
device-name(config-security)#radius-server key eci

2. Create local user localuser and password mypass:
device-name(config-security)#user localuser password mypass member users
device-name(config-user-localuser)#exit

3. Configure the RADIUS timers:
device-name(config-security)#radius-server retransmit 3
device-name(config-security)#radius-server timeout 10
device-name(config-security)#radius-server deadtime 3

4. Define the device login-authentication method:
device-name(config-security)#password preferred-authentication radius
device-name(config-security)#commit
device-name(config-security)#end

5. Display the RADIUS configuration:
device-name#show running-config system security radius-server
system
security radius-server host 10.2.42.137
!
security radius-server key eci
security radius-server timeout 10
!

Configuration Results:

1. When accessing the device using username richy, the RADIUS server
sends a REJECT reply:
Username:richy
Password:
Username:

2. When accessing the device using username admin and password
adminpass, the RADIUS server sends an ACCEPT reply, authenticating the
user:
Username:admin
Password:adminpass
device-name#


Terminal Access Controller Access-Control System Plus (TACACS+)
TACACS+ is a security protocol for remote authentication, authorization, and
accounting that communicates between network devices and an authentication
database. This protocol is based on the communication between a NAS
(AS9206 device) and the TACACS+ authentication server.
TACACS+ runs over TCP, which is considered to be a more reliable
protocol than UDP (used in RADIUS).

The TACACS+ Negotiation Procedure


A user’s attempt to connect to the device triggers the following procedure:
1. The NAS mediates between the user and the TACACS+ server requesting
and obtaining a username prompt.
2. When the user types a username at the prompt, the NAS requests and
obtains a password prompt.
3. When the user types a password, the NAS sends the username and
password to the TACACS+ server.
4. Besides a username and password, the TACACS+ server may also request
other required identifying items to authenticate the user.
5. After the user types the required information, the TACACS+ server
responds with one of the below options:

Table 2-5: TACACS+ Server Responses

Response
    Description
ACCEPT
    The user is authenticated. Based on configuration, the NAS might need to start the authorization phase.
REJECT
    The user is not authenticated. Depending on the TACACS+ server configuration, the user is either prompted to retry login or denied from accessing the network.
ERROR
    An error occurred during the authentication procedure (such as a network connection issue). In this case the NAS typically tries to authenticate the user by an alternative method.
CONTINUE
    The TACACS+ server prompts the user for further authentication information.


Comparing TACACS+ and RADIUS


Table 2-6: A comparison between TACACS+ and RADIUS

Feature: Communication Protocol
    RADIUS: UDP
    TACACS+: TCP
Feature: Authentication and Authorization
    RADIUS: Combined AAA processes
    TACACS+: AAA architecture—three separate processes: Authentication, Authorization, and Accounting
Feature: Packet Encryption
    RADIUS: Encrypts only the password sent by the user to the server
    TACACS+: Encrypts the entire packet body but leaves a standard TACACS+ header
Feature: Router Management
    RADIUS: Sends the device a privilege level used for command authorization
    TACACS+: Controls the command authorization on a per-user or per-group basis by assigning privilege levels to commands
Feature: Multiprotocol Support
    RADIUS: Does not support some protocols, such as:
      • AppleTalk Remote Access (ARA)
      • NetBIOS Frame Protocol Control
      • Novell Asynchronous Services Interface (NASI)
      • X.25 PAD connection
    TACACS+: Offers multiprotocol support


Defining User Privileges on the TACACS+ Server
The TACACS+ usernames and privilege levels are defined in the TACACS+
configuration file.
The following example displays the contents of a TACACS+ server
configuration file. The free TACACS+ server version is F4.0.3.alpha.
-------------------------------------------------
tac_plus.conf
-------------------------------------------------
key = "secretkey"

user = admin {
    login = cleartext "adminpass"
    service = eci {
        Group = "admin"
    }
}

user = tech {
    login = cleartext "techpass"
    service = eci {
        Group = "technicians"
    }
}

user = guest {
    login = cleartext "guestpass"
    service = eci {
        Group = "guests"
    }
}
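
The "Packet Encryption" row of Table 2-6 for TACACS+, worked through as an added example (not ECI or tac_plus code): the body is XORed with an MD5 pad derived from the session ID, the shared key, the version and the sequence number, as the TACACS+ draft (later RFC 8907) defines, while the 12-byte header stays readable. The function names, session ID, port name and remote address are constructed for the demonstration; the key is the one from tac_plus.conf above.

```python
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain: every hash covers session_id, key, version, seq_no and the previous hash."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pad; applying it twice restores the original body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START: action=LOGIN, priv_lvl=1, type=ASCII, service=LOGIN, no data."""
    return bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr


def build_packet(seq_no: int, session_id: int, body: bytes, key: bytes, version: int = 0xC0) -> bytes:
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet: bytes, key: bytes):
    """Split header and body; the header needs no key, the body does."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if length != len(body):
        raise ValueError("length field does not match body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id}, body


def parse_authen_start(body: bytes) -> dict:
    """The protocol has no integrity check, so a wrong key only shows up as bad lengths."""
    if len(body) < 8:
        raise ValueError("short body")
    user_len, port_len, rem_len, data_len = body[4:8]
    if 8 + user_len + port_len + rem_len + data_len != len(body):
        raise ValueError("field lengths do not add up: wrong key or corrupted body")
    user = body[8:8 + user_len]
    port = body[8 + user_len:8 + user_len + port_len]
    rem_addr = body[8 + user_len + port_len:8 + user_len + port_len + rem_len]
    return {"user": user, "port": port, "rem_addr": rem_addr}


if __name__ == "__main__":
    key = b"secretkey"                                           # key from tac_plus.conf
    body = authen_start_body(b"admin", b"vty0", b"10.3.71.96")   # constructed values
    packet = build_packet(1, 0x1234ABCD, body, key)
    header, clear = parse_packet(packet, key)
    print(header, parse_authen_start(clear))
```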


TACACS+ Configuration Flow

Figure 2-4: TACACS+ Configuration Flow

TACACS+ Configuration Commands

TACACS+ Configuration Commands’ Hierarchy
+ root

+ config terminal

+ system

+ security
- [no] tacplus
- [no] host A.B.C.D
- [no] description DESCRIPTION
- [no] key KEY
- [no] timeout <seconds>


TACACS+ Configuration Commands’ Descriptions

Table 2-7: TACACS+ Commands

Command
    Description
config terminal
    Enters the Configuration mode
system
    Enters the System Configuration mode
security
    Enters the Security Configuration mode
tacplus
    Enters the TACACS+ Server Configuration mode
no tacplus
    Removes the TACACS+ Server configurations
host A.B.C.D
    Selects TACACS+ server(s), up to 5 RADIUS servers.
    The device connects to the TACACS+ servers in a predefined order:
    • A.B.C.D: the TACACS+ server's IP address
    • No TACACS+ servers are configured
    NOTE: In case the TACACS+ server is shut down or disconnected from the device, the device retransmits the request three times. After the retransmission timeout, the device attempts to authenticate the user with the local database.
no host
    Removes the configured TACACS+ server’s IP address
description DESCRIPTION
    TACACS+ server description:
    • DESCRIPTION: a string of <1–255> characters
no description
    Removes the TACACS+ server description
key KEY
    Defines an encryption key for encrypting and decrypting the traffic between the device and the TACACS+ server:
    • KEY: a string of <1-255> characters

no key
    Removes the configured key
timeout <seconds>
    Defines the number of seconds the device waits for an authentication response from the TACACS+ server before declaring its unavailability:
    • seconds: in the range of <1–60> seconds
    • 3 seconds
no timeout
    Restores to default

TACACS+ Configuration Example


Device Configuration:

1. Select the TACACS+ server and define the shared encryption key:
device-name#config terminal
device-name(config)#system
device-name(config-system)#security
device-name(config-security)#tacplus host 10.2.42.137
device-name(config-security)#tacplus key TacacsPlus

2. Define the device login-authentication method:
device-name(config-security)#password preferred-authentication tacacs
device-name(config-security)#commit
device-name(config-security)#end

3. Display the TACACS+ configuration:
device-name#show running-config system security tacacs-server
system
security
tacplus host 10.2.42.137
!
tacplus key TacacsPlus

Configuration Results:

1. When accessing the device using username richy, the TACACS+ server
sends a REJECT reply:
Username:richy
Password:
Username:

2. When accessing the device using username admin and password
adminpass, the TACACS+ server sends an ACCEPT reply, authenticating
the user:
Username:admin
Password:adminpass
device-name#


When the TACACS+ server is unreachable/down, the local authentication is
used.

Supported Standards, MIBs, and RFCs

Feature: User-Privilege Levels
    Standards: No Standards are supported by this feature.
    MIBs: No MIBs are supported by this feature.
    RFCs: No RFCs are supported by this feature.
Feature: RADIUS
    Standards: No standards are supported by this feature.
    MIBs: No MIBs are supported by this feature.
    RFCs:
      • RFC 2865, Remote Authentication Dial In User Service (RADIUS)
      • RFC 2869, Remote Authentication Dial In User Service (RADIUS) Extensions
Feature: TACACS+
    Standards: No Standards are supported by this feature.
    MIBs: No MIBs are supported by this feature.
    RFCs: draft-grant-tacacs-02—tac-rfc.1.78.txt draft



3
Physical Ports and Logical Interfaces

Features Included in this Chapter
This chapter describes the AS9206 device interface types, which include load
sharing, resiliency, and security solutions, and provides configuration
examples.
The chapter includes the following sections:
• Fast and Giga Ethernet Ports
This section details the physical AS9206 device ports and lists
configuration commands.

• Link Aggregation Groups (LAGs)
Link Aggregation Groups (LAGs) combine several ports in one logical
link. LAGs provide increased bandwidth and redundancy as well as higher
availability.

• Resilient Links
A resilient link consists of a main link and a standby (backup) link that
together form a resilient-link pair. Resilient links protect critical links and
prevent network downtime.

• MAC Learning Security Policies
Port security and port limit policies control how many addresses the device
can learn from a particular port.


Device Interface Types


There are two device interface types, one physical and the other logical:
• Device Port: Device ports are Layer 2 only interfaces associated with a
physical port.
• Software Interface: A logical, Layer 3 (IP) interface specifying various
attributes such as IP address and mask. A single port can be associated with
more than one IP interface via Virtual Local Area Network (VLAN)
configuration.

Fast and Giga Ethernet Ports


With this AS9206 device, service providers can deliver multiple services on
separate user ports. A single port can support multiple application flows with
each flow mapped to a different traffic class.
The AS9206 device supports:
• 24 Fast Ethernet copper ports (10/100 Mbps)
• One of the following four Ethernet combo ports:
  • Fiber SFPs (100 Mbps and 1 Gbps)
  • Triple-speed copper ports (10 Mbps, 100 Mbps, and 1 Gbps)


Ports and IP Interface Commands


This section defines the command hierarchy used by both the physical port and
the logical IP interface, as well as the available commands for both.
Configuration examples for both are also included.

Command Hierarchy
+ root
  + config terminal
    + [no] port UU/SS/PP
      - [no] description DESCRIPTION
      - [no] speed {10 | 100 | 1000 | auto}
      - [no] duplex {auto | full | half}
      - [no] default-vlan <vlan-id>
      - [no] flow-control
      - [no] mtu <mtu-value>
      - [no] shutdown
    + [no] router
      + [no] interface {eth0 | loN | swN}
        - [no] description DESCRIPTION
        - [no] address A.B.C.D/M
        - [no] shutdown
  - show interface [name]
  - show interface statistics
  - show port [UU/SS/PP] [statistics | detailed]
  - clear port UU/SS/PP statistics

Command Descriptions
The following tables list separate configuration commands for ports and
interfaces. Commands used to display/clear port settings and statistics are also
included:
• Table 3-1: Ports Configuration Commands
• Table 3-2: IP Interface Configuration Commands
• Table 3-3: Commands Used to Display and Clear Port Settings and
  Statistics


Table 3-1: Ports Configuration Commands

Command
    Description

config terminal
    Enters Configuration mode

port UU/SS/PP
    Enters Configuration mode for a specific port:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

no port [UU/SS/PP]
    Removes port configurations:
    • UU/SS/PP: (optional) 1/1/1-1/1/24, 1/2/1-1/2/4

description DESCRIPTION
    Description of the port:
    • DESCRIPTION: a string of <1-256> characters

no description
    Removes the port description

speed {10 | 100 | 1000 | auto}
    Defines the speed of the port:
    • 10, 100, 1000: duplex speed, in Mbps
    • auto: the port automatically finds the highest supported speed
    • Default: Auto

no speed
    Restores to default

duplex {auto | full | half}
    Defines the port’s duplex mode.
    • auto: auto detect mode
    • full: full duplex mode
    • half: half duplex mode
    • Default: Auto

no duplex
    Restores to default

default-vlan <vlan-id>
    Defines the default VLAN for the port (only one default VLAN allowed per port):
    • vlan-id: in the range of <1–4092>
    • Default: 1

no default-vlan
    Restores to default

flow-control
    Controls the amount of data sent from the transmitting port to the
    receiving port (also called Flow Control Mode).
    • Default: Disabled

no flow-control
    Restores to default

mtu <mtu-value>
    Defines the maximum packet size allowed for the port.
    This parameter (minus 44 Bytes) is applied automatically on
    participating IP-interfaces.
    • mtu-value: in the range of <64–9216>
    • Default: 1544 Bytes

no mtu
    Restores to default

shutdown
    Disables the port (the port no longer receives, forwards, or learns)

no shutdown
    Enables the port

Table 3-2: IP Interface Configuration Commands

Command
    Description

config terminal
    Enters Configuration mode

router
    Enters Router Configuration mode

no router
    Removes router configurations

interface {eth0 | loN | swN}
    Creates an IP interface and enters Configuration Mode for the IP-Interface:
    • eth0: an Ethernet network interface
    • loN: an internal logical loopback IP-interface. N: in the range of <0–9>
    • swN: an IP interface number in the range of <0–9999>

no interface {eth0 | loN | swN}
    Removes the created IP interface:
    • eth0: an Ethernet network interface
    • loN: an internal logical loopback IP-interface. N: in the range of <0–9>
    • swN: an IP interface number in the range of <0–9999>
    NOTE: To remove the created IP interface, remove the IP interface from
    all VLANs of which it is a member.

description DESCRIPTION
    Describes the IP interface:
    • DESCRIPTION: a string of up to 256 characters (spaces are allowed)

no description
    Removes the IP interface description

address A.B.C.D/M
    Defines the IP address for the IP interface:
    • A.B.C.D/M: the IP address of the IP interface and subnet mask (M) in
      the range of <1–30>

no address
    Removes the IP address of the IP interface:
    • A.B.C.D/M: the IP address of the IP interface and subnet mask (M) in
      the range of <1–32>

shutdown
    Disables the interface

no shutdown
    Enables the interface

Table 3-3: Commands Used to Display and Clear Port Settings and Statistics

Command
    Description

show port [UU/SS/PP] [statistics | detailed]
    Displays the status and configuration of all ports or a specific port:
    • UU/SS/PP: (optional) 1/1/1-1/1/24, 1/2/1-1/2/4
    • statistics: (optional) displays port statistics and packet counters
    • detailed: (optional) displays detailed configuration information for
      the port

show interface name {eth0 | loN | swN}
    Displays the status and configuration of the selected interface:
    • eth0: an Ethernet network interface
    • loN: an internal logical loopback IP-interface. N: in the range of <0–9>
    • swN: an IP interface number in the range of <0–9999>

show interface statistics
    Displays interface statistics and packet counters

clear port UU/SS/PP statistic
    Clears all current statistics from the selected port:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4


Port Configuration Example


1. Enter the Configuration mode of port 1/1/1:
device-name#config terminal
device-name(config)#port 1/1/1

2. Specify the speed of the port:


device-name(config-port-1/1/1)#speed 1000
device-name(config-port-1/1/1)#commit

3. Specify the duplex type for the port:


device-name(config-port-1/1/1)#duplex full
device-name(config-port-1/1/1)#commit

4. Describe the port as port-1/1/1:


device-name(config-port-1/1/1)#description port-1/1/1
device-name(config-port-1/1/1)#commit

5. Set the MTU for the port to 4096:


device-name(config-port-1/1/1)#mtu 4096
device-name(config-port-1/1/1)#commit

6. Display the configuration of the port:


device-name#show port 1/1/1
=============================================================================
Ethernet Interface
=============================================================================
Interface : 1/1/1
Description : port-1/1/1
Admin State : up Port State : down
Config Duplex : full Operational Duplex : unknown
Config Speed : speed Operational Speed(Mbps) : unknown
-----------------------------------------------------------------------------
Flow Control : disabled
Dual Port : No Active Link : No-Link
-----------------------------------------------------------------------------
Default VLAN : 1 MTU[Bytes] : 4096
MAC Learning :
LAG ID : N/A
=============================================================================


IP-Interface Configuration Example


1. Create IP interface sw10 and enter the IP-Interface’s Configuration mode:
device-name(config)#router
device-name(config-router)#interface sw10
device-name(config-interface-sw10)#commit

2. Assign IP address 200.1.1.1/24 to interface sw10:


device-name(config-interface-sw10)#address 200.1.1.1/24
device-name(config-interface-sw10)#commit

3. Describe the interface:


device-name(config-interface-sw10)#description IpIfsw10
device-name(config-interface-sw10)#commit

4. Create VLAN 10 and associate sw10 with it:


device-name(config)# port 1/1/1 default-vlan 10
device-name(config-port-1/1/1)#commit
device-name(config-port-1/1/1)#exit
device-name(config)# vlan vlan10 10 routing-interface sw10 untagged 1/1/1
device-name(config-vlan-vlan10/10)#commit
device-name#show vlan

===================================================================
VLANs Information
===================================================================
Name | L3 Interface |VTag| Created By | Owned By |
-------------------+--------------+----+-------------+------------+
default | sw0 |1 | User | User |
-------------------------------------------------------------------
Tagged Ports:
-------------------------------------------------------------------
Untagged Ports: 1/1/1 1/1/10 1/1/11 1/1/12 1/1/13 1/1/14 1/1/15
1/1/16 1/1/17 1/1/18 1/1/19 1/1/2 1/1/20 1/1/21
1/1/22
1/1/23 1/1/24 1/1/3 1/1/4 1/1/5 1/1/6 1/1/7 1/1/8
1/1/9 1/2/1 1/2/2 1/2/3 1/2/4
-------------------------------------------------------------------
===================================================================
Name | L3 Interface |VTag| Created By | Owned By |
-------------------+--------------+----+-------------+------------+
vlan10 | sw10 |10 | User | User |
-------------------------------------------------------------------
Tagged Ports:
-------------------------------------------------------------------
Untagged Ports: 1/1/1
-------------------------------------------------------------------


Link Aggregation Groups (LAGs)


Link Aggregation Groups (LAGs) combine several ports in one logical link.
All links within a LAG operate at the same data rate (specifically, 10 Mbps,
100 Mbps, and 1 Gbps). By aggregating multiple Giga ports (as shown in the
following figure), LAGs also support bandwidths beyond 10 Gbps.
LAGs provide increased bandwidth and high reliability and eliminate the cost
of hardware upgrades.
NOTE: LAGs are numbered from 1 to 14. Each LAG can consist of up to eight
compatibly configured ports.

Figure 3-1: Four Ports Combined into a Link Aggregation Group


There are two LAG types:
• Static LAGs, which consist of individual Gigabit Ethernet links bundled
  into a single logical link, treat multiple device ports as one device port.
  These port groups act as a single logical port for high-bandwidth
  connections between two network devices. A static LAG balances the
  traffic load across the links in the channel. If a physical link within the
  static LAG fails, traffic previously carried over the failed link moves to the
  remaining links.
  Most protocols can operate using LAG infrastructure as though all ports in
  the group were a single, physical port.
• Dynamic LAGs dynamically adapt aggregated links to changes in traffic
  conditions using the Link Aggregation Control Protocol (LACP) to
  accommodate load sharing and automatic readjustments in case of LAG
  link-failure and recovery.

LAG Configuration
You can configure both static and dynamic LAGs simultaneously, subject to
the following restrictions:
• Both static and dynamic LAGs receive unique identifiers from the same
  LAG ID pool. Each LAG, whether static or dynamic, must have its own
  LAG ID number.
• Each port can belong to only one LAG, which can be either static or
  dynamic.


Link Aggregation Control Protocol (LACP)
The Link Aggregation Control Protocol (LACP) is the protocol used by a LAG. LACP,
defined in IEEE 802.3ad, dynamically groups similarly configured ports into a
single logical link (aggregate port) to increase bandwidth and redundancy as
well as provide higher availability. You can group ports based on hardware or
by administrative and port parameter constraints.
The device exchanges LACP frames to synchronize LACP-enabled port
databases.
You can group up to a maximum of eight compatible ports in one LAG.

LACP Modes
LACP has two operational modes:
• Active: When active, the port can start LACP negotiation and as a result
  form a link with another device. The other device can be either active or
  passive.
• Passive: The port does not start LACP negotiation.

LACP Parameters
The following factors define the ability of a port to aggregate with other ports:
• Physical characteristics such as data transfer rate, duplex capability, and
  medium type
• User-defined configuration constraints
To use LACP, define the following parameters:
1. Enter the System ID. The System ID identifies the LACP system
   negotiating with other LACP systems. The System ID is always the MAC
   address for the device.
2. Define System Priority. System priority, along with port priority, provides
   the means for connected LACP ports to determine dynamically an
   exchange policy.
3. Enter the Administrative key to define the ability of the port to aggregate
   with other ports.
4. Define port priority. Port and system priority work together so that
   connected LACP ports can dynamically determine an exchange policy.
5. Enable LACP.

NOTE: When enabled, LACP attempts to group the maximum of eight compatible
ports in a LAG. However, if LACP is unable to aggregate compatible ports (for
example, due to remote device limitations), these ports remain in a hot
standby state to be used when one of the channeled ports fails.

LAG Commands
This section defines the command hierarchy used by LAGs and presents a list
of usable commands and configuration examples.

Command Hierarchy
+ root
  + config terminal
    + ethernet
      + [no] lag
        - [no] distribution-type {L2 | L3 | L4}
        + [no] lag-id agN
          - [no] description DESCRIPTION
          - [no] lacp enable
          - lacp mode {active | passive}
          - [no] lacp administrative-key <number>
          - [no] lacp id <number>
          - [no] lacp marker {disable | enable}
          - [no] lacp priority <number>
          + [no] port UU/SS/PP
            - [no] priority <number>
  - show ethernet lag
  - show ethernet lag lag-id agN [details | statistics]
  - clear lag [lag-id agN] statistics


Command Descriptions
In this section, configuration commands are described in the following tables:
• Table 3-4: LAGs Configuration Commands
• Table 3-5: Commands Used to Display and Clear LAG Settings and
  Statistics

Table 3-4: LAGs Configuration Commands

Command
    Description

config terminal
    Enters Configuration mode

ethernet
    Enters Ethernet Configuration mode

lag
    Enters LAG Configuration mode

no lag
    Removes LAG configurations

distribution-type {L2 | L3 | L4}
    Defines the LAG packet-distribution between the ports:
    • L2: distributes packets based on the source and destination MAC
      addresses of the packets
    • L3: distributes packets based on the source and destination IP
      addresses of the packets
    • L4: distributes packets based on the TCP/UDP ports as well as the
      source and destination IP addresses for the TCP and UDP packets
    • Default: L2

no distribution-type
    Restores to default

lag-id agN
    Creates a static LAG and enters LAG Configuration mode:
    • agN: LAG ID. N is in the range of <1-14>

no lag-id agN
    Removes the created static LAG

description DESCRIPTION
    Describes the LAG:
    • DESCRIPTION: a string of 1–255 characters (spaces are allowed)

no description
    Removes the LAG description

lacp enable
    Enables Link Aggregation Control Protocol (LACP)
    • Default: Disabled

no lacp enable
    Restores to default

lacp administrative-key <number>
    Defines the LACP administrative key, determining the ability of the port
    to aggregate with other ports:
    • number: in the range of <1-65535>
    • Default: 1

no administrative-key
    Restores to default

lacp id xx:xx:xx:xx:xx:xx
    Assigns a user-defined system ID to a specific dynamic LAG:
    • xx:xx:xx:xx:xx:xx: user-defined system ID, in a MAC address format
    • Default: the MAC address of the device

no lacp id
    Restores to default

lacp marker {disable | enable}
    Enables the device to respond to LACP marker requests
    • Default: Disabled

no lacp marker
    Restores to default

lacp mode {active | passive}
    Defines LACP negotiating mode:
    • active: places a port into an active negotiating state. The port
      initiates negotiations by sending LACP packets to other ports
    • passive: places a port into a passive negotiating state. The port
      responds to received LACP packets but does not initiate negotiation
    • Default: Active

no lacp mode [active | passive]
    Restores to default or to specific negotiating mode

lacp priority <number>
    Defines LACP system priority. LACP uses system priority, together with
    the device MAC address, to form the system ID. System Priority is also
    used during negotiation with other systems:
    • number: in the range of <1-65535> (higher numbers have lower priority)
    • Default: 32768

no lacp priority
    Restores to default

port UU/SS/PP
    Adds a port to a LAG and enters LAG Port Configuration mode:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

no port [UU/SS/PP]
    Removes the selected port from a LAG group:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

priority <number>
    Specifies the priority of an individual port within the LAG:
    • number: in the range of <1-65535>
    • Default: 32768

no priority
    Restores to default

Table 3-5: Commands Used to Display and Clear LAG Settings and Statistics

Command
    Description

show ethernet lag
    Displays the status and configuration of all LAGs

show ethernet lag lag-id agN [details | statistics]
    Displays the status and configuration of the selected LAG:
    • agN: LAG ID, where N is in the range of <1-14>
    • details: LAG detail information
    • statistics: LAG statistics and packet counters

clear lag [lag-id agN] statistics
    Clears all LAG statistics:
    • agN: clears statistics for a specific LAG ID, where N is in the range
      of <1-14>


LACP Configuration Example


The following example establishes two dynamic link aggregation groups
between Device1, Device2, and Device3.

Figure 3-2: Example of Two LAGs Configured on the Same Device

Configuring Device 1:
In the following example, ports 1/1/1 and 1/1/2 are added to LAG ag1 and
ports 1/1/3 and 1/1/4 are added to LAG ag2. LACP is enabled on both LAGs.

1. Create static LAGs ag1 and ag2. Add relevant ports to both LAGs:
device-name(config)#ethernet
device-name(config-ethernet)#lag lag-id ag1
device-name(config-lag-id-ag1)#port 1/1/1
device-name(config-port-1/1/1)#port 1/1/2
device-name(config-port-1/1/2)#exit
device-name(config)#ethernet
device-name(config-ethernet)#lag lag-id ag2
device-name(config-lag-id-ag2)#port 1/1/3
device-name(config-port-1/1/3)#port 1/1/4
device-name(config-port-1/1/4)#exit


2. Enable LACP on both LAGs:


device-name(config)#ethernet
device-name(config-ethernet)#lag lag-id ag1
device-name(config-lag-id-ag1)#lacp enable
device-name(config-lag-id-ag1)#commit
Commit complete.
device-name(config-lag-id-ag1)# lag lag-id ag2
device-name(config-lag-id-ag2)#lacp enable
device-name(config-lag-id-ag2)#commit
Commit complete.

3. Display LAG configuration:


device-name#show ethernet lag lag-id ag1 details
Interface Name ag1
Mode: network
Distribution Type: L2
Operational Status: up
LACP: enabled
LACP Mode: active
System ID: 005043b5aa9c
System Priority: 32768
Administrative Key: 1
Marker: disabled

Port Admin Status Oper Status Priority Aggr Status


-----------------------------------------------------------
1/1/1 up up 32768 success
1/1/2 up up 32768 success

device-name#show ethernet lag lag-id ag2 details


Interface Name ag2
Mode: network
Distribution Type: L2
Operational Status: up
LACP: enabled
LACP Mode: active
System ID: 005043b5aa9c
System Priority: 32768
Administrative Key: 1
Marker: disabled

Port Admin Status Oper Status Priority Aggr Status


-----------------------------------------------------------
1/1/3 up up 32768 success
1/1/4 up up 32768 success


Configuring Device 2:
In the following example ports 1/1/1 and 1/1/2 are added to LAG ag1 on
which LACP is enabled.
1. Create static LAG ag1. Add relevant ports to the LAG:
device-name(config)#ethernet
device-name(config-ethernet)#lag lag-id ag1
device-name(config-lag-id-ag1)#port 1/1/1
device-name(config-port-1/1/1)#port 1/1/2
device-name(config-port-1/1/2)#exit

2. Enable LACP on the LAG:


device-name(config-lag-id-ag1)#lacp enable
device-name(config-lag-id-ag1)#commit
Commit complete.

3. Display LAG configuration:


device-name#show ethernet lag lag-id ag1 details
Interface Name ag1
Mode: network
Distribution Type: L2
Operational Status: up
LACP: enabled
LACP Mode: active
System ID: 005043b5aa66
System Priority: 32768
Administrative Key: 1
Marker: disabled

Port Admin Status Oper Status Priority Aggr Status


-----------------------------------------------------------
1/1/1 up up 32768 success
1/1/2 up up 32768 success


Configuring Device 3:
In the following example ports 1/1/3 and 1/1/4 are added to LAG ag2 on
which LACP is enabled.
1. Create static LAG ag2. Add relevant ports to the LAG:
device-name(config)#ethernet
device-name(config-ethernet)#lag lag-id ag2
device-name(config-lag-id-ag2)#port 1/1/3
device-name(config-port-1/1/3)#port 1/1/4
device-name(config-port-1/1/4)#exit

2. Enable LACP on the LAG:


device-name(config-lag-id-ag2)#lacp enable
device-name(config-lag-id-ag2)#commit
Commit complete.

3. Display LAG configuration:


device-name#show ethernet lag lag-id ag2 details
Interface Name ag2
Mode: network
Distribution Type: L2
Operational Status: up
LACP: enabled
LACP Mode: active
System ID: 005043b5aa77
System Priority: 32768
Administrative Key: 1
Marker: disabled

Port Admin Status Oper Status Priority Aggr Status


-----------------------------------------------------------
1/1/3 up up 32768 success
1/1/4 up up 32768 success


Resilient Links
Resilient links protect critical links and prevent network downtime. A resilient
link consists of a main link and a standby (backup) link that together form a
resilient-link pair. Under normal network conditions, the main link carries
network traffic. In case of signal loss, the device immediately switches to the
standby link. There is no session timeout since switchover to the standby link
occurs in less than one second.
If the main link has a higher bandwidth than its standby or if the main link is
configured as a preferred link, the device switches traffic back to the main link
as soon as the connection recovers. Otherwise, you must manually switch
traffic back to the main link.

Resilient Links Configuration Notes


When configuring resilient links, note the following:
• Define a resilient-link pair only on one end of the link. This provides a fully
  redundant network, even when connecting the device to other devices, such
  as routers and servers.
• If using shutdown mode, configure on one device (either local or remote).
• When configuring a VLAN, the resilient link ports must belong to the same
  VLAN.
You can configure a resilient link pair only if:
• The ports have the same PVID
• Neither port is part of a LAG
• Neither port belongs to another resilient-link pair


Resilient Link Commands


This section defines the command hierarchy for Resilient Links and lists the
available commands. A configuration example is also included.

Command Hierarchy
+ root
  + config terminal
    + ethernet
      + [no] resilient-link resN
        - backup-mode {standby | shutdown}
        - backup-port UU/SS/PP
        - primary-port UU/SS/PP
        - revertive

Command Descriptions

Table 3-6: Resilient Links Commands

Command
    Description

config terminal
    Enters Configuration mode

ethernet
    Enters Ethernet Configuration mode

resilient-link resN
    Enables the resilient link feature and enters Resilient-link
    Configuration mode:
    • N: in the range of <1-32>

no resilient-link
    Disables the resilient link feature

backup-mode {standby | shutdown}
    Defines the standby (backup) link behavior:
    • standby: the port is powered on (the LED for the port is on)
    • shutdown: the port is powered off (the LED for the port is off)
    • Default: Standby

backup-port UU/SS/PP
    Defines the standby (backup) port for the resilient-link pair:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

primary-port UU/SS/PP
    Defines the main port of the resilient-link pair:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

revertive
    Configures traffic to switch back to the main link once the link recovers
    • Default: Non-revertive mode

Configuration Example
In the following example, ports 1/1/1 and 1/1/2 define a resilient-link pair
res1.

1. Enter the Configuration mode of resilient link res1:


device-name(config-ethernet)#resilient-link res1

2. Define primary and backup ports:


device-name(config-resilient-link-res1)#primary-port 1/1/1
device-name(config-resilient-link-res1)#backup-port 1/1/2

3. Define resilient link behavior:


device-name(config-resilient-link-res1)#backup-mode standby
device-name(config-resilient-link-res1)#commit
Commit complete.

4. Display the resilient link configuration:


device-name#show ethernet resilient-link res1
INTERFACE BACKUP
NAME PRIMARY BACKUP REVERTIVE MODE ACTIVE SWAPS
---------------------------------------------------------------
res1 1/1/1 1/1/2 No standby N/A 0
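
The LAG Configuration restrictions and the resilient-link preconditions listed earlier in this chapter can be checked before a commit. The following Python check is an added example, not ECI code: it assumes a flat list of commands without prompts, treats the PVID as the port's default-vlan (1 when unset), and all function names and the sample command list are constructed for illustration.

```python
# Added illustration: a pre-commit check for the LAG and resilient-link rules in
# this chapter. Not ECI code; the parser is simplified and all names are hypothetical.
import re

ANY_PORT = r"\d+/\d+/\d+"
VALID_PORT = re.compile(r"1/(?:1/(?:[1-9]|1\d|2[0-4])|2/[1-4])")  # 1/1/1-1/1/24, 1/2/1-1/2/4


def parse(commands):
    """Collect LAG members, resilient-link pairs and default VLANs from a flat
    command list (no prompts, no 'no' forms, one configuration context at a time)."""
    lags, pairs, pvid, ctx = {}, {}, {}, None
    for raw in commands.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"lag lag-id (ag\d+)", line):
            ctx = ("lag", m.group(1))
            lags.setdefault(m.group(1), [])
        elif m := re.fullmatch(r"resilient-link (res\d+)", line):
            ctx = ("res", m.group(1))
            pairs.setdefault(m.group(1), {})
        elif m := re.fullmatch(rf"port ({ANY_PORT}) default-vlan (\d+)", line):
            pvid[m.group(1)] = int(m.group(2))
        elif (m := re.fullmatch(rf"port ({ANY_PORT})", line)) and ctx and ctx[0] == "lag":
            lags[ctx[1]].append(m.group(1))
        elif (m := re.fullmatch(rf"(primary|backup)-port ({ANY_PORT})", line)) and ctx and ctx[0] == "res":
            pairs[ctx[1]][m.group(1)] = m.group(2)
        elif line in ("ethernet", "exit"):
            ctx = None
    return lags, pairs, pvid


def validate(commands):
    """Return the list of rule violations found in the command list."""
    lags, pairs, pvid = parse(commands)
    errors, lag_of, pair_of = [], {}, {}

    def check_port(port, where):
        if not VALID_PORT.fullmatch(port):
            errors.append(f"{where}: {port} is outside 1/1/1-1/1/24, 1/2/1-1/2/4")

    for lag, ports in lags.items():
        if not 1 <= int(lag[2:]) <= 14:
            errors.append(f"{lag}: LAG IDs run from ag1 to ag14")
        if len(ports) > 8:
            errors.append(f"{lag}: {len(ports)} ports configured, a LAG holds at most 8")
        for port in ports:
            check_port(port, lag)
            if lag_of.setdefault(port, lag) != lag:       # one LAG per port
                errors.append(f"{port}: already in {lag_of[port]}, cannot join {lag}")
    for res, pair in pairs.items():
        if not 1 <= int(res[3:]) <= 32:
            errors.append(f"{res}: resilient links run from res1 to res32")
        if set(pair) != {"primary", "backup"}:
            errors.append(f"{res}: needs both primary-port and backup-port")
            continue
        # Assumption: PVID is the port's default-vlan, 1 when not configured.
        if pvid.get(pair["primary"], 1) != pvid.get(pair["backup"], 1):
            errors.append(f"{res}: primary and backup ports have different PVIDs")
        for port in pair.values():
            check_port(port, res)
            if port in lag_of:
                errors.append(f"{res}: {port} is part of {lag_of[port]}")
            if pair_of.setdefault(port, res) != res:
                errors.append(f"{res}: {port} already belongs to {pair_of[port]}")
    return errors


# Constructed candidate configuration containing several violations.
CANDIDATE = """\
ethernet
lag lag-id ag1
port 1/1/1
port 1/1/2
exit
ethernet
lag lag-id ag2
port 1/1/2
port 1/1/3
exit
port 1/1/5 default-vlan 10
ethernet
resilient-link res1
primary-port 1/1/3
backup-port 1/1/5
resilient-link res2
primary-port 1/1/5
backup-port 1/1/6
"""

if __name__ == "__main__":
    for problem in validate(CANDIDATE):
        print(problem)
```
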


MAC Learning Security Policies


The Port Security and Port Limit policies control how many addresses the
device can learn for a particular port.
• Port Security: MAC addresses are entered in the MAC Address table with
  a secure status. Secure MAC addresses are retained permanently and are
  excluded automatically when the switch floods all ports on receipt of an
  unknown address.
  NOTE: The allocated MAC addresses on a port are permanently secured.
• Port Limit: MAC addresses are entered in the MAC Address table with a
  dynamic status. Dynamic entries age and will eventually drop out of the
  MAC Address table.
On the device, you can define one or more MAC Learning Profiles and add to
each profile either Port Security or Port Limit. Once defined, you can apply
those profiles to the physical port.
To define the maximum number of addresses that can be learned, both Port
Security and Port Limit work in conjunction with the max-mac-count
command. If a limit is not set through this command, the device continues
to learn until the maximum number of addresses for the device is reached.
Beyond the limit, additional MAC addresses are entered into the MAC Address
table with a filtered status. Exceeding the defined limit for a port is
considered a security violation, on which the device can take action:
depending on the configured option, it either shuts down the port or generates
an SNMP trap and log message. Filtered addresses, which are not learned by the
device, remain in the table for later security analysis by the system
administrator.


MAC Learning Security Profile Commands


This section defines the command hierarchy for Port Security and Port Limit
and lists the available commands. A configuration example is also included.

Command Hierarchy
+ root
  + config terminal
    + ethernet
      + [no] mac-learning learning-profile NAME
        - [no] action {operational-shutdown | trap}
        - ignore-filtered-addresses
        - max-mac-count <number-of-addresses>
        - policy {port-limit | port-security}
        - [no] watermark count <number-of-addresses>
        - [no] watermark action {log | trap}
    + [no] port UU/SS/PP
      - [no] mac-learning-profile NAME
      - [no] tx-forward-unknown

Command Descriptions

Table 3-7: Layer-2 Port Security Commands

Command
    Description

config terminal
    Enters Configuration mode

ethernet
    Enters Ethernet Configuration mode

mac-learning learning-profile NAME
    Defines a specific MAC-learning profile and enters the MAC-learning
    Configuration mode:
    • NAME: profile name

no mac-learning learning-profile [NAME]
    Removes the defined profile:
    • NAME: (optional) profile name

action {operational-shutdown | trap}
    Defines the port reaction upon a security violation:
    • operational-shutdown: the port shuts down
    • trap: an SNMP trap and log message are generated

no action
    Removes the configured violation

ignore-filtered-addresses
    Disables configuring/learning of filtered MAC addresses in the MAC
    address table

max-mac-count <number-of-addresses>
    Defines the maximum number of secure MAC addresses the port can learn:
    • number-of-addresses: in the range of <1-4096>
    • Default: All MAC addresses are learned as secured

policy {port-limit | port-security}
    Defines the Layer-2 security technique:
    • port-limit
    • port-security

watermark count <number-of-addresses>
    Defines the maximum number of secure MAC addresses the port can learn
    before sending a notification:
    • number-of-addresses: in the range of <1-4096>
    • Default: All MAC addresses are learned as secured

no watermark count
    Restores to default

watermark action {log | trap}
    Defines the notification type sent by the port before a security
    violation occurs:
    • log: log message is generated
    • trap: trap is sent

no watermark action
    Removes the configured notification type

port
    Enters the Configuration Mode for the port

no port [UU/SS/PP]
    Removes port configurations

mac-learning-profile NAME
    Assigns a MAC-learning profile to a port:
    • NAME: profile name

no mac-learning-profile [NAME]
    Removes the assigned MAC-learning profile:
    • NAME: (optional) profile name

tx-forward-unknown
    Forwards unknown egress traffic that was sent to a secured/limited port

no tx-forward-unknown
    Drops unknown egress traffic sent to a secured/limited port
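
To show how the two policies differ once max-mac-count is reached, the following Python model replays the same source addresses against a port-limit port and a port-security port. It is an added example built from the descriptions in this section, not ECI code or device firmware; the class names, the point at which the watermark notification fires, and the sample addresses are assumptions.

```python
# Added illustration: a behavioural model of the MAC learning policies described
# in this chapter. It is not device firmware; class and method names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

SECURE, DYNAMIC, FILTERED = "secure", "dynamic", "filtered"


@dataclass
class LearningProfile:
    policy: str                             # "port-security" or "port-limit"
    max_mac_count: Optional[int] = None     # None: no limit configured
    action: Optional[str] = None            # "operational-shutdown" or "trap"
    watermark_count: Optional[int] = None
    watermark_action: Optional[str] = None  # "log" or "trap"
    ignore_filtered: bool = False           # ignore-filtered-addresses


@dataclass
class Port:
    profile: LearningProfile
    table: dict = field(default_factory=dict)   # MAC address -> status
    events: list = field(default_factory=list)  # (event, MAC) notifications
    oper_up: bool = True

    def learned(self) -> int:
        """Addresses counted against max-mac-count (filtered ones are not learned)."""
        return sum(1 for status in self.table.values() if status != FILTERED)

    def see(self, mac: str) -> Optional[str]:
        """Handle a frame with source address `mac`; return the entry status."""
        if not self.oper_up:
            return None                      # port was shut down by a violation
        mac = mac.lower()
        if mac in self.table:                # assumption: known entries keep their status
            return self.table[mac]
        p = self.profile
        if p.max_mac_count is not None and self.learned() >= p.max_mac_count:
            # Beyond the limit: security violation, the address is not learned.
            if not p.ignore_filtered:
                self.table[mac] = FILTERED   # kept for later analysis
            if p.action == "operational-shutdown":
                self.oper_up = False
                self.events.append(("shutdown", mac))
            elif p.action == "trap":
                self.events.append(("trap+log", mac))
            return FILTERED
        status = SECURE if p.policy == "port-security" else DYNAMIC
        self.table[mac] = status
        # Assumption: the watermark notification fires when the learned count
        # reaches watermark count, i.e. before any violation can occur.
        if p.watermark_action and self.learned() == p.watermark_count:
            self.events.append(("watermark-" + p.watermark_action, mac))
        return status

    def age_out(self) -> None:
        """Aging pass: dynamic entries drop out; secure and filtered entries stay."""
        self.table = {m: s for m, s in self.table.items() if s != DYNAMIC}


def compare_policies(macs, limit=2):
    """Feed the same source addresses to a port-limit and a port-security port."""
    limited = Port(LearningProfile("port-limit", limit, "trap", limit, "log"))
    secured = Port(LearningProfile("port-security", limit, "operational-shutdown"))
    result = {}
    for name, port in (("port-limit", limited), ("port-security", secured)):
        statuses = [port.see(mac) for mac in macs]
        port.age_out()
        result[name] = {"statuses": statuses, "events": [e for e, _ in port.events],
                        "after_aging": sorted(port.table.values()),
                        "oper_up": port.oper_up}
    return result


if __name__ == "__main__":
    sample = [f"02:00:00:00:00:{i:02x}" for i in range(1, 5)]   # constructed addresses
    for policy, outcome in compare_policies(sample).items():
        print(policy, outcome)
```

With operational-shutdown the port stops learning at the first violation, so only the first offending address is recorded as filtered; with trap every further unknown address is recorded unless ignore-filtered-addresses is set.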


Supported Standards, MIBs, and RFCs

Feature: Fast and Giga Ethernet Port
    Standards:
    • IEEE 802.3 Ethernet
    • IEEE 802.3u Fast Ethernet
    • IEEE 802.3x Flow Control
    • IEEE 802.3z Gigabit Ethernet
    MIBs:
    • Public MIBs: RFC 1213, Management Information Base for Network
      Management of TCP/IP-based internets: MIB-II (interface table and
      configL2IfaceTable)
    • RMON MIB
    • Private MIB, PRVT-SWITCH-MIB.mib
    RFCs:
    • RFC 2863 The Interfaces Group MIB (configL2IfaceTable and interface
      table)

Feature: Link Aggregation Groups (LAGs)
    Standards: IEEE 802.3ad
    MIBs: Private MIB, PRVT-PORTS-AGGREGATION-MIB.mib
    RFCs: No RFCs are supported by this feature

Feature: Resilience Links
    Standards: No standards are supported by this feature
    MIBs: Private MIB, PRVT-RESILIENT-LINK-MIB.mib
    RFCs: No RFCs are supported by this feature

Feature: MAC Learning Security Policies
    Standards: No standards are supported by this feature
    MIBs: Private MIB, PRVT-MAC-SECURITY-MIB.mib
    RFCs: No RFCs are supported by this feature



4 Virtual LANs (VLANs)

Features Included in This Chapter
This chapter provides an overall understanding of Virtual Local Area Network
(VLAN) concepts, including different configuration examples.
The chapter contains the following sections:
• Virtual LAN (VLAN)—IEEE 802.1Q
  VLANs are used to group users’ traffic with common requirements, as if
  they were on the same LAN although they may be in separate physical
  locations. The key benefit of VLANs is their flexibility in allowing any
  logical LAN to be implemented on any physical infrastructure.
• Super VLANs
  The Super VLAN is a mechanism for aggregating VLANs that share the
  same default router address and subnet mask, but remain isolated from one
  another's network traffic.


Virtual LAN (VLAN)—IEEE 802.1Q
VLAN tagging is a standard designed for grouping hosts with common
requirements, allowing them to communicate as if they were on the same LAN
regardless of their physical location. This allows a logical partition of a
physical LAN into different broadcast domains.
This standard also ensures that VLAN traffic is isolated from hosts that are not
members of the VLAN.
This technology is based on tagging Ethernet frames with VLAN IDs,
assigning each user to a specific VLAN. This prohibits Layer 2 mutual access
between workgroups with different VLAN IDs.

The VLAN Tagging Benefits


Implementing VLANs on the network has the following advantages:
• Flexibility—when a user moves to a different broadcast domain, the system
  administrator only has to reconfigure the port the user is connected to.
• Security—VLANs provide a greater degree of security than a traditional
  LAN since data packets of one VLAN are not transmitted to a different
  VLAN.
• Scalability—VLANs are not limited to a single device; they can span an
  enterprise organization or a WAN link.
• Service per VLAN—you can use separate VLANs for different services
  and features corresponding to each VLAN.


VLAN Traffic Behavior


VLAN tagging inserts a VLAN ID into the Ethernet frame header, associating
each frame with a specific VLAN. Using this method, the port that
interconnects devices can carry traffic for multiple VLANs over the same
physical connection.

Figure 4-1: IEEE 802.1Q Frame Tag Structure

A port can be a member of one or more VLANs. However, only one of these
VLANs can be the port’s default VLAN. Initially all the device ports are
members of a VLAN named Default (VLAN ID 1).
Ports assigned to different VLANs can communicate only through routing (and
not on Layer 2).


VLAN Tagging and Ingress Traffic


The VLAN membership and the port’s default VLAN affect the incoming
(ingress) traffic process as follows:
• If the traffic is VLAN-tagged:
  - if the port is a member of the VLAN, it processes the traffic
  - otherwise, the port drops this traffic
• If the traffic has no VLAN tag, the port adds its default VLAN ID to
  the frames and processes them accordingly.

Figure 4-2: VLANs in Ingress Traffic


VLAN Tagging and Egress Traffic


In addition to the VLANs a port is assigned to, the system administrator defines
whether the port is a tagged or an untagged member of a specified VLAN. This
affects the outgoing (egress) traffic process:
• If the port is an untagged member of a VLAN, it removes the VLAN ID
  tagging from this VLAN’s frames before forwarding them.
• If the port is a tagged member of a VLAN, it forwards this VLAN’s frames
  with their VLAN ID (without changing the frames).

Figure 4-3: VLANs in Egress Traffic
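
The ingress and egress rules above, applied to raw Ethernet frames in an added example (not code from the manual or the device). The port layout mirrors the manual's vl10 configuration example plus a hypothetical port 1/1/1 left only in the default VLAN; the Port class, the flood() helper and the sample frame are constructed for illustration, and flooding stands in for MAC learning.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag


def parse_vid(frame):
    """Return the VLAN ID in the frame's 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # the low 12 bits of the tag control field are the VLAN ID


def add_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag (TPID + priority/VLAN ID) after the source MAC address."""
    if not 1 <= vid <= 4092:  # VLAN ID range the manual gives for the vlan command
        raise ValueError("VLAN ID outside 1-4092")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp & 0x7) << 13 | vid) + frame[12:]


def strip_tag(frame):
    """Remove the 4-byte 802.1Q tag from a tagged frame."""
    return frame[:12] + frame[16:]


class Port:
    """Hypothetical model of one switch port's VLAN membership."""

    def __init__(self, default_vlan=1):
        self.default_vlan = default_vlan
        self.tagged = set()
        self.untagged = {1}  # initially every port is a member of the Default VLAN (ID 1)

    def ingress(self, frame):
        """Apply the ingress rules; return (vid, internally tagged frame) or None if dropped."""
        vid = parse_vid(frame)
        if vid is None:  # untagged: classify into the port's default VLAN
            return self.default_vlan, add_tag(frame, self.default_vlan)
        # Tagged: accept only VLANs the port belongs to. A priority tag (VID 0) is not
        # covered by the manual's rules; this model drops it like any non-member VLAN.
        if vid in self.tagged or vid in self.untagged:
            return vid, frame
        return None

    def egress(self, vid, frame):
        """Apply the egress rules; return the bytes put on the wire, or None if not a member."""
        if vid in self.untagged:
            return strip_tag(frame)
        if vid in self.tagged:
            return frame
        return None


def flood(ports, in_name, frame):
    """Deliver a frame to every other member port of its VLAN (no MAC learning here)."""
    accepted = ports[in_name].ingress(frame)
    if accepted is None:
        return {}
    vid, tagged = accepted
    sent = {name: port.egress(vid, tagged) for name, port in ports.items() if name != in_name}
    return {name: data for name, data in sent.items() if data is not None}


def example_ports():
    """vl10 membership from the manual's example; 1/1/1 is an extra default-VLAN-only port."""
    ports = {name: Port() for name in ("1/1/1", "1/1/6", "1/1/7", "1/2/3")}
    ports["1/1/6"].tagged.add(10)
    ports["1/1/7"].tagged.add(10)
    ports["1/2/3"].untagged.add(10)
    ports["1/2/3"].default_vlan = 10
    return ports


# Constructed sample: broadcast destination, locally administered source, IPv4 EtherType.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    ports = example_ports()
    for src, frame in (("1/2/3", UNTAGGED), ("1/1/1", add_tag(UNTAGGED, 10)), ("1/1/1", UNTAGGED)):
        out = flood(ports, src, frame)
        print(src, parse_vid(frame), {name: parse_vid(data) for name, data in out.items()})
```

The last case is the one to check during a review: because ports stay untagged members of VLAN 1 after being added to vl10, an untagged broadcast from 1/1/1 still reaches 1/1/6, 1/1/7 and 1/2/3 in this model.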

Management VLAN
A management VLAN is a VLAN on which management access to the device is
enabled. With management access, you can manage the device from a PC
that is connected to a port assigned to a management VLAN. Management
access includes:
• Telnet to the device
• SSH to the device
• SNMP management
• Pinging the device
• TFTP download or upload
• Receiving outgoing Syslog messages


By default, management access to the device is disabled on all VLANs. When
configuring a particular VLAN (in VLAN Configuration mode for that
VLAN), you can explicitly enable management access to the device on that
VLAN. This is done with the management command. The management VLAN
isolates the device’s management IP address from data traffic, preventing
unauthorized access and malicious attacks.

NOTE: You can specify more than one management VLAN per device.
Management VLANs cannot be deleted. If you need to
delete such a VLAN, you have to disable management
access on it first.

Configuring VLANs as Services


Because many features are applicable on a per-service basis, it makes
sense to simply address VLANs as services. Defining a VLAN as a service
makes it possible to configure multiple settings for this VLAN in one pass (in
the form of policies) and leaves room for future enhancements and
improvements.
For details on configuring policies on VLANs, refer to the Quality of Service
(QoS) chapter of this user guide.
For the specific commands for configuring VLANs as services, see 802.1Q
Service Configuration Commands.


VLAN Configuration Flow


The following figure displays the process to configure VLAN parameters.

Figure 4-4: VLAN Configuration Flow


VLAN Commands

VLAN Commands’ Hierarchy


+ root
+ config terminal
+ [no] vlan VLAN-NAME <vlan-id>
- [no] tagged UU/SS/PP
- [no] untagged UU/SS/PP
- [no] management
- [no] routing-interface swN
- show vlan

VLAN Commands’ Descriptions

Table 4-1: VLAN Commands

Command
    Description
config terminal
    Enters the Configuration mode
vlan VLAN-NAME <vlan-id>
    Creates a VLAN with the specified name and ID (VLAN tag) and enters the VLAN Configuration mode:
    • vlan-id: the valid range is <1–4092>
    • VLAN-NAME: a string of <1–31> characters
no vlan VLAN-NAME <vlan-id>
    Removes the existing VLAN:
    • vlan-id: the valid range is <1–4092>
    • VLAN-NAME: a string of <1–31> characters
tagged UU/SS/PP
    Adds a port as tagged to the specified VLAN:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
no tagged [UU/SS/PP]
    Removes tagged port(s) from the specified VLAN:
    • UU/SS/PP: (optional) 1/1/1-1/1/24, 1/2/1-1/2/4
untagged UU/SS/PP
    Adds a port as untagged to the specified VLAN:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

no untagged [UU/SS/PP]
    Removes untagged port(s) from the specified VLAN:
    • UU/SS/PP: (optional) 1/1/1-1/1/24, 1/2/1-1/2/4
management
    Enables management access to the device from the current VLAN
    • Default: Disabled
no management
    Disables management access to the device from the current VLAN
routing-interface swN
    Attaches an IP interface to the specified VLAN.
    The sw0 IP interface is attached only to the default VLAN (VLAN ID 1).
    • swN: an IP interface number; the valid range is <1–9999>
no routing-interface
    Detaches the IP interface from the specified VLAN
show vlan
    Displays VLAN configuration information

802.1Q Service Commands

802.1Q Service Commands’ Hierarchy


+ root
+ config terminal
+ service
- [no] dot1q <service-id>
- [no] sdp vlan <vlan-id>
- [no] port UU/SS/PP [untagged]
- [no] management
- [no] routing-interface swN
- show service dot1q


802.1Q Service Commands’ Descriptions

Table 4-2: 802.1Q Service Commands

Command
    Description
config terminal
    Enters the Configuration mode
service
    Enters the Service Configuration mode
dot1q <service-id>
    Enters the Service Configuration mode for the specified 802.1Q service:
    • service-id: ID of the service to configure; the valid range is <1-4294967294>
no dot1q [<service-id>]
    Removes the specified 802.1Q service or, when used without a parameter, removes all configured 802.1Q services:
    • service-id: (optional) ID of the service to remove
sdp vlan <vlan-id>
    Configures the Service Distribution Path (SDP) to the specified VLAN and enters the VLAN Configuration mode for that VLAN:
    • vlan-id: ID of the VLAN to configure; the valid range is <1-4092>
no sdp vlan [<vlan-id>]
    Removes the previously configured SDP to the specified VLAN from the 802.1Q service or, when used without a parameter, removes the SDPs to all configured VLANs for that service:
    • vlan-id: (optional) ID of the VLAN to remove
management
    Enables management access to the device from the current VLAN
    • Default: Disabled
no management
    Disables management access to the device from the current VLAN
routing-interface swN
    Attaches an IP interface to the specified VLAN.
    The sw0 IP interface is attached only to the default VLAN (VLAN ID 1).
    • swN: an IP interface number; the valid range is <1–9999>
no routing-interface
    Detaches the IP interface from the specified VLAN

port UU/SS/PP [untagged]
    Adds a port as a tagged or (optionally) untagged member of the specified VLAN:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
    • Default: The port is tagged
no port UU/SS/PP [untagged]
    Removes the tagged or (optionally) untagged port from the specified VLAN:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
show service dot1q
    Displays the currently configured 802.1Q services

VLAN Configuration Example


1. Enter Configuration mode for VLAN vl10 with ID 10:
device-name#config terminal
device-name(config)#vlan vl10 10

2. Add to the VLAN ports 1/1/6 and 1/1/7 as tagged:


device-name(config-vlan-vl10/10)#tagged 1/1/6
device-name(config-vlan-vl10/10)#tagged 1/1/7

3. Add to the VLAN port 1/2/3 as untagged:


device-name(config-vlan-vl10/10)#untagged 1/2/3
device-name(config-vlan-vl10/10)#port 1/2/3
device-name(config-port-1/2/3)#default-vlan 10

4. Configure a routing interface for this VLAN:


device-name(config)#router
device-name(config-router)#interface sw11
device-name(config-interface-sw11)#address 111.1.0.1/24
device-name(config-interface-sw11)#vlan vl10 10
device-name(config-vlan-vl10/10)#routing-interface sw11

5. Configure this VLAN as a management VLAN for the device:


device-name(config-vlan-vl10/10)#management
device-name(config-vlan-vl10/10)#commit
device-name(config-vlan-vl10/10)#end


6. Display the VLAN's information:


device-name(config-vlan-vl10/10)#pwd
Current submode path:
vlan vl10 10
device-name(config-vlan-vl10/10)#end
device-name#show vlan
===================================================================
VLANs Information
===================================================================
Name | L3 Interface |VTag| Created By | Owned By |
-------------------+--------------+----+-------------+------------+
default | sw0 |1 | User | User |
-------------------------------------------------------------------
Tagged Ports:
-------------------------------------------------------------------
Untagged Ports: 1/1/1 1/1/10 1/1/11 1/1/12 1/1/13 1/1/14 1/1/15
1/1/16 1/1/17 1/1/18 1/1/19 1/1/2 1/1/20 1/1/21
1/1/22
1/1/23 1/1/24 1/1/3 1/1/4 1/1/5 1/1/6 1/1/7 1/1/8
1/1/9 1/2/1 1/2/2 1/2/3 1/2/4
-------------------------------------------------------------------
===================================================================
Name | L3 Interface |VTag| Created By | Owned By |
-------------------+--------------+----+-------------+------------+
vl10 | sw11 |10 | User | User |
------------------------------------------------------------------
Tagged Ports: 1/1/6 1/1/7
-------------------------------------------------------------------
Untagged Ports: 1/2/3
===================================================================
System: 0 User: 2 Total: 2
===================================================================

Super VLANs
Super VLAN is a mechanism used to separate users that reside in the same
VLAN into multiple virtual broadcast domains.
With Super VLAN, system administrators can use the same IPv4 subnet and
default gateway IP address for users residing in the same switched
infrastructure. This helps decrease IPv4 address consumption and removes the
need for a dedicated IP subnet for each VLAN.
VLANs that are members of a Super VLAN are called sub-VLANs. Each sub-
VLAN is a broadcast domain isolated at Layer 2. When users in different sub-
VLANs need to communicate with each other, they use the IP address of the
virtual interface of the Super VLAN as the IP address of the gateway. The
virtual interface IP address is shared by multiple VLANs. This minimizes the
number of required IP addresses.


The following example illustrates the traffic flow when Super VLAN is not
configured: traffic entering the user device port is not restricted to the uplink
port; therefore, all the broadcast, unknown, and multicast packets are spread
over all the device VLANs.

Figure 4-5: Switching Decisions without the Super VLAN Agent

In contrast, the following example illustrates the traffic flow when
Super VLAN is configured: once switching decisions are made, the Super
VLAN agent overrules these decisions and directs the traffic to the Super
VLAN uplink port.

Figure 4-6: Switching Decisions with the Super VLAN Agent


Super VLAN Types


There are two types of Super VLAN:
• Super VLAN layer 2—Suitable for a Layer-2 switching environment, where
  the sub-VLANs and Super VLAN share the same IP subnet mask. The
  Super VLAN provides enhanced security between the customers, by
  disallowing communication between the sub-VLANs, whether or not they
  are located in the same LAN.
• Super VLAN ring topology—Suitable for ring topology networks using the
  Multiple Spanning Tree Protocol (MSTP). In these cases traffic can flow
  either clockwise or counterclockwise. Both ports connected to the ring are
  referred to as uplink ports, while the rest of the ports are referred to as user
  ports. In this case the Super VLAN uplink has to be one of the two ports
  that are connected to the rest of the ring.
  Use this topology when the Super VLAN port has to be the root port of the
  bridge. In this topology, the bridge selects the Super VLAN uplink port
  dynamically from the two uplink ports. If a topology
  change occurs, the Super VLAN uplink changes automatically and the new
  root port is selected as the Super VLAN uplink port.

  In the figure below, one of the clients connected to device D sends
  broadcast traffic. The traffic travels counterclockwise only, since the Super
  VLAN active uplink port is the root port. If the link between device B and
  A is disconnected, a topology change occurs and device D selects a new
  Super VLAN uplink port. As a result, traffic flows clockwise only.
  Dynamic Super VLAN takes effect on all the bridges, except for the root
  bridge since it does not have a root port (only designated ports).


Figure 4-7: Super VLAN Ring Mode Configuration Example

Super-VLAN Commands

Super-VLAN Commands’ Hierarchy


+ root
+ config terminal
+ [no] super-vlan UU/SS/PP
+ [no] ring-ports UU1/SS1/PP1 UU2/SS2/PP2
- [no] preferred-interface UU/SS/PP
- [no] vlan <vlan-id>
- [no] target-port UU/SS/PP
- [no] c-vlan <vlan-id> vlan-mask <vlan-mask>
- show super-vlan [ring-ports UU1/SS1/PP1 UU2/SS2/PP2 active-interface]
- show super-vlan


Super-VLAN Commands’ Descriptions

Table 4-3: Super-VLAN Commands

Command
    Description
config terminal
    Enters the Configuration mode
super-vlan UU/SS/PP
    Defines a user port used by the Super-VLAN mechanism and enters the Super-VLAN Configuration mode:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
    • Default: Disabled
no super-vlan
    Restores to default
ring-ports UU1/SS1/PP1 UU2/SS2/PP2
    Defines uplink ports used by the Super-VLAN mechanism for networks with a ring topology:
    • UU1/SS1/PP1: first uplink ring port
    • UU2/SS2/PP2: second uplink ring port
    The correct range is:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
no ring-ports
    Removes the selected uplink ports
preferred-interface UU/SS/PP
    Selects a preferred uplink port for the Super-VLAN ring-topology mechanism:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
no preferred-interface
    Removes the selected uplink port
vlan <vlan-id>
    Defines a VLAN of which the uplink ring ports are members:
    • vlan-id: the valid range is <1-4092>
    • Default: The Super-VLAN mechanism is applied on the uplink ring ports for all VLANs of which these ports are members
no vlan
    Restores the default
target-port UU/SS/PP
    Defines an uplink port used by the Super-VLAN mechanism for networks:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
no target-port
    Removes the selected uplink port

c-vlan <vlan-id> vlan-mask <vlan-mask>
    Enables the Super-VLAN mechanism on a specific user port that is a member of more than one VLAN:
    • vlan-id: the valid range is <1-4092>
    • vlan-mask: in hexadecimal format FF:FF:FF:FF. The last 4 bits are meaningful.
    • Default: Disabled
no c-vlan <vlan-id> vlan-mask
    Restores to default
show super-vlan ring-ports [UU1/SS1/PP1 UU2/SS2/PP2 active-interface]
    Displays the Super-VLAN ring-topology configuration:
    • UU1/SS1/PP1: first uplink ring port
    • UU2/SS2/PP2: second uplink ring port
    The correct range is:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
show super-vlan
    Displays the Super-VLAN configuration

Example

The following example demonstrates how to configure the Super-VLAN mechanism
for a network with a ring topology:
1. Define a user port used by the Super-VLAN mechanism:
device-name(config)#super-vlan 1/1/1
device-name(config-super-vlan-1/1/1)#

2. Define uplink ports used by the Super-VLAN in ring mode:


device-name(config-super-vlan-1/1/1)#ring-ports 1/1/2 1/1/3

3. Select a preferred uplink port for the Super-VLAN ring-topology:


device-name(config-super-vlan-1/1/1)#ring-ports 1/1/2 1/1/3 preferred-interface 1/1/2
device-name(config-ring-ports-1/1/2/1/1/3)#exit

4. Enable the Super-VLAN on a specific user-vlan:


device-name(config-super-vlan-1/1/1)#c-vlan 10


5. Display the Super-VLAN ring-topology configuration:


device-name#show super-vlan
===================================================================
User port Target port Ring ports Preferred port Active port
===================================================================
1/1/1 - 1/1/2 1/1/3 1/1/2 1/1/2

device-name#show super-vlan ring-ports


FIRST SECOND
RING RING ACTIVE
PORT PORT INTERFACE
--------------------------
1/1/2 1/1/3 1/1/2

Supported Standards, MIBs, and RFCs

Feature: Virtual LANs
    Standards: IEEE 802.1Q-1998; IEEE 802.1Q-2003; IEEE 802.1P; IEEE 802.1u-2001
    MIBs: Public MIBs:
    • IEEE 802.1Q
    • Q-BRIDGE-MIB.mib
    RFCs: No RFCs are supported by this feature.
Feature: Super VLANs
    Standards: No standards are supported by this feature.
    MIBs: Private MIB, PRVT-SUPER-VLAN-MIB.mib
    RFCs: RFC 3069, VLAN Aggregation for Efficient IP Address Allocation



5
Transparent LAN Services (TLS)

Transparent LAN Services (TLS)


Deploying the Transparent LAN Services (TLS) enables network operators to
transport a large number of customers’ virtual LANs (VLANs) while keeping
traffic secured in each VLAN. The TLS mechanism establishes Layer 2 tunnels
inside the service provider network where traffic from different customers is
segregated and where it is marked with an appropriate tunnel name.

802.1Q Tunneling
802.1Q tunneling allows the deployment of secure TLS, using IEEE 802.1Q
standard tags. The main advantage of 802.1Q tunneling is that it enables
service providers to use a separate service VLAN (S-VLAN) to support
customers who have multiple VLANs, while preserving the customer VLAN
IDs and keeping traffic in the different customers’ VLANs (C-VLANs)
segregated.
802.1Q tunneling expands the VLAN space by adding an additional 802.1Q tag
(the tunnel ID) to all previously-tagged packets when they enter the service
provider infrastructure, as illustrated in the below figure.


Figure 5-1: 802.1Q Tunneling Configuration

The new frame contains the original C-VLAN tag and the new S-VLAN tag.
A port that is configured to support 802.1Q tunneling is called a tunnel port.
When you configure tunneling, you assign a tunnel port to a VLAN that you
dedicate to tunneling.
Three types of ports are defined on the network devices that are deployed by
the service provider:
• Residential port—a port that is connected to a user and does not participate
  in the TLS. Packets that are transmitted through this port have no added
  tag.
• Access (SAP) port—a port that is connected to a user and participates in
  the TLS. Packets that are transmitted through this port have no added tag.
• Core (SDP) port—a port that is connected to the service provider’s
  network. All packets that are transmitted through this port are either control
  packets or packets with an additional tag. If the packets arrive from an
  access (user) port, the additional tag header is added. If the packets
  arrive from a residential port, the additional tag header is not added.

NOTE: SAP and SDP ports have to be untagged members
of the default VLAN.


When an access port (SAP) receives tagged customer traffic from an 802.1Q-
port on the customer device, it does not strip the received 802.1Q tag from the
frame header. Instead, the access port (SAP) leaves the 802.1Q tag intact, adds
a 2-byte EtherType field (0x8100) followed by a 2-byte field containing the
priority (CoS) and the VLAN.
An egress core port (SDP) strips the 2-byte EtherType field (0x8100) and the
2-byte length field and transmits the traffic with the 802.1Q tag still intact to
the customer device. The 802.1Q-port on the customer device strips the 802.1Q
tag and puts the traffic into the appropriate customer VLAN.

Layer 2 Protocol Tunneling (L2PT)


Layer 2 protocol tunneling allows IEEE Layer 2 protocol data units (PDUs) to
be tunneled through a network. L2PT is based on software encapsulation of
PDUs in the ingress service provider edge devices. The encapsulation
involves rewriting the destination media access control (MAC) address in the
PDU. The ingress service provider edge devices rewrite the destination
multicast MAC address of the received PDUs, replacing it with
predefined multicast tunnel MAC addresses that ensure transparent L2CP
traffic flow.
All devices inside the service provider network treat these encapsulated frames
as regular data packets and forward them appropriately. The egress service
provider edge devices listen for these special encapsulated frames and
decapsulate them before forwarding them out of the tunnel.


TLS Configuration Flow

Figure 5-2: TLS Configuration Flow


TLS Commands

TLS Commands’ Hierarchy


+ root
+ config terminal
+ l2-tunneling
- [no] profile {PROFILE-NAME | discard-all | tunnel-all | tunnel-bpdu}
- [no] protocol PROTOCOL-NAME action {discard | tunnel}
+ [no] protocol PROTOCOL-NAME
- [no] ethertype <value>
- standard-mac HH:HH:HH:HH:HH:HH
- tunnel-mac HH:HH:HH:HH:HH:HH
- [no] shutdown
+ service
+ [no] tls <service-id>
- [no] sap UU/SS/PP
- [no] c-vlan {<cvlan-id> | all}
- [no] tunnel-profile {PROFILE-NAME | discard-all | tunnel-all | tunnel-bpdu}
- [no] sdp s-vlan <svlan-id>
- [no] interface UU/SS/PP
- [no] tunnel-profile {PROFILE-NAME | discard-all | tunnel-all | tunnel-bpdu}
- show l2-tunneling profiles
- show l2-tunneling protocols
- show l2-tunneling statistics
- show service tls


TLS Commands’ Descriptions


Table 5-1: TLS Commands

Command
    Description
config terminal
    Enters the Configuration mode
l2-tunneling
    Enables the Layer 2 protocol tunneling (L2PT) and enters the L2PT Configuration mode
    • Default: Disabled
profile {PROFILE-NAME | discard-all | tunnel-all | tunnel-bpdu}
    Configures a specific tunnel profile:
    • PROFILE-NAME: a custom profile name of <1-32> characters
    • discard-all: discards only Layer 2 protocol PDUs
    • tunnel-all: tunnels only Layer 2 protocol PDUs
    • tunnel-bpdu: tunnels only xSTP packets
no profile [PROFILE-NAME]
    Removes the defined tunnel profile:
    • PROFILE-NAME: (optional) a custom profile name of <1-32> characters
protocol PROTOCOL-NAME action {discard | tunnel}
    Defines the protocol action:
    • PROTOCOL-NAME: a string of <1-32> characters or see Table 5-2 for predefined protocol names
    • discard: discards PDUs of the specified protocol
    • tunnel: tunnels PDUs of the specified protocol
no protocol [PROTOCOL-NAME]
    Removes the defined protocol name:
    • PROTOCOL-NAME: a string of <1-32> characters or see Table 5-2 for predefined protocol names
protocol PROTOCOL-NAME
    Defines the Layer 2 protocol name whose PDUs are tunneled/discarded and enters the Layer 2 Protocol Configuration mode:
    • PROTOCOL-NAME: a string of <1-32> characters or see Table 5-2 for predefined protocol names

no protocol [PROTOCOL-NAME]
    Removes the defined protocol name:
    • PROTOCOL-NAME: a string of <1-32> characters or see Table 5-2 for predefined protocol names
ethertype <value>
    Indicates which protocol is encapsulated in the payload of the Ethernet frame:
    • value: in hexadecimal format (for example 0x9000)
    • Default: 0x8100
no ethertype
    Restores to default
standard-mac HH:HH:HH:HH:HH:HH
    Defines the original multicast destination MAC address of the specified protocol:
    • HH:HH:HH:HH:HH:HH: in hexadecimal format (see Table 5-3)
tunnel-mac HH:HH:HH:HH:HH:HH
    Defines a multicast tunnel MAC address that rewrites the original multicast destination MAC address in the encapsulated Layer 2 PDUs:
    • HH:HH:HH:HH:HH:HH: in hexadecimal format
shutdown
    Disables the defined tunnel profile
no shutdown
    Enables the defined tunnel profile
service
    Enters the Service mode
tls <service-id>
    Creates a TLS service instance and enters the TLS Configuration mode:
    • service-id: in the range of <1–4294967295>
no tls <service-id>
    Removes the defined TLS instance
sap UU/SS/PP
    Creates a service access point (SAP) and enters the SAP Configuration mode:
    • UU/SS/PP: the SAP port in the range of 1/1/1-1/1/24, 1/2/1-1/2/4. This port has to be an untagged member of the S-VLAN.
no sap UU/SS/PP
    Removes the defined SAP:
    • UU/SS/PP: the SAP port in the range of 1/1/1-1/1/24, 1/2/1-1/2/4.

c-vlan {<cvlan-id> | all}
    Defines a customer VLAN (C-VLAN) and enters the C-VLAN Configuration mode:
    • cvlan-id: in the range of <1-4092>
    • all: tunnels all the traffic
no c-vlan {<cvlan-id> | all}
    Removes the defined C-VLAN:
    • cvlan-id: in the range of <1-4092>
    • all: tunnels all the traffic
tunnel-profile {PROFILE-NAME | discard-all | tunnel-all | tunnel-bpdu}
    Applies the user-defined or predefined tunnel profile on a specified SAP:
    • PROFILE-NAME: a string of <1-32> characters
    • discard-all: discards only Layer 2 protocol PDUs
    • tunnel-all: tunnels only Layer 2 protocol PDUs
    • tunnel-bpdu: tunnels only xSTP packets
no tunnel-profile {PROFILE-NAME | discard-all | tunnel-all | tunnel-bpdu}
    Removes the defined tunnel profile:
    • PROFILE-NAME: a string of <1-32> characters
    • discard-all: discards only Layer 2 protocol PDUs
    • tunnel-all: tunnels only Layer 2 protocol PDUs
    • tunnel-bpdu: tunnels only xSTP packets
sdp s-vlan <svlan-id>
    Creates a service distribution point (SDP) and enters the SDP Configuration mode:
    • svlan-id: in the range of <1-4092>
no sdp s-vlan <svlan-id>
    Removes the defined SDP
interface UU/SS/PP
    Defines the SDP port:
    • UU/SS/PP: the SDP port in the range of 1/1/1-1/1/24, 1/2/1-1/2/4. This port has to be an untagged member of the S-VLAN.
no interface UU/SS/PP
    Removes the defined SDP port:
    • UU/SS/PP: the SDP port in the range of 1/1/1-1/1/24, 1/2/1-1/2/4.

tunnel-profile {PROFILE-NAME | discard-all | tunnel-all | tunnel-bpdu}
    Applies the user-defined or predefined tunnel profile on a specified SAP:
    • PROFILE-NAME: a string of <1-32> characters
    • discard-all: discards only Layer 2 protocol PDUs
    • tunnel-all: tunnels only Layer 2 protocol PDUs
    • tunnel-bpdu: tunnels only xSTP packets
no tunnel-profile {PROFILE-NAME | discard-all | tunnel-all | tunnel-bpdu}
    Removes the defined tunnel profile:
    • PROFILE-NAME: a string of <1-32> characters
    • discard-all: discards only Layer 2 protocol PDUs
    • tunnel-all: tunnels only Layer 2 protocol PDUs
    • tunnel-bpdu: tunnels only xSTP packets
show l2-tunneling profiles
    Displays TLS profile names used to define the tunneling policy
show l2-tunneling protocols
    Displays the L2PT encapsulation information
show l2-tunneling statistics
    Displays Layer 2 protocol tunneling statistics
show service tls
    Displays information about all currently configured TLS services

Table 5-2: Predefined Protocols

Protocol
    Description
all-brs
    Specifies that the PDUs intended for the MAC address that is reserved for the exclusive use by the All Bridges are tunneled/discarded
other
    Specifies that the PDUs intended for the MAC addresses from the bridge block but are not PDUs of any of the specified protocols are tunneled/discarded
dot1x
    IEEE 802.1x standard
efm-oam
    Ethernet in the First Mile-Operations, Administration and Maintenance standard
e-lmi
    Enhanced Local Management Interface
garp
    Generic Attribute Registration Protocol
lacp
    Link Aggregation Protocol
lldp
    Link Layer Discovery Protocol

pvst
    Per-VLAN Spanning Tree (PVST) maintains a spanning tree instance for each VLAN configured in the network. Since PVST treats each VLAN as a separate network, it has the ability to load balance traffic (at Layer 2) by forwarding some VLANs on one link and other VLANs on another link without causing a spanning tree loop.
pb-stp
    Provider Bridge Spanning Tree Protocol
stp
    Spanning Tree Protocol

Table 5-3: Default Multicast MAC Addresses

Protocol                        MAC Address
xSTP                            01-A0-12-FF-FF-00
LACP/LAMP                       01-A0-12-FF-FF-02
Link OAM (802.3ah)              01-A0-12-FF-FF-02
Port Authentication (802.1x)    01-A0-12-FF-FF-03
E-LMI                           01-A0-12-FF-FF-07
LLDP (802.1AB)                  01-A0-12-FF-FF-0E
Bridge block of protocols       01-A0-12-FF-FF-0X
    NOTE: X denotes a random digit from 0 to F. When it is found in the original MAC, it is preserved in the replacement MAC.
All Bridges                     01-A0-12-FF-FF-10
GARP Block of protocols         01-A0-12-FF-FF-2X
    NOTE: X denotes a random digit from 0 to F. When it is found in the original MAC, it is preserved in the replacement MAC.
Provider bridge STP             01-A0-12-FF-FF-08
PVST                            01-A0-12-CC-CC-CD

When you configure the destination MAC address for encapsulated PDUs, you
must leave the last byte of the MAC address at its default value for the
Bridge block of protocols and the GARP Block of protocols:
• 00—for Bridge block of protocols
• 20—for GARP Block of protocols
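
The destination-MAC rewrite that L2PT performs at the provider edge, as an added example rather than the device's implementation. It reads the Table 5-3 defaults as the tunnel (replacement) addresses; the standard group addresses (the usual IEEE 802.1 and Cisco PVST+ values), the sample profile and the frames are assumptions constructed for illustration.

```python
def mac(text):
    """Parse 'HH-HH-HH-HH-HH-HH' into 6 bytes."""
    return bytes.fromhex(text.replace("-", ""))


# Protocol name (Table 5-2) -> (standard group address, default tunnel address, Table 5-3).
# The standard addresses are assumed here because the manual does not list them.
# efm-oam shares the lacp address and is not told apart in this sketch.
EXACT = {
    "stp":     (mac("01-80-C2-00-00-00"), mac("01-A0-12-FF-FF-00")),
    "lacp":    (mac("01-80-C2-00-00-02"), mac("01-A0-12-FF-FF-02")),
    "dot1x":   (mac("01-80-C2-00-00-03"), mac("01-A0-12-FF-FF-03")),
    "e-lmi":   (mac("01-80-C2-00-00-07"), mac("01-A0-12-FF-FF-07")),
    "pb-stp":  (mac("01-80-C2-00-00-08"), mac("01-A0-12-FF-FF-08")),
    "lldp":    (mac("01-80-C2-00-00-0E"), mac("01-A0-12-FF-FF-0E")),
    "all-brs": (mac("01-80-C2-00-00-10"), mac("01-A0-12-FF-FF-10")),
    "pvst":    (mac("01-00-0C-CC-CC-CD"), mac("01-A0-12-CC-CC-CD")),
}
# Address blocks: the low nibble of the last byte (the "X" in Table 5-3) is preserved,
# so the configured last byte stays 00 (bridge block) or 20 (GARP block).
BLOCKS = {
    "other": (mac("01-80-C2-00-00-00"), mac("01-A0-12-FF-FF-00")),
    "garp":  (mac("01-80-C2-00-00-20"), mac("01-A0-12-FF-FF-20")),
}
# Constructed custom tunnel profile: protocol name -> action.
PROFILE = {"stp": "tunnel", "garp": "tunnel", "lldp": "discard"}


def lookup(dst, column):
    """Classify a destination MAC; column 0 matches standard, 1 matches tunnel addresses."""
    for name, pair in EXACT.items():
        if dst == pair[column]:
            return name, pair
    for name, pair in BLOCKS.items():
        base = pair[column]
        if dst[:5] == base[:5] and (dst[5] & 0xF0) == base[5]:
            return name, pair
    return None, None


def rewrite(frame, name, target):
    """Replace the destination MAC, keeping the low nibble for block protocols."""
    last = target[5] | (frame[5] & 0x0F) if name in BLOCKS else target[5]
    return target[:5] + bytes([last]) + frame[6:]


def encapsulate(frame, profile):
    """Ingress edge: return the tunneled frame, None if discarded, or the frame unchanged."""
    name, pair = lookup(frame[:6], 0)
    action = profile.get(name)
    if action == "discard":
        return None
    if action != "tunnel":
        return frame  # not a listed PDU, or the profile has no action for it
    return rewrite(frame, name, pair[1])


def decapsulate(frame):
    """Egress edge: restore the standard destination MAC of a tunneled PDU."""
    name, pair = lookup(frame[:6], 1)
    return frame if name is None else rewrite(frame, name, pair[0])


# Constructed sample frames (destination, source, first payload bytes only).
SRC = mac("02-00-00-00-00-01")
BPDU = mac("01-80-C2-00-00-00") + SRC + b"\x00\x26\x42\x42\x03"
GVRP = mac("01-80-C2-00-00-21") + SRC + b"\x00\x10\x42\x42\x03"
LLDP = mac("01-80-C2-00-00-0E") + SRC + b"\x88\xcc"

if __name__ == "__main__":
    for label, frame in (("BPDU", BPDU), ("GVRP", GVRP), ("LLDP", LLDP)):
        out = encapsulate(frame, PROFILE)
        print(label, "discarded" if out is None else out[:6].hex("-"))
```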


TLS Configuration Example

Figure 5-3: TLS Interface Example

1. Create a TLS service instance:


device-name(config)#service
device-name(config-service)#tls 1

2. Define an SDP on port 1/1/1:


device-name(config-tls-1)#sdp s-vlan 100 interface 1/1/1
device-name(config-interface-1/1/1)#exit
device-name(config-s-vlan-100)#exit

3. Define SAPs on ports 1/1/3 and 1/1/8:


device-name(config-tls-1)#sap 1/1/3 c-vlan all
device-name(config-c-vlan-all)#sap 1/1/8 c-vlan all
device-name(config-c-vlan-all)#commit

Supported Standards, MIBs, and RFCs

Features               Standards              MIBs                          RFCs
Transparent LAN        No standards are       Private MIBs:                 No RFCs are
Services (TLS)         supported by this      • PRVT-SERV-MIB.mib           supported by this
                       feature.               • PRVT-L2TUNNELING-MIB.mib    feature.



6 Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s)

Overview
Based on RSTP, MSTP allows using multiple spanning tree instances (MSTI)
by mapping groups of VLANs to appropriate MSTP instances. Each MSTI is
an RSTP instance that has its own independent topology and it is applied on a
predefined set of VLANs.
MSTP includes all its spanning tree information in a single BPDU format. This
reduces the number of BPDUs required on a LAN to communicate spanning
tree information for each instance and ensures backward compatibility with
RSTP and STP.

MSTP Regions
An MSTP region is a collection of interconnected bridges that share the same
MSTP configuration.
Devices in the same MST region share the following attributes:
• region name
• the region’s revision number
• the MST instance-to-VLAN assignment map (each VLAN can be mapped
only to one instance)
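
The following added example (not part of the manual) groups bridges into regions by the three attributes above. It goes one step beyond the list: IEEE 802.1Q bridges do not exchange the whole VLAN map but compare an HMAC-MD5 digest of it, computed with a fixed key defined by the standard, so the example compares that digest. The bridge names, the region name and the sample maps are constructed.

```python
import hashlib
import hmac
import struct

# Fixed signature key defined by IEEE 802.1Q for the MST Configuration Digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def config_digest(vlan_to_instance):
    """HMAC-MD5 over a table of 4096 16-bit instance IDs indexed by VLAN ID.

    VLANs that are not listed stay mapped to instance 0 (the CIST);
    table entries 0 and 4095 are always 0.
    """
    table = [0] * 4096
    for vid, instance in vlan_to_instance.items():
        # The standard's table covers VLAN 1-4094; the CLI in this manual
        # accepts 1-4092 for vlan-per-instance.
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vid}")
        if not 0 <= instance <= 15:  # the manual allows instances 0-15
            raise ValueError(f"instance ID out of range: {instance}")
        table[vid] = instance
    packed = struct.pack(">4096H", *table)
    return hmac.new(DIGEST_KEY, packed, hashlib.md5).hexdigest().upper()


def region_id(name, revision, vlan_to_instance):
    """The triple that two bridges must share to be in one region."""
    if not 0 <= revision <= 65535:
        raise ValueError(f"revision out of range: {revision}")
    # Region names are case-sensitive, so they are compared as given.
    return (name, revision, config_digest(vlan_to_instance))


def group_by_region(bridges):
    """bridges: {bridge: (region_name, revision, vlan_map)} -> list of groups."""
    regions = {}
    for bridge, cfg in bridges.items():
        regions.setdefault(region_id(*cfg), []).append(bridge)
    return sorted(sorted(members) for members in regions.values())


# Constructed sample: Device4 lacks the VLAN 100 mapping, so it forms its
# own region and its links to the other devices become boundary ports.
SAMPLE_BRIDGES = {
    "Device1": ("metro-1", 1, {100: 1, 200: 2}),
    "Device2": ("metro-1", 1, {100: 1, 200: 2}),
    "Device3": ("metro-1", 1, {100: 1, 200: 2}),
    "Device4": ("metro-1", 1, {200: 2}),
}

if __name__ == "__main__":
    for group in group_by_region(SAMPLE_BRIDGES):
        print(group)
```
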


MST Instances (MSTI)


Each bridge in the MSTP region contains up to 16 MSTIs which act like
separate RSTP bridges for a specific set of configured VLANs. All MSTIs
within the same region share the same protocol timers, but each instance has its
own topology parameters, such as root-device ID, root path-cost, and active
topology. By manipulating these parameters, the system administrator can modify
the spanning tree topology (defining forwarding ports and blocked ports) for
the MSTI VLANs, thus achieving traffic load-balancing within the region.
The MSTIs are identified by their instance ID:
• Instance 0: this is the Common Internal Spanning Tree (CIST) to which all
VLANs are mapped by default. This instance is obligatory and cannot be
removed.
• Instances 1–15: user-configurable, optional instances, to which the system
administrator maps sets of VLANs.
The figure below illustrates load balancing. In MSTI 1:
• Device C is the MST Root
• The port on Device B connected to Device A is blocked
• Traffic for VLANs 101–200 flows between Device C and Device A
However, for MSTI 2:
• Device B is the MST Root
• The port on Device C connected to Device A is blocked
• Traffic for VLANs 201–300 flows between Device B and Device A

Figure 6-1: MSTP within a Region


MST-to-Single Spanning Tree (SST) Interoperability
Load balancing is supported only within the MSTP region.
Outside the region, the spanning tree information is carried by MST instance 0,
enabling the MST region to participate in the Common Spanning Tree (CST)
of legacy xSTP bridges and other MSTP regions it is connected to.
This region is responsible for combining all Internal Spanning Tree (IST)
information and forwarding it to the CST, handling the CST information and
setting the roles of the region’s boundary ports. As a consequence, each MSTP
region acts as a single RSTP bridge within the CST topology.
Each region has only one boundary port that can be the region’s Root port,
connecting the region to the CST Root bridge (the CIST Root). This port is
called the Master port. Boundary ports providing alternative paths from the
region to the CIST Root are blocked (set to Alternative). Boundary ports that
provide connectivity to Designated LANs can be set as Designated ports.


The MSTI Parameters


Table 6-1: MSTI Parameters

Parameter             Description
Boundary Ports        Connect the designated bridge (an SST bridge or a bridge with
                      a different MST configuration) to a LAN.
                      A designated port identifies itself as a boundary port (the
                      boundary flag set) if it detects an STP bridge or receives an
                      agreement message from an RST or MST bridge with a
                      different configuration.
                      The MST ports’ roles at the boundary are not important, since
                      they are forced to the same state as the IST port state. The
                      IST port at the boundary can take any port role except a
                      backup port role.
IST Master            The IST master of an MST region is the bridge with the lowest
                      bridge identifier and the lowest path cost to the CST root.
                      • If an MST bridge is the root bridge of the CIST in a region,
                        then it is the IST master of that MST region.
                      • If the CST root is outside the MST region, then one of the
                        MST bridges at the boundary is selected as the IST master.
                        Other bridges on the boundary that belong to the same
                        region eventually block the boundary ports that lead to the
                        root.
                      • If two or more bridges have an identical path to the root,
                        you can set a lower bridge priority value to make a specific
                        bridge the IST master.
                      The root path-cost and message age inside a region stay
                      constant. However, the IST path cost is incremented and the
                      IST remaining hops are decremented at each hop.
Regional Root         The MSTI Regional root is the root bridge of each MSTI within
                      a region.
                      In case of IST, it is the CIST Regional root. Therefore, the
                      terms “IST Master” and “CIST Regional root” are
                      interchangeable.
Edge Ports            A port connected to a non-bridging device (for example, a host
                      or a device). A port that connects to a hub is also an edge
                      port if the hub or any LAN that is connected to it does not
                      have a bridge.
                      An edge port can start forwarding as soon as its link is up.
Link-Type             Rapid connectivity is established only on point-to-point links.
                      When connecting a port to another port through a point-to-point
                      link and the local port becomes a designated port, RSTP
                      negotiates a rapid transition with the other port, using the
                      proposal-agreement handshake to ensure a loop-free topology.
                      By default, the link-type is automatically determined by the
                      port’s duplex state. However, in case of a half-duplex link
                      physically connected point-to-point to a single port on a
                      remote device running RSTP, you can override the link-type
                      default setting and enable rapid transitions to Forwarding
                      state.
Message Age and       IST and MSTIs use a hop count mechanism similar to the IP
Hop Count             time-to-live (TTL) mechanism. Users can configure the
                      maximum MST bridge hop count.
                      The MSTI root bridge sends a BPDU (or M-record) with the
                      remaining hop count. The bridge receiving the BPDU (or
                      M-record) decrements the remaining hop count by one.
                      If after decrementing, the hop count reaches zero, the bridge
                      discards the BPDU and ages out the port information. Non-root
                      bridges propagate the decremented count as the remaining hop
                      count in the BPDUs they generate.
Port Priority         The port priority determines the port’s Forwarding state in
                      case of a loop.
                      MSTP selects the port with the highest priority (lower priority
                      value) first. In case all ports have the same priority, MSTP
                      selects the port with the lowest number and blocks all other
                      ports.
Path Cost             MSTP uses the path cost when selecting the forwarding port in
                      case of a loop.
                      The port’s default path-cost derives from its link speed.
                      However, you can define lower cost values to ports you want
                      selected first and higher cost values to ports you want
                      selected last.
                      In case all ports have the same path cost value, MSTP selects
                      the port with the lowest number and blocks all other ports.


Interoperability with 802.1D STP
A device running MSTP supports a built-in protocol migration mechanism that
enables it to interoperate with legacy 802.1D devices.
If this device receives a legacy 802.1D configuration BPDU (a BPDU with the
protocol version set to 0), it sends only 802.1D BPDUs on that port. An MSTP
device can also detect that a port is at the boundary of a region when it receives
a legacy BPDU, an MST BPDU (version 3) associated with a different region,
or an RST BPDU (version 2).
However, the device cannot determine whether the legacy device is removed
from the link (unless the legacy device is the designated device). Therefore, it
does not automatically revert to the MSTP mode if it no longer receives 802.1D
BPDUs.
Also, a device might continue to assign a boundary role to a port when the
device to which it is connected has joined the region.
If all the legacy devices on the link are RSTP devices, they can process MSTP
BPDUs as if they are RSTP BPDUs. Therefore, MSTP devices send either a
version 0 configuration and TCN BPDUs or version 3 MSTP BPDUs on a
boundary port. A boundary port connects the designated device to a LAN that
is either a single spanning tree device or a device with a different MST
configuration.

Fast Ring Modes


The fast ring mode shortens the MSTP convergence time to below 50
milliseconds in case of a disconnection in a ring topology.
The device offers two Fast Ring solutions:
• Fast Ring: Designed for when all the devices in the ring are ECI Telecom
devices
• Interoperability Fast Ring: Designed for interoperation with devices that
do not support MSTP or RSTP protocols

NOTE: Use a standard MSTP as a ring solution, if your network demands a
topology different from the one offered here.


Fast Ring
Use this solution when all the devices in the ring are ECI Telecom devices.
1. Select one bridge to be the root bridge: set this bridge’s priority to the
lowest value (0) and do not enable the Fast Ring feature on this bridge (to
avoid instability).
2. Configure all the user ports as MSTP edge ports.
3. To optimize network performance, increment each bridge’s priority value as
you move away from the root bridge.
The figure below shows a ring topology using MSTP:
• Device 1 is the MST root bridge
• All the ports have equal priority, thus one of Device 8's uplink ports is in
Alternate state.
In case of a link failure between Device 14 and Device 1:
1. Device 14 detects the link failure on its root port.
2. The ring solution immediately changes the traffic flow to a new direction.

Figure 6-2: MSTP in Ring Topology in a Link-Down Event


Interoperability Fast Ring


This solution is designed especially for interoperation with devices that do not
support MSTP or RSTP protocols. Use Interoperability Fast Ring when you use
a non-ECI Telecom gateway as part of the ring.
The figure below shows a ring topology using MSTP, when one of the devices
(Router, in the figure below) does not support MSTP, but is capable of
switching the MSTP BPDUs between the ports connected in the topology.

Figure 6-3: MSTP in Ring Topology with a Device in Link-Down Event


To use an Interoperability Fast Ring:

1. Configure the two devices closest to the Router (Device 1 and Device 8) as
Border Bridges to avoid degrading network performance.
2. Do not define any MSTP priorities on Border Bridges. These are
automatically set once the bridges are set as border bridges.
3. Increment each bridge’s priority value as you move away from the root bridge,
starting with priority value 8192.
4. Configure all the user ports as MSTP edge ports.
In case the link between Device 8 and the Router fails:
• Device 1 becomes the root
• Traffic changes its direction toward the new root

MSTP Commands

MSTP Commands’ Hierarchy


+ root
  + config terminal
    + ethernet
      + [no] spanning-tree
        - [no] forward-delay <interval>
        - [no] hello-time <interval>
        - [no] max-age <interval>
        + [no] port UU/SS/PP
          - [no] edge-port
          + [no] mstp instance-id <instance-id>
            - [no] path-cost <cost>
            - [no] priority <priority>
        - [no] priority <priority>
        - [no] protocol-fast-ring
          - [no] border-bridge preferred-link {UU/SS/PP | agN}
          - [no] ring-ports {UU1/SS1/PP1 | agN1} {UU2/SS2/PP2 | agN2}
          - [no] shutdown
        + [no] protocol-mstp
          + [no] instance <value>
            - [no] priority <priority>
          - [no] max-hops <hops>
          - [no] region-name NAME
          - [no] region-revision <unsignedShort>
          - [no] shutdown
          - [no] vlan-per-instance <vlan-id>
  - show ethernet mstp [details | configuration]

MSTP Commands’ Descriptions


Table 6-2: MSTP Commands

Command                           Description
config terminal                   Enters the Configuration mode
ethernet                          Enters the Ethernet Configuration mode
spanning-tree                     Enters the Spanning Tree Configuration mode
no spanning-tree                  Removes STP configurations
forward-delay <interval>          Defines the time a port waits in Learning and
                                  Listening states before moving to Forwarding
                                  state:
                                  • interval: in the range of <4-30> seconds
                                  • Default: 15 seconds
no forward-delay                  Restores to default
hello-time <interval>             Defines the interval between consecutive
                                  configuration messages generated by the root
                                  device, indicating that the device is alive:
                                  • interval: in the range of <1-40> seconds
                                  • Default: 2 seconds
no hello-time                     Restores to default
max-age <interval>                Defines the time a device waits without
                                  receiving configuration messages before
                                  attempting a reconfiguration:
                                  • interval: in the range of <6-40> seconds
                                  • Default: 20 seconds
no max-age                        Restores to default
port UU/SS/PP                     Enters the Specific Port’s Configuration mode
edge-port                         Changes the port’s administrative status,
                                  setting it as an Edge Port
                                  • Default: The port is not an edge port.
no edge-port                      Restores to default

mstp instance-id <value>          Enters the MSTP Instance Configuration mode
                                  for the specified port. Parameters for
                                  instance 0 are defined in the STP Port mode:
                                  • value: in the range of <1–15>
no mstp instance-id               Removes the defined MSTP instance
path-cost <cost>                  Defines the path cost of an MSTP instance. A
                                  lower path cost represents a higher-speed
                                  transmission:
                                  • cost: in the range of <1-200000000>
                                  • Default: Table 6-3 displays the default
                                    value calculated by the port’s media speed.
no path-cost                      Restores to default
priority <priority>               Defines the port priority:
                                  • priority: valid values are: 0, 16, 32, 48,
                                    64, 80, 96, 112, 128, 144, 160, 176, 192,
                                    208, 224, and 240
                                  • Default: 128
no priority                       Restores to default
priority <priority>               Defines the STP bridge priority. When MSTP is
                                  enabled, the priority value defines the
                                  bridge priority for instance 0:
                                  • priority: the valid values are: 0, 4096,
                                    8192, 12288, 16384, 20480, 24576, 28672,
                                    32768, 36864, 40960, 45056, 49152, 53248,
                                    57344, and 61440. The bridge with the
                                    highest bridge priority (the lowest
                                    numerical priority value) is selected as
                                    the Root device
                                  • Default: 32768
no priority                       Restores to default
protocol-fast-ring                Enables the MSTP Fast Ring mode and enters
                                  the MSTP Fast Ring Configuration mode:
                                  • Default: Disabled

no protocol-fast-ring             Removes MSTP Fast Ring settings
border-bridge preferred-link      Configures the device as a border bridge and
{UU/SS/PP | agN}                  selects a preferred MSTP Fast Ring port or a
                                  group of ports that connects the ring
                                  topology to the network gateway:
                                  • UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
                                  • agN: LAG ID, where N is in the range of
                                    <1-14>
no border-bridge preferred-link   Disables the process of configuring border
[UU/SS/PP | agN]                  bridge:
                                  • UU/SS/PP: (optional) 1/1/1-1/1/4,
                                    1/2/1-1/2/8
                                  • agN: (optional) LAG ID, where N is in the
                                    range of <1-14>
ring-ports {UU1/SS1/PP1 | agN1}   Defines two physical ports or two groups of
{UU2/SS2/PP2 | agN2}              ports that provide connectivity in the ring:
                                  • UU1/SS1/PP1: the first ring port
                                  • UU2/SS2/PP2: the second ring port
                                  • agN1: the first ring LAG, where N1 is in
                                    the range of <1-14>
                                  • agN2: the second ring LAG, where N2 is in
                                    the range of <1-14>
                                  The port range is:
                                  • UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
no ring-ports [UU1/SS1/PP1 |      Disables the process of defining ring ports
agN1] [UU2/SS2/PP2 | agN2]        or groups of ports:
                                  • UU1/SS1/PP1: (optional) the first ring port
                                  • UU2/SS2/PP2: (optional) the second ring
                                    port
                                  • agN1: (optional) the first ring LAG, where
                                    N1 is in the range of <1-14>
                                  • agN2: (optional) the second ring LAG, where
                                    N2 is in the range of <1-14>
                                  The port range is:
                                  • UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8

shutdown                          Disables the MSTP Fast Ring mode
no shutdown                       Enables the MSTP Fast Ring mode
protocol-mstp                     Enters the MSTP Configuration mode
no protocol-mstp                  Removes MSTP configurations
instance <value>                  Enters the Specific MSTP Instance
                                  Configuration mode:
                                  • value: in the range of <1-15>
no instance                       Removes the defined instance
priority <priority>               Defines the MSTP priority for instances in
                                  the range of <1-15>. MSTP priority for
                                  instance 0 is defined in the Global STP mode:
                                  • priority: 0, 4096, 8192, 12288, 16384,
                                    20480, 24576, 28672, 32768, 36864, 40960,
                                    45056, 49152, 53248, 57344, and 61440
                                  • Default: 32768
no priority                       Restores to default
max-hops <hops>                   Defines the maximum number of hops allowed in
                                  a region before discarding a BPDU:
                                  • hops: in the range of <1-40>
                                  • Default: 40
no max-hops                       Restores to default
region-name NAME                  Defines the MSTP region name:
                                  • NAME: a case-sensitive string of <1-31>
                                    characters
no region-name                    Removes the defined name
region-revision <unsignedShort>   Defines the region revision-number:
                                  • unsignedShort: in the range of <0–65535>
                                  • Default: 1
no region-revision                Restores to default
shutdown                          Disables MSTP
no shutdown                       Enables MSTP

vlan-per-instance <vlan-id>       Defines a VLAN mapped to an instance:
                                  • vlan-id: in the range of <1–4092>
                                  • Default: All VLANs are mapped to instance 0
no vlan-per-instance              Restores to default
show ethernet mstp [details |     Displays the MSTP port states and roles for
configuration]                    each instance:
                                  • details: (optional) displays detailed
                                    information about MSTP information vectors
                                  • configuration: (optional) displays the
                                    current region’s MSTP configuration
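
The value ranges in Table 6-2 lend themselves to an offline check of a planned configuration before it is typed into the device. The sketch below is an added example and not an ECI tool: the one-line notation (each command written with its hierarchy path after `spanning-tree`) is constructed for the example, and the timer relationship it checks comes from IEEE 802.1D, not from this manual.

```python
import re

BRIDGE_PRIORITIES = set(range(0, 61441, 4096))   # 0, 4096, ... 61440
PORT_PRIORITIES = set(range(0, 241, 16))         # 0, 16, ... 240
TIMER_DEFAULTS = {"forward-delay": 15, "hello-time": 2, "max-age": 20}


def _num(lo, hi):
    return lambda s: s.isdigit() and lo <= int(s) <= hi


def _member(values):
    return lambda s: s.isdigit() and int(s) in values


# keyword -> (expected-value text, validator), ranges as listed in Table 6-2
RULES = {
    "forward-delay": ("4-30 seconds", _num(4, 30)),
    "hello-time": ("1-40 seconds", _num(1, 40)),
    "max-age": ("6-40 seconds", _num(6, 40)),
    "instance": ("1-15", _num(1, 15)),
    "instance-id": ("1-15", _num(1, 15)),
    "priority": ("a multiple of 4096 from 0 to 61440", _member(BRIDGE_PRIORITIES)),
    "path-cost": ("1-200000000", _num(1, 200000000)),
    "max-hops": ("1-40", _num(1, 40)),
    "region-name": ("1-31 characters", lambda s: 1 <= len(s) <= 31),
    "region-revision": ("0-65535", _num(0, 65535)),
    "vlan-per-instance": ("1-4092", _num(1, 4092)),
}
# After the "port" keyword, priority means the port priority.
PORT_RULES = {"priority": ("a multiple of 16 from 0 to 240", _member(PORT_PRIORITIES))}


def lint_line(line):
    """Return the range violations found in one command line."""
    tokens = line.split()
    if not tokens or tokens[0] == "no":      # "no ..." only restores a default
        return []
    problems, in_port, i = [], False, 0
    while i < len(tokens):
        word = tokens[i]
        if word == "port":                   # skip the UU/SS/PP argument
            in_port = True
            i += 2
            continue
        rule = (PORT_RULES.get(word) if in_port else None) or RULES.get(word)
        if rule is None:
            i += 1
            continue
        expected, ok = rule
        arg = tokens[i + 1] if i + 1 < len(tokens) else ""
        if not ok(arg):
            problems.append(f"{word} {arg}: expected {expected}")
        i += 2
    return problems


def lint_config(lines):
    """Return (line number, problem) pairs; line 0 marks a cross-field check."""
    findings, timers = [], dict(TIMER_DEFAULTS)
    for number, line in enumerate(lines, 1):
        findings.extend((number, p) for p in lint_line(line))
        m = re.search(r"\b(forward-delay|hello-time|max-age) (\d+)\b", line)
        if m and not line.startswith("no "):
            timers[m.group(1)] = int(m.group(2))
    fd, hello, age = (timers[k] for k in ("forward-delay", "hello-time", "max-age"))
    # IEEE 802.1D: 2 x (forward-delay - 1) >= max-age >= 2 x (hello-time + 1)
    if not 2 * (fd - 1) >= age >= 2 * (hello + 1):
        findings.append((0, "timers violate 2*(forward-delay-1) >= max-age >= 2*(hello-time+1)"))
    return findings


# Constructed sample configuration with four deliberate mistakes.
SAMPLE = [
    "spanning-tree forward-delay 15",
    "spanning-tree hello-time 10",
    "spanning-tree max-age 20",
    "spanning-tree priority 1000",
    "spanning-tree port 1/1/1 mstp instance-id 1 priority 128",
    "spanning-tree port 1/1/2 mstp instance-id 16 path-cost 200000",
    "spanning-tree protocol-mstp instance 1 priority 0",
    "spanning-tree protocol-mstp region-revision 70000",
    "spanning-tree vlan-per-instance 100 instance-id 1",
]

if __name__ == "__main__":
    for number, problem in lint_config(SAMPLE):
        print(number, problem)
```
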

Table 6-3: Default Path Cost Configuration (IEEE802.1s)

Link Speed    Recommended Value    Recommended Range         Range
<=100 Kbps    200,000,000          20,000,000–200,000,000    1–200,000,000
1 Mbps        20,000,000           2,000,000–20,000,000      1–200,000,000
10 Mbps       2,000,000            200,000–2,000,000         1–200,000,000
100 Mbps      200,000              20,000–200,000            1–200,000,000
1 Gbps        20,000               2,000–200,000             1–200,000,000
10 Gbps       2,000                200–20,000                1–200,000,000
100 Gbps      200                  20–2,000                  1–200,000,000
1 Tbps        20                   2–200                     1–200,000,000
10 Tbps       2                    1–20                      1–200,000,000


Configuration Examples

Example 1
In the following example, four devices are connected via VLANs V100 and
V200 that are mapped to two MST instances on each device. The example
shows the redundancy achieved with MSTP.
After configuring the network, use the show mstp command on each device to
verify that the MST instances are configured correctly.

Figure 6-4: Schematic MSTI Configuration

Configuring Device 1:

1. Create VLANs V100 and V200 and add the appropriate ports to each
VLAN:
Device1(config)#vlan default 1
Device1(config-vlan-default/1)#no untagged 1/1/1
Device1(config-vlan-default/1)#no untagged 1/1/2
Device1(config-vlan-default/1)#no untagged 1/1/3
Device1(config-vlan-default/1)#no untagged 1/1/4
Device1(config)#vlan v100 100
Device1(config-vlan-v100/100)#tagged 1/1/1
Device1(config-vlan-v100/100)#tagged 1/1/3
Device1(config-vlan-v100/100)#untagged 1/1/4
Device1(config-port-1/1/4)#default-vlan 100
Device1(config)#vlan v200 200
Device1(config-vlan-v200/200)#tagged 1/1/2
Device1(config-vlan-v200/200)#tagged 1/1/3

2. Enable MSTP:
Device1(config-ethernet)#spanning-tree protocol-mstp
Device1(config-protocol-mstp)#no shutdown

3. Set priority 0 to MSTI 1 to force Device 1 to be MSTI1 root:
Device1(config-protocol-mstp)#instance 1 priority 0

4. Add the VLANs to MSTIs 1 and 2:
Device1(config)#ethernet spanning-tree
Device1(config-spanning-tree)#vlan-per-instance 100 instance-id 1
Device1(config-spanning-tree)#vlan-per-instance 200 instance-id 2

Configuring Device 2:

1. Create VLANs V100 and V200 and add the appropriate ports to each
VLAN:
Device2#configure
Device2(config)#vlan default 1
Device2(config-vlan-default/1)#no untagged 1/1/1
Device2(config-vlan-default/1)#no untagged 1/1/2
Device2(config-vlan-default/1)#no untagged 1/1/3
Device2(config-vlan-default/1)#no untagged 1/1/4
Device2(config)#vlan v100 100
Device2(config-vlan-v100/100)#tagged 1/1/1
Device2(config-vlan-v100/100)#tagged 1/1/3
Device2(config)#vlan v200 200
Device2(config-vlan-v200/200)#tagged 1/1/2
Device2(config-vlan-v200/200)#tagged 1/1/3
Device2(config-vlan-v200/200)#untagged 1/1/4
Device2(config-port-1/1/4)#default-vlan 200

2. Enable MSTP:
Device2(config-ethernet)#spanning-tree protocol-mstp
Device2(config-protocol-mstp)#no shutdown

3. Set priority 0 to MSTI 2 to force Device 2 to be MSTI2 root:


Device2(config-protocol-mstp)#instance 2 priority 0

4. Add the VLANs to MSTIs 1 and 2:


Device2(config)#ethernet spanning-tree
Device2(config-spanning-tree)#vlan-per-instance 100 instance-id 1
Device2(config-spanning-tree)#vlan-per-instance 200 instance-id 2


Configuring Device 3:

1. Create VLANs V100 and V200 and add the appropriate ports to each
VLAN:
Device3#configure
Device3(config)#vlan default 1
Device3(config-vlan-default/1)#no untagged 1/1/1
Device3(config-vlan-default/1)#no untagged 1/1/2
Device3(config-vlan-default/1)#no untagged 1/1/4
Device3(config)#vlan v100 100
Device3(config-vlan-v100/100)#tagged 1/1/1
Device3(config-vlan-v100/100)#tagged 1/1/2
Device3(config-vlan-v100/100)#untagged 1/1/4
Device3(config-port-1/1/4)#default-vlan 100

2. Enable MSTP:
Device3(config-ethernet)#spanning-tree protocol-mstp
Device3(config-protocol-mstp)#no shutdown

3. Add the VLANs to MSTIs 1 and 2:


Device3(config)#ethernet spanning-tree
Device3(config-spanning-tree)#vlan-per-instance 100 instance-id 1
Device3(config-spanning-tree)#vlan-per-instance 200 instance-id 2

Configuring Device 4:

1. Create VLAN V200 and add the appropriate ports to the VLAN:
Device4#configure
Device4(config)#vlan default 1
Device4(config-vlan-default/1)#no untagged 1/1/1
Device4(config-vlan-default/1)#no untagged 1/1/2
Device4(config-vlan-default/1)#no untagged 1/1/4
Device4(config)#vlan v200 200
Device4(config-vlan-v200/200)#tagged 1/1/1
Device4(config-vlan-v200/200)#tagged 1/1/2
Device4(config-vlan-v200/200)#untagged 1/1/4
Device4(config-port-1/1/4)#default-vlan 200

2. Enable MSTP:
Device4(config-ethernet)#spanning-tree protocol-mstp
Device4(config-protocol-mstp)#no shutdown

3. Add the VLANs to MSTIs 1 and 2:

Device4(config)#ethernet spanning-tree
Device4(config-spanning-tree)#vlan-per-instance 100 instance-id 1
Device4(config-spanning-tree)#vlan-per-instance 200 instance-id 2


Displaying Device 1 Configuration:

Device1#show ethernet mstp detailed


Multiple spanning trees = enabled
ProtocolSpecification = ieee8021s
Priority = 0
TimeSinceTopologyChange = 0 (Sec)
TopChanges = 6
CIST Root = 32768.00:A0:12:27:00:80
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
ForwardDelay = 15 (Sec)
BridgeMaxAge = 20 (Sec)
BridgeHelloTime = 2 (Sec)
BridgeForwardDelay = 15 (Sec)
ProtoMigratioDelay = 3 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
LearnMode = standard

CIST Information
VLANs mapped = 1..99,101..199,201..4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:80
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 6
Border Bridge = Disabled
No active ports are mapped to the MSTI

MST 1
VLANs mapped = 100
Priority = 32768
Regional Root = This bridge is the root
RemainingHopCount = 40
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 5
Border Bridge = Disabled


=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+------------------+------
01/01/01 128 Designat frwrd 200000 0 00000.00A0122700C0 128.003
01/01/03 128 Designat frwrd 200000 0 00000.00A0122700C0 128.005
01/01/04 128 Designat frwrd 200000 0 00000.00A0120A0168 128.006

MST 2
VLANs mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 7
Border Bridge = Disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+------------------+------
01/01/02 128 Designat frwrd 200000 0 32768.00A0122700C0 128.004
01/01/03 128 Root frwrd 200000 0 00000.00A012271420 128.005

Displaying Device 2 Configuration:

device-name#show ethernet mstp detailed


Multiple spanning trees = enabled
ProtocolSpecification = ieee8021s
Priority = 0
TimeSinceTopologyChange = 0 (Sec)
TopChanges = 4
CIST Root = 32768.00:A0:12:27:00:80
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
ForwardDelay = 15 (Sec)
BridgeMaxAge = 20 (Sec)
BridgeHelloTime = 2 (Sec)
BridgeForwardDelay = 15 (Sec)
ProtoMigratioDelay = 3 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
LearnMode = standard

CIST Information
VLANs mapped = 1..99,101..199,201..4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:C0
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 4
Border Bridge = Disabled


No active ports are mapped to the MSTI

MST 1
VLANs mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:27:00:C0
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 4
Border Bridge = Disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+------------------+------
01/01/01 128 Alternat block 200000 200000 32768.00A0122700C0 128.004
01/01/03 128 Root frwrd 200000 200000 00000.00A0122700C0 128.005

MST 2
VLANs mapped = 200
Priority = 32768
Regional Root = This bridge is the root
RemainingHopCount = 40
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 4
Border Bridge = Disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+--------+------------------+-------
01/01/02 128 Designat frwrd 200000 0 00000.00A012271420 128.002
01/01/03 128 Designat frwrd 200000 0 00000.00A012271420 128.003
01/01/04 128 Designat frwrd 200000 0 00000.00A012271420 128.005


Displaying Device 3 Configuration:

Device3#show ethernet mstp detailed


Multiple spanning trees = enabled
ProtocolSpecification = ieee8021s
Priority = 0
TimeSinceTopologyChange = 0 (Sec)
TopChanges = 3
CIST Root = This bridge is the root
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
ForwardDelay = 15 (Sec)
BridgeMaxAge = 20 (Sec)
BridgeHelloTime = 2 (Sec)
BridgeForwardDelay = 15 (Sec)
ProtoMigratioDelay = 3 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
LearnMode = standard

CIST Information
VLAN mapped = 1..99,101..199,201..4094
Priority = 32768
Regional Root = This bridge is the root
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 3
Border Bridge = Disabled
No active ports are mapped to the MSTI

MST 1
VLANs mapped = 100
Priority = 32768
Regional Root = 0001.00:A0:12:27:00:C0
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 2
Border Bridge = Disabled


=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+--------+------------------+-------
01/01/01 128 Root frwrd 200000 0 00000.00A0122700C0 128.003
01/01/02 128 Designat frwrd 200000 0 32768.00A0122700C0 128.004
01/01/04 128 Designat frwrd 200000 0 32768.00A0122700C0 128.006

MST 2
VLANs mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 3
Border Bridge = Disabled
No active ports are mapped to the msti

Displaying Device 4 Configuration:

Device4#show ethernet mstp detailed


Multiple spanning trees = enabled
ProtocolSpecification = ieee8021s
Priority = 0
TimeSinceTopologyChange = 0 (Sec)
TopChanges = 2
CIST Root = 32768.00:A0:12:27:00:80
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
ForwardDelay = 15 (Sec)
BridgeMaxAge = 20 (Sec)
BridgeHelloTime = 2 (Sec)
BridgeForwardDelay = 15 (Sec)
ProtoMigratioDelay = 3 (Sec)
MaxHopCount = 40
TxHoldCount = 3
SpanIgmpFastRecover = disabled
FastRing = disabled
LearnMode = standard

CIST Information
VLAN mapped = 1..99,101..199,201..4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:80
RemainingHopCount = 38
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 2
Border Bridge = disabled
No active ports are mapped to the MSTI

MST 1
VLAN mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:27:00:C0
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 5
Border Bridge = disabled
No active ports are mapped to the MSTI
MST 2
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 2
Border Bridge = disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+------------------+------
01/01/01 128 Root frwrd 200000 0 00000.00A012271420 128.003
01/01/02 128 Designat frwrd 200000 0 32768.00A012271420 128.004
01/01/04 128 Designat frwrd 200000 0 32768.00A012271420 128.006
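
Output in this format can be checked automatically against a baseline, so that an unexpected regional root or a bridge appearing behind a user (edge) port is noticed without reading each table by hand. The parser below is an added example, not an ECI tool; the sample text is constructed in the layout shown above, and the baseline roots, the edge-port list and the local bridge MAC are assumptions supplied by the operator.

```python
import re

SECTION = re.compile(r"^\s*(?:CIST Information|MST (\d+))\s*$")
KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.+?)\s*$")
PORT_ROW = re.compile(
    r"^\s*(\d\d/\d\d/\d\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")
LOCAL_ROOT = "This bridge is the root"


def parse_mstp(text):
    """Split the output into a 'global' header and one section per instance
    (0 = CIST Information), each with its key/value fields and port rows."""
    sections = {"global": {"fields": {}, "ports": []}}
    current = sections["global"]
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            key = int(m.group(1)) if m.group(1) else 0
            current = sections.setdefault(key, {"fields": {}, "ports": []})
            continue
        m = PORT_ROW.match(line)
        if m:
            current["ports"].append({"port": m.group(1), "role": m.group(3),
                                     "state": m.group(4), "designated": m.group(7)})
            continue
        m = KEYVAL.match(line)
        if m:
            current["fields"][m.group(1)] = m.group(2)
    return sections


def root_mac(value, local_mac):
    """MAC part of a 'priority.MAC' root value, or the local MAC."""
    if value == LOCAL_ROOT:
        return local_mac.upper()
    return value.partition(".")[2].upper()


def audit(text, expected_roots, edge_ports, local_mac):
    """Compare the output with the baseline and return a list of findings."""
    findings, sections = [], parse_mstp(text)
    for inst, expected in sorted(expected_roots.items()):
        fields = sections.get(inst, {"fields": {}})["fields"]
        if "Regional Root" not in fields:
            findings.append(f"instance {inst}: not present in output")
            continue
        seen = root_mac(fields["Regional Root"], local_mac)
        if seen != expected.upper():
            findings.append(f"instance {inst}: regional root {seen}, expected {expected.upper()}")
    for inst, section in sections.items():
        if inst == "global":
            continue
        for row in section["ports"]:
            # An edge port should face a host; a Root or Alternate role means
            # BPDUs from another bridge are being received on it.
            if row["port"] in edge_ports and row["role"] in ("Root", "Alternat"):
                findings.append(f"instance {inst}: edge port {row['port']} has role {row['role']}")
    return findings


# Constructed sample (abridged), not captured from a device.
SAMPLE = """\
Multiple spanning trees = enabled
CIST Root = 32768.00:A0:12:27:00:80

CIST Information
VLANs mapped = 1..99,101..199,201..4094
Regional Root = 32768.00:A0:12:27:00:80
No active ports are mapped to the MSTI

MST 1
VLANs mapped = 100
Regional Root = This bridge is the root
TopChanges = 5
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+------------------+------
01/01/01 128 Designat frwrd 200000 0 00000.00A0122700C0 128.003
01/01/03 128 Designat frwrd 200000 0 00000.00A0122700C0 128.005

MST 2
VLANs mapped = 200
Regional Root = 00000.00:A0:12:AA:BB:CC
TopChanges = 9
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+------------------+------
01/01/03 128 Designat frwrd 200000 200000 32768.00A0122700C0 128.005
01/01/04 128 Root frwrd 200000 0 00000.00A012AABBCC 128.001
"""
BASELINE = {1: "00:A0:12:27:00:C0", 2: "00:A0:12:27:14:20"}

if __name__ == "__main__":
    for finding in audit(SAMPLE, BASELINE, {"01/01/04"}, "00:A0:12:27:00:C0"):
        print(finding)
```
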


Example 2
In the example above, if the direct link between Device 1 and Device 3 fails,
MSTI01 is recalculated, and port 1/1/2 in Device 3 changes its role from
alternative to root.

Figure 6-5: Link Failure between Two Devices

In this case, the show ethernet mstp detailed command displays the
following:

Displaying Device 1 Configuration:

Device1#show ethernet mstp detailed


Multiple spanning trees = enabled
ProtocolSpecification = ieee8021s
Priority = 0
TimeSinceTopologyChange = 0 (Sec)
TopChanges = 6
CIST Root = 32768.00:A0:12:27:00:80

MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
ForwardDelay = 15 (Sec)
BridgeMaxAge = 20 (Sec)
BridgeHelloTime = 2 (Sec)
BridgeForwardDelay = 15 (Sec)
ProtoMigratioDelay = 3 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
LearnMode = Standard

CIST Information
VLANs mapped = 1..99,101..199,201..4094


Priority = 32768
CIST Root = 32768.00:A0:12:27:00:80
RemainingHopCount = 38
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 6
Border Bridge = disabled
No active ports are mapped to the msti

MST 1
VLAN mapped = 100
Priority = 32768
Regional Root = This bridge is the root
RemainingHopCount = 40
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 5
Border Bridge = disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+-----------------+-------
01/01/03 128 Designat frwrd 200000 0 00000.00A0122700C0 128.005
01/01/04 128 Designat frwrd 200000 0 32768.00A0122700C0 128.006

MST 2
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 7
Border Bridge = disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+--------+------------------+-------
01/01/02 128 Designat frwrd 200000 0 32768.00A0122700C0 128.002
01/01/03 128 Root frwrd 200000 0 00000.00A012271420 128.003


Displaying Device 3 Configuration:

Device3#show ethernet mstp detailed


Multiple spanning trees = enabled
ProtocolSpecification = ieee8021s
Priority = 0
TimeSinceTopologyChange = 0 (Sec)
TopChanges = 3
CIST Root = This bridge is the root
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
ForwardDelay = 15 (Sec)
BridgeMaxAge = 20 (Sec)
BridgeHelloTime = 2 (Sec)
BridgeForwardDelay = 15 (Sec)
ProtoMigratioDelay = 3 (Sec)
MaxHopCount = 40
TxHoldCount = 3
SpanIgmpFastRecover = disabled
FastRing = disabled
LearnMode = standard

CIST Information
VLAN mapped = 1..99,101..199,201..4094
Priority = 32768
CIST Root = This bridge is the root
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 3
Border Bridge = disabled
No active ports are mapped to the MSTI

MST 1
VLAN mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:0A:01:68
RemainingHopCount = 38
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 3
Border Bridge = disabled


=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+--------+------------------+-------
01/01/02 128 Root frwrd 200000 400000 32768.00A00001090B 128.002
01/01/04 128 Designat frwrd 200000 400000 32768.00A012BBBBBB 128.006

MST 2
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 3
Border Bridge = disabled
No active ports are mapped to the MSTI

On Device 2 and Device 4:

This topology change does not affect Device 2 and Device 4 output.

Fast Ring Configuration Example


The following example shows how to configure the devices in a fast ring so
that traffic is distributed correctly among client networks.


Figure 6-6: Fast Ring Topology

Configuring Device 1:

1. Enable MSTP and configure Device 1 to be the root device:


Device1(config-ethernet)#spanning-tree protocol-mstp
Device1(config-protocol-mstp)#no shutdown
Device1(config-ethernet)#spanning-tree
Device1(config-spanning-tree)#priority 0

2. Create VLAN V10, V20, and V30. Add the appropriate ports to each VLAN:
Device1(config)#vlan default 1
Device1(config-vlan-default/1)#no untagged 1/2/1
Device1(config-vlan-default/1)#no untagged 1/1/2
Device1(config-vlan-v10/10)#tagged 1/2/1
Device1(config-vlan-v10/10)#tagged 1/1/2
Device1(config-vlan-v20/20)#tagged 1/2/1
Device1(config-vlan-v20/20)#tagged 1/1/2
Device1(config-vlan-v30/30)#tagged 1/2/1
Device1(config-vlan-v30/30)#tagged 1/1/2

Configuring Device 2:

1. Enable MSTP fast-ring and configure fast ring ports:


Device2(config-spanning-tree)#protocol-fast-ring
Device2(config-protocol-fast-ring)#no shutdown
Device2(config-protocol-fast-ring)#ring-ports 1/2/1 1/1/2

2. Configure an edge port on the client port:


Device2(config-spanning-tree)#port 1/1/1 edge-port
Device2(config-spanning-tree)#port 1/1/3 edge-port
Device2(config-spanning-tree)#port 1/1/4 edge-port

3. Create VLAN V10, V20, and V30. Add the appropriate ports to each VLAN:
Device2(config)#vlan default 1
Device2(config-vlan-default/1)#no untagged 1/1/1
Device2(config-vlan-default/1)#no untagged 1/1/2
Device2(config-vlan-default/1)#no untagged 1/2/1
Device2(config-vlan-default/1)#no untagged 1/1/3
Device2(config-vlan-default/1)#no untagged 1/1/4
Device2(config-vlan-v10/10)#untagged 1/1/1
Device2(config-vlan-v10/10)#tagged 1/2/1
Device2(config-vlan-v10/10)#tagged 1/1/2
Device2(config-vlan-v20/20)#untagged 1/1/3
Device2(config-vlan-v20/20)#tagged 1/2/1
Device2(config-vlan-v20/20)#tagged 1/1/2
Device2(config-vlan-v30/30)#untagged 1/1/4
Device2(config-vlan-v30/30)#tagged 1/2/1
Device2(config-vlan-v30/30)#tagged 1/1/2
Device2(config-port-1/1/1)#default-vlan 10
Device2(config-port-1/1/3)#default-vlan 20
Device2(config-port-1/1/4)#default-vlan 30

Configuring Device 3:

1. Enable MSTP fast-ring and configure fast ring ports:


Device3(config-spanning-tree)#protocol-fast-ring
Device3(config-protocol-fast-ring)#no shutdown
Device3(config-protocol-fast-ring)#ring-ports 1/2/1 1/1/2

2. Create VLAN V10, V20, and V30. Add the appropriate ports to each VLAN:
Device3(config)#vlan default 1
Device3(config-vlan-default/1)#no untagged 1/2/1
Device3(config-vlan-default/1)#no untagged 1/1/2
Device3(config-vlan-v10/10)#tagged 1/2/1
Device3(config-vlan-v10/10)#tagged 1/1/2
Device3(config-vlan-v20/20)#tagged 1/2/1
Device3(config-vlan-v20/20)#tagged 1/1/2
Device3(config-vlan-v30/30)#tagged 1/2/1
Device3(config-vlan-v30/30)#tagged 1/1/2

Configuring Device 4:

1. Enable MSTP fast-ring and configure fast ring ports:


Device4(config-spanning-tree)#protocol-fast-ring
Device4(config-protocol-fast-ring)#no shutdown
Device4(config-protocol-fast-ring)#ring-ports 1/2/1 1/1/2

2. Configure an edge port on the client port:


Device4(config-spanning-tree)#port 1/1/1 edge-port
Device4(config-spanning-tree)#port 1/1/3 edge-port
Device4(config-spanning-tree)#port 1/1/4 edge-port

3. Create VLAN V10, V20, and V30. Add the appropriate ports to each VLAN:
Device4(config)#vlan default 1
Device4(config-vlan-default/1)#no untagged 1/1/1
Device4(config-vlan-default/1)#no untagged 1/1/2
Device4(config-vlan-default/1)#no untagged 1/2/1
Device4(config-vlan-default/1)#no untagged 1/1/3
Device4(config-vlan-default/1)#no untagged 1/1/4
Device4(config-vlan-v10/10)#untagged 1/1/1
Device4(config-vlan-v10/10)#tagged 1/2/1
Device4(config-vlan-v10/10)#tagged 1/1/2
Device4(config-vlan-v20/20)#untagged 1/1/3
Device4(config-vlan-v20/20)#tagged 1/2/1
Device4(config-vlan-v20/20)#tagged 1/1/2
Device4(config-vlan-v30/30)#untagged 1/1/4
Device4(config-vlan-v30/30)#tagged 1/2/1
Device4(config-vlan-v30/30)#tagged 1/1/2
Device4(config-port-1/1/1)#default-vlan 10
Device4(config-port-1/1/3)#default-vlan 20
Device4(config-port-1/1/4)#default-vlan 30


Configuring Device 5:

1. Enable MSTP fast-ring and configure fast ring ports:


Device5(config-spanning-tree)#protocol-fast-ring
Device5(config-protocol-fast-ring)#no shutdown
Device5(config-protocol-fast-ring)#ring-ports 1/2/1 1/1/2

2. Configure an edge port on the client port:


Device5(config-spanning-tree)#port 1/1/1 edge-port
Device5(config-spanning-tree)#port 1/1/3 edge-port
Device5(config-spanning-tree)#port 1/1/4 edge-port

3. Create VLAN V10, V20, and V30. Add the appropriate ports to each VLAN:
Device5(config)#vlan default 1
Device5(config-vlan-default/1)#no untagged 1/2/1
Device5(config-vlan-default/1)#no untagged 1/1/2
Device5(config-vlan-v10/10)#tagged 1/2/1
Device5(config-vlan-v10/10)#tagged 1/1/2
Device5(config-vlan-v20/20)#tagged 1/2/1
Device5(config-vlan-v20/20)#tagged 1/1/2
Device5(config-vlan-v30/30)#tagged 1/2/1
Device5(config-vlan-v30/30)#tagged 1/1/2

Supported Standards, MIBs, and RFCs

Feature: Multiple Spanning Tree Protocol (MSTP)
Standards: IEEE 802.1d-1998, IEEE 802.1t-2001, IEEE 802.1w-2001, IEEE 802.1s-2002
MIBs: No MIBs are supported by this feature.
RFCs: RFC 2863, Interfaces Group MIB (configL2IfaceTable)



7 Internet Group Multicast Protocol (IGMP) Snooping

Overview
IGMP snooping constrains the flooding of multicast traffic by dynamically
configuring ports so that multicast traffic is forwarded to only those ports
where the attached hosts have explicitly reported their interest to receive the
multicast traffic by sending an IGMP report. When the IGMP-snooping-
enabled device receives an IGMP report, it adds the host’s port number to the
Multicast Forwarding table. The host’s port number is deleted when an IGMP
Leave Group message is received.
The Multicast Forwarding table is used to control the forwarding of multicast
packets.

IGMP Versions
The device supports IGMP version 1, IGMP version 2, and IGMP version 3
(control plane capability). These versions are interoperable.
IGMP snooping supports IGMPv3 control plane traffic—IGMPv3 queries and
reports cause appropriate updates of the internal database.
The data plane traffic is forwarded according to the destination multicast MAC
address only.


Joining a Multicast Group


When a host connected to the device wants to join an IP multicast group, it
sends an unsolicited IGMP Join message, specifying the IP multicast group to
join. IP multicast groups learned through IGMP snooping are dynamic. The
device’s CPU creates a multicast entry in the Multicast Forwarding Table for
the group and adds the port where the join message is received. The host
associated with that port receives multicast traffic for that multicast group.
You can statically configure MAC multicast groups (see Table 7-1).
If you specify group membership for a multicast group address statically, your
setting supersedes any automatic manipulation by IGMP snooping. Multicast
group membership lists can consist of both user-defined and IGMP snooping-
learned settings.

Figure 7-1: Initial IGMP Join Message


A Multicast router (mrouter) is a router that runs a multicast routing protocol
and participates in the multicast tree. On the edge of the network, a multicast
router is connected to an IGMP Snooping device. The IGMP snooping device’s
port on which the multicast router is connected is called an mrouter port. The
multicast router sends periodic IGMP General queries and Group-Specific
queries.

NOTE: The maximum number of multicast entries in the Multicast Forwarding
Table is 1024.

Leaving a Multicast Group


When hosts want to leave a multicast group, they can either leave silently or
send a Leave Group message (IGMP version 2) or a Report message (IGMP
version 3). When the device receives a Leave Group message from a host, the
Group timer is reset to the robustness value multiplied by the
last-member-query-interval value (see the IGMP Snooping Commands table).

Fast-Leave Processing
The IGMP Snooping Fast-Leave processing immediately removes a port that
receives a Leave Group message from the Multicast Forwarding table.
Fast-Leave processing ensures optimal bandwidth management for all hosts on
a switched network, even when multiple multicast groups are simultaneously in
use.

Multicast Addresses
The multicast IP address range from 224.0.0.1 to 224.0.0.255 is reserved for
the use of routing protocols and other low-level topology discovery. These
addresses are also called Group Destination Addresses (GDA). The GDA MAC
address has the form 01:00:5E:XX:XX:XX: the 01:00:5E prefix is followed by the
last 23 bits of the multicast GDA IP address. Currently, the multicast traffic
addressed to this group of IP addresses is dropped.
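
The mapping above keeps only 23 of the 28 variable bits of a group address, and the data plane forwards by destination multicast MAC address only, so 32 different group addresses land on the same forwarding entry. The following is an added example (not from the manual) that computes the GDA MAC and audits a planned group list for such collisions; the function names and the sample plan are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

OUI_PREFIX = 0x01005E      # fixed high-order 24 bits of every IPv4 multicast MAC
LOW23_MASK = 0x7FFFFF      # only these bits of the group address survive in the MAC
# 224.0.0.0/24 covers the 224.0.0.1-224.0.0.255 range the manual lists as reserved.
RESERVED = ipaddress.ip_network("224.0.0.0/24")

# Constructed sample plan (hypothetical group assignments).
PLAN = ["224.2.2.2", "225.2.2.2", "239.130.2.2", "224.2.2.3", "239.0.0.5"]


def gda_mac(group_ip):
    """Return the GDA MAC (HH:HH:HH:HH:HH:HH) for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group_ip)
    if not addr.is_multicast:
        raise ValueError(f"{group_ip} is not in 224.0.0.0-239.255.255.255")
    mac = (OUI_PREFIX << 24) | (int(addr) & LOW23_MASK)
    return ":".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def aliases(group_ip):
    """All 32 group addresses that map to the same GDA MAC as group_ip."""
    low23 = int(ipaddress.IPv4Address(group_ip)) & LOW23_MASK
    # The 5 discarded bits sit at positions 23..27 of the 32-bit address.
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23))
            for i in range(32)]


def audit_plan(groups):
    """Return (collisions, shares_reserved_mac) for a list of planned groups.

    collisions: {mac: [groups]} for every MAC used by more than one group.
    shares_reserved_mac: groups outside the reserved range whose MAC is
    identical to that of an address inside it.
    """
    by_mac = defaultdict(list)
    for g in groups:
        by_mac[gda_mac(g)].append(g)
    collisions = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    shares_reserved_mac = [
        g for g in groups
        if ipaddress.IPv4Address(g) not in RESERVED
        and any(ipaddress.IPv4Address(a) in RESERVED for a in aliases(g))
    ]
    return collisions, shares_reserved_mac


if __name__ == "__main__":
    collisions, risky = audit_plan(PLAN)
    for mac, ips in collisions.items():
        print(f"{mac} is shared by {', '.join(ips)}")
    for g in risky:
        print(f"{g} maps to {gda_mac(g)}, the same MAC as a reserved 224.0.0.x address")
```

A group that shares a MAC with the reserved range is worth avoiding in an address plan, because a MAC-based forwarding table cannot tell it apart from the reserved address; how the device treats such a group is not stated in the manual.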


IGMP Configuration Flow

Figure 7-2: IGMP Configuration Flow


IGMP Snooping Commands

IGMP Snooping Commands’ Hierarchy


+ root
  + config terminal
    + [no] vlan VLAN-NAME <vlan-id>
      - [no] ip-igmp-snooping
      - [no] ip-igmp-snooping router-alert-check
      - [no] ip-igmp-snooping router-timers last-member-query-interval <interval>
      - [no] ip-igmp-snooping router-timers query-interval <interval>
      - [no] ip-igmp-snooping router-timers robustness <value>
      - [no] ip-igmp-snooping router-timers router-query-interval <value>
      - [no] untagged UU/SS/PP igmp-snooping
      - [no] untagged UU/SS/PP igmp-snooping explicit-tracking
      - [no] untagged UU/SS/PP igmp-snooping fast-leave
      - [no] untagged UU/SS/PP igmp-snooping max-groups <unsignedInt>
      - [no] untagged UU/SS/PP igmp-snooping mrouter
      - [no] untagged UU/SS/PP igmp-snooping mrouter-block
      - [no] tagged UU/SS/PP igmp-snooping
      - [no] tagged UU/SS/PP igmp-snooping explicit-tracking
      - [no] tagged UU/SS/PP igmp-snooping fast-leave
      - [no] tagged UU/SS/PP igmp-snooping max-groups <unsignedInt>
      - [no] tagged UU/SS/PP igmp-snooping mrouter
      - [no] tagged UU/SS/PP igmp-snooping mrouter-block
  - show igmp-snooping
  - show igmp-snooping vlan [<vlan-id> | detailed | groups | mrouters | statistics]


IGMP Snooping Commands’ Descriptions


Table 7-1: IGMP Snooping Commands

Command: config terminal
Description: Enters the Configuration mode

Command: vlan VLAN-NAME <vlan-id>
Description: Creates a VLAN with the specified name and ID (VLAN tag) and enters the VLAN Configuration mode:
• vlan-id: in the range of <1–4092>
• VLAN-NAME: a string of <1–31> characters

Command: no vlan VLAN-NAME <vlan-id>
Description: Removes the existing VLAN:
• vlan-id: in the range of <1–4092>
• VLAN-NAME: a string of <1–31> characters

Command: ip-igmp-snooping
Description: Enables the IGMP Snooping on a specified VLAN
• Disabled

Command: no ip-igmp-snooping
Description: Restores to default

Command: ip-igmp-snooping router-alert-check
Description: Enables the IP Router Alert option (RFC 2113) verification
• Enabled

Command: no ip-igmp-snooping router-alert-check
Description: Disables the IP Router Alert option check

Command: ip-igmp-snooping router-timers last-member-query-interval <interval>
Description: Defines the time that the IGMP router waits to receive a response to a Group-Specific Query message:
• interval: in the range of <1-1024> seconds
• 1 second

Command: no ip-igmp-snooping router-timers last-member-query-interval
Description: Restores to default

Command: ip-igmp-snooping router-timers query-interval <interval>
Description: Defines the time between successive IGMP General queries:
• interval: in the range of <1-1024> seconds
• 125 seconds

Command: no ip-igmp-snooping router-timers query-interval
Description: Restores to default

Command: ip-igmp-snooping router-timers robustness <value>
Description: Defines the number of times that the multicast router sends IGMP Group-Specific queries before declaring that the multicast group no longer has any members on a port:
• value: in the range of <1-10>
• 2

Command: no ip-igmp-snooping router-timers robustness
Description: Restores to default

Command: ip-igmp-snooping router-timers router-query-interval <interval>
Description: Defines the time that the multicast router waits to receive a response to an IGMP General query:
• interval: in the range of <1-1024> seconds
• 10 seconds

Command: no ip-igmp-snooping router-timers router-query-interval
Description: Restores to default

Command: untagged UU/SS/PP igmp-snooping
Description: Enables IGMP snooping on a specified port:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled

Command: no untagged UU/SS/PP igmp-snooping
Description: Restores to default:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

Command: untagged UU/SS/PP igmp-snooping explicit-tracking
Description: Enables the router to explicitly track each individual host that is joined to a group:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Enabled

Command: no untagged UU/SS/PP igmp-snooping explicit-tracking
Description: Restores to default

Command: untagged UU/SS/PP igmp-snooping fast-leave
Description: Enables the IGMP fast-leave processing:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Enabled

Command: no untagged UU/SS/PP igmp-snooping fast-leave
Description: Restores to default

Command: untagged UU/SS/PP igmp-snooping max-groups <unsignedInt>
Description: Defines the number of multicast groups which can be registered:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• unsignedInt: in the range of <0-4294967295>
• 1024K

Command: no untagged UU/SS/PP igmp-snooping max-groups
Description: Restores to default

Command: untagged UU/SS/PP igmp-snooping mrouter
Description: Configures a port as a multicast router port:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled

Command: no untagged UU/SS/PP igmp-snooping mrouter
Description: Restores to default

Command: untagged UU/SS/PP igmp-snooping mrouter-block
Description: All IGMP queries received on the selected port are not processed and entered in local IGMP database:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled

Command: no untagged UU/SS/PP igmp-snooping mrouter-block
Description: Restores to default

Command: tagged UU/SS/PP igmp-snooping
Description: Enables IGMP snooping on a specified port:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled

Command: no tagged UU/SS/PP igmp-snooping
Description: Restores to default

Command: tagged UU/SS/PP igmp-snooping explicit-tracking
Description: Enables the router to explicitly track each individual host that is joined to a group:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled

Command: no tagged UU/SS/PP igmp-snooping explicit-tracking
Description: Restores to default

Command: tagged UU/SS/PP igmp-snooping fast-leave
Description: Enables the IGMP fast-leave processing:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled

Command: no tagged UU/SS/PP igmp-snooping fast-leave
Description: Restores to default

Command: tagged UU/SS/PP igmp-snooping max-groups <unsignedInt>
Description: Defines the number of multicast groups which can be registered:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• unsignedInt: in the range of <0-4294967295>
• 1024K

Command: no tagged UU/SS/PP igmp-snooping max-groups
Description: Restores to default

Command: tagged UU/SS/PP igmp-snooping mrouter
Description: Configures a static connection to a multicast router:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled

Command: no tagged UU/SS/PP igmp-snooping mrouter
Description: Restores to default

Command: tagged UU/SS/PP igmp-snooping mrouter-block
Description: All IGMP queries received on the selected port are not processed and entered in local IGMP database:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled

Command: no tagged UU/SS/PP igmp-snooping mrouter-block
Description: Restores to default

Command: multicast-static-group NAME
Description: Defines a multicast group name and enters the Multicast Static Configuration mode:
• NAME: a string

Command: no multicast-static-group
Description: Removes the multicast group

Command: ip A.B.C.D
Description: Defines the IP address of the multicast group:
• A.B.C.D: in the range of <224.0.0.0-239.255.255.255>

Command: no ip A.B.C.D
Description: Removes the defined multicast IP address:
• A.B.C.D: in the range of <224.0.0.0-239.255.255.255>

Command: ip-source A.B.C.D A1.B1.C1.D1
Description: Defines a source-specific multicast entry in the Multicast Forwarding Table for a group:
• A.B.C.D: the IP address of the multicast group
• A1.B1.C1.D1: the source IP address of the multicast traffic

Command: no ip-source A.B.C.D A1.B1.C1.D1
Description: Removes the defined entry:
• A.B.C.D: the IP address of the multicast group
• A1.B1.C1.D1: the source IP address of the multicast traffic

Command: mac <mac:hexList>
Description: Defines the Group Destination MAC address (GDA) of the multicast group:
• mac:hexList: GDA MAC address, in format HH:HH:HH:HH:HH:HH

Command: no mac <mac:hexList>
Description: Removes the defined Group Destination MAC (GDA) address:
• mac:hexList: GDA MAC address, in format HH:HH:HH:HH:HH:HH

Command: show igmp-snooping
Description: Displays information for all aspects of IGMP snooping

Command: show igmp-snooping vlan [<vlan-id> | detailed | groups | mrouters | statistics]
Description: Displays information for all aspects of IGMP snooping on a VLAN, filtered by the below arguments:
• vlan-id: (optional) in the range of <1–4092>
• detailed: (optional) displays detailed information
• groups: (optional) displays information for multicast groups that are joined on the specified VLAN
• mrouters: (optional) displays multicast routers ports related to the specified VLAN
• statistics: (optional) displays IGMP snooping statistics for the specified VLAN and port


Configuration Example
In the following example IGMP snooping is configured on VLAN 100. The
multicast router that sends IGMP queries is connected to port 1/1/9. The
multicast host that sends the IGMP report is connected to port 1/1/7:

1. Enter the Configuration mode of VLAN v100 with ID 100:


device-name(config)#vlan v100 100
device-name(config-vlan-v100/100)#untagged 1/1/7
device-name(config-vlan-v100/100)#untagged 1/1/9
device-name(config)#port 1/1/7 default-vlan 100
device-name(config)#port 1/1/9 default-vlan 100
device-name(config-port-1/1/9)#commit

2. Enable IGMP snooping on the specified VLAN and configure last-member-query interval:
device-name(config)#vlan v100 100
device-name(config-vlan-v100/100)#ip-igmp-snooping
device-name(config-ip-igmp-snoopping)#router-timers last-member-query-interval 20
device-name(config-vlan-v100/100)#untagged 1/1/7
device-name(config-untagged-1/1/7)#igmp-snooping
device-name(config-vlan-v100/100)#untagged 1/1/9
device-name(config-untagged-1/1/9)#igmp-snooping

3. Display IGMP snooping queries and reports information (the multicast
router with source IP address 100.1.1.33 is connected to port 1/1/9 and
a multicast host joins a multicast group with IP address 224.2.2.2 on port
1/1/7):
device-name#show igmp-snooping vlan 100 mrouters
===================================================================
Vlan ID 100 - IGMP Snooping Mrouters
===================================================================
Port ID: 1/1/9 Mrouters: 1
-------------------------------------------------------------------
Mrouter Ip: 100.1.1.33 Type: Dynamic
Group Ip: 224.2.2.2 Age: 244s
-------------------------------------------------------------------

device-name#show igmp-snooping vlan 100 groups


===================================================================
Vlan ID 100 - IGMP Snooping
===================================================================
Port ID: 1/1/9 Groups: 0
===================================================================
===================================================================
Port ID: 1/1/7 Groups: 0
===================================================================

device-name#show igmp-snooping vlan 100 groups


===================================================================
Vlan ID 100 - IGMP Snooping
===================================================================
Port ID: 1/1/9 Groups: 0
===================================================================


===================================================================
Port ID: 1/1/7 Groups: 1
===================================================================
===================================================================
Group IP: 224.2.2.2 Mode: Include
-------------------------------------------------------------------
SrcIp Mode Joined Host ExpTime
-------------------------------------------------------------------
100.1.1.50 Forward 258s
100.1.1.11 258s

Supported Standards, MIBs, and RFCs

Feature: IGMP Snooping
Standards: No standards are supported by this feature.
MIBs: No MIBs are supported by this feature.
RFCs:
• RFC 1112, Host Extensions for IP Multicasting
• RFC 2236, Internet Group Management Protocol, Version 2
• draft-ietf-magma-snoop-11.txt
• RFC 3376, Internet Group Management Protocol, Version 3



8 Access Control Lists (ACLs)

Overview
Access Control Lists (ACLs) are sets of numbered rules that process packets
going through the device and provide the ability to control network traffic.
Using ACLs, system administrators can filter packets that pass through a port
by defining different criteria, in order to ensure the network's security, traffic
control, and traffic rate-limitation.
These rules are processed in a sequential order, either permitting or denying the
traffic, based on the specified ACL conditions. The hardware tests the packets’
parameters against the ACLs and acts upon the first condition matched.
The main advantages in using ACLs are:
• Security—by forwarding or dropping ingress traffic, ACLs aid administrators in managing network security policies
• Traffic Control—by enforcing redirection rules, administrators can manipulate network traffic flow, thus reducing bottlenecks and congestion
• Traffic Rate Limitation—using ACLs, administrators can control traffic rate per port, according to user-defined criteria
• Quality of Service (QoS)—administrators can assign packet-handling priority to data flow, sorting the flow into eight priority queues, based on the ACL criteria. You can also use ACLs to remark ToS/DSCP values


ACL Types
An ACL is specified by a name or a number. There are four basic ACL types, each in a predefined range of numbers. Each type matches specific fields in the packets:
• Standard IP ACLs (#1–99) match the packets’ source IP address. These ACLs can match VPT and other Layer 2 header fields.
• Extended IP ACLs (#100–199) match both the source and destination IP addresses. These ACLs can also match other parameters such as protocol types and TCP/UDP port numbers. These ACLs can match VPT and other Layer 2 header fields.
• Extended MAC ACLs (#400–499) match both the source and destination MAC addresses. In addition, these ACLs can match VPT and other Layer 2 header fields.
• EtherType ACLs (#500–599) match the packets’ EtherType. These ACLs can match VPT and VLAN options if the specified EtherType is IP.

ACL Process Options


System administrators can apply ACLs to both ingress (inbound) traffic and egress (outbound) traffic:
• Ingress ACLs process incoming packets, manipulating permitted packets and forwarding them according to matched ACL conditions. Packets that do not match any of the ACLs are discarded, reducing the load on the outbound interface.
• VLAN Traffic Redirection ACLs redirect the ingress traffic that matches the conditions of the configured ACG to a VLAN. Using these ACLs, system administrators can change the traffic’s VLAN ID in the VLAN tag header, in order to forward traffic between VLANs.
• Egress ACLs are used mainly for traffic shaping, remarking and for collecting statistics, and, to a lesser extent, for traffic filtering. Egress ACLs process packets received from the inbound interface and manipulate them based on matched ACLs.
  Egress ACLs do not filter packets originated by the device (such as outgoing Telnet session packets, NTP service packets, and various broadcast packets, such as ARP requests).


Access Control Groups (ACG)


An ACG is a collection of ACLs applied to port(s) determining the process of
ingress or egress traffic.
You can apply multiple ACGs on ports.

ACL Processing Rules


In order to use ACLs effectively, it is essential to understand the ACL processing rules:
• Once an ACL is created, users can remove existing rules from it and add new ones
• The device tests the packets only until it finds the first match, which defines whether to permit or deny the packets
• If the packets do not match any of the ACLs:
  - in the case of an ingress ACL, they are denied, because the last rule is an implicit deny statement
  - in the case of an egress ACL, they are permitted (unless the user configures a rule to implicitly deny packets that do not match any of the rules)
  - in the case of a VLAN-based ACL, used for VLAN translation, they are permitted (unless the user configures a rule to implicitly deny packets that do not match any of the rules)
• Egress ACLs have no default rule. All options defined in the ACG are applied only to traffic that is explicitly defined in a permit rule.
• VLAN-based ACLs have no default rule. All options defined in the ACG are applied only to traffic that is explicitly defined in a permit rule.
• Ordered processing: when multiple ACLs are applied, they are applied in the same order in which the user applies them.
• Due to the above processing rules, the order of the rules within an ACL and the order in which the ACLs are applied are crucial.
The total number of rules for a single ACL is limited to 250.

NOTE: ACLs are applied in ascending order, i.e. the ACL with the smallest
number is applied first.
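
The processing rules above (ascending ACL numbers, first match wins, implicit deny on ingress and permit on egress or VLAN-based ACLs) can be checked offline before a rule set is applied. The following is an added example, not the device's implementation and not the device's CLI syntax: it models standard IP ACLs that match the source address only, evaluates a packet against them, and reports rules that can never match because an earlier rule already covers them. All names and the sample rule sets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Result for packets that match no rule, per the processing rules in the manual.
DEFAULT_ACTION = {"ingress": "deny", "egress": "permit", "vlan": "permit"}


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    source: str   # source network in CIDR form (standard IP ACLs match the source IP)

    @property
    def net(self):
        return ipaddress.ip_network(self.source)


def ordered_rules(acg):
    """Flatten an ACG ({acl_number: [Rule, ...]}) into evaluation order:
    ACLs in ascending number, rules in their configured order."""
    return [(num, idx, rule)
            for num in sorted(acg)
            for idx, rule in enumerate(acg[num], start=1)]


def evaluate(acg, src_ip, direction):
    """Return (action, (acl_number, rule_index)) for the first matching rule,
    or (default action for the direction, None) when nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    for num, idx, rule in ordered_rules(acg):
        if addr in rule.net:
            return rule.action, (num, idx)
    return DEFAULT_ACTION[direction], None


def shadowed_rules(acg):
    """Find rules that can never be the first match.

    Returns a list of (shadowed, shadowed_by, conflicting) where the first two
    are (acl_number, rule_index) pairs and conflicting is True when the two
    rules have different actions, i.e. the later rule's intent is lost.
    """
    seen, findings = [], []
    for num, idx, rule in ordered_rules(acg):
        for pnum, pidx, prev in seen:
            if rule.net.subnet_of(prev.net):
                findings.append(((num, idx), (pnum, pidx), rule.action != prev.action))
                break
        seen.append((num, idx, rule))
    return findings


# Constructed sample: the broad permit in ACL 10 is evaluated before both denies.
ACG = {
    20: [Rule("deny", "10.1.5.0/24")],
    10: [Rule("permit", "10.1.0.0/16"), Rule("deny", "10.1.5.7/32")],
}

# Same intent with the specific deny placed first.
FIXED = {
    10: [Rule("deny", "10.1.5.0/24"), Rule("permit", "10.1.0.0/16")],
}

if __name__ == "__main__":
    print(evaluate(ACG, "10.1.5.7", "ingress"))
    print(shadowed_rules(ACG))
    print(evaluate(FIXED, "10.1.5.7", "ingress"))
```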


Traffic Rate Limit


Traffic congestion, caused by heavy network traffic, can cause incoming packets
to be dropped.
To prevent congestion on provider networks, system administrators can use
traffic rate limiting, allocating a specific bandwidth per user port or traffic.
A traffic rate limiter monitors the incoming traffic by:
• forwarding conforming traffic (within the predefined rate)
• dropping non-conforming traffic
• marking non-conforming traffic as yellow or red

Single Rate Three Color Marker (RFC 2697)


The Single Rate Three Color Marker (srTCM) meters a traffic stream and marks it according to three parameters:
• The Committed Information Rate (CIR) determines the long-term average transmission rate
• The Committed Burst Size (CBS) determines how large traffic bursts can be before some of the traffic exceeds the rate limit
• The Excess Burst Size (EBS) determines how large traffic bursts can be before all traffic exceeds the rate limit
The traffic is then marked as follows:
• Traffic within CIR always conforms and is marked green
• Traffic that falls above CBS and below EBS is marked yellow
• Traffic that exceeds EBS is dropped or marked red


Two Rate Three Color Marker (RFC 2698)


The Two Rate Three Color Marker (trTCM) meters a traffic stream and marks it
according to the following parameters:
• The Committed Information Rate (CIR) determines the long-term average
transmission rate
• The Committed Burst Size (CBS), associated with CIR, determines how
large traffic bursts can be before some of the traffic exceeds the rate limit
• The Peak Information Rate (PIR) determines the long-term delimiter
between yellow packets and red ones
• The Peak Burst Size (PBS), associated with PIR, determines the burst size
before the traffic exceeds PIR
The traffic is then marked as follows:
• Traffic within CIR and CBS always conforms and is marked green
• Traffic not conforming to CIR and CBS but conforming to PIR and PBS is
marked yellow
• Traffic not conforming to PIR and PBS is dropped or marked red

Exceed Action
Once the packet is classified as exceeding a particular rate limit, the device:
• either drops the packet or marks it as yellow or red
• or processes the packet based on congestion avoidance mechanisms, such
as SRED or taildrop

Color-Blind and Color-Aware


Rate limiting operates in one of the following two modes:
• in Color-Blind mode, all packets are considered green upon
entering the metering process. They are marked yellow or red if the traffic
class exceeds the configured bandwidth limits
• in Color-Aware mode, the packet stream is assumed to be colored by an
upstream device before entering the metering process. In this mode the
device forwards green packets and forwards yellow and red packets
according to the defined rate-limit
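The two meters and both modes described above, written out from the token-bucket definitions in RFC 2697 and RFC 2698. This is an added example, not code from the manual or the device; the class and function names are illustrative, and rates in bytes per second with burst sizes in bytes are assumptions made to keep the arithmetic easy to follow.

```python
"""Token-bucket meters per RFC 2697 (srTCM) and RFC 2698 (trTCM).

Added illustration, not the device's implementation. Assumed units:
rates in bytes/second, burst sizes in bytes, timestamps in seconds
(timestamps must not go backwards).
"""
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SrTCM:
    """Single rate: CIR fills bucket C (size CBS); overflow fills E (size EBS)."""
    cir: float
    cbs: int
    ebs: int
    color_aware: bool = False

    def __post_init__(self):
        # Both buckets start full, as the RFC specifies.
        self.tc, self.te, self.last = float(self.cbs), float(self.ebs), 0.0

    def meter(self, now, size, color=GREEN):
        # Refill: tokens go to C first; only what C cannot hold spills into E.
        tokens = (now - self.last) * self.cir
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)
        if not self.color_aware:
            color = GREEN  # color-blind: any upstream marking is ignored
        if color == GREEN and self.tc >= size:
            self.tc -= size
            return GREEN
        if color in (GREEN, YELLOW) and self.te >= size:
            self.te -= size
            return YELLOW
        return RED


@dataclass
class TrTCM:
    """Two rates: CIR fills bucket C (size CBS), PIR fills bucket P (size PBS)."""
    cir: float
    cbs: int
    pir: float
    pbs: int
    color_aware: bool = False

    def __post_init__(self):
        self.tc, self.tp, self.last = float(self.cbs), float(self.pbs), 0.0

    def meter(self, now, size, color=GREEN):
        # Refill: the two buckets fill independently, each capped at its size.
        dt = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + dt * self.cir)
        self.tp = min(self.pbs, self.tp + dt * self.pir)
        if not self.color_aware:
            color = GREEN
        if color == RED or self.tp < size:
            return RED     # exceeds the peak rate: no tokens are consumed
        if color == YELLOW or self.tc < size:
            self.tp -= size
            return YELLOW  # within peak, above committed
        self.tp -= size
        self.tc -= size
        return GREEN


def run(meter, packets):
    """Meter (time_s, size_bytes, incoming_color) tuples; return the colors."""
    return [meter.meter(t, size, color) for t, size, color in packets]


# Constructed sample: six 1000-byte packets back-to-back, one more a second later.
BURST = [(0.0, 1000, GREEN)] * 6 + [(1.0, 1000, GREEN)]
# Constructed sample: a stream already colored by an upstream device.
PRECOLORED = [(0.0, 1000, YELLOW), (0.0, 1000, RED), (0.0, 1000, GREEN)]

if __name__ == "__main__":
    print("srTCM      ", run(SrTCM(1000, 2000, 3000), BURST))
    print("trTCM      ", run(TrTCM(1000, 2000, 2000, 4000), BURST))
    print("color-blind", run(TrTCM(1000, 2000, 2000, 4000), PRECOLORED))
    print("color-aware", run(TrTCM(1000, 2000, 2000, 4000, True), PRECOLORED))
```

In color-blind mode the meter recolors the pre-marked stream from scratch, while in color-aware mode a packet can keep its color or be demoted but is never promoted.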


ACLs Configuration Flow

Figure 8-1: ACLs Configuration Flow


ACLs Commands

ACLs Commands’ Hierarchy

ACLs Monitoring Profiles Commands’ Hierarchy
+ root
+ config terminal
+ [no] access-group-monitoring-profile <profile-id>
- [no] enable-statistics PROFILE
- show running-config access-group-monitoring-profile [<profile-id>] enable-statistics PROFILE

IP ACLs Commands’ Hierarchy


+ root
+ config terminal
+ [no] ip access-list standard {NAME | <acl-number>}
- [no] remark REMARK
+ [no] rule <value>
- action {deny | permit}
- [no] dscp <value>
- [no] fc <value>
- [no] inner-vlan <vlan-id> [inner-vlan-mask
<vlan-mask>]
- [no] inner-vpt <priority>
- source_ip A.B.C.D/MASK
- [no] untagged
- [no] vlan <vlan-id> [vlan-mask <vlan-mask>]
- [no] vpt <priority>
+ [no] ip access-list extended {NAME | <acl-number>}
- [no] remark REMARK
+ [no] rule <value>
- action {deny | permit}
- destination_ip A.B.C.D/MASK
- [no] fc <value>
- [no] inner-vlan <vlan-id> [inner-vlan-mask
<vlan-mask>]
- [no] inner-vpt <priority>
- [no] precedence TYPE
+ protocol TYPE
- [no] established
- [no] icmp-code <value>
- [no] icmp-type <value>
- [no] tcp-source-port <value>
- [no] tcp-destination-port <value>
- [no] udp-source-port <value>
- [no] udp-destination-port <value>
- source_ip A.B.C.D/MASK
- [no] tos <value>
- [no] untagged
- [no] vlan <vlan-id> [vlan-mask <vlan-mask>]
- [no] vpt <priority>
- [no] dscp <value>
+ [no] port UU/SS/PP
+ [no] ip-access-group-standard {NAME | <acl-number>}
in
- [no] fc <value>
- color {red | green | yellow}
- [no] monitoring-profile <profile-id>
+ [no] rate-limit {dual | single}
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- exceed-action {drop | mark-yellow |
mark-red}
- [no] redirect UU/SS/PP
+ [no] ip-access-group-standard {NAME | <acl-number>}
vlan
- [no] vlan <vlan-id>
- [no] add-vlan <vlan-id>
+ [no] ip-access-group-standard {NAME | <acl-number>}
out
- [no] monitoring-profile <profile-id>
+ [no] rate-limit {dual | single}
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- exceed-action drop
- [no] dscp <value>
- [no] inner-vpt <priority>
- [no] vpt <priority>
+ [no] ip-access-group-extended {NAME | <acl-number>}
in
+ [no] fc <value>
- color {red | green | yellow}
- [no] monitoring-profile <profile-id>
+ [no] rate-limit {dual | single}
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- exceed-action {drop | mark-yellow |
mark-red}
- [no] redirect UU/SS/PP
+ [no] ip-access-group-extended {NAME | <acl-number>}
vlan
- [no] vlan <vlan-id>
- [no] add-vlan <vlan-id>
+ [no] ip-access-group-extended {NAME | <acl-number>}
out
- [no] monitoring-profile <profile-id> (not
supported)
+ [no] rate-limit {dual | single}
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- exceed-action drop
- [no] dscp <value>
- [no] inner-vpt <priority>
- [no] vpt <priority>
- show port ip-access-group-standard [NAME | <acl-number>] [in |
out | vlan] [monitoring-profile <profile-id> [statistics
[fbrs-green-bps | fbrs-green-fps | fbrs-match-counter-bps |
fbrs-match-counter-fps | fbrs-not-green-bps | fbrs-not-green-fps |
fbrs-not-red-bps | fbrs-not-red-fps | fbrs-red-bps |
fbrs-red-fps | fbrs-yellow-bps | fbrs-yellow-fps | green-bps |
green-fps | match-counter-bps | match-counter-fps | not-green-bps |
not-green-fps | not-red-bps | not-red-fps | red-bps |
red-fps | yellow-bps | yellow-fps]]]
- show port ip-access-group-extended [NAME | <acl-number>] [in |
out | vlan] [monitoring-profile <profile-id> [statistics
[fbrs-green-bps | fbrs-green-fps | fbrs-match-counter-bps |
fbrs-match-counter-fps | fbrs-not-green-bps | fbrs-not-green-fps |
fbrs-not-red-bps | fbrs-not-red-fps | fbrs-red-bps |
fbrs-red-fps | fbrs-yellow-bps | fbrs-yellow-fps | green-bps |
green-fps | match-counter-bps | match-counter-fps | not-green-bps |
not-green-fps | not-red-bps | not-red-fps | red-bps |
red-fps | yellow-bps | yellow-fps]]]
- show running-config ip access-list
- show running-config ip access-list standard [NAME | <acl-number>]
[remark REMARK | rule {<rule> | {action {deny | permit} |
inner-vlan <vlan-id> [inner-vlan-mask <VLAN mask>] | inner-vpt
<priority> | source_ip A.B.C.D/MASK | untagged |
vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt <priority>}}]
- show running-config ip access-list extended [NAME | <acl-number>]
[remark REMARK | rule {<rule> | {action {deny | permit} |
destination_ip A.B.C.D/MASK | established | icmp-code <value>
| icmp-type <value> | inner-vlan <vlan-id> [inner-vlan-mask
<vlan-mask>] | inner-vpt <priority> | precedence TYPE |
protocol <type> | source_ip A.B.C.D/MASK |
tcp-destination-port <value> | tcp-source-port <value> | tos <value> |
udp-destination-port <value> | udp-source-port <value> | untagged
| vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt <priority>}}]

MAC ACLs Commands’ Hierarchy


+ root
+ config terminal
+ [no] mac access-list {NAME | <acl-number>}
- [no] remark REMARK
+ [no] rule <value>
- action {deny | permit}
- [no] da-type <type>
- destination_mac HH:HH:HH:HH:HH:HH
destination_mac_mask HH:HH:HH:HH:HH:HH
- [no] fc <value>
- [no] inner-vlan <vlan-id> [inner-vlan-mask
<vlan-mask>]
- [no] inner-vpt <priority>
- precedence TYPE
- source_mac HH:HH:HH:HH:HH:HH source_mac_mask
HH:HH:HH:HH:HH:HH
- [no] tos <value>
- [no] untagged
- [no] vlan <vlan-id> [vlan-mask <vlan-mask>]
- [no] vpt <priority>
- [no] dscp <value>
+ [no] port UU/SS/PP
+ [no] mac-access-group {NAME | <acl-number>} in
- [no] fc <value>
- color {red | green | yellow}
- [no] monitoring-profile <profile-id>
+ [no] rate-limit {dual | single}
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- exceed-action {drop | mark-yellow |
mark-red}
- [no] redirect UU/SS/PP
+ [no] mac-access-group {NAME | <acl-number>} vlan
- [no] vlan <vlan-id>
- [no] add-vlan <vlan-id>
+ [no] mac-access-group {NAME | <acl-number>} out
- [no] monitoring-profile <profile-id>
+ [no] rate-limit {dual | single}
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- exceed-action drop
- [no] dscp <value>
- [no] inner-vpt <priority>
- [no] vpt <priority>
- show port mac-access-group [NAME | <acl-number>] [in | out |
vlan] [monitoring-profile <profile-id> [statistics [fbrs-green-bps |
fbrs-green-fps | fbrs-match-counter-bps | fbrs-match-counter-fps |
fbrs-not-green-bps | fbrs-not-green-fps | fbrs-not-red-bps |
fbrs-not-red-fps | fbrs-red-bps | fbrs-red-fps | fbrs-yellow-bps |
fbrs-yellow-fps | green-bps | green-fps | match-counter-bps |
match-counter-fps | not-green-bps | not-green-fps | not-red-bps |
not-red-fps | red-bps | red-fps | yellow-bps | yellow-fps]]]
- show running-config mac access-list
- show running-config mac access-list [NAME | <acl-number>] [remark
REMARK | rule {<rule> | {action {deny | permit} | da-type <type> |
destination_mac HH:HH:HH:HH:HH:HH destination_mac_mask HH:HH:HH:HH:HH:HH |
inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>] | inner-vpt <priority> |
precedence TYPE | source_mac HH:HH:HH:HH:HH:HH source_mac_mask
HH:HH:HH:HH:HH:HH | tos <value> | untagged | vlan <vlan-id>
[vlan-mask <vlan-mask>] | vpt <priority>}}]


Ethertype ACLs Commands’ Hierarchy


+ root
+ config terminal
+ [no] ether-type access-list {NAME | <acl-number>}
- [no] remark REMARK
+ [no] rule <rule>
- action {deny | permit}
- [no] ether-type <type>
- [no] fc <value>
- [no] inner-vlan <vlan-id> [inner-vlan-mask
<vlan-mask>]
- [no] inner-vpt <priority>
- [no] precedence TYPE
- [no] tos <value>
- [no] vlan <vlan-id> [vlan-mask <vlan-mask>]
- [no] vpt <priority>
- [no] dscp <value>
+ [no] port UU/SS/PP
+ [no] ether-type-access-group {NAME | <acl-number>} in
- [no] fc <value>
- color {red | green | yellow}
- [no] monitoring-profile <profile-id>
+ [no] rate-limit {dual | single}
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- exceed-action {drop | mark-yellow |
mark-red}
- [no] redirect UU/SS/PP
+ [no] ether-type-access-group {NAME | <acl-number>}
vlan
- [no] vlan <vlan-id>
- [no] add-vlan <vlan-id>
+ [no] ether-type-access-group {NAME | <acl-number>}
out
- [no] monitoring-profile <profile-id> (not
supported)
+ [no] rate-limit {dual | single}
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- exceed-action drop
- [no] dscp <value>
- [no] inner-vpt <priority>
- [no] vpt <priority>
- show port ether-type-access-group [NAME | <acl-number>] [in | out
| vlan] [monitoring-profile <profile-id> [statistics [fbrs-green-bps |
fbrs-green-fps | fbrs-match-counter-bps | fbrs-match-counter-fps |
fbrs-not-green-bps | fbrs-not-green-fps | fbrs-not-red-bps |
fbrs-not-red-fps | fbrs-red-bps | fbrs-red-fps | fbrs-yellow-bps |
fbrs-yellow-fps | green-bps | green-fps | match-counter-bps |
match-counter-fps | not-green-bps | not-green-fps | not-red-bps |
not-red-fps | red-bps | red-fps | yellow-bps | yellow-fps]]]
- show running-config ether-type access-list
- show running-config ether-type access-list [NAME | <acl-number>]
[remark REMARK | rule {<value> | {action {deny | permit} |
ether-type <type> | inner-vlan <vlan-id> [inner-vlan-mask
<vlan-mask>] | inner-vpt <priority> | precedence TYPE | tos
<value> | vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt
<priority>}}]

ACLs Commands’ Descriptions


Table 8-1: Monitoring Profile Commands

Command Description
config terminal Enters the Configuration mode
access-group-monitoring-profile <profile-id>
Defines a monitoring profile and enters the specific Profile Configuration mode.
• profile-id: any number
no access-group-monitoring-profile [<profile-id>]
Removes the configured monitoring profiles:
• profile-id: (optional) any number
enable-statistics PROFILE Defines statistics:
• PROFILE: see Table 8-9
no enable-statistics [PROFILE] Removes the definition:
• PROFILE: (optional) see Table 8-9
show running-config access-group-monitoring-profile [<profile-id>] enable-statistics PROFILE
Displays information about the monitoring profiles:
• profile-id: any number
• PROFILE: see Table 8-9


Table 8-2: IP ACLs Configuration Commands

Command Description
config terminal Enters the Configuration mode
ip access-list standard {NAME |
<acl-number>}
Defines a standard IP ACL and enters
the standard IP ACL Configuration
mode:
• NAME: a string of
<1–10> characters
• acl-number: in the range
of <1-99>
no ip access-list standard [NAME | <acl-number>]
Removes the selected standard IP ACL:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional) in the range of <1-99>
remark REMARK Associates a remark to a standard IP
ACL:
• REMARK: a string of
<1–30> characters
no remark Removes the remark
rule <value>
Creates a standard IP ACL rule for filtering traffic and enters the Rule
Configuration mode:
• value: in the range of <1-250>
no rule [<value>] Removes the standard IP ACL rule:
• value: (optional) in the range of <1-250>
action {deny | permit}
Defines the rule conditions:
• deny: denies packets
• permit: permits packets
fc <value> (only for egress ACLs) Defines a
mapping of egress ACL to forwarding
class (FC):
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value

inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>]
Denies a specific VLAN ID and mask for the inner IP-header:
• vlan-id: in the range of <1-4092>
• vlan-mask: in hexadecimal format FF:FF:FF:FF. Use 0 for meaningful bits
(exact-match) and F for meaningless bits (any). The last 4 bits are meaningful.
no inner-vlan [<vlan-id>] [inner-vlan-mask [<vlan-mask>]]
Removes the selected inner-VLAN and inner-mask:
• vlan-id: (optional) in the range of <1-4092>
• vlan-mask: (optional) in hexadecimal format FF:FF:FF:FF
inner-vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the inner-
VLAN tag header:
• priority: in the range
of <0-7>
no inner-vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
source_ip A.B.C.D/MASK
Defines the packet’s source-address:
• A.B.C.D/MASK: source IP-address/source mask. Use keyword any when source
IP-address/source-mask is 0.0.0.0/255.255.255.255 (any host)
untagged The ACL rule matches untagged packets
only
• Both tagged and untagged
no untagged Restores to default

vlan <vlan-id> [vlan-mask <vlan-mask>]
Denies a specific VLAN ID and mask for the outer IP-header:
• vlan-id: in the range of <1-4092>
• vlan-mask: in hexadecimal format FF:FF:FF:FF. Use 0 for meaningful bits
(exact-match) and F for meaningless bits (any). The last 4 bits are meaningful.
no vlan [<vlan-id>] [vlan-mask [<vlan-mask>]]
Removes the selected outer-VLAN and outer-mask:
• vlan-id: (optional) in the range of 1-4092
• vlan-mask: (optional) in hexadecimal format FF:FF:FF:FF
vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the outer-
VLAN tag header:
• priority: in the range
of <0-7>
no vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
dscp <value> Defines the packet’s filtering by the
DSCP value in the IP header of the
packet:
• value: in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
ip access-list extended {NAME |
<acl-number>}
Defines an extended IP ACL and enters
the extended IP ACL Configuration
mode:
• NAME: a string of
<1–10> characters
• acl-number: in the range
of <100-199>
no ip access-list extended [NAME | <acl-number>]
Removes the selected extended IP ACL:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional) in the range of <100-199>
remark REMARK Associates a remark to an extended IP
ACL:
• REMARK: a string of <1–30> characters
no remark Removes the remark
rule <value>
Creates an extended IP ACL rule for filtering traffic and enters the Rule
Configuration mode:
• value: in the range of <1-250>
no rule [<value>] Removes the extended IP ACL rule:
• value: (optional) in the range of <1-250>
action {deny | permit}
Defines the rule conditions:
• deny: denies packets
• permit: permits packets
destination_ip A.B.C.D/MASK
Defines the packet’s destination-address:
• A.B.C.D/MASK: destination IP-address/destination mask. Use keyword any
when destination IP-address/destination-mask is 0.0.0.0/255.255.255.255
(any host)
fc <value> (only for egress ACLs) Defines a
mapping of egress ACL to forwarding
class (FC):
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value

inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>]
Denies a specific VLAN ID and mask for the inner IP-header:
• vlan-id: in the range of <1-4092>
• vlan-mask: in hexadecimal format FF:FF:FF:FF. Use 0 for meaningful bits
(exact-match) and F for meaningless bits (any)
no inner-vlan [<vlan-id>] [inner-vlan-mask [<vlan-mask>]]
Removes the selected inner-VLAN and inner-mask:
• vlan-id: (optional) in the range of <1-4092>
• vlan-mask: (optional) in hexadecimal format FF:FF:FF:FF
inner-vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the inner-
VLAN tag header:
• priority: in the range
of <0-7>
no inner-vpt Removes the priority
precedence TYPE The ACL rule matches packets by the
literal precedence values:
• TYPE: see Table 8-11
no precedence Removes the precedence value
protocol TYPE
Specifies the name or a number of an IP protocol:
• TYPE: tcp, udp, ip, ipinip, igmp, icmp or IP protocol numbers in the range
of <0–255>, representing an IP protocol number
(http://www.iana.org/assignments/protocol-numbers (RFC5237)). To match any
Internet protocol, use the keyword ip. Some protocols allow further
qualifiers, as described below
established (valid for TCP protocol only) indicates
an established connection. A match
occurs if the TCP datagram has the
ACK or RST bits set.
The packets that do not match are TCP
packets sent to initialize a TCP session.
no established (valid for TCP protocol only) removes
the established connection
icmp-code <value> (valid for ICMP protocol only) matches
ICMP packets by the ICMP message
code:
• value: in the range of
<0–255> or a valid
literal ICMP message
code (see Table 8-13)
no icmp-code Removes the ICMP message code
icmp-type <value> (valid for ICMP protocol only) matches
ICMP packets by the ICMP message
type:
• value: in the range of
<0–255> or a valid
literal ICMP message
type (see Table 8-11)
no icmp-type Removes the ICMP message type
tcp-source-port <value> (valid for TCP protocol only) defines
the decimal number or a name of source
TCP port. Use TCP port’s names when
filtering TCP packets only:
• value: in the range of
<0–65535> or a TCP port
literal value (see Table
8-14)
no tcp-source-port Removes the TCP source port’s literal
value
tcp-destination-port <value> (valid for TCP protocol only) defines
the decimal number or a name of
destination TCP port. Use TCP port’s
names when filtering TCP packets only:
• value: in the range of
<0–65535> or a TCP port
literal value (see Table
8-14)
no tcp-destination-port Removes the TCP destination port’s
literal value

udp-source-port <value> (valid for UDP protocol only) defines
the decimal number or a name of source
UDP port. Use UDP port’s names when
filtering UDP packets only:
• value: in the range of
<0–65535> or a UDP port
literal value (see Table
8-15)
no udp-source-port Removes the UDP source port’s literal
value
udp-destination-port <value> (valid for UDP protocol only) defines
the decimal number or a name of a UDP
destination port. Use UDP port’s names
when filtering UDP packets only:
• value: in the range of
<0–65535> or a UDP port
literal value (see Table
8-15)
no udp-destination-port Removes the UDP destination port’s
literal value
source_ip A.B.C.D/MASK
Defines the packet’s source-address:
• A.B.C.D/MASK: source IP-address/source mask. Use keyword any when source
IP-address/source-mask is 0.0.0.0/255.255.255.255 (any host)
tos <value> The ACL rule matches packets by the
service level type:
• value: in the range of
<0–15> or a valid
literal ToS value (see
Table 8-10)
no tos Removes the valid literal ToS value
untagged The ACL rule matches untagged packets
only
• Both tagged and untagged
no untagged Restores to default

vlan <vlan-id> [vlan-mask <vlan-mask>]
Denies a specific VLAN ID and mask for the outer IP-header:
• vlan-id: in the range of <1-4092>
• vlan-mask: in hexadecimal format FF:FF:FF:FF. Use 0 for meaningful bits
(exact-match) and F for meaningless bits (any). The last 4 bits are meaningful.
no vlan [<vlan-id>] [vlan-mask [<vlan-mask>]]
Removes the selected outer-VLAN and outer-mask:
• vlan-id: (optional) in the range of <1-4092>
• vlan-mask: (optional) in hexadecimal format FF:FF:FF:FF
vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the outer-
VLAN tag header:
• priority: in the range
of <0-7>
no vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
dscp <value> Defines the packet’s filtering by the
DSCP value in the IP header of the
packet:
• value: in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
port UU/SS/PP Enters the Port’s Configuration mode
no port [UU/SS/PP] Removes the port configurations

ip-access-group-standard {NAME | <acl-number>} {in | out | vlan}
Assigns an IP ACG to a port and enters the IP ACG Configuration mode:
• NAME: a string of <1–10> characters
• acl-number: in the range of <1-99>
• in: filters the ingress traffic only
• out: filters the egress traffic only
• vlan: redirects the matching ingress traffic to a VLAN
• Deny any
no ip-access-group-standard [NAME | <acl-number>] [in | out | vlan]
Removes the specified IP ACG:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional) in the range of <1-99>
• in: (optional) filters the ingress traffic only
• out: (optional) filters the egress traffic only
• vlan: redirects the matching ingress traffic to a VLAN
• Deny any
fc <value> (Only for ) Applies forwarding class
(FC) mapping on ACG (only the ingress
traffic) and enters the FC Configuration
mode:
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value
color {red | green | yellow} Defines the conforming level:
• red: the non-conforming
drop level
• green: the conforming
drop level
• yellow: the partially
conforming level

monitoring-profile <profile-id> Enables bandwidth counters per ACL
rules:
• profile-id: any number.
Up to 24 profiles can be
defined.
no monitoring-profile [<profile-id>]
Disables the bandwidth monitoring:
• profile-id: (optional) any number
rate-limit {dual | single} Applies a rate-limit on the ACG for the
specified port and enters the Rate-Limit
Configuration mode:
• dual: the Two Rate Three
Color Marker (RFC 2698)
• single: the Single Rate
Three Color Marker (RFC
2697)
no rate-limit [dual | single] Removes the rate limit from the
configured ACG:
• dual: (optional) the Two
Rate Three Color Marker
(RFC 2698)
• single: (optional) the
Single Rate Three Color
Marker (RFC 2697)
cbs <value> Defines the Committed Burst Size
(CBS):
• value: in the range of
<1–1048575> KB
cir <value> Defines the Committed Information
Rate (CIR):
• value: in the range of
<1–1048575> Kbps
color-aware Enables the color-aware mode
• Color blind
pbs <value> (only for dual rate) Defines the Peak
Burst Size (PBS):
• value: in the range of
<1–1048575> KB
pir <value> (only for dual rate) Defines the Peak
Information Rate (PIR):
• value: in the range of
<1–1048575> Kbps
ebs <value> (only for single rate) Defines the Excess
Burst Size (EBS):
• value: in the range of
<1–1048575> KB

exceed-action {drop | mark-yellow | mark-red}
The action performed once the packet is classified as exceeding a particular
rate limit:
• drop: drops the packet
• mark-yellow: marks the packet as yellow
• mark-red: marks the packet as red
• Drop
no exceed-action [drop | mark-yellow | mark-red]
Restores to default
redirect UU/SS/PP Redirects matching traffic to the
specified port:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
no redirect [UU/SS/PP] Removes the traffic redirection from the
specified port:
• UU/SS/PP: (optional) 1/1/1-1/1/24, 1/2/1-1/2/4
vlan <vlan-id> Redirects matching traffic to the
specified VLAN by changing the VLAN
ID in the packet header:
• vlan-id: in the range of
<1-4092>
no vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
add-vlan <vlan-id> Redirects matching traffic to the
specified VLAN by adding a VLAN tag
to the untagged frame, or an additional
VLAN tag to the VLAN-tagged frame:
• vlan-id: in the range of
<1-4092>
no add-vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
dscp <value> Changes the DSCP value in the IP
header of the packet:
• value: the new DSCP
value in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value

inner-vpt <priority> Changes the VLAN Priority Tag (VPT)
in the inner-VLAN tag header:
• priority: the new VPT
value in the range of
<0–7>
no inner-vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
vpt <priority> Changes the VLAN Priority Tag (VPT)
in the outer-VLAN tag header:
• priority: the new VPT
value in the range of
<0-7>
no vpt [<priority>] Removes the defined VPT:
• priority: (optional) in the range of <0–7>
ip-access-group-extended {NAME | <acl-number>} {in | out | vlan}
Assigns an IP ACG to a port and enters the IP ACG Configuration mode:
• NAME: a string of <1–10> characters
• acl-number: in the range of <100-199>
• in: filters the ingress traffic only
• out: filters the egress traffic only
• vlan: redirects the matching ingress traffic to a VLAN
no ip-access-group-extended [NAME | <acl-number>] [in | out | vlan]
Removes the specified IP ACG:
• NAME: (optional) a string of 1–10 characters
• acl-number: (optional) in the range of <100-199>
• in: (optional) filters the ingress traffic only
• out: (optional) filters the egress traffic only
• vlan: redirects the matching ingress traffic to a VLAN
fc <value> Applies forwarding class (FC) mapping
on ACG (only the ingress traffic) and
enters the FC Configuration mode:
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value
color {red | green | yellow} Defines the conforming level:
• red: the non-conforming
drop level
• green: the conforming
drop level
• yellow: the partially
conforming level
monitoring-profile <profile-id> Enables bandwidth counters per ACL
rules:
• profile-id: any number.
Up to 24 profiles can be
defined.
• Disabled
no monitoring-profile [<profile-id>]
Disables the bandwidth monitoring:
• profile-id: (optional) any number
rate-limit {dual | single} Applies a rate-limit on the ACG for the
specified port and enters the Rate-Limit
Configuration mode:
• dual: the Two Rate Three
Color Marker (RFC 2698)
• single: the Single Rate
Three Color Marker (RFC
2697)
no rate-limit [dual | single] Removes the rate limit from the
configured ACG:
• dual: (optional) the Two
Rate Three Color Marker
(RFC 2698)
• single: (optional) the
Single Rate Three Color
Marker (RFC 2697)
cbs <value> Defines the Committed Burst Size
(CBS):
• value: in the range of
<1–1048575> KB
cir <value> Defines the Committed Information
Rate (CIR):
• value: in the range of
<1–1048575> Kbps

color-aware Enables the color-aware mode
• Color blind
ebs <value> (only for single rate) Defines the Excess
Burst Size (EBS):
• value: in the range of
<1–1048575> KB
pbs <value> (only for dual rate) Defines the Peak
Burst Size (PBS):
• value: in the range of
<1–1048575> KB
pir <value> (only for dual rate) Defines the Peak
Information Rate (PIR):
• value: in the range of
<1–1048575> Kbps
exceed-action {drop | mark-yellow | mark-red}
The action performed once the packet is classified as exceeding a particular
rate limit:
• drop: drops the packet
• mark-yellow: marks the packet as yellow
• mark-red: marks the packet as red
• Drop
no exceed-action [drop | mark-yellow | mark-red]
Restores to default
redirect UU/SS/PP Redirects matching traffic to the
specified port:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
no redirect [UU/SS/PP] Removes the traffic redirection from the
specified port:
• UU/SS/PP: (optional) 1/1/1-1/1/24, 1/2/1-1/2/4
vlan <vlan-id> Redirects matching traffic to the
specified VLAN by changing the VLAN
ID in the packet header:
• vlan-id: in the range of
<1-4092>
no vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>

add-vlan <vlan-id> Redirects matching traffic to the
specified VLAN by tagging the
untagged traffic and adding an
additional tag to tagged traffic:
• vlan-id: in the range of
<1-4092>
no add-vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
dscp <value> Changes the DSCP value in the IP
header of the packet:
• value: the new DSCP
value in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
inner-vpt <priority> Changes the VLAN Priority Tag (VPT)
in the inner-VLAN tag header:
• priority: the new VPT
value in the range of
<0–7>
no inner-vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
vpt <priority> Changes the VLAN Priority Tag (VPT)
in the outer-VLAN tag header:
• priority: the new VPT
value in the range of
<0-7>
no vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>


Table 8-3: IP ACLs Show Commands

Command Description
show port ip-access-group-standard [NAME | <acl-number>] [in | out | vlan]
[monitoring-profile <profile-id> [statistics [fbrs-green-bps |
fbrs-green-fps | fbrs-match-counter-bps | fbrs-match-counter-fps |
fbrs-not-green-bps | fbrs-not-green-fps | fbrs-not-red-bps |
fbrs-not-red-fps | fbrs-red-bps | fbrs-red-fps | fbrs-yellow-bps |
fbrs-yellow-fps | green-bps | green-fps | match-counter-bps |
match-counter-fps | not-green-bps | not-green-fps | not-red-bps |
not-red-fps | red-bps | red-fps | yellow-bps | yellow-fps]]]
Displays the standard IP ACGs configured on ports:
• NAME: a string of <1–10> characters
• acl-number: in the range of <1-99>
• in: only ingress ACGs
• out: only egress ACGs
• monitoring-profile statistics: counts match packets
• profile-id: any number
• vlan: only VLAN traffic redirection ACLs
show port ip-access-group-extended [NAME | <acl-number>] [in | out | vlan]
[monitoring-profile <profile-id> [statistics [fbrs-green-bps |
fbrs-green-fps | fbrs-match-counter-bps | fbrs-match-counter-fps |
fbrs-not-green-bps | fbrs-not-green-fps | fbrs-not-red-bps |
fbrs-not-red-fps | fbrs-red-bps | fbrs-red-fps | fbrs-yellow-bps |
fbrs-yellow-fps | green-bps | green-fps | match-counter-bps |
match-counter-fps | not-green-bps | not-green-fps | not-red-bps |
not-red-fps | red-bps | red-fps | yellow-bps | yellow-fps]]]
Displays information about the extended IP ACGs, filtered by the commands’ arguments:
• NAME: a string of <1–10> characters
• acl-number: in the range of <100-199>
• in: only ingress ACGs
• out: only egress ACGs
• monitoring-profile statistics: counts match packets
• profile-id: any number
• vlan: only VLAN traffic redirection ACLs
show running-config ip access-list
Displays the configured IP ACLs
show running-config ip access-list standard [NAME | <1-99>]
[remark REMARK | rule {<1-250> | {action {deny | permit} |
inner-vlan <vlan-id> [inner-vlan-mask <VLAN mask>] |
inner-vpt <priority> | source_ip A.B.C.D/MASK | untagged |
vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt <priority>}}]
Displays information about the standard IP ACLs, filtered by the commands’ arguments

show running-config ip access-list extended [NAME | <100-199>]
[remark REMARK | rule {<1-250> | {action {deny | permit} |
destination_ip A.B.C.D/MASK | established | icmp-code <value> |
icmp-type <value> | inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>] |
inner-vpt <priority> | precedence TYPE | protocol <type> |
source_ip A.B.C.D/MASK | tcp-destination-port <value> |
tcp-source-port <value> | tos {<0-7> | max-reliability |
max-throughput | min-delay | min-monetary-cost | normal} |
udp-destination-port <value> | udp-source-port <value> | untagged |
vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt <priority>}}]
Displays information about the extended IP ACLs, filtered by the commands’ arguments

Table 8-4: MAC ACLs Configuration Commands

Command Description
config terminal Enters the Configuration mode
mac access-list {NAME | <acl-number>}
Defines an extended MAC ACL and enters the MAC ACL Configuration mode:
• NAME: a string of <1–10> characters
• acl-number: in the range of <400-499>
no mac access-list [NAME | <acl-number>]
Removes the selected extended MAC ACL:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional) in the range of <400-499>
remark REMARK Associates a remark to an extended
MAC ACL:
• REMARK: a string of
<1–30> characters
no remark Removes the remark

rule <value>
Creates an extended MAC ACL rule for filtering traffic and enters the Rule Configuration mode:
• value: in the range of <1-250>
no rule [<value>]
Removes the extended MAC ACL rule:
• value: (optional) in the range of <1-250>
action {deny | permit}
Defines the rule conditions:
• deny: denies packets
• permit: permits packets
da-type <type> Defines the traffic type:
• type: see Table 8-8
no da-type [<type>] Removes the traffic type:
• type: (optional) see
Table 8-8
destination_mac HH:HH:HH:HH:HH:HH destination_mac_mask HH:HH:HH:HH:HH:HH
Defines the destination MAC address and mask the packet is sent to:
• HH:HH:HH:HH:HH:HH: MAC address and mask in hexadecimal format. The any keyword represents all MAC addresses
fc <value> (only for egress ACLs) Defines a
mapping of egress ACL to forwarding
class (FC):
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value
inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>]
Denies a specific VLAN ID and mask for the inner IP-header:
• vlan-id: in the range of <1-4092>
• vlan-mask: in hexadecimal format FF:FF:FF:FF. Use 0 for meaningful bits (exact-match) and F for meaningless bits (any)

no inner-vlan [<vlan-id>] [inner-vlan-mask [<vlan-mask>]]
Removes the selected inner-VLAN and inner-mask:
• vlan-id: (optional) in the range of <1-4092>
• vlan-mask: (optional) in hexadecimal format FF:FF:FF:FF
inner-vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the inner-
VLAN tag header:
• priority: in the range
of <0-7>
no inner-vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
precedence TYPE The ACL rule matches packets by the
literal precedence values:
• TYPE: see Table 8-11
no precedence Removes the precedence value
source_mac HH:HH:HH:HH:HH:HH source_mac_mask HH:HH:HH:HH:HH:HH
Defines the packet’s source MAC-address and mask:
• HH:HH:HH:HH:HH:HH: MAC address and mask in hexadecimal format. The any keyword represents all MAC addresses
tos <value> The ACL rule matches packets by the
service level type:
• value: in the range of
<0–15> or a valid
literal ToS value (see
Table 8-10)
no tos Removes the valid literal ToS value
untagged The ACL rule matches untagged packets
only
• Both tagged and untagged
no untagged Restores to default

vlan <vlan-id> [vlan-mask <vlan-mask>]
Denies a specific VLAN ID and mask for the outer IP-header:
• vlan-id: in the range of <1-4092>
• vlan-mask: in hexadecimal format FF:FF:FF:FF. Use 0 for meaningful bits (exact-match) and F for meaningless bits (any). The last 4 bits are meaningful.
no vlan [<vlan-id>] [vlan-mask [<vlan-mask>]]
Removes the selected outer-VLAN and outer-mask:
• vlan-id: (optional) in the range of <1-4092>
• vlan-mask: (optional) in hexadecimal format FF:FF:FF:FF
vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the outer-
VLAN tag header:
• priority: in the range
of <0-7>
no vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
dscp <value> Defines the packet’s filtering by the
DSCP value in the IP header of the
packet:
• value: in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
port UU/SS/PP Enters the Port’s Configuration mode
no port [UU/SS/PP] Removes the port configurations

mac-access-group {NAME | <acl-number>} {in | out | vlan}
Assigns a MAC ACG to a port and enters the MAC ACG Configuration mode:
• NAME: a string of <1–10> characters
• acl-number: in the range of <400-499>
• in: filters the ingress traffic only
• out: filters the egress traffic only
• vlan: redirects the matching ingress traffic to a VLAN
no mac-access-group [NAME | <acl-number>] [in | out | vlan]
Removes the specified MAC ACG:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional) in the range of <400-499>
• in: (optional) filters the ingress traffic only
• out: (optional) filters the egress traffic only
• vlan: redirects the matching ingress traffic to a VLAN
fc <value> Applies forwarding class (FC) mapping
on ACG (only the ingress traffic) and
enters the FC Configuration mode:
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value
color {red | green | yellow} Defines the conforming level:
• red: the non-conforming
drop level
• green: the conforming
drop level
• yellow: the partially
conforming level
monitoring-profile <profile-id> Enables bandwidth counters per ACL
rules:
• profile-id: any number.
Up to 24 profiles can be
defined.

no monitoring-profile [<profile-id>]
Disables the bandwidth monitoring:
• profile-id: (optional) any number
rate-limit {dual | single} Applies a rate-limit on the ACG for the
specified port and enters the Rate-Limit
Configuration mode:
• dual: the Two Rate Three
Color Marker (RFC 2698)
• single: the Single Rate
Three Color Marker (RFC
2697)
no rate-limit [dual | single] Removes the rate limit from the
configured ACG:
• dual: (optional) the Two
Rate Three Color Marker
(RFC 2698)
• single: (optional) the Single Rate Three Color Marker (RFC 2697)
cbs <value> Defines the Committed Burst Size
(CBS):
• value: in the range of
<1–1048575> KB
cir <value> Defines the Committed Information
Rate (CIR):
• value: in the range of
<1–1048575> Kbps
color-aware Enables the color-aware mode
• Color blind
ebs <value> (only for single rate) Defines the Excess
Burst Size (EBS):
• value: in the range of
<1–1048575> KB
pbs <value> (only for dual rate) Defines the Peak
Burst Size (PBS):
• value: in the range of
<1–1048575> KB
pir <value> (only for dual rate) Defines the Peak
Information Rate (PIR):
• value: in the range of
<1–1048575> Kbps

exceed-action {drop | mark-yellow | mark-red}
The action performed once the packet is classified as exceeding a particular rate limit:
• drop: drops the packet
• mark-yellow: marks the packet as yellow
• mark-red: marks the packet as red
• Drop
no exceed-action [drop | mark-yellow | mark-red]
Restores to default
redirect UU/SS/PP Redirects matching traffic to the
specified port:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
no redirect [UU/SS/PP] Removes the traffic redirection from the
specified port:
• UU/SS/PP: (optional) 1/1/1-1/1/24, 1/2/1-1/2/4
vlan <vlan-id> Redirects matching traffic to the
specified VLAN by changing the VLAN
ID in the packet header:
• vlan-id: in the range of
<1-4092>
no vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
add-vlan <vlan-id> Redirects matching traffic to the
specified VLAN by tagging the
untagged traffic and adding an
additional tag to tagged traffic:
• vlan-id: in the range of
<1-4092>
no add-vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
dscp <value> Changes the DSCP value in the IP
header of the packet:
• value: the new DSCP
value in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value

inner-vpt <priority> Changes the VLAN Priority Tag (VPT)
in the inner-VLAN tag header:
• priority: the new VPT
value in the range of
<0–7>
no inner-vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
vpt <priority> Changes the VLAN Priority Tag (VPT)
in the outer-VLAN tag header:
• priority: the new VPT
value in the range of
<0-7>
no vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
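The rate-limit rows in Table 8-4 select between the Single Rate Three Color Marker (RFC 2697) and the Two Rate Three Color Marker (RFC 2698) and take cir, cbs, ebs, pir and pbs as parameters. The following Python code is an added example, not ECI Telecom code: it implements the color-blind form of both markers so the effect of those parameters on a burst can be checked offline. It assumes 1 Kbps = 1000 bits/s and 1 KB = 1000 bytes, which the manual does not state, and uses continuous token refill; the class names, function names and sample bursts are hypothetical.

```python
"""Color-blind srTCM (RFC 2697) and trTCM (RFC 2698) markers.

Added illustration, not vendor code. Assumed units (not stated in the
manual): 1 Kbps = 1000 bits/s and 1 KB = 1000 bytes.
"""

BYTES_PER_KB = 1000            # assumption
BYTES_PER_SEC_PER_KBPS = 125   # 1000 bits/s divided by 8


class SingleRateMarker:
    """rate-limit single: one rate (cir) feeding two buckets (cbs, ebs)."""

    def __init__(self, cir_kbps, cbs_kb, ebs_kb):
        self.rate = cir_kbps * BYTES_PER_SEC_PER_KBPS
        self.cbs = cbs_kb * BYTES_PER_KB
        self.ebs = ebs_kb * BYTES_PER_KB
        self.tc, self.te = self.cbs, self.ebs   # both buckets start full
        self.last = 0.0

    def mark(self, now, size):
        # Refill the committed bucket first; only its overflow reaches
        # the excess bucket.
        tokens = max(0.0, now - self.last) * self.rate
        self.last = max(self.last, now)
        to_committed = min(tokens, self.cbs - self.tc)
        self.tc += to_committed
        self.te = min(self.ebs, self.te + tokens - to_committed)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"


class DualRateMarker:
    """rate-limit dual: committed (cir, cbs) and peak (pir, pbs) buckets."""

    def __init__(self, cir_kbps, cbs_kb, pir_kbps, pbs_kb):
        self.cir = cir_kbps * BYTES_PER_SEC_PER_KBPS
        self.pir = pir_kbps * BYTES_PER_SEC_PER_KBPS
        self.cbs = cbs_kb * BYTES_PER_KB
        self.pbs = pbs_kb * BYTES_PER_KB
        self.tc, self.tp = self.cbs, self.pbs   # both buckets start full
        self.last = 0.0

    def mark(self, now, size):
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if self.tp < size:          # above the peak rate
            return "red"
        if self.tc < size:          # within peak, above committed
            self.tp -= size
            return "yellow"
        self.tp -= size
        self.tc -= size
        return "green"


def run(marker, arrivals):
    """Mark each (arrival_time_seconds, size_bytes) pair in order."""
    return [marker.mark(t, size) for t, size in arrivals]


# Constructed bursts of 1000-byte packets (arrival time in seconds, size).
SAMPLE_SINGLE = [(0.0, 1000)] * 4 + [(1.0, 1000)]
SAMPLE_DUAL = [(0.0, 1000)] * 3 + [(0.5, 1000)]

if __name__ == "__main__":
    print("single:", run(SingleRateMarker(8, 2, 1), SAMPLE_SINGLE))
    print("dual:  ", run(DualRateMarker(8, 1, 16, 2), SAMPLE_DUAL))
```

With exceed-action left at its default, a policer that is sized too small for normal bursts discards legitimate traffic, so replaying an expected burst through the marker before committing cir and cbs values is a useful check.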

Table 8-5: MAC ACLs Show Commands

Command Description
show port mac-access-group [NAME | <acl-number>] [in | out | vlan]
[monitoring-profile <profile-id> [statistics [fbrs-green-bps |
fbrs-green-fps | fbrs-match-counter-bps | fbrs-match-counter-fps |
fbrs-not-green-bps | fbrs-not-green-fps | fbrs-not-red-bps |
fbrs-not-red-fps | fbrs-red-bps | fbrs-red-fps | fbrs-yellow-bps |
fbrs-yellow-fps | green-bps | green-fps | match-counter-bps |
match-counter-fps | not-green-bps | not-green-fps | not-red-bps |
not-red-fps | red-bps | red-fps | yellow-bps | yellow-fps]]]
Displays the MAC ACGs:
• NAME: a string of <1–10> characters
• acl-number: in the range of <400-499>
• in: only ingress ACGs
• out: only egress ACGs
• monitoring-profile: the rate, in frames per second and bytes per second, of transmitted packets that are marked as red, green, or yellow on a selected port
• profile-id: any number
• statistics: counts match packets
• vlan: only VLAN traffic redirection ACLs
show running-config mac access-list
Displays information about the extended MAC ACLs

show running-config mac access-list [NAME | <acl-number>]
[remark REMARK | rule {<value> | {action {deny | permit} |
da-type <type> |
destination_mac HH:HH:HH:HH:HH:HH destination_mac_mask HH:HH:HH:HH:HH:HH |
inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>] |
inner-vpt <priority> | precedence TYPE |
source_mac HH:HH:HH:HH:HH:HH source_mac_mask HH:HH:HH:HH:HH:HH |
tos {<0-7> | max-reliability | max-throughput | min-delay |
min-monetary-cost | normal} | untagged |
vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt <priority>}}]
Displays information about the extended MAC ACLs, filtered by the commands’ arguments

Table 8-6: EtherType ACLs Configuration Commands

Command Description
config terminal Enters the Configuration mode
ether-type access-list {NAME | <acl-number>}
Defines an EtherType ACL and enters the EtherType ACL Configuration mode:
• NAME: a string of <1–10> characters
• acl-number: in the range of <500-599>
no ether-type access-list {NAME | <acl-number>}
Removes the selected EtherType ACL:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional) in the range of <500-599>
remark REMARK Associates a remark to an EtherType
ACL:
• REMARK: a string of
<1–30> characters
no remark Removes the remark

rule <value>
Creates an EtherType ACL rule for filtering traffic and enters the Rule Configuration mode:
• value: in the range of <1-250>
no rule [<value>]
Removes the EtherType ACL rule:
• value: (optional) in the range of <1-250>
action {deny | permit}
Defines the rule conditions:
• deny: denies packets
• permit: permits packets
ether-type <type>
Matches the hexadecimal value specifying the EtherType:
• type: see Table 8-17
no ether-type [<type>]
Removes the specified EtherType:
• type: (optional) see Table 8-17
fc <value> (only for egress ACLs) Defines a
mapping of egress ACL to forwarding
class (FC):
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value
inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>]
Denies a specific VLAN ID and mask for the inner IP-header:
• vlan-id: in the range of <1-4092>
• vlan-mask: in hexadecimal format FF:FF:FF:FF. Use 0 for meaningful bits (exact-match) and F for meaningless bits (any)
no inner-vlan [<vlan-id>] [inner-vlan-mask [<vlan-mask>]]
Removes the selected inner-VLAN and inner-mask:
• vlan-id: (optional) in the range of <1-4092>
• vlan-mask: (optional) in hexadecimal format FF:FF:FF:FF

inner-vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the inner-
VLAN tag header:
• priority: in the range
of <0-7>
no inner-vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
precedence TYPE Supported only when the value of the
EtherType field of the Ethernet frame
is 0x0800.
The ACL rule matches packets by the
literal precedence values.
• TYPE: see Table 8-11
no precedence Removes the precedence value
tos <value> Supported only when the value of the
EtherType field of the Ethernet frame
is 0x0800.
The ACL rule matches packets by the
service level type:
• value: in the range of
<0–15> or a valid
literal ToS value (see
Table 8-10)
no tos Removes the valid literal ToS value
vlan <vlan-id> [vlan-mask <vlan-mask>]
Denies a specific VLAN ID and mask for the outer IP-header:
• vlan-id: in the range of <1-4092>
• vlan-mask: in hexadecimal format FF:FF:FF:FF. Use 0 for meaningful bits (exact-match) and F for meaningless bits (any). The last 4 bits are meaningful.
no vlan [<vlan-id>] [vlan-mask [<vlan-mask>]]
Removes the selected outer-VLAN and outer-mask:
• vlan-id: (optional) in the range of <1-4092>
• vlan-mask: (optional) in hexadecimal format FF:FF:FF:FF

vpt <priority> Supported only when the value of the
EtherType field of the Ethernet frame
is 0x8100.
Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the outer-
VLAN tag header:
• priority: in the range
of <0-7>
no vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
dscp <value> Supported only when the value of the
EtherType field of the Ethernet frame
is 0x0800.
Defines the packet’s filtering by the
DSCP value in the IP header of the
packet:
• value: in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
port UU/SS/PP Enters the Port’s Configuration mode
no port [UU/SS/PP] Removes the port configurations
ether-type-access-group {NAME | <acl-number>} {in | out | vlan}
Assigns an EtherType ACG to a port and enters the EtherType ACG Configuration mode:
• NAME: a string of <1–10> characters
• acl-number: in the range of <500-599>
• in: filters the ingress traffic only
• out: filters the egress traffic only
• vlan: redirects the matching ingress traffic to a VLAN

no ether-type-access-group [NAME | <acl-number>] [in | out | vlan]
Removes the specified ether-type ACG:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional) in the range of <500-599>
• in: (optional) filters the ingress traffic only
• out: (optional) filters the egress traffic only
• vlan: redirects the matching ingress traffic to a VLAN
fc <value> Applies forwarding class (FC) mapping
on ACG (only the ingress traffic) and
enters the FC Configuration mode:
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value
color {red | green | yellow} Defines the conforming level:
• red: the non-conforming
drop level
• green: the conforming
drop level
• yellow: the partially
conforming level
monitoring-profile <profile-id> Enables bandwidth counters per ACL
rules:
• profile-id: any number.
Up to 24 profiles can be
defined.
no monitoring-profile [<profile-id>]
Disables the bandwidth monitoring:
• profile-id: (optional) any number
rate-limit {dual | single} Applies a rate-limit on the ACG for the
specified port and enters the Rate-Limit
Configuration mode:
• dual: the Two Rate Three
Color Marker (RFC 2698)
• single: the Single Rate
Three Color Marker (RFC
2697)

no rate-limit [dual | single] Removes the rate limit from the
configured ACG:
• dual: (optional) the Two
Rate Three Color Marker
(RFC 2698)
• single: (optional) the Single Rate Three Color Marker (RFC 2697)
cbs <value> Defines the Committed Burst Size
(CBS):
• value: in the range of
<1–1048575> KB
cir <value> Defines the Committed Information
Rate (CIR):
• value: in the range of
<1–1048575> Kbps
color-aware Enables the color-aware mode
• Color blind
ebs <value> (only for single rate) Defines the Excess
Burst Size (EBS):
• value: in the range of
<1–1048575> KB
pbs <value> (only for dual rate) Defines the Peak
Burst Size (PBS):
• value: in the range of
<1–1048575> KB
pir <value> (only for dual rate) Defines the Peak
Information Rate (PIR):
• value: in the range of
<1–1048575> Kbps
exceed-action {drop | mark-yellow | mark-red}
The action performed once the packet is classified as exceeding a particular rate limit:
• drop: drops the packet
• mark-yellow: marks the packet as yellow
• mark-red: marks the packet as red
• Drop
no exceed-action [drop | mark-yellow | mark-red]
Restores to default
redirect UU/SS/PP Redirects matching traffic to the
specified port:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4

no redirect [UU/SS/PP] Removes the traffic redirection from the
specified port:
• UU/SS/PP: (optional) 1/1/1-1/1/24, 1/2/1-1/2/4
vlan <vlan-id> Redirects matching traffic to the
specified VLAN by changing the VLAN
ID in the packet header:
• vlan-id: in the range of
<1-4092>
no vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
add-vlan <vlan-id> Redirects matching traffic to the
specified VLAN by tagging the
untagged traffic and adding an
additional tag to tagged traffic:
• vlan-id: in the range of
<1-4092>
no add-vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
dscp <value> Changes the DSCP value in the IP
header of the packet:
• value: the new DSCP
value in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
inner-vpt <priority> Changes the VLAN Priority Tag (VPT)
in the inner-VLAN tag header:
• priority: the new VPT
value in the range of
<0–7>
no inner-vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
vpt <priority> Changes the VLAN Priority Tag (VPT)
in the outer-VLAN tag header:
• priority: the new VPT
value in the range of
<0-7>
no vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>

Table 8-7: EtherType ACLs Show Commands

Command Description
show port ether-type-access-group [NAME | <500-599>] [in | out | vlan]
[monitoring-profile <profile-id> [statistics [fbrs-green-bps |
fbrs-green-fps | fbrs-match-counter-bps | fbrs-match-counter-fps |
fbrs-not-green-bps | fbrs-not-green-fps | fbrs-not-red-bps |
fbrs-not-red-fps | fbrs-red-bps | fbrs-red-fps | fbrs-yellow-bps |
fbrs-yellow-fps | green-bps | green-fps | match-counter-bps |
match-counter-fps | not-green-bps | not-green-fps | not-red-bps |
not-red-fps | red-bps | red-fps | yellow-bps | yellow-fps]]]
Displays information about the EtherType ACGs, filtered by the commands’ arguments:
• NAME: a string of <1–10> characters
• acl-number: in the range of <500-599>
• in: only ingress ACGs
• out: only egress ACGs
• monitoring-profile: the rate, in frames per second and bytes per second, of transmitted packets that are marked as red, green, or yellow on a selected port
• profile-id: any number
• statistics: counts match packets
• vlan: only VLAN traffic redirection ACLs
show running-config ether-type access-list
Displays information about the EtherType ACLs
show running-config ether-type access-list [NAME | <500-599>]
[remark REMARK | rule {<1-250> | {action {deny | permit} |
ether-type <type> | inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>] |
inner-vpt <priority> | precedence TYPE | tos {<0-7> |
max-reliability | max-throughput | min-delay | min-monetary-cost |
normal} | vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt <priority>}}]
Displays information about the EtherType ACLs, filtered by the commands’ arguments

Table 8-8: Traffic Types

Traffic Type Description


unknown-unicast (Optional, supported for ingress ACLs only) matches
unknown traffic.
known-unicast (Optional, supported for ingress ACLs only) matches
known-unicast traffic.
known-multicast (Optional, supported for ingress ACLs only) matches
already known multicast traffic.
unknown-multicast (Optional, supported for ingress ACLs only) matches
unknown multicast traffic.
broadcast (Optional, supported for ingress ACLs only) matches
broadcast traffic.

Table 8-9: Monitoring Profiles

Profile Meaning
bandwidth-monitoring-green-notgreen-bps The current rate, in bytes per second (bps) of green and not green packets
bandwidth-monitoring-green-notgreen-fps The current rate, in frames per second (fps) of green and not green packets
bandwidth-monitoring-green-red-fps The current rate, in frames per second (fps) of green and red packets
bandwidth-monitoring-green-yellow-bps The current rate, in bytes per second (bps) of green and yellow packets
bandwidth-monitoring-red-yellow-fps The current rate, in frames per second (fps) of red and yellow packets
bandwidth-monitoring-red-notred-fps The current rate, in frames per second (fps) of red and not red packets
bandwidth-monitoring-match-counter-bps The current rate, in bytes per second (bps) of transmitted packets
bandwidth-monitoring-red-yellow-bps The current rate, in bytes per second (bps) of red and yellow packets
bandwidth-monitoring-match-counter-fps The current rate, in frames per second (fps) of transmitted packets
bandwidth-monitoring-green-red-bps The current rate, in bytes per second (bps) of green and red packets
bandwidth-monitoring-green-yellow-fps The current rate, in frames per second (fps) of green and yellow packets
bandwidth-monitoring-red-notred-bps The current rate, in bytes per second (bps) of red and not red packets
match-counter-fps Counter of transmitted packets, in frames
match-counter-bps Counter of transmitted packets, in bytes
rate-limit-statistics-red-notred-fps Counter of red and not red packets, in frames

rate-limit-statistics-red-notred-bps Counter of red and not red packets, in bytes
rate-limit-statistics-green-notgreen-fps Counter of green and not green packets, in frames
rate-limit-statistics-green-notgreen-bps Counter of green and not green packets, in bytes
rate-limit-statistics-green-red-fps Counter of green and red packets, in frames
rate-limit-statistics-green-red-bps Counter of green and red packets, in bytes
rate-limit-statistics-green-yellow-fps Counter of green and yellow packets, in frames
rate-limit-statistics-green-yellow-bps Counter of green and yellow packets, in bytes
rate-limit-statistics-red-yellow-fps Counter of red and yellow packets, in frames
rate-limit-statistics-red-yellow-bps Counter of red and yellow packets, in bytes

Table 8-10: Valid ToS Values

Valid Literal Value Description Value


max-reliability Max reliable TOS 2
max-throughput Max throughput TOS 4
min-delay Min delay TOS 8
min-monetary-cost Min monetary cost TOS 1
normal Normal TOS 0

Table 8-11: Valid Precedence Values

Valid Literal Value Description


critical Critical precedence
flash Flash precedence
flash-override Flash override precedence
immediate Immediate precedence
internet Internetwork control precedence
network Network control precedence
priority Priority precedence
routine Routine precedence

Table 8-12: Valid ICMP Message Type Values

Valid Literal Value Description Value


alternate-address Alternate Host Address 6
conversion-error Datagram Conversion Error 31
domain name reply Domain Name Reply 35
domain name request Domain Name Request 36
echo Echo (ping) 8
echo-reply Echo reply 0
information-reply Information replies 16
information-request Information requests 15
ipv6-i-am-here IPv6 I-Am-Here 34
ipv6-where-are-you IPv6 Where-Are-You 33
mask-reply Address mask replies 17
mask-request Address mask requests 18
mobile-redirect Mobile Host Redirect 32
mobile-registration-reply Mobile Registration Reply 35
mobile-registration-request Mobile Registration Request 36
parameter-problem Parameter Problem 12
photuris Photuris 40
redirect All redirects 5
router-advertisement Router Advertisement 9
router-solicitation Router Solicitation 10
skip SKIP 39
source-quench Source Quench 4
time-exceeded Time Exceeded 11
timestamp-reply Timestamp Reply 14
timestamp-request Timestamp 13
traceroute Traceroute 30
unreachable Destination unreachable 3

Table 8-13: Valid ICMP Code Values

Valid Literal Value Description Value


administratively-prohibited Communication administratively prohibited 13
dod-host-prohibited Communication with destination host is administratively prohibited 10
dod-net-prohibited Communication with destination network is administratively prohibited 9
host-isolated Source host isolated 8
host-precedence-unreachable Host precedence violation 14
host-tos-unreachable Destination host ToS is unreachable 12
host-unknown Destination host unknown 7
host-unreachable Host unreachable 1
net-tos-unreachable Destination network ToS unreachable 11
net-unreachable Net unreachable 0
network-unknown Destination network unknown 6
packet-too-big Fragmentation needed but fragmentation is not set 4
port-unreachable Port unreachable 3
precedence-cutoff Precedence cutoff in effect 15
protocol-unreachable Protocol unreachable 2
source-route-failed Source route failed 5

Table 8-14: Valid TCP Port Literal Values

Valid Literal Value Description Value


bgp Border Gateway Protocol 179
chargen Character generator 19
daytime Daytime 13
discard Discard 9
domain Domain name service 53
echo Echo 7
exec Exec (rsh) 512
finger Finger 79
ftp File Transfer Protocol 21
ftp-data FTP data connections (used infrequently) 20
gopher Gopher 70
hostname NIC hostname server 102
ident Ident protocol 113
irc Internet Relay Chat 194

klogin Kerberos login 543
kshell Kerberos shell 544
login Login (rlogin) 513
lpd Printer service 515
nntp Network News Transport Protocol 119
pim-auto-rp PIM Auto-RP 496
pop2 Post Office Protocol v2 109
pop3 Post Office Protocol v3 110
smtp Simple Mail Transport Protocol 25
sunrpc Sun Remote Procedure Call 111
syslog Syslog 514
tacacs-ds TAC Access Control System 49
talk Talk 517
telnet Telnet 23
time Time 37
uucp Unix-to-Unix Copy Program 540
whois Nickname 43
www World Wide Web (HTTP) 80

Table 8-15: Valid UDP Port Literal Values

Valid Literal Value Description Value


biff Biff (mail notification, comsat) 512
bootps Bootstrap Protocol (BOOTP) server 67
bootpc Bootstrap Protocol (BOOTP) client 68
discard Discard 9
dnsix DNSIX security protocol auditing 195
domain Domain name service 53
echo Echo 7
isakmp Internet Security Association and Key Management Protocol 500
mobile-ip Mobile IP registration 434
nameserver IEN116 name service (obsolete) 42
netbios-dgm NetBios datagram service 138
netbios-ns NetBios name service 137
netbios-ss NetBios session service 139
ntp Network Time Protocol 123
pim-auto-rp PIM Auto-RP 496

rip Routing Information Protocol 520
snmp Simple Network Management Protocol 161
snmptrap SNMP Traps 162
sunrpc Sun Remote Procedure Call 111
syslog Syslog 514
tacacs-ds TAC Access Control System 49
talk Talk 517
tftp Trivial File Transfer Protocol 69
time Time 37
who Who service 513
xdmcp X Display Manager Control Protocol 177

Table 8-16: Valid FC Values

FC Description
be The FC to be mapped is the Best-Effort Forwarding Class
l2 The FC to be mapped is the Low-2 Forwarding Class
af The FC to be mapped is the Assured Forwarding Class
l1 The FC to be mapped is the Low-1 Forwarding Class
h2 The FC to be mapped is the High-2 Forwarding Class
ef The FC to be mapped is the Expedited Forwarding Class
h1 The FC to be mapped is the High-1 Forwarding Class
nc The FC to be mapped is the Network Control Forwarding Class

Table 8-17: Known EtherType Values

Value Description
0x0000–0x05DC IEEE 802.3 length
0x0800 IP (Internet Protocol)
0x0806 ARP (Address Resolution Protocol)
0x8035 DRARP (Dynamic RARP), RARP (Reverse Address Resolution Protocol)
0x80F3 AARP (AppleTalk Address Resolution Protocol)
0x8137 IPX (Internet Packet Exchange)
0x86DD IPv6 (Internet Protocol version 6)
0x880B PPP (Point-to-Point Protocol)
0x880C GSMP (General Switch Management Protocol)
0x8847 MPLS (Multi-Protocol Label Switching) unicast
0x8848 MPLS (Multi-Protocol Label Switching) multicast
0x8863 PPPoE (PPP Over Ethernet) Discovery Stage

0x8864 PPPoE (PPP Over Ethernet) PPP Session Stage
0x88BB LWAPP (Light Weight Access Point Protocol)
0x8E88 EAPOL (EAP over LAN)
0xFFFF Reserved

NOTE: Permitting EtherType code 0x8XXX also permits tagged traffic, since
tagged traffic uses EtherType 0x8100.

ACLs Configuration Example

Configure Standard ACL


1. Define a standard IP ACL:
device-name#config terminal
Entering configuration mode terminal
device-name(config)#ip access-list standard 3
device-name(config-standard-3)#

2. Define the rule for the standard IP ACL:


device-name(config-standard-3)#rule 3 action permit source_ip 1.0.0.3/32

3. Define the VLAN:


device-name(config-rule-3)#vlan 11 vlan-mask 00:00:00:0F

4. Define the VPT:


device-name(config-rule-3)#vpt 3

5. Commit the configuration:


device-name(config-rule-3)#commit
Commit complete.

6. Define the rate limit on port 1/1/1:


device-name(config)#port 1/1/1
device-name(config-port-1/1/1)#ip-access-group-standard 3 in
device-name(config-ip-access-group-standard-3/in)#rate-limit single cir 5000 cbs 300
device-name(config-rate-limit-single)#commit
Commit complete.


7. Define the FC:


device-name(config)#port 1/1/1
device-name(config-port-1/1/1)#ip-access-group-standard 3 in
device-name(config-ip-access-group-standard-3/in)#fc ef color green
device-name(config-fc-ef)#commit
Commit complete.

8. Display information about the standard IP ACL:


device-name#show running-config ip access-list standard 3
ip access-list standard 3
rule 3
action permit
source_ip 1.0.0.3/32
vlan 11
vlan-mask 00:00:00:0f
vpt 3
!
!

9. Display information about the standard IP ACG per port 1/1/1:


device-name#show running-config port 1/1/1
port 1/1/1
default-vlan 1
description ""
duplex auto
speed auto
learn-new-mac-addresses
ip-access-group-standard 3 in
rate-limit single
cir 5000
cbs 300
!
fc ef
color green
!


Configure Extended ACL


1. Define an extended IP ACL:
device-name#config terminal
Entering configuration mode terminal
device-name(config)#ip access-list extended 110

2. Define the rule for the extended IP ACL:


device-name(config-extended-110)#rule 5 action permit protocol tcp source_ip 1.0.0.2/32 destination_ip 2.0.0.4/32

3. Define the TCP-port, ToS, VLAN, VPT and precedence level:


device-name(config-rule-5)#tcp-source-port 33
device-name(config-rule-5)#tos max-throughput
device-name(config-rule-5)#vlan 22 vlan-mask 00:00:00:00
device-name(config-rule-5)#vpt 2
device-name(config-rule-5)#precedence critical

4. Commit the configuration:


device-name(config-rule-5)#commit
Commit complete.

5. Define the rate limit on port 1/1/2:


device-name(config)#port 1/1/2
device-name(config-port-1/1/2)#ip-access-group-extended 110 in
device-name(config-ip-access-group-extended-110/in)#rate-limit dual cir 3000 cbs 100 pir 6000 pbs 300
device-name(config-rate-limit-dual)#commit
Commit complete.

6. Display information about the extended IP ACL:


device-name#show running-config ip access-list extended 110
ip access-list extended 110
rule 5
action permit
protocol tcp
source_ip 1.0.0.2/32
destination_ip 2.0.0.4/32
tcp-source-port 33
tos max-throughput
precedence critical
vlan 22
vlan-mask 00:00:00:00
vpt 2
!
!


7. Display information about the extended IP ACG per port 1/1/2:


device-name#show running-config port 1/1/2
port 1/1/2
default-vlan 1
duplex auto
mtu 1544
speed auto
learn-new-mac-addresses
no shutdown
qos-ingress-policy defInPol
qos-egress-policy defEgPol
ip-access-group-extended 110 in
rate-limit dual
cir 3000
cbs 100
pir 6000
pbs 300
!
!
portname 1/1/2
!

Configure Egress and VLAN ACLs


1. Define an extended IP ACL:
device-name(config)#ip access-list extended 100

2. Define a rule for the extended IP ACL:


device-name(config-extended-100)#rule 1 action permit source_ip 1.0.0.1/32 destination_ip 2.0.0.4/32 protocol tcp
device-name(config-rule-1)#commit
Commit complete.

3. Apply the configured ACL on port 1/1/1 and redirect the matching traffic
to the VLAN 200 by changing the VLAN ID in the packet header:
device-name(config)#port 1/1/1
device-name(config-port-1/1/1)#ip-access-group-extended 100 vlan
device-name(config-ip-access-group-extended-100/vlan)#vlan 200
device-name(config-ip-access-group-extended-100/vlan)#commit
Commit complete.

4. Apply the configured ACL on port 1/1/2, limit the outgoing traffic to 5M,
and remark the DSCP value with 44:
device-name(config)#port 1/1/2
device-name(config-port-1/1/2)#ip-access-group-extended 100 out
device-name(config-ip-access-group-extended-100/out)#rate-limit single cir 5000 cbs 16
device-name(config-rate-limit-single)#exit
device-name(config-ip-access-group-extended-100/out)#dscp 44
device-name(config-ip-access-group-extended-100/out)#commit
Commit complete.


Supported Standards, MIBs, and RFCs
Feature: Access Control Lists (ACLs)
Standards: No standards are supported by this feature.
MIBs: Private MIB, PRVT-SWITCH-ACCESS-LIST-MIB.mib
RFCs: RFC 2697, A Single Rate Three Color Marker
      RFC 2698, A Two Rate Three Color Marker
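
The parameters of "rate-limit dual" in the extended ACL example (cir, cbs, pir, pbs) are those of the two-rate three-color marker in RFC 2698. The following Python example is added here and is not ECI code; it marks a constructed flow using the values "cir 3000 cbs 100 pir 6000 pbs 300". It assumes cir/pir are in kbit/s (consistent with "cir 5000" for 5M in the egress example) and cbs/pbs in kilobytes, which this section does not state; class and function names are hypothetical.

```python
"""Two-rate three-color marker (RFC 2698, color-blind mode).

Added illustration, not ECI code. Token counts are kept in bits and time in
milliseconds, so a rate in kbit/s is exactly "bits per millisecond" and all
arithmetic stays in integers.
"""
from collections import Counter


class TwoRateMarker:
    def __init__(self, cir_kbps, cbs_kbytes, pir_kbps, pbs_kbytes):
        self.cir = cir_kbps                  # committed rate, bits per ms
        self.pir = pir_kbps                  # peak rate, bits per ms
        self.cbs = cbs_kbytes * 1000 * 8     # ASSUMED unit: kilobytes
        self.pbs = pbs_kbytes * 1000 * 8     # ASSUMED unit: kilobytes
        self.tc = self.cbs                   # both buckets start full
        self.tp = self.pbs
        self.last_ms = 0

    def mark(self, now_ms, size_bytes):
        """Return the color of one packet arriving at now_ms."""
        if now_ms < self.last_ms:
            raise ValueError("arrival times must not go backwards")
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        # Refill each bucket at its own rate, never above its burst size.
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        bits = size_bytes * 8
        if self.tp < bits:       # above the peak rate: red, no tokens taken
            return "red"
        self.tp -= bits
        if self.tc < bits:       # within peak but above committed: yellow
            return "yellow"
        self.tc -= bits          # within the committed rate: green
        return "green"


def mark_constant_flow(marker, packets, interval_ms, size_bytes):
    """Mark a constant-rate flow (constructed traffic) and count the colors."""
    return Counter(marker.mark(i * interval_ms, size_bytes)
                   for i in range(packets))


def extended_acl_marker():
    """Values from 'rate-limit dual cir 3000 cbs 100 pir 6000 pbs 300'."""
    return TwoRateMarker(cir_kbps=3000, cbs_kbytes=100,
                         pir_kbps=6000, pbs_kbytes=300)


if __name__ == "__main__":
    # 1500-byte packets every 4 ms = 3 Mbit/s, exactly the committed rate.
    print(mark_constant_flow(extended_acl_marker(), 250, 4, 1500))
    # 1500-byte packets every 1 ms = 12 Mbit/s, twice the peak rate.
    print(mark_constant_flow(extended_acl_marker(), 1000, 1, 1500))
```

At 12 Mbit/s offered load the first second yields 316 green, 383 yellow and 301 red packets: the green and yellow runs at the start are the two burst sizes draining, after which the colors settle to the committed and peak rates.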



9 Quality of Service (QoS)

Overview
Today’s networks transmit data streams for various applications using many
different protocols. Different types of traffic sharing a data path through the
network can interact in ways that affect their application performance. Traffic
prioritization becomes especially important when delay-sensitive, interactive
applications are supported across the network. In many cases a guaranteed level
of throughput is part of contractual obligations between the network operator
and customers or third-party service providers.
Policy-based Quality of Service (QoS) allows the user to specify different
service levels for traffic traversing the device. Policy-based QoS is an effective
control mechanism for networks that have heterogeneous traffic patterns. Using
Policy-based QoS, the user can specify the service level for a traffic type or
host.
QoS controls congestion by determining the order in which packets are
transmitted based on priorities assigned to those packets. QoS queuing policies
can protect bandwidth for important categories of applications, or specifically
limit the bandwidth associated with less critical traffic. For example, if Voice
over IP (VoIP) traffic requires a reserved amount of bandwidth to function
properly, QoS policies can reserve sufficient bandwidth for this type of
application. Other applications deemed less critical can be limited in their
bandwidth usage.
During periods of light traffic, QoS policies have little effect, and packets are
transmitted as soon as they arrive. During periods of congestion, outbound
packets accumulating at a port are sorted into eight queues. They are
transmitted from the queues according to the queuing mechanism configured
for the port.


Overview
When using the QoS feature, each physical port sorts inbound and outbound
traffic into eight queues for the QoS processing.
The user controls Quality of Service behavior in two ways:
• By configuring the criteria used to sort inbound and outbound packets into
  the eight queues. In addition, both VPT and DSCP values can be used for
  mapping purposes.
• By selecting the queuing mechanism to be applied to the outbound queues.
  Three basic queuing mechanisms are provided:
  • Strict Priority (SP) queuing sets the eight queues in a rigid order, and
    always transmits packets from the highest-priority queue that has
    packets waiting
  • Weighted Round-Robin (WRR) queuing lets the user assign a relative
    weight to each queue, which determines the bandwidth assigned to each
    queue relative to the others
  • Deficit Round-Robin (DRR) is a modification of WRR in which knowing the
    exact packet size is not required. A maximum packet size number is
    subtracted from the packet length, and packets that exceed that number
    are held back until the next visit of the scheduler.
In addition, several hybrid queuing schemes are available, which combine the
Weighted/Deficit Round-Robin and Strict Priority mechanisms.

Traffic Analysis for QoS Deployment


To effectively configure QoS, the user must analyze the types of traffic and
determine ports’ relative bandwidth demands. The user should also evaluate the
supported applications’ sensitivity to latency, jitter, and packet loss.
General guidelines for each traffic type are given below. Consider them as
general guidelines and not strict recommendations. Once QoS parameters are
set, the user can monitor the performance of the application to determine if the
actual behavior of the applications matches user expectations.
• Voice applications demand small amounts of bandwidth. However, the
  bandwidth must be constant and predictable because voice applications are
  typically sensitive to latency (inter-packet delay) and jitter (variation in
  inter-packet delay)
• Video applications are similar in needs to voice applications, with the
  exception that bandwidth requirements are somewhat larger, depending on
  the encoding
• It is important to understand the behavior of the video application being
  used. Some applications can transmit large amounts of data for multiple
  streams in one “spike”, with the expectation that the end-stations will
  buffer significant amounts of video-stream data. This can present a problem
  to the network infrastructure, because it must be capable of buffering the
  transmitted spikes where there are speed differences (for example, going
  from Gigabit Ethernet to Fast Ethernet)
• Database applications, such as those associated with ERP, typically do not
  demand significant bandwidth and are tolerant of delay. The user can
  establish a minimum bandwidth using a priority less than that of
  delay-sensitive applications
• Web browsing applications cannot be generalized into a single category.
  Casual and application-oriented traffic can be distinguished from each other
  by their server source and destinations.
  Most browser-based applications have an asymmetric data flow (small data
  flows from the browser client, large data flows from the server to the
  browser client). An exception to this pattern may be created by some
  Java™-based applications.
  Web-based applications are generally tolerant of latency, jitter, and some
  packet loss, but small packet-loss may have a large impact on perceived
  performance due to the nature of TCP.
• File server applications typically pose the greatest demand on bandwidth,
  although they are very tolerant of latency, jitter, and some packet loss,
  depending on the network operating system and the use of TCP or UDP.

Basic QoS Architecture


Figure 9-1 shows how QoS affects traffic flow during the switching/routing
process.
On ingress, the traffic is:
• Classified by traffic characteristics. Classification is done using access
  lists
• Metered, policed, and colored according to the traffic rate limit
  (specified by the user), and based on the QoS forwarding class and QoS
  policy mapping tables
On egress, traffic is:
• Distributed into eight priority queues according to internal priority and
  drop precedence (color). (This is managed by the trust mode.)
• Shaped on a per-queue or per-port basis
• Transmitted according to a scheduling algorithm defined by the user

Figure 9-1: Basic QoS Architecture


Sorting Packets for QoS Handling

Packet Sorting by 802.1p Priority Values


The device supports the standard 802.1p priority bits that are part of a tagged
Ethernet packet. The 802.1p bits can be used to prioritize the packet.
When a packet arrives at the device, the device examines the 802.1p priority
field and assigns the packet to a specific QoS queue for transmission. The
802.1p priority field is located directly following the 802.1Q type field, and
preceding the 802.1Q VLAN ID, as shown in the following figure.

Figure 9-2: 802.1p Priority Header Fields

When the device detects ingress traffic that contains 802.1p prioritization
information, the traffic is mapped to various hardware queues on the egress
port of the device (the exact mapping also depends on the trust mode in use).
The transmitting hardware queue determines the bandwidth management and
priority characteristics used when transmitting packets.
By default, 802.1p priority information is not replaced or manipulated, and the
information observed on ingress is preserved when the packet is transmitted.
This behavior is not affected by the switching or routing configuration of the
device. However, the device is capable of inserting and/or overwriting 802.1p
priority information when it transmits an 802.1Q tagged frame (in trust mode).
The 802.1p priority information that is transmitted is determined by the
hardware queue that is used when transmitting the packet.

NOTE: The device does not change the VLAN Priority Tag (VPT) for a switched
packet that comes with an 802.1Q tag, since it assumes that the sender of the
packet has already determined the VPT.


Packet Sorting by DiffServ Values


The header of every IP packet contains a field for IP Type of Service (ToS).
The device uses this ToS field to determine the type of service provided to the
packet.
The application software can use ToS/DiffServ values to sort packets into QoS
queues. Individual ToS values, or ranges of values, are mapped to 802.1p
priority values. Packets are sorted into QoS queues based on this derived
priority value. The following figure shows the ToS fields in the IP packet
header.

Figure 9-3: Type of Service (ToS) Header Fields

When a packet arrives at the device on an ingress port, the device examines the
first six of eight ToS bits, called the code point. Depending on the trust mode,
the device can assign the QoS priority used to subsequently transmit the packet
based on the code point. The QoS priority controls a hardware queue used
when transmitting the packet out of the device, and determines the forwarding
characteristics of a particular code point.
An advantage of marking the DSCP field is that the class of service
information can be carried throughout the network infrastructure, without
repeating complex traffic policies at each device location. Another advantage is
that end stations can perform their own packet marking on an application-
specific basis. The application software can observe and manipulate the
Differentiated Services Code Point (DSCP) information with no performance
penalty.


Source Port Mapping


By default, 802.1p priority information is not replaced or manipulated, and the
information observed on ingress is preserved when transmitting the packet.
Source port traffic mapping applies a specified QoS priority to all packets
transmitted from the physical port. To configure source port mapping, use the
qos priority command in Port Configuration mode. To configure source port
mapping, use an appropriate mapping profile, attach it to a QoS policy, and
then apply it to the port.

Differentiated Services
Differentiated Services (DiffServ) is a multiple service model that can satisfy
differing QoS requirements. However, unlike in the integrated service model,
an application using DiffServ does not explicitly signal the router before
sending data.
For differentiated services, the network tries to deliver a particular kind of
service based on the QoS specified by each packet. This specification can occur
in different ways, for example, using the IP Precedence bit or the 6-bit
Differentiated Services Code Point (DSCP) setting in IP packets, or source and
destination addresses. The network uses the QoS specification to classify,
mark, shape, and police traffic, and to perform intelligent queuing.
The differentiated services model is used for several mission-critical
applications and for providing end-to-end QoS. Typically, this service model is
appropriate for aggregate flows because it performs a relatively coarse level of
traffic classification.


DiffServ Field Definition


A replacement header field, called the DS field, is defined by Differentiated
Services. The DS field supersedes the existing definitions of the IPv4 Type of
Service (ToS) octet (RFC 791) and the IPv6 traffic class octet. Six bits of the
DS field are used as the DSCP to select the Per Hop Behavior (PHB) at each
port. A Currently Unused (CU) 2-bit field is reserved for explicit congestion
notification (ECN). The value of the CU bits is ignored by DS-compliant ports
when determining the PHB to apply to a received packet.
The following figure shows the location of the ToS octet within the IPv4
packet header.

Figure 9-4: IPv4 Header Structure

The following figure shows the IP ToS octet fields.

Figure 9-5: ToS Octet Fields

The ToS fields are described in Table 9-1 and Table 9-2.


Table 9-1: ToS Fields

Bits Number ToS Field


5-7 Precedence level, as described in Table 9-2.
4 0 = Normal delay, 1 = Low delay.
3 0 = Normal throughput, 1 = High throughput.
2 0 = Normal reliability, 1 = High reliability.
0-1 Reserved for future use.

Table 9-2: ToS Precedence Levels

Binary Value Precedence Level


111 Network Control
110 Internetwork Control
101 CRITIC/ECP
100 Flash Override
011 Flash
010 Immediate
001 Priority
000 Routine

Per-Hop Behaviors
RFC 2475 defines PHB as the externally observable forwarding behavior
applied at a DiffServ-compliant node to a DiffServ Behavior Aggregate (BA).
The system can mark packets according to DSCP setting. This allows
collections of packets with the same DSCP setting to be grouped into a BA.
Packets from multiple sources or applications can belong to the same BA.
Per Hop Behavior (PHB) refers to the packet scheduling, queuing, policing, or
shaping behavior of a node on any given packet belonging to a BA, as
configured by a service level agreement (SLA) or a policy map.
The following sections describe the four available standard PHBs:
• Default PHB (as defined in RFC 2474)
• Class-Selector PHB (as defined in RFC 2474)
• Assured Forwarding (AFny) PHB (as defined in RFC 2597)
• Expedited Forwarding (EF) PHB (as defined in RFC 2598)


Default PHB
The default PHB essentially specifies that a packet marked with a DSCP value
of 000000 (recommended) receives the traditional best-effort service from a
DS-compliant node (that is, a network node that complies with the entire core
DiffServ requirements). Also, if a packet arrives at a DS-compliant node, and
the DSCP value is not mapped to any other PHB, the packet will be mapped to
the default PHB.
For more information about default PHB, refer to RFC 2474, Definition of the
Differentiated Services Field in IPv4 and IPv6 Headers.

Class-Selector PHB
To preserve backward-compatibility with any IP precedence scheme currently
in use on the network, DiffServ defines a DSCP value in the form xxx000,
where x is either 0 or 1. These DSCP values are called Class-Selector Code
Points (the DSCP value for a packet with default PHB 000000 is also called the
Class-Selector Code Point).
The PHB associated with a Class-Selector Code Point is a Class-Selector PHB.
These Class-Selector PHBs retain most of the same forwarding behavior as nodes
that implement IP Precedence-based classification and forwarding.
For example, packets with a DSCP value of 110000 (the equivalent of the IP
Precedence-based value of 110) have preferential forwarding treatment (for
scheduling, queuing, and so on), as compared to packets with a DSCP value of
100000 (the equivalent of the IP Precedence-based value of 100). These
Class-Selector PHBs ensure that DS-compliant nodes can coexist with IP
Precedence-based nodes.
For more information about Class-Selector PHB, refer to RFC 2474, Definition
of the Differentiated Services Field in IPv4 and IPv6 Headers.


Assured Forwarding (AF) PHB and Forwarding Colors (FCs)
Assured Forwarding (AF) PHB is nearly equivalent to the Controlled Load
Service available in the integrated services model. The AF PHB defines a
method by which BAs can be given different forwarding assurances.
For example, network traffic can be divided into the following classes:
• Gold: Traffic in this category is allocated 50 percent of the available
  bandwidth
• Silver: Traffic in this category is allocated 30 percent of the available
  bandwidth
• Bronze: Traffic in this category is allocated 20 percent of the available
  bandwidth
Further, the AF PHB defines four AF classes: AF1, AF2, AF3, and AF4. Each
class is assigned a specific amount of buffer space and port bandwidth,
according to the SLA with the service provider or policy map.
Within each AF class, the user can specify three drop precedence (dP) values:
1, 2, and 3.
Assured Forwarding PHB can be expressed as follows:
AFny
In this expression, n represents the AF class number (1, 2, 3, or 4) and y
represents the dP value (1, 2, or 3) within the AFn class.
In instances of network traffic congestion, if packets in a particular AF class
(for example, AF1) need to be dropped, packets in the AF1 class will be
dropped according to the following guideline:
dP(AFny) >= dP(AFnz) >= dP(AFnx),
where dP(AFny) is the probability that packets of the AFny class will be
dropped. The variable y denotes the dP within an AFn class.
In the following example, packets in the AF13 class will be dropped before
packets in the AF12 class, which in turn will be dropped before packets in the
AF11 class:
dP(AF13) >= dP(AF12) >= dP(AF11).
The dP method penalizes traffic flows within a particular BA that exceed the
assigned bandwidth. Packets in these offending flows could be remarked by an
ACL to higher drop precedence.
An AFx class can be denoted by the DSCP value, xyzab0, where xyz can be
001, 010, 011, or 100, and ab represents the dP value.


The following table lists the DSCP value and corresponding dP value for each
AF PHB class.

Table 9-3: DSCP Values and Corresponding Drop Precedence, by AF PHB Class

Drop Precedence          Class 1  Class 2  Class 3  Class 4
Low drop precedence      001010   010010   011010   100010
Medium drop precedence   001100   010100   011100   100100
High drop precedence     001110   010110   011110   100110

Expedited Forwarding PHB


EF PHB is ideally suited for applications such as VoIP, video, and online
trading programs that require low bandwidth, guaranteed bandwidth, low delay,
and low jitter. The EF PHB, a key ingredient of DiffServ, supplies this level of
service by providing low loss, low latency, low jitter, and assured bandwidth.
When implemented in a DiffServ network, EF PHB provides a virtual leased
line, or premium service. For optimal efficiency, however, EF PHB should be
reserved for only the most critical applications because, in instances of traffic
congestion, it is not feasible to treat all or most traffic as high priority.
The recommended DSCP value for EF PHB is 101110.
For more information about EF PHB, refer to RFC 2598, An Expedited
Forwarding PHB.
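
The bit layouts described in this section, as an added Python example (not from the manual): it splits the DS field into DSCP and CU bits, builds the AF code points of Table 9-3 from class and drop precedence, and names the PHB a code point selects. Function names are hypothetical; code points that match none of the four PHBs are reported as default, as the Default PHB section states.

```python
"""Decode a DS field (former ToS octet) and name the PHB its DSCP selects."""

EF_DSCP = 0b101110                       # recommended EF code point
PRECEDENCE_NAMES = {                     # Table 9-2
    0b111: "Network Control", 0b110: "Internetwork Control",
    0b101: "CRITIC/ECP", 0b100: "Flash Override", 0b011: "Flash",
    0b010: "Immediate", 0b001: "Priority", 0b000: "Routine",
}
DROP_NAMES = {1: "low", 2: "medium", 3: "high"}


def split_ds_field(octet):
    """Return (dscp, cu): the upper six bits and the lower two (CU) bits."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("the DS field is a single octet")
    return octet >> 2, octet & 0b11


def af_dscp(af_class, drop_precedence):
    """Build the xyzab0 code point: class in xyz, drop precedence in ab."""
    if af_class not in (1, 2, 3, 4) or drop_precedence not in DROP_NAMES:
        raise ValueError("AF class is 1-4 and drop precedence is 1-3")
    return (af_class << 3) | (drop_precedence << 1)


def classify_dscp(dscp):
    """Map a 6-bit DSCP to one of the four standard PHBs."""
    if not 0 <= dscp <= 0b111111:
        raise ValueError("DSCP is a 6-bit value")
    top3, dp, last = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if dscp == 0:
        return "Default"
    if dscp == EF_DSCP:
        return "EF"
    if dscp & 0b000111 == 0:             # xxx000: IP Precedence compatible
        return f"Class-Selector {top3} ({PRECEDENCE_NAMES[top3]})"
    if 1 <= top3 <= 4 and dp in DROP_NAMES and last == 0:
        return f"AF{top3}{dp} ({DROP_NAMES[dp]} drop precedence)"
    return "Default (code point not mapped to another PHB)"


def classify_octet(octet):
    """PHB for a whole DS field; the CU bits never influence the result."""
    dscp, _cu = split_ds_field(octet)
    return classify_dscp(dscp)


if __name__ == "__main__":
    # Regenerate Table 9-3 from the bit layout.
    for dp in (1, 2, 3):
        row = " ".join(format(af_dscp(c, dp), "06b") for c in (1, 2, 3, 4))
        print(f"{DROP_NAMES[dp]:<7}{row}")
    # Constructed DS field values: EF, EF with CU bits set, AF11, CS6.
    for octet in (0xB8, 0xBB, 0x28, 0xC0):
        print(f"0x{octet:02X} -> {classify_octet(octet)}")
```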

Benefits
The benefits of implementing Differentiated Services include the following:
• Reduced burden on network devices and easy scalability as the network
  grows
• Customers can keep any existing Layer 3 ToS prioritization scheme that
  may be in use
• Customers can mix DiffServ-compliant devices with any existing
  ToS-enabled equipment in use
• Bottlenecks are alleviated through efficient management of network
  resources


Traffic Scheduling
Traffic scheduling features allow the user to control congestion by determining
the order in which packets are transmitted based on priorities assigned to those
packets. Congestion management entails the creation of queues, assignment of
packets to those queues based on the packet classification, and scheduling of
the packets in a queue for transmission. If the user uses congestion
management features, packets accumulating at a port are queued until the port
is free to transmit them; they are then scheduled for transmission according to
their assigned priority and the queuing mechanism configured for the port. The
router determines the order of packet transmission by controlling which packets
are placed in which queue and how queues are serviced with respect to each
other.

Strict Priority (SP)


With Strict Priority (SP) queue handling, the queues are ranked in order. The
highest ranking queue, queue8, is serviced first until it is empty, then the lower
queues queue7, queue6, queue5, queue4, queue3, queue2 and queue1 are
serviced in sequence. SP provides absolute preferential treatment to high
priority traffic, ensuring that mission-critical traffic traversing various WAN
links gets priority treatment. In addition, SP provides a faster response time
than do other methods of queuing.
Use the SP mechanism to guarantee a fixed portion of available bandwidth to
one type of application - for example, interactive multimedia applications -
possibly at the expense of less critical traffic. But when the user chooses to use
SP, consider that lower priority traffic is often denied bandwidth in favor of
higher priority traffic, so use of SP could, in the worst case, result in lower
priority traffic never being transmitted. To avoid inflicting these conditions on
lower priority traffic, the user can use rate-limit to control the rate of the higher
priority traffic.


The following figure illustrates the SP process in case of a four-queue
architecture.

Figure 9-6: Strict Priority Queuing

Benefits of SP Queuing
SP provides absolute preferential treatment to high priority traffic, ensuring that
mission-critical traffic traversing various WAN links gets priority treatment. In
addition, SP provides a faster response time than do other methods of queuing.

Weighted Round-Robin (WRR)


In this scheduling method, a weighting factor for each queue determines how
many bytes of data the system delivers from the queue before it moves on to
the next queue. The WRR mechanism cycles through the queues. For each
queue, packets are sent until the number of bytes transmitted exceeds the
bandwidth determined by the queue weighting factor, or the queue is empty.
Then the WRR mechanism moves to the next queue. If a queue is empty, the
router will send packets from the next queue that has packets ready to send.
Note that if a packet length exceeds the queue's allowed bandwidth, the packet
is still transmitted during its time slot, but its quota is overdrawn so that
on the next time slot it receives a smaller allotment. This mechanism
guarantees a minimum bandwidth to each queue, but allows the minimum to be
exceeded if one or more of the port's other queues are idle. However, when all
the queues are loaded, each is limited to its maximum bandwidth according to
its assigned weight: no queue achieves more than a predetermined proportion of
overall capacity when the line is under stress.


The weighting factors are specified as relative percentages. The values for all
the queues must be positive, and must add up to ten or 100.
Relative percentages are calculated by byte counts rather than by packets, thus
providing a greater degree of bandwidth fairness. For example, suppose one
protocol has 500-byte packets, another has 300-byte packets, and a third has
100-byte packets. If the user wants to split the bandwidth evenly across all
three protocols, the user might choose to specify byte counts of 200, 200, and
200 for each queue. However, this configuration does not result in a 33/33/33
ratio of bandwidth usage. When the router services the first queue, it sends a
single 500-byte packet; when it services the second queue, it sends a 300-byte
packet; and when it services the third queue, it sends two 100-byte packets. The
effective ratio is 50/30/20 - setting the byte count too low can result in an
unintended bandwidth allocation.
The following figure shows how WRR queuing behaves in a four-queue
architecture.

Figure 9-7: Weighted Round-Robin Queuing


Deficit Round Robin and Modified Deficit Round Robin (DRR/MDRR)
Deficit Round Robin (DRR) is a modified form of WRR scheduling. An inherent
limitation of the WRR mode is that the allocation of bandwidth is in terms of
packets. WRR works well if the average packet size for each CoS queue flow is
known. In most cases, this attribute is traffic-dependent and can vary over
time. DRR can handle packets of variable size without knowing their size. A
maximum packet size number is subtracted from the packet length, and packets
that exceed that number are held back until the next visit of the scheduler.
In the DRR scheduling method, frames are sent from non-empty queues one after
the other, in a round-robin way. Each time frames are sent from a queue, a
fixed amount of data is dequeued and then the algorithm moves on to the next
queue. While sending frames from a queue, DRR keeps track of the number of
data bytes dequeued in excess of the configured value.
When the queue is served again, less data is dequeued to compensate for the
excess data previously sent. As a result, the average amount of data dequeued
per queue is close to the configured value.
Two variables define each DRR/MDRR queue:
• Quantum value: the average number of bytes served in each round. The
  quantum value is 2 KB.
• Deficit counter: tracks the number of transmitted bytes per queue in each
  round. Initially it is the quantum value.
For each queue, packets are sent as long as the deficit counter is greater
than zero. Each sent packet decreases the deficit counter by a value equal to
its length in bytes. A queue cannot be served after its deficit counter
becomes zero or negative. DRR serves more packets at a time if their size is
less than the quantum.
Each MDRR queue can receive a relative weight, with one of the queues from
the group defined as a priority queue. The weights assign relative bandwidth
for each queue when the port is congested.

NOTE: When DRR scheduling is used with a fixed packet size, it behaves as WRR.
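The following Python sketch is an added example, not part of the original manual or of ECI's implementation. It replays the byte-count WRR case described earlier (500-, 300- and 100-byte packets, byte count 200) and then runs the same traffic through DRR as this section describes it; the function names, the constructed backlog and the reset of an idle queue's counter are assumptions.

```python
from collections import deque


def wrr_byte_count(queues, byte_count, rounds):
    """Byte-count WRR: on each visit a queue sends whole packets until at
    least byte_count bytes have left; the overshoot is never paid back."""
    sent = [0] * len(queues)
    for _ in range(rounds):
        for i, q in enumerate(queues):
            served = 0
            while q and served < byte_count:
                served += q.popleft()
            sent[i] += served
    return sent


def drr(queues, quantum, rounds):
    """DRR as described in this section: the deficit counter starts at the
    quantum, a queue sends while its counter is greater than zero, every
    sent packet subtracts its length, and the (possibly negative) remainder
    is carried into the next round, where one quantum is added."""
    deficit = [quantum] * len(queues)
    sent = [0] * len(queues)
    for _ in range(rounds):
        for i, q in enumerate(queues):
            while q and deficit[i] > 0:
                size = q.popleft()
                deficit[i] -= size
                sent[i] += size
            if q:
                deficit[i] += quantum
            else:
                # Assumption: a queue that ran empty restarts with a fresh
                # quantum instead of keeping old credit or debt.
                deficit[i] = quantum
    return sent


def shares(sent):
    """Bytes sent per queue as rounded percentages of the total."""
    total = sum(sent)
    return [round(100 * s / total) for s in sent]


def backlog(sizes, count=100):
    """Constructed sample traffic: queue i holds `count` packets of sizes[i] bytes."""
    return [deque([s] * count) for s in sizes]


if __name__ == "__main__":
    sizes = (500, 300, 100)
    print("WRR bytes :", wrr_byte_count(backlog(sizes), 200, 15))
    print("WRR shares:", shares(wrr_byte_count(backlog(sizes), 200, 15)))
    print("DRR bytes :", drr(backlog(sizes), 200, 15))
    print("DRR shares:", shares(drr(backlog(sizes), 200, 15)))
```

Over 15 rounds the WRR shares are 50/30/20, while DRR sends 3000 bytes from every queue; with equal packet sizes in all queues both functions return the same byte counts, which is the behaviour the NOTE above states.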


MDRR Scheduling
These scheduling methods combine Strict Priority queuing and DRR
scheduling. One or more queues are serviced with strict priority, while the
rest of the queues are serviced in accordance with the MDRR algorithm.
MDRR queuing guarantees immediate delivery of packets from high-ranking
queues while avoiding starvation of the lowest-ranking queues.
The following table explains the available MDRR scheduling algorithms.
Table 9-4: Modified Deficit Round-Robin Queuing Algorithms

Algorithm Name Algorithm Description


MDRR 1 Assigns DRR queuing to txq1-txq7 and SP queuing to txq8.
MDRR 2 Assigns DRR queuing to txq1-txq6 and SP queuing to txq7-txq8.
MDRR 3 Assigns DRR queuing to txq1-txq5 and SP queuing to txq6-txq8.
MDRR 4 Assigns DRR queuing to txq1-txq4 and SP queuing to txq5-txq8.
MDRR 5 Assigns DRR queuing to txq1-txq3 and SP queuing to txq4-txq8.
MDRR 6 Assigns DRR queuing to txq1-txq2 and SP queuing to txq3-txq8.

Hybrid Scheduling
This scheduling method combines SP queuing and WRR scheduling. Queues
with higher priority are serviced with SP while the remaining queues are
serviced in accordance with WRR, after the higher priority queues are empty.
SP/WRR hybrid scheduling guarantees immediate delivery of packets from
high-ranking queues while avoiding lowest-ranking queues’ starvation.
The following table explains the available hybrid scheduling algorithms.
Table 9-5: Hybrid Scheduling Algorithms

Algorithm Name Algorithm Description


Hybrid 1 Assigns WRR scheduling to txq1-txq7 and SP scheduling to txq8.
Hybrid 2 Assigns WRR scheduling to txq1-txq6 and SP scheduling to txq7-txq8.
Hybrid 3 Assigns WRR scheduling to txq1-txq5 and SP scheduling to txq6-txq8.
Hybrid 4 Assigns WRR scheduling to txq1-txq4 and SP scheduling to txq5-txq8.
Hybrid 5 Assigns WRR scheduling to txq1-txq3 and SP scheduling to txq4-txq8.
Hybrid 6 Assigns WRR scheduling to txq1-txq2 and SP scheduling to txq3-txq8.


Technique for Avoiding QoS Congestion


The QoS congestion avoidance technique strives to avoid congestion by
monitoring network traffic loads at network and internetwork bottlenecks. In
conditions of congestion, this technique provides preferential treatment for
premium class traffic in order to maximize network throughput and capacity
utilization while minimizing packet loss and delay.

Egress Traffic Shaping


When congestion occurs, the packets are transmitted on the outgoing port and
the assigned queues. Traffic shaping allows the user to shape output traffic
(egress traffic) on a per-port basis and also per queue on the port. The output
traffic is monitored to verify that it conforms to the rate configured on the
device. When excessive traffic is detected on the device, the output port applies
the traffic shaping and controls the excess traffic. If the device queues
overflow, the traffic is dropped.

Policy-Based QoS Management


The QoS implementation is based on Policies and Profiles, which allow easy
and robust management. The idea behind the Policy-based management is that
a carrier usually provides a limited number of “packages” to its customers, with
multiple customers purchasing the same package. Most of the SLAs with the
customers would be based on these “packages” as templates.
For example, a Premium Business package could be a true VPN and triple-play
package including VPN, Voice, Video and Internet with 10Mb/s of overall
bandwidth. On the other hand, a Basic Business package would include VPN
and Internet only, with lower overall bandwidth allocation (e.g. 3Mb/s).
Once a customer subscribes to a package, the network allocates the required
resources both for the service(s) and the QoS implementation. For QoS
implementation, a set of resources (such as queues, schedulers, buffer space
etc.) will be allocated inside the device. In ECI’s QoS terminology, this is
called instantiation of a Policy. Once another customer has subscribed to the
same package, the same Policy will be instantiated again, which means an
additional, identical set of resources will be allocated.
In some cases it makes sense to share a Policy instance between multiple
customers. This technique is useful to save resources, although it means no true
per-customer SLA assurance can be performed (for example, these customers
will share the same shapers, and eventually the same allowed bandwidth).


The device supports several types of Policies (described in detail in the
following subsections). Each Policy type includes parameters related to a
different set of QoS features.
In addition, some of the features are configured using Profiles. Unlike Policies,
Profiles are low-level “templates”, each defining parameters for a single
distinctive QoS feature. Profiles are used not to allocate resources, but rather to
configure resources that have already been allocated.

Profiles
Profiles are used within QoS policies. Each profile includes a set of
configurable values that can be applied.
The device supports the following QoS profile types:
• Congestion Avoidance Profile:
  ▪ Tail-drop
• Mapping Profile:
  ▪ Maps L2 (VPT)- or L3 (DSCP)-marked traffic (or both) to particular
    Forwarding Classes (FCs) and traffic colors.
• Scheduling Profile:
  ▪ Specifies the queuing/scheduling algorithm to apply to a queue. (Refer
    to Traffic Scheduling for details.)
• Shaper Profile:
  ▪ Specifies the shaping algorithm to apply to a port or a queue.

Port-Related Policies
The device supports the following port-related QoS policies:
• Port Ingress Policy
  ▪ Applied per port.
  ▪ Applies mapping of VPT/DSCP values to Forwarding Class (FC) and
    traffic color through a mapping profile.
  ▪ Applies trust mode of the VPT/DSCP values to the ingress traffic.
• Port Egress Policy
  ▪ Applied per port.
  ▪ Applies scheduling algorithms through a scheduling profile.
  ▪ Applies shaper per port, per queue, or both through a shaper profile.


Relevant Scaling Numbers

Maximum Number of Profiles
• Mapping profiles: 64 (including two default: global and defMapProf)
• Scheduling profiles: 8
• Scheduling profiles: 8 (including SP default profile)

Maximum Number of Policies
• Port ingress policies: 64 (including one default policy)
• Port egress policies: 64 (including one default policy)

Order of Configuration
1. Define and configure the following profiles:
   • the mapping profiles
   • the shaper profiles
   • the scheduling profiles
   For details on the respective configuration commands, see "QoS Profile
   Configuration Commands Hierarchy".
2. Define and configure the ingress/egress policies. Configuring a port
   ingress policy consists of mapping the VPT and DSCP bits of the incoming
   traffic to an internal Forwarding Class (FC) and color, and setting the
   trust mode. The FC groups in ingress policies are mapped to queues. A port
   egress policy, on the other hand, defines the queueing mechanism
   (scheduling), the congestion-avoidance mechanism (tail-drop) and the
   shaper profile.
3. Apply the configured policies to ports. Once applied, QoS profiles and
   policies can be modified. For updating the configuration of any port, the
   applied policies must first be removed from that configuration. You
   are not able to delete profiles and policies attached to a port or SAP.


QoS Default Configuration


The following table shows the default QoS configuration.

Table 9-6: QoS Default Configuration

Feature                                   Default Value
Default mapping profile                   defMapProf
                                          Global
                                          This profile implements the default
                                          mapping on device, see Table 9-8
QoS scheduling algorithm                  Strict Priority
Port trust mode                           untrust
Drop level per user priority              Green
User priority                             fc=be
DSCP value                                Specified in the default mapping profiles
DSCP drop level                           Specified in the default mapping profiles
Traffic shaping                           Disabled
Congestion Avoidance Tail-Drop            See Table 9-7
profiles configuration
Port policies profiles configuration      See Table 9-10

Table 9-7: Congestion Avoidance Tail-Drop Profiles Default Configuration

Profile   Yellow Threshold   Red Threshold
1         50                 100
2         20                 100

Table 9-8: Mapping Profile Default Configuration

Profile Priority Mapping


VPT DSCP FC Color
defMapProf untrust be green
Global


Table 9-9: Mapping Profile Default Configuration

Profile Priority Mapping


VPT DSCP FC Color
global 0 - be green
1 - l2 green
2 - af green
3 - l1 green
4 - h2 green
5 - ef green
6 - h1 green
7 - nc green
- 0-7 be green
- 8-15 l2 green
- 16-23 af green
- 24-31 l1 green
- 32-39 h2 green
- 40-47 ef green
- 48-55 h1 green
- 56-63 nc green

Table 9-10: Port Policies Profiles Default Configuration

Policy     Policy Type   Profile Type/Name           Trust Mode
                         Mapping       Scheduling
defInPol   ingress       defMapProf    -             untrust
defEgPol   egress        -             1             -


QoS Configuration Flow


The following flow chart shows the process of configuring the QoS parameters.

Figure 9-8: QoS Configuration Flow


Traffic Storm-Control
The traffic storm-control feature prevents LAN ports from being disrupted by a
broadcast, multicast, and/or unicast traffic storm. This mechanism regulates the
rate at which devices forward the traffic. Traffic storm-control monitors
incoming traffic rates over a 1-second storm-control interval and compares this
traffic rate with the traffic storm-control rate that you configure. When the port
threshold is met, all incoming traffic on the port is dropped.

QoS Commands

QoS Profile Configuration Commands

QoS Profile Configuration Commands' Hierarchy
+ config terminal
  + qos
    + [no] congestion-avoidance-profile tail-drop <profile-id>
      - [no] description DESCRIPTION
      - [no] yellow-threshold <threshold-percent>
    + [no] mapping-profile PROFILE-NAME
      - [no] any-untrust-to-fc color {green | yellow}
      - [no] any-untrust-to-fc fc {be | l2 | af | l1 | h2 | ef | h1 | nc}
      - [no] description DESCRIPTION
    + [no] scheduling-profile [<profile-id>]
      - scheduling-type {drr | hybrid-1 | hybrid-2 | hybrid-3 | hybrid-4 | hybrid-5 | hybrid-6 | mdrr-1 | mdrr-2 | mdrr-3 | mdrr-4 | mdrr-5 | mdrr-6 | sp | wrr}
    + [no] shaper-profile port [<profile-id>]
      - [no] cbs <cbs>
      - [no] cir <cir>
      - [no] description DESCRIPTION


QoS Profile Configuration Commands' Descriptions

Table 9-11: Descriptions of the QoS Profiles Configuration Commands

Command
    Description

qos
    Enters QoS mode

congestion-avoidance-profile tail-drop <profile-id>
    Specifies a congestion avoidance tail-drop profile to configure and
    enters configuration mode for that profile:
    • profile-id: ID of the tail-drop profile, the valid range is <1-8>
    • 1, 2: IDs of the default tail-drop congestion avoidance profiles;
      for details, refer to §Default Settings

no congestion-avoidance-profile tail-drop [<profile-id>]
    Deletes the specified congestion avoidance tail-drop profile or, when
    used without a parameter, deletes all congestion avoidance tail-drop
    profiles.
    • profile-id: ID of the tail-drop profile to delete
    Note: Default congestion avoidance tail-drop profiles cannot be deleted.

description DESCRIPTION
    Assigns a description to the configured profile:
    • DESCRIPTION: a string of <1-150> characters

no description
    Removes the assigned description

yellow-threshold <threshold-percent>
    Yellow threshold of the specified tail-drop profile, as a percentage
    value. This is the maximum allowed queue size for packets marked as
    yellow, as a percentage of the size of the entire queue. The yellow
    threshold must be lower than or equal to the red threshold.
    • threshold-percent: yellow threshold percentage, the valid range is
      <0-100>

no yellow-threshold <threshold-percent>
    Restores to default

mapping-profile PROFILE-NAME
    Specifies a mapping profile to configure and enters configuration mode
    for that profile:
    • PROFILE-NAME: name of the mapping profile, a string of <1-32>
      characters
    • Global and defMapProf (default mapping profiles)
    For more information on default profiles, see QoS Default Configuration.

no mapping-profile [PROFILE-NAME]
    Deletes the specified mapping profile or, when used without a
    parameter, deletes all mapping profiles.
    • PROFILE-NAME: name of the mapping profile to delete

any-untrust-to-fc color {green | yellow}
    Assigns the specified color to all untrusted ingress traffic:
    • green: assigns green color to the traffic
    • yellow: assigns yellow color to the traffic

no any-untrust-to-fc color
    Restores to default

any-untrust-to-fc fc {be | l2 | af | l1 | h2 | ef | h1 | nc}
    Assigns the specified FC to all untrusted ingress traffic:
    • be: assigns be FC to the traffic
    • l2: assigns l2 FC to the traffic
    • af: assigns af FC to the traffic
    • l1: assigns l1 FC to the traffic
    • h2: assigns h2 FC to the traffic
    • ef: assigns ef FC to the traffic
    • h1: assigns h1 FC to the traffic
    • nc: assigns nc FC to the traffic

no any-untrust-to-fc fc
    Restores to default

description DESCRIPTION
    Assigns a description to the configured profile:
    • DESCRIPTION: a string of <1-150> characters

no description
    Removes the assigned description

scheduling-profile <profile-id>
    Specifies a scheduling profile to configure and enters configuration
    mode for that profile:
    • profile-id: ID of the mapping profile, the valid range is <1-8>

no scheduling-profile [<profile-id>]
    Deletes the specified scheduling profile or, when used without a
    parameter, deletes all mapping profiles.
    • profile-id: ID of the scheduling profile to delete

scheduling-type {drr | hybrid-1 | hybrid-2 | hybrid-3 | hybrid-4 | hybrid-5 | hybrid-6 | mdrr-1 | mdrr-2 | mdrr-3 | mdrr-4 | mdrr-5 | mdrr-6 | sp | wrr}
    Specifies the type of queuing/scheduling to be employed by the
    configured profile. For an explanation of the algorithm behind each
    scheduling type, see "WRR/MDDR Hybrid Queuing" and "Hybrid Scheduling".
    • drr: specifies Deficit Round-Robin (DRR) scheduling
    • hybrid-1: specifies scheduling according to the first hybrid algorithm
    • hybrid-2: specifies scheduling according to the second hybrid algorithm
    • hybrid-3: specifies scheduling according to the third hybrid algorithm
    • hybrid-4: specifies scheduling according to the fourth hybrid algorithm
    • hybrid-5: specifies scheduling according to the fifth hybrid algorithm
    • hybrid-6: specifies scheduling according to the sixth hybrid algorithm
    • mdrr-1: specifies scheduling according to the first Modified Deficit
      Round-Robin (MDRR) algorithm
    • mdrr-2: specifies scheduling according to the second MDRR algorithm
    • mdrr-3: specifies scheduling according to the third MDRR algorithm
    • mdrr-4: specifies scheduling according to the fourth MDRR algorithm
    • mdrr-5: specifies scheduling according to the fifth MDRR algorithm
    • mdrr-6: specifies scheduling according to the sixth MDRR algorithm
    • sp: specifies Strict Priority (SP) scheduling
    • wrr: specifies Weighted Round-Robin (WRR) scheduling

shaper-profile port <profile-id>
    Specifies a port shaper profile to configure and enters configuration
    mode for that profile:
    • profile-id: ID of the port shaper profile, the valid range is <1-8>

no shaper-profile port [<profile-id>]
    Deletes the specified port shaper profile or, when used without a
    parameter, deletes all port shaper profiles.
    • profile-id: ID of the port shaper profile to delete

cbs <cbs>
    Specifies the Committed Burst Size (CBS) for the shaper profile, in
    kilobytes:
    • cbs: the valid range is <1-1048575>
    • 64

no cbs
    Restores to default

cir <cir>
    Specifies the Committed Information Rate (CIR) for the shaper profile,
    in kilobytes per second:
    • cir: the valid range is <1-1048575>
    • 100000

no cir
    Restores to default

description DESCRIPTION
    Assigns a description to the configured profile:
    • DESCRIPTION: a string of <1-150> characters

no description DESCRIPTION
    Removes the assigned description


QoS Policy Configuration Commands

QoS Policy Configuration Commands' Hierarchy
+ config terminal
  + qos
    + [no] port-egress-policy POLICY-NAME
      - [no] congestion-avoidance tail-drop <profile-id>
      - [no] description DESCRIPTION
      + [no] queue <queue-id>
        - [no] congestion-avoidance tail-drop <profile-id>
        - [no] shaper-profile <profile-id>
      - [no] scheduling-profile <profile-id>
      - [no] shaper-profile <profile-id>
    + [no] port-ingress-policy POLICY-NAME
      - [no] description DESCRIPTION
      - [no] mapping-profile PROFILE-NAME
      - [no] trust-mode {trust-dscp | trust-preserve-priority | trust-priority | trust-priority-and-dscp | untrust}

QoS Policy Configuration Commands' Descriptions

Table 9-12: Descriptions of the QoS Policy Configuration Commands

Command
    Description

qos
    Enters QoS mode

port-egress-policy POLICY-NAME
    Specifies a port egress policy to configure and enters configuration
    mode for that policy:
    • POLICY-NAME: name of the specified policy, a string of <1-64>
      characters
    • defEgPol: name of the default egress policy; for details, refer to
      §Default Settings

no port-egress-policy POLICY-NAME
    Deletes the specified port egress policy:
    • POLICY-NAME: name of the specified policy

congestion-avoidance tail-drop <profile-id>
    Assigns congestion avoidance tail-drop profile to the policy. The
    profile is selected from the available congestion avoidance tail-drop
    profiles.
    • profile-id: ID of the assigned profile

no congestion-avoidance tail-drop
    Removes the assigned congestion avoidance tail-drop profile from the
    configured policy

description DESCRIPTION
    Assigns a description to the configured policy:
    • DESCRIPTION: a string of <1-150> characters

no description
    Removes the assigned description

queue <queue-id>
    Assigns queue to the configured policy and enters queue configuration
    mode for that queue:
    • queue-id: ID of the assigned queue, the valid range is <1-8>

no queue <queue-id>
    Removes the specified queue from the configured policy:
    • queue-id: ID of the queue to remove from the policy

congestion-avoidance tail-drop <profile-id>
    Specifies congestion avoidance tail-drop profile to apply to the queue.
    The profile is selected from the available congestion avoidance
    tail-drop profiles.
    • profile-id: ID of the specified profile

no congestion-avoidance tail-drop
    Removes from the queue the applied congestion avoidance tail-drop
    profile

shaper-profile <profile-id>
    Specifies shaper profile to apply to the queue. The profile is selected
    from the available shaper profiles:
    • profile-id: ID of the specified profile

no shaper-profile
    Removes from the queue the applied shaper profile

scheduling-profile <profile-id>
    Assigns scheduling profile to the configured policy. The profile is
    selected from the available scheduling profiles.
    • profile-id: ID of the assigned profile

no scheduling-profile
    Removes the assigned scheduling profile from the policy

shaper-profile <profile-id>
    Assigns a shaper profile to the configured policy. The profile is
    selected from the available shaper profiles.
    • profile-id: ID of the assigned profile

no shaper-profile
    Removes the shaper scheduling profile from the policy

port-ingress-policy POLICY-NAME
    Specifies a port ingress policy to configure and enters configuration
    mode for that policy:
    • POLICY-NAME: name of the specified policy, a string of <1-64>
      characters
    • defInPol: name of the default ingress policy; for details, refer to
      §Default Settings

no port-ingress-policy POLICY-NAME
    Deletes the specified port ingress policy:
    • POLICY-NAME: name of the specified policy, a string of <1-64>
      characters

description DESCRIPTION
    Assigns a description to the configured policy:
    • DESCRIPTION: a string of <1-150> characters

no description DESCRIPTION
    Removes the assigned description

mapping-profile PROFILE-NAME
    Assigns mapping profile to the configured policy. The profile is
    selected from the available mapping profiles.
    • PROFILE-NAME: name of the assigned profile

no mapping-profile
    Removes the mapping profile from the policy

trust-mode {trust-dscp | trust-preserve-priority | trust-priority | trust-priority-and-dscp | untrust}
    Specifies the ingress traffic trust mode to be applied by the
    configured policy:
    • trust-dscp: trusts all DSCP-marked ingress traffic
    • trust-priority: trusts all VPT-marked ingress traffic
    • trust-priority-and-dscp: trusts all DSCP- and VPT-marked ingress
      traffic; the DSCP-marked traffic has higher precedence than the VPT
      traffic
    • untrust: untrusts all ingress traffic

no trust-mode
    Removes the ingress traffic trust mode that has been specified for the
    policy

QoS Port Configuration Commands

QoS Port Configuration Commands' Hierarchy
+ root
  + config terminal
    + [no] port UU/SS/PP
      - [no] qos-egress-policy POLICY-NAME
      - [no] qos-ingress-policy POLICY-NAME


QoS Port Configuration Commands' Descriptions

Table 9-13: Descriptions of the QoS Port Configuration Commands

Command
    Description

config terminal
    Enters Configuration mode

port UU/SS/PP
    Specifies a port to configure with port ingress/egress policies and
    enters QoS port configuration mode for that port:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

no port UU/SS/PP
    Removes the port from the configuration:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

qos-egress-policy POLICY-NAME
    Specifies port egress policy to apply to the configured port. The
    policy is selected from the available port egress policies.
    • POLICY-NAME: name of the specified policy, a string of <1-64>
      characters

no qos-egress-policy
    Restores the default port egress policy on the specified port.

qos-ingress-policy POLICY-NAME
    Specifies the port ingress policy to apply to the configured port. The
    policy is selected from the available port ingress policies.
    • POLICY-NAME: name of the specified policy, a string of <1-64>
      characters

no qos-ingress-policy
    Removes service ingress policy on the specified port


Storm-Control Commands

Storm-Control Commands’ Hierarchy


+ root
  + config terminal
    + ethernet
      + [no] storm-control
        + [no] port UU/SS/PP
          - [no] traffic-type broadcast [rate-threshold <rate>]
          - [no] traffic-type multicast [rate-threshold <rate>]
          - [no] traffic-type unknown [rate-threshold <rate>]
          - [no] traffic-type all [rate-threshold <rate>]
          - [no] shutdown

Storm-Control Commands’ Descriptions

Table 9-14: Descriptions of the Storm-Control Configuration Commands

Command
    Description

config terminal
    Enters the Configuration mode

ethernet
    Enters the Ethernet Configuration mode

storm-control
    Enters the Storm-control Configuration mode

no storm-control
    Removes the storm-control configurations

port UU/SS/PP
    Selects a port:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

no port UU/SS/PP
    Removes the port from the configuration:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

traffic-type broadcast [rate-threshold <rate>]
    Defines the upper threshold rate for broadcast traffic. The storm
    control action occurs when traffic utilization reaches this rate.
    • rate: the valid range is <0–4294967295> packets per second (pps),
      which, calculated on 64-byte packet size basis, translates to the
      following limits (in pps):
      ▪ for 100-megabit ports: 148810
      ▪ for 1-gigabit ports: 1488095
      ▪ for 10-gigabit ports: 14880950

no traffic-type broadcast
    Restores to default

traffic-type multicast [rate-threshold <rate>]
    Defines the upper threshold rate for multicast traffic:
    • rate: the valid range is <0–4294967295> packets per second (pps),
      which, calculated on 64-byte packet size basis, translates to the
      following limits (in pps):
      ▪ for 100-megabit ports: 148810
      ▪ for 1-gigabit ports: 1488095
      ▪ for 10-gigabit ports: 14880950

no traffic-type multicast
    Restores to default

traffic-type unknown [rate-threshold <rate>]
    Defines the upper threshold rate for unknown traffic:
    • rate: the valid range is <0–4294967295> packets per second (pps),
      which, calculated on 64-byte packet size basis, translates to the
      following limits (in pps):
      ▪ for 100-megabit ports: 148810
      ▪ for 1-gigabit ports: 1488095
      ▪ for 10-gigabit ports: 14880950

no traffic-type unknown
    Restores to default

traffic-type all [rate-threshold <rate>]
    Defines the upper threshold rate for all traffic:
    • rate: the valid range is <0–4294967295> packets per second (pps),
      which, calculated on 64-byte packet size basis, translates to the
      following limits (in pps):
      ▪ for 100-megabit ports: 148810
      ▪ for 1-gigabit ports: 1488095
      ▪ for 10-gigabit ports: 14880950

no traffic-type all
    Restores to default

shutdown
    Disables the storm-control on the port
    • Disabled

no shutdown
    Enables the storm-control on the port

QoS Configuration Display Commands

QoS Configuration Display Commands' Hierarchy
+ root
  - show running-config qos
  - show running-config qos congestion-avoidance-profile
  - show running-config qos congestion-avoidance-profile tail-drop [<profile-id>]
  - show running-config qos mapping-profile [PROFILE-NAME]
  - show running-config qos port-egress-policy [POLICY-NAME]
  - show running-config qos port-ingress-policy [POLICY-NAME]
  - show running-config qos shaper-profile
  - show running-config qos shaper-profile port [<profile-id>]
  - show running-config qos scheduling-profile [<profile-id>]
  - show running-config port UU/SS/PP


QoS Configuration Display Commands' Descriptions

Table 9-15: Descriptions of the QoS Display Configuration Commands

Command
    Description

show running-config qos
    Displays the current QoS configuration

show running-config qos congestion-avoidance-profile
    Displays all configured congestion avoidance profiles

show running-config qos congestion-avoidance-profile tail-drop [<profile-id>]
    Displays the specified tail-drop congestion avoidance profile or, when
    used without a parameter, displays all configured tail-drop congestion
    avoidance profiles.
    • profile-id: ID of the tail-drop congestion avoidance profile to
      display

show running-config qos mapping-profile [PROFILE-NAME]
    Displays the specified mapping profile or, when used without a
    parameter, displays all configured mapping profiles.
    • PROFILE-NAME: name of the mapping profile to display

show running-config qos port-egress-policy [POLICY-NAME]
    Displays the specified port egress policy or, when used without a
    parameter, displays all configured port egress policies.
    • POLICY-NAME: name of the policy to display

show running-config qos port-ingress-policy [POLICY-NAME]
    Displays the specified port ingress policy or, when used without a
    parameter, displays all configured port ingress policies.
    • POLICY-NAME: name of the policy to display

show running-config qos shaper-profile
    Displays all configured shaper profiles.

show running-config qos shaper-profile port [<profile-id>]
    Displays the specified port shaper profile or, when used without a
    parameter, displays all configured port shaper profiles.
    • profile-id: ID of the port shaper profile to display

show running-config qos scheduling-profile [<profile-id>]
    Displays the specified scheduling profile or, when used without a
    parameter, displays all configured scheduling profiles.
    • profile-id: ID of the scheduling profile to display

show running-config port {UU/SS/PP}
    Displays the configuration of the specified port, including the
    ingress/egress policies applied to it or, when used without a
    parameter, displays the configuration for all ports.
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4

Configuration Examples

Configuring QoS Shaper per Port


1. Create port shaper profile:
device-name#config terminal
device-name(config)#qos
device-name(config-qos)#shaper-profile port 1 cir 12000 cbs 1500
device-name(config-port-1)#commit
Commit complete.
device-name(config-port-1)#

2. Apply shaper profile per egress policy:


device-name(config-port-1)#exit
device-name(config)#qos
device-name(config-qos)#port-egress-policy 22
device-name(config-port-egress-policy-22)#shaper-profile 1
device-name(config-port-egress-policy-22)#commit
Commit complete.
device-name(config-port-egress-policy-22)#

3. Apply egress policy per egress port:


device-name(config)#port 1/1/3
device-name(config-port-1/1/3)#qos-egress-policy 22
device-name(config-port-1/1/3)#commit
Commit complete.
device-name(config-port-1/1/3)#


Configuring QoS Shaper per Queue


1. Create port shaper profile:
device-name(config)# qos shaper-profile port 1 cir 6000 cbs 16

2. Apply shaper profile per queue per egress policy:


device-name(config)#qos
device-name(config-qos)#port-egress-policy 22
device-name(config-port-egress-policy-22)#queue 1
device-name(config-queue-1)#shaper-profile 1

3. Apply egress policy per egress port:


device-name(config)#port 1/1/1
device-name(config-port-1/1/1)#qos-egress-policy 22
device-name(config-port-1/1/1)#commit
Commit complete.

Creating a Complete QoS Configuration


The following example demonstrates how to create QoS profiles and policies
and apply them to port 1/1/1.
1. Configure shaper profile:
device-name#config terminal
device-name(config)#qos
device-name(config-qos)#shaper-profile port 2 cir 5555 cbs 55
device-name(config-port-2)#description shaper
device-name(config-port-2)#exit

2. Configure scheduling profile:


device-name(config)#qos
device-name(config-qos)#scheduling-profile 5 scheduling-type hybrid-2 queue1-weight 11 queue2-weight 22 queue3-weight 33 queue4-weight 44 queue5-weight 55 queue6-weight 66
device-name(config-scheduling-profile-5)#exit

3. Configure ingress/egress policies:


device-name(config)#qos
device-name(config-qos)#port-ingress-policy 2
device-name(config-port-ingress-policy-2)#description ingress
device-name(config-port-ingress-policy-2)#mapping-profile global
device-name(config-port-ingress-policy-2)#trust-mode trust-priority-and-dscp
device-name(config-port-ingress-policy-2)#exit
device-name(config-qos)#port-egress-policy 2
device-name(config-port-egress-policy-2)# description egress
device-name(config-port-egress-policy-2)#shaper-profile 2
device-name(config-port-egress-policy-2)#scheduling-profile 5
device-name(config-port-egress-policy-2)#congestion-avoidance tail-drop 2


4. Commit the configuration:


device-name(config-port-egress-policy-2)#commit
Commit complete.
device-name(config-port-egress-policy-2)#

5. Apply the ingress and egress policies to port 1/1/1:


device-name(config-port-egress-policy-2)#exit
device-name(config)#port 1/1/1
device-name(config-port-1/1/1)#qos-ingress-policy 2
device-name(config-port-1/1/1)#qos-egress-policy 2
device-name(config-port-1/1/1)#commit
Commit complete.
device-name(config-port-1/1/1)#

Supported Standards, MIBs, and RFCs

Feature: Quality of Service (QoS)
Standards: MEF-10 (Ethernet Services Attributes Phase I)
MIBs: Private ECI Telecom QOS MIB (currently not supported)
RFCs: No RFCs are supported by this feature.



10 Operations, Administration, and Maintenance (OAM)

Features Included in this Chapter

OAM is a family of standards providing reliable remotely-managed service-
assurance (SA) mechanisms for both the provider and customer networks,
offering the ability to perform automatic periodic network-wide service
assurance and quality verifications.
This chapter includes the configuration instructions for the following OAM
standards:
• 802.1ag Connectivity Fault Management (CFM)
  This standard refers to the ability of a network to monitor the health of an
  end-to-end service delivered to customers (as opposed to just links or
  individual bridges).
• 802.3ah Ethernet in the First Mile (EFM-OAM)
  This standard specifies the protocols and Ethernet interfaces for using
  Ethernet over access links as a first-mile technology and transforming it
  into a highly reliable technology.


802.1ag Connectivity Fault Management (CFM)

Overview
IEEE 802.1ag Connectivity Fault Management (CFM) refers to the ability of a
network to monitor the health of an end-to-end service delivered to customers
(as opposed to just links or individual bridges). The pre-standard IEEE 802.1ag
CFM feature, called MAC ping/trace route, defines the end-to-end OAM
capabilities that are intrinsic to Ethernet technology, enabling service providers
to monitor the Ethernet service that the customer receives.
The 802.1ag CFM standard specifies protocols, procedures, and managed
objects to support transport fault management. These allow:
• the discovery and verification of the path of frames addressed to and from
  specified network users
• the detection and isolation of a connectivity fault to a specific bridge or
  LAN
Ethernet CFM defines proactive and diagnostic fault localization procedures for
point-to-point and multipoint Ethernet Virtual Connections (EVC) that span
one or more links.

CFM-OAM Protocol Functionality


CFM-OAM supports the following basic functionalities:
• Discovery & Connectivity: the ability to discover other CFM-OAM enabled
  devices and verify the connectivity to these devices
• Fault Verification: the ability to verify and test the quality of the service
  delivered
• Fault Isolation: the ability to identify and isolate the point of fault within
  the service path


CFM Purpose
Bridges are increasingly used in networks operated by multiple independent
organizations, each with restricted management access to each other’s
equipment.
CFM provides capabilities for detecting, verifying, and isolating connectivity
failures in such networks, where multiple organizations are involved in
providing and using the Ethernet service (such as customers, service providers,
and operators).
Customers purchase Ethernet service from service providers. These service
providers may utilize their own networks or the networks of other operators to
provide connectivity for the requested service. Customers themselves may be
service providers. For example, a customer may be an Internet service provider
that sells Internet connectivity.

Figure 10-1: OAM Ethernet Tools

Operators need minimal Ethernet OAM, as opposed to providers, who need more
comprehensive Ethernet OAM for themselves and the ability to provide
customers with better monitoring functionality.
In order to validate the service quality and to perform fault verification on
the Maintenance End Points (MEPs) and Maintenance Intermediate Points (MIPs)
that belong to it, each organization defines its own maintenance
domain. These MEPs and MIPs are then linked to the relevant domain, creating
a Maintenance Association (MA).


Mechanisms of Ethernet 802.1ag OAM


The mechanisms supported by CFM include Connectivity Check Messages
(CCM), loopback, link trace and Alarm Indication Signal (AIS).
CFM allows for end-to-end fault management that is generally reactive
(through loopback, link trace messages, and Alarm Indication Signals) and
connectivity verification that is proactive (through Connectivity Check
messages).

Discovery and Connectivity


To discover the devices in a domain, each MEP periodically transmits a CCM to
all MIPs and MEPs in the domain.
CCMs are periodic hello messages multicast by a MEP within the MA at a
defined rate. The receiving MEPs build a MEP database that catalogs a list of
the various MAs, including their MEPs and MIPs (indicating each entity's
MAC address) as functional points.
For each entity, the database records the MEP Destination MAC Address (DA) and
port (format: MEP DA, Port).

Figure 10-2: MEP1 and MEP3 Send a Multicast CC Frame


Figure 10-3: MEP4 and MEP2 Send a Multicast CC Frame

A CCM timeout is used to detect connectivity faults (such as a software failure,
memory corruption, or misconfiguration). A CCM loss is assumed when a
MEP does not receive the next CCM from a remote MEP within the CCM
timeout.
If a MEP on a local bridge (local MEP) stops receiving periodic CCMs from a
peer MEP on a remote bridge (remote MEP), it assumes that a failure in the
remote bridge or in the continuity of the path has occurred. If the MEP does not
receive three consecutive CCMs, it declares a connectivity loss.
In this case, the bridge can notify the network management application about
the failure and initiate the fault verification and fault isolation steps either
automatically or through an operator command.
Since a short CCM interval rate is a key point in ensuring fast connection-
failure detection, the systems administrator can define a CCM interval rate of
down to 3.3 milliseconds.
When a MEP is deliberately taken out of commission, it indicates this
status to its peer MEPs to avoid triggering false fault detections.
CFM also provides an alarm suppression mechanism for cases where a network
fault affects more than one VLAN. It avoids a situation where different
MEPs each generate an alarm for the same common fault.
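
An added illustration of the CCM timeout logic above (not device or ECI Telecom code): it builds the remote-MEP database from constructed CCM arrivals and declares a loss once three consecutive CCMs are missing. The log values, the function name, and the choice to time the declaration at the third missed CCM are assumptions of this example.

```python
# hello-interval values from Table 10-2, in seconds.
HELLO_SECONDS = {"1s": 1, "10s": 10, "1m": 60, "10m": 600}
MISSED_LIMIT = 3  # connectivity loss after three consecutive CCMs are missed

# Constructed CCM arrivals at one local MEP:
# (receive time in seconds, remote MEP id, source MAC, receiving port).
CCM_LOG = (
    [(t, 101, "02:00:00:00:00:65", "1/1/3") for t in (0, 1, 2, 7, 8, 9, 10, 11, 12)]
    + [(t, 102, "02:00:00:00:00:66", "1/1/4") for t in range(0, 9)]
)


def track_remote_meps(ccm_log, hello_interval, now):
    """Build the remote-MEP database and the loss periods seen up to `now`."""
    timeout = MISSED_LIMIT * HELLO_SECONDS[hello_interval]
    database = {}
    for t, mep_id, mac, port in sorted(ccm_log):
        entry = database.get(mep_id)
        if entry is None:
            # First CCM from this remote MEP: record its MAC address and port.
            database[mep_id] = {"mac": mac, "port": port, "last_seen": t, "outages": []}
            continue
        if t - entry["last_seen"] > timeout:
            # Three expected CCMs never arrived; the loss ended when this CCM came in.
            entry["outages"].append((entry["last_seen"] + timeout, t))
        entry.update(mac=mac, port=port, last_seen=t)
    for entry in database.values():
        lost = now - entry["last_seen"] > timeout
        if lost:
            # Still silent at `now`: the outage has a start but no end yet.
            entry["outages"].append((entry["last_seen"] + timeout, None))
        entry["state"] = "connectivity-loss" if lost else "ok"
    return database


if __name__ == "__main__":
    for interval in ("1s", "10s"):
        print("hello-interval", interval)
        for mep_id, entry in track_remote_meps(CCM_LOG, interval, now=12).items():
            print(" ", mep_id, entry["mac"], entry["port"], entry["state"], entry["outages"])
```

With the same arrivals, a 10s hello-interval reports no loss at all at time 12, which is why a short interval matters for fast detection.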


Fault Verification (Loopback Messages)


A unicast Loopback Message (LBM) is used for fault verification. To verify the
connectivity between a MEP and its peer MEP or a MIP, the MEP initiates an LBM
with the destination MAC address set to the MAC address of either a
Maintenance association Intermediate Point (MIP) or the peer MEP. The
receiving MIP or MEP responds to the LBM with a Loopback Reply (LBR).
A Loopback message helps a MEP identify the precise fault location along a
given MA. A Loopback message is issued by a MEP to a given MIP along an
MA. The appropriate MIP in front of the fault responds with a Loopback reply.
The MIP behind the fault does not respond. For Loopback to work, the MEP
must know the MAC address of the MIP to ping.

Figure 10-4: Loopback Operation

In the above figure two maintenance entities are shown: one comprising the
yellow MEPs and MIPs, the other comprising orange MEPs and MIPs.

Fault Isolation (Linktrace Messages)


In order to isolate the exact point of fault, a MEP initiates a Linktrace
mechanism. This mechanism is used to isolate faults at the Ethernet MAC
layer.
To run this mechanism, the originating MEP sends a Linktrace Message (LTM,
using the domain's set of reserved multicast MAC addresses) that traverses
hop-by-hop along the domain's trace path. Each Maintenance Point (MP,
whether a MEP or MIP) along the trace path intercepts this LTM, processes it,
and forwards it onto the next hop until it reaches the destination MEP.


Each MP along the path returns a unicast Linktrace Reply (LTR) back to the
originating MEP. The MEP then sends a single LTM to the next hop along the
trace path eventually determining the MAC address of all MIPs along the MA
and their precise location with respect to the originating MEP.

Figure 10-5: Link Trace Operation

In the case of Ethernet, fault isolation is more challenging because MAC addresses
age out, erasing the information needed for locating the fault.
The possible ways to address this issue are:
• Carrying out the Linktrace within the age-out time frame
• Maintaining information about the destination MEP at the MIPs along the
  path using CCMs
• Maintaining the path's visibility at the source MEPs through periodic LTMs
  (in intervals larger than the CCM rate interval)
You can also use the Linktrace mechanism to discover normal data paths
through the network while the network is fault-free. This can be
helpful at a later stage: when Linktrace cannot provide the information
needed to isolate a fault, you can issue LBMs to MPs along the normal data
paths to retrieve additional useful information.


Fault Notification and Alarm Suppression (Fault Alarms)

The Fault Alarm feature is a management operation that generates an SNMP
notification to a designated address when a MEP detects a fault.
When you enable the Fault Alarm, the MEP transmits an alarm upon detecting
a defect that occurred for more than a predefined threshold time. The MEP can
transmit no further Fault Alarms until a configured time period has passed
during which no defect indication is present.
A MEP maintains a number of separate defects, for example, one for defects
caused by the accidental cross-connection of two different MAs and one for
defects that are confined to a single MA.
The defects are ranked by priority. If a higher priority defect occurs after a
lower priority defect has triggered a Fault Alarm, then the MEP transmits
another Fault Alarm. This enables the operator to reliably prioritize Fault
Alarms. For example, cross-connect errors are typically of greater concern in a
Service Provider environment than connectivity loss errors. Only the highest-
priority defect is reported in the Fault Alarm.
In the order of their priority the defects are:
• DefRDICCM: the last CCM received by this MEP from a remote MEP
  contained the RDI bit
• DefMACstatus: the last CCM received by this MEP from a remote MEP
  indicated that the transmitting MEP’s associated MAC is reporting an error
  status
• DefRemoteCCM: this MEP is not receiving CCMs from one of the MEPs
  in its configured list
• DefErrorCCM: this MEP is receiving invalid CCMs
• DefXconCCM: this MEP is receiving CCMs from a different MA
The following table shows the relationship between the variables indicating the
defects (the highestDefect column), their priorities, and corresponding integer
(the highestDefectPri column) reported to the fault alarm. The
highestDefectPri is an integer value indicating the priority of the defect named
in the variable highestDefect. The highestDefect variable is the highest-priority
defect which is currently detected by the MEP.


Table 10-1: Defects and Priorities

Defect                                  Priority
Variable              HighestDefect     HighestDefectPri   Importance
Disable               Disable           6
xconCCMdefect         DefXconCCM        5                  most
errorCCMdefect        DefErrorCCM       4
someRMEPCCMdefect     DefRemoteCCM      3
someMACstatusDefect   DefMACstatus      2
someRDIdefect         DefRDICCM         1                  least
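
The alarm behaviour described above (threshold time, reset time, and a new alarm for a higher-priority defect) can be traced with a small model. This is an added example, not ECI Telecom code: the timeline is constructed, the state names are this example's own, and `lowest_alarm_pri` is assumed to act like fault-alarms-level as a minimum priority, consistent with Table 10-1 where 6 disables alarms.

```python
# Defect priorities (highestDefectPri) from Table 10-1.
PRIORITY = {
    "DefRDICCM": 1, "DefMACstatus": 2, "DefRemoteCCM": 3,
    "DefErrorCCM": 4, "DefXconCCM": 5,
}

# Constructed timeline: (time in hundredths of a second, defects active from then on).
TIMELINE = [
    (0, set()),
    (100, {"DefRDICCM"}),                    # present for 1 s only: below the threshold
    (200, set()),
    (500, {"DefRemoteCCM"}),                 # CCM loss persists
    (900, {"DefRemoteCCM", "DefRDICCM"}),    # lower-priority defect joins
    (1200, {"DefRemoteCCM", "DefXconCCM"}),  # higher-priority defect joins
    (1500, set()),
    (2000, {"DefErrorCCM"}),                 # returns before the reset time has passed
    (2100, set()),
    (4000, {"DefErrorCCM"}),                 # returns after the reset time has passed
]


def simulate_fault_alarms(timeline, end_time, alarm_time=250, reset_time=1000,
                          lowest_alarm_pri=1):
    """Return [(time, highestDefect, highestDefectPri)] for every Fault Alarm sent.

    alarm_time and reset_time are in hundredths of a second, like the
    fng-alarm-time and fng-reset-time commands in this manual.
    """
    alarms = []
    state, deadline, last_pri = "RESET", None, 0
    next_times = [t for t, _ in timeline[1:]] + [end_time]
    for (t, active), t_next in zip(timeline, next_times):
        # Only the highest-priority defect at or above the alarm level counts.
        ranked = [(PRIORITY[d], d) for d in active if PRIORITY[d] >= lowest_alarm_pri]
        pri, name = max(ranked, default=(0, None))

        # React to the change in defect indication at time t.
        if state == "RESET" and pri:
            state, deadline = "DEFECT", t + alarm_time
        elif state == "DEFECT" and not pri:
            state = "RESET"             # cleared before the threshold time: no alarm
        elif state == "CLEARING" and pri:
            state = "REPORTED"          # defect is back before the reset time passed
        if state == "REPORTED":
            if not pri:
                state, deadline = "CLEARING", t + reset_time
            elif pri > last_pri:        # higher-priority defect: alarm again
                alarms.append((t, name, pri))
                last_pri = pri

        # Let the running timer expire before the next change.
        if state == "DEFECT" and deadline < t_next:
            alarms.append((deadline, name, pri))
            state, last_pri = "REPORTED", pri
        elif state == "CLEARING" and deadline <= t_next:
            state, last_pri = "RESET", 0
    return alarms


if __name__ == "__main__":
    for level in (1, 4, 6):
        print("alarm level", level, simulate_fault_alarms(TIMELINE, 5000, lowest_alarm_pri=level))
```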

CFM Configuration Flow

Figure 10-6: CFM-OAM Configuration Flow


CFM Commands

CFM Command’s Hierarchy


+ root
+ config terminal
+ [no] oam
+ [no] cfm
+ [no] shutdown
+ [no] domain-name DOMAIN-NAME
- level <level>
+ [no] ma MA-NAME
- [no] ais-lck
- [no] ais-lck-interval {1min | 1sec}
- [no] ais-lck-level <level>
- [no] ais-lck-priority <priority>
- [no] ccm-priority <priority>
- format {icc | ieee}
- [no] hello-interval <value>
- [no] mep <id> UU/SS/PP
- [no] shutdown
- direction {up | down}
- [no] ccm-enabled
- [no] ccm-priority <priority>
- [no] fng-alarm-time <value>
- [no] fng-reset-time <value>
- [no] fault-alarms-level <defect-priority>
- [no] mip-policy {default | defer | explicit | none}
- [no] sender-id-content {hostname | all | management-address | none}
- [no] vlan <vlan-id>
- [no] service <id>
- format {none | string}
- [no] mip-policy {default | explicit | none}
- [no] sender-id-content {hostname | all | management-address | none}
+ [no] threshold-profile <id>
- [no] one-way-jitter-error <value>
- [no] one-way-jitter-warning <value>
- [no] one-way-jitter-monitoring <true | false>


- [no] frame-loss-error <threshold>
- [no] frame-loss-warning <threshold>
- [no] frame-loss-monitoring
- [no] round-trip-jitter-error <value>
- [no] round-trip-jitter-error-period <value>
- [no] round-trip-jitter-warning <value>
- [no] round-trip-jitter-warning-period <value>
- [no] round-trip-jitter-monitoring
- [no] round-trip-latency-error <value>
- [no] round-trip-latency-error-period <value>
- [no] round-trip-latency-warning <value>
- [no] round-trip-latency-warning-period <value>
- [no] round-trip-latency-monitoring
- [no] results-bucket-size <size>
- [no] priority <priority>
- [no] rate <rate>
- [no] tlv-size <size>
- [no] description <string>
- [no] update-interval <value>
- [no] test <id> DOMAIN-NAME MA-NAME <id> [repeat-interval number]
- oam cfm linktrace domain DOMAIN-NAME ma MA-NAME mep <id> {target-mep <target-mep-id> | target-mip HH:HH:HH:HH:HH:HH} {timeout <value> | ttl <value>}
- oam cfm loopback domain DOMAIN-NAME ma MA-NAME mep <id> {target-mep <target-mep-id> | target-mip HH:HH:HH:HH:HH:HH} [timeout <value> | payload <value> | delay <value> | number <value>]
- clear oam cfm remote-mep-table domain-name NAME ma NAME [remote-mep <id>]
- show oam cfm
- show oam cfm connectivity [domain-name DOMAIN-NAME]
- show oam cfm connectivity [extended]
- show oam cfm domain level <level>
- show oam cfm update-interval
- show oam cfm {interface UU/SS/PP | interfaces}
- show oam cfm test [id <id>]
- show oam cfm threshold-profile [id <id>]
- show oam cfm linktrace-results domain-name DOMAIN-NAME [ma MA-NAME]


CFM Commands’ Descriptions

Table 10-2: CFM Configuration Commands

Command
    Description
config terminal
    Enters Configuration mode
oam
    Enters OAM Protocol Configuration mode
no oam
    Removes the OAM configurations
cfm
    Enters CFM Protocol Configuration mode
no cfm
    Removes all CFM configurations
shutdown
    Disables CFM
no shutdown
    Enables CFM
domain-name DOMAIN-NAME
    Creates a Maintenance Domain (MD) and enters a specific MD mode:
    • DOMAIN-NAME: a string of <1-22> characters
no domain-name DOMAIN-NAME
    Removes the maintenance domain
level <level>
    Defines a domain's level:
    • level: in the range of <0-7>
    The domain's levels are:
    • Operator’s Maintenance Association (MA) levels: 0–2
    • Provider’s MA levels: 3–4
    • Customer’s MA levels: 5–7
ma MA-NAME
    Creates a Maintenance Association (MA) and enters a specific MA configuration mode:
    • MA-NAME: a string of <1-22> characters
vlan <vlan-id>
    Defines a unique VLAN identifier:
    • vlan-id: in the range of <1–4092>
no vlan [<vlan-id>]
    Removes the defined VLAN identifier

service <id>
    Defines a unique service identifier:
    • id: in the range of <1–4294967295>
no service [<id>]
    Removes the defined service identifier
ais-lck
    Enables Alarm Indication Signal (AIS) and Lock Signal (LCK) functions of Y.1731. MEPs send AIS packets during signal failure detection and LCK packets during tests.
no ais-lck
    Disables AIS and LCK functions of Y.1731
ais-lck-interval {1min | 1sec}
    Defines a time interval between two successively sent AIS or LCK packets:
    • 1min: 1 minute interval
    • 1sec: 1 second interval
    • 1sec
no ais-lck-interval
    Restores to default
ais-lck-level <level>
    Defines a domain level for sending AIS and LCK packets (AIS-LCK level). This level must be higher than the CFM domain level:
    • level: in the range of <0-7>
no ais-lck-level
    Removes the configured AIS-LCK level
ais-lck-priority <priority>
    Defines the priority for sending AIS and LCK packets:
    • priority: in the range of <0-7>
    • 6
no ais-lck-priority
    Restores to default
ccm-priority <priority>
    Defines the VLAN priority assigned to CCM and LTM packets for all MEPs in a MA:
    • priority: in the range of <0-7>
    • 6
no ccm-priority
    Restores to default

fng-alarm-time <value>
    Defines the time interval for triggering a Fault Alarm by all local MEPs from MA in case of fault detection:
    • value: in the range of <250-1000> hundredths of a second
    • 250 hundredths of a second
no fng-alarm-time
    Restores to default
fng-reset-time <value>
    Defines the time interval for re-enabling the Fault Alarm if no faults have been detected:
    • value: in the range of <250-1000> hundredths of a second
    • 1000 hundredths of a second
no fng-reset-time
    Restores to default
format {icc | ieee}
    Defines the MA format:
    • icc: domain name format complying to ITU-T Y.1731 standard specifications
    • ieee: domain name format complying to IEEE 802.1ag standard specifications
    • ieee
hello-interval <value>
    Defines the time interval between two successive CCMs sent by a MEP that is a member of this MA:
    • value: 1s, 10s, 1m, and 10m
    • 1 second
no hello-interval
    Restores to default
mep <id> UU/SS/PP
    Adds a local port as MEP to a specific MA:
    • id: in the range of <0–8191>
    • UU/SS/PP: the corresponding local MEP port (unit, slot and port).
no mep <id>
    Removes the MEP from the MA
shutdown
    Disables the MEP
    • Disabled
no shutdown
    Enables the MEP

direction {up | down}
    Defines the direction in which the MEP faces on the bridge port:
    • up, down
ccm-enabled
    Enables the generation of CCM messages by the MEP
no ccm-enabled
    Restores to default
    • Disabled
ccm-priority
    Defines the VLAN priority assigned to all CCM and LTM packets for a particular MEP:
    • priority: in the range of <0-7>
    • 6
no ccm-priority
    Restores to default
fng-alarm-time <value>
    Defines the time interval for which defects must be present before a local MEP generates a Fault Alarm:
    • value: in the range of <250-1000> hundredths of a second
    • 250 hundredths of a second
no fng-alarm-time
    Restores to default
fng-reset-time <value>
    Defines the time interval in which defects must be absent before enabling a Fault Alarm again:
    • value: in the range of <250-1000> hundredths of a second
    • 1000 hundredths of a second
no fng-reset-time
    Restores to default
fault-alarms-level <defect-priority>
    Defines the defect priority for generating Fault Alarms. Defects can be either loss of CCMs or a reception of cross connected CCMs:
    • defect-priority: in the range of <1-6>
    • Defect priority is 1 and alarms are generated for all defect conditions
no fault-alarms-level
    Restores to default

mip-policy
    Defines the conditions under which MIPs are automatically created on ports:
    • default: always creates MIPs
    • defer: adopts the setting of the enclosing domain
    • explicit: creates MIPs only if a MEP exists on a lower MD Level
    • none: does not create any MIPs for the specified MA
    • defer
no mip-policy
    Restores the default MIP policy setting
sender-id-content {hostname | defer | all | management-address | none}
    Configures the content of the Sender ID's Type Length Value (TLV) included in most of the CFM packets sent by the MEPs:
    • hostname: the Sender ID's TLV includes only the device hostname: the local hostname is visible to all remote sites on the MA but the local management address is hidden
    • defer: adopts the setting of the enclosing domain
    • all: the Sender ID's TLV includes both the hostname and the management address of the device
    • management-address: the Sender ID's TLV includes only the device's management address: the local management mechanism and management address are visible to all remote sites on the MA, but the local hostname is hidden
    • none: does not send the Sender ID's TLV to remote MEPs: the chassis ID and management information are hidden from all remote sites
    • defer
no sender-id-content
    Restores to default

format {none | string}
    Defines the format of the domain name:
    • none: the name will not appear in the MA ID
    • string: the name will appear in the MAID as string
mip-policy
    Defines the conditions in which MIPs are automatically created on ports:
    • default: always creates MIPs
    • explicit: creates MIPs only if a MEP exists on a lower MD Level
    • none: does not create any MIPs for the specified MA
    • none
no mip-policy
    Restores to default
sender-id-content
    Configures the content of the Sender ID's Type Length Value (TLV) included in most of the CFM packets sent by the MEPs:
    • hostname: the Sender ID's TLV includes only the device hostname: the local hostname is visible to all remote sites on the MA, but the local management address is hidden
    • all: the Sender ID's TLV includes both the hostname and the management address of the device
    • management-address: the Sender ID's TLV includes only the device's management address: the local management mechanism and management address are visible to all remote sites on the MA but the local hostname is hidden
    • none: does not send the Sender ID's TLV to remote MEPs: the chassis ID and management information are hidden from all remote sites
    • none
no sender-id-content
    Restores to default

threshold-profile <threshold-profile id>
    Creates a CFM profile with a specified name and enters Monitoring Profile Configuration mode:
    • threshold-profile id: in the range of <1-64>
    • When the CFM protocol is enabled, a default profile is created automatically
no threshold-profile [threshold-profile id]
    Restores to default
one-way-jitter-error <value>
    Configures the one-way jitter error monitoring:
    • value: in the range of <1-10000> milliseconds
    • 350 milliseconds
no one-way-jitter-error
    Restores to default
one-way-jitter-warning <value>
    Configures the one-way jitter warning monitoring:
    • value: in the range of <1-10000> milliseconds
    • 300 milliseconds
no one-way-jitter-warning
    Restores to default
frame-loss-error <error-threshold>
    Specifies the threshold for the two-way frame-loss error monitoring:
    • error-threshold: in the range of <1-99>%
    • 10% frame loss
no frame-loss-error
    Restores to default.
frame-loss-warning <warning-threshold>
    Specifies the threshold for the two-way frame-loss warning monitoring:
    • warning-threshold: in the range of <0-99>%. If you specify a value that is higher than the frame-loss-error value, the frame-loss-warning will be disabled
    • 8% frame loss
no frame-loss-warning
    Restores to default
frame-loss-monitoring
    Enables frame-loss monitoring
    • Enabled
no frame-loss-monitoring
    Disables the frame loss monitoring

round-trip-jitter-error <value>
    Specifies error value of the two-way jitter error monitoring:
    • value: in the range of <1-10000> milliseconds
    • 700 milliseconds
no round-trip-jitter-error
    Restores to default
round-trip-jitter-error-period <value>
    Specifies the duration of the two-way jitter error:
    • value: in the range of <1-3600> seconds
    • 90 seconds
no round-trip-jitter-error-period
    Restores to default
round-trip-jitter-warning <value>
    Specifies the warning value for the two-way jitter warning monitoring:
    • value: in the range of <1-10000> milliseconds
    • 600 milliseconds
no round-trip-jitter-warning
    Restores to default
round-trip-jitter-warning-period <value>
    Specifies the duration of the two-way jitter warning:
    • value: in the range of <1-3600> seconds
    • 180 seconds
no round-trip-jitter-warning-period
    Restores to default
round-trip-jitter-monitoring <true | false>
    Enables round-trip jitter monitoring
    • True
no round-trip-jitter-monitoring
    Restores to default.
round-trip-latency-error <value>
    Specifies the threshold for the two-way latency error monitoring:
    • value: in the range of <1-10000> milliseconds
    • 2000 milliseconds
no round-trip-latency-error
    Restores to default
round-trip-latency-error-period <value>
    Specifies the duration of latency error increase:
    • value: in the range of <1-3600> seconds
    • 90 seconds
no round-trip-latency-error-period
    Restores to default

round-trip-latency-warning <value>
    Specifies the threshold for the two-way latency warning:
    • value: in the range of <1-10000> milliseconds
    • 1600 milliseconds
no round-trip-latency-warning
    Restores to default
round-trip-latency-warning-period <value>
    Specifies the duration of the latency warning increase:
    • value: in the range of <1-3600> seconds
    • 180 seconds
no round-trip-latency-warning-period
    Restores to default
round-trip-latency-monitoring
    Enables round-trip latency monitoring
no round-trip-latency-monitoring
    Disables the round-trip latency monitoring
results-bucket-size <size>
    Specifies the number of results to be stored for jitter calculation:
    • size: in the range of <2-255>
    • 20 results
no results-bucket-size
    Restores to default
priority <priority>
    Specifies the 802.1p class-of-service:
    • value: in the range of <0-7>
    • 0
no priority
    Restores to default
rate <rate>
    Specifies the number of the Loopback Request packets:
    • rate: in the range of <1-3>
    • 1 packet
no rate
    Restores to default
tlv-size <size>
    Specifies the size of the Loopback Request packets, in bytes:
    • size: in the range of <0-1462>
    • 0 bytes
no tlv-size
    Restores to default

update-interval <value>
    Specifies the time interval for updating the monitoring parameters (one-way jitter, two-way jitter, latency, and frame loss):
    • value: in the range of <0-65535> seconds. A value 0 suspends the monitoring task and a value different from 0 resumes it
    • 20 seconds
no update-interval
    Restores to default
test <id> DOMAIN-NAME MA-NAME <threshold-profile id> [repeat-interval number]
    Tests the connectivity:
    • id: in the range of <1-256>
    • DOMAIN-NAME: a string of <1-22> characters
    • MA-NAME: a string of <1-22> characters
    • threshold-profile id: in the range of <1-64>
    • number: the repeat interval in the range of <1-420>
no test <id> DOMAIN-NAME MA-NAME <threshold-profile id> [repeat-interval]
    Stops the testing

oam cfm linktrace domain DOMAIN-NAME ma MA-NAME mep <id> {target-mep <target-mep-id> | target-mip HH:HH:HH:HH:HH:HH} [timeout <value> | ttl <value>]
    Sends a linktrace message to a specified MEP or MIP in the domain:
    • DOMAIN-NAME: a string of <1-22> characters
    • MA-NAME: a string of <1-22> characters
    • mep <id>: the source MEP ID, in the range of <1–8191>
    • target-mep <target-mep-id>: the linktrace destination MEP ID, in the range of <1–8191>
    • target-mip HH:HH:HH:HH:HH:HH: the MAC address of the linktrace destination MIP
    • timeout <value>: (optional) the linktrace reply (LTR) timeout, in the range of <1–60> seconds
      • 2 seconds
    • ttl <value>: (optional) the initial TTL field value, in the range of <1–255>

oam cfm loopback domain DOMAIN-NAME ma MA-NAME mep <id> {target-mep <target-mep-id> | target-mip HH:HH:HH:HH:HH:HH} [timeout <value> | payload <value> | delay <value> | number <value>]
    Sends a loopback message to a specific MEP or MIP in a specified domain:
    • DOMAIN-NAME: a string of <1-22> characters
    • MA-NAME: a string of <1-22> characters
    • mep <id>: the source MEP ID, in the range of <1–8191>
    • target-mep <target-mep-id>: the loopback destination MEP ID, in the range of <1–8191>
    • target-mip HH:HH:HH:HH:HH:HH: the MAC address of the loopback destination MIP
    • timeout <value>: (optional) the loopback reply (LBR) timeout, in the range of <1–60> seconds
      • 2 seconds
    • payload <value>: (optional) the loopback message PDU size, in the range of <0–1462> bytes
      • 0 bytes
    • delay <value>: (optional) the delay between 2 consecutive loopback messages, in the range of <0–60> seconds
      • 5 seconds
    • number <value>: (optional) defines the number of loopback messages sent, in the range of <1–1024>
      • 3 messages

clear oam cfm remote-mep-table domain-name NAME ma NAME remote-mep <id>
    Clears a remote MEP connectivity table:
    • DOMAIN-NAME: clears table for a domain name string, in the range of <1-43> characters
    • ma NAME: clears table for a MA name string, in the range of <1-45> characters
    • remote-mep <id>: clears table for a specific MEP, in the range of <0–8191>. A value of 0 clears all remote MEPs

Table 10-3: CFM Configuration Display Commands

Command Description
show oam cfm
    Displays the current CFM configuration and CFM status
show oam cfm connectivity [domain-name DOMAIN-NAME]
    Displays connectivity statistics for all configured domains:
    • DOMAIN-NAME: displays connectivity statistics for the specified domain
show oam cfm connectivity [extended]
    Displays information extracted from the Port ID's TLV in CCMs:
    • extended: (optional) displays additional information, such as the
      remote device management address and name
show oam cfm domain level <level>
    Displays information for MD:
    • level: in the range of <0-7>
show oam cfm update-interval
    Displays the update interval value in seconds
show oam cfm {interface UU/SS/PP | interfaces}
    Displays the CFM configuration per interface
show oam cfm test [id <id>]
    Displays information about performed test(s):
    • id: in the range of <1-256>
show oam cfm threshold-profile [id <id>]
    Displays information about CFM profile(s):
    • id: in the range of <1-256>


show oam cfm linktrace-results domain-name DOMAIN-NAME [ma MA-NAME]
    Displays linktrace results for a management domain and maintenance
    association:
    • domain-name DOMAIN-NAME: a string of <1-22> characters
    • ma MA-NAME: (optional) a string of <1-22> characters

CFM Configuration Example


1. Enable CFM:
device-name(config)#oam cfm
device-name(config-cfm)#no shutdown

2. Create a maintenance domain with a specified name d7 and level 7 and
create an MA ma7 within a specified domain:
device-name(config-cfm)#domain-name d7 level 7
device-name(config-domain-name-d7)#ma ma7 vlan 10

3. Specify the identification data sent to the remote MEPs and the MIP
creation policy on the specified MA:
device-name(config-ma-ma7)#sender-id-content all
device-name(config-ma-ma7)#mip-policy explicit

4. Add port 1/1/1 as MEP with an ID 10 to a specified MA and specify the
CCM flow direction:
device-name(config-ma-ma7)#mep 10 1/1/1 direction down ccm-enabled
device-name(config-mep-10/1/1/1)#no shutdown
device-name(config-mep-10/1/1/1)#exit
device-name(config-ma-ma7)#exit
device-name(config-domain-name-d7)#exit

5. Create a profile with ID 4 and configure the profile priority, rate,
round-trip jitter, frame loss, and latency errors monitoring:
device-name(config-cfm)#threshold-profile 4
device-name(config-threshold-profile-4)#priority 2
device-name(config-threshold-profile-4)#rate 2
device-name(config-threshold-profile-4)#round-trip-jitter-error 100
device-name(config-threshold-profile-4)#frame-loss-error 20
device-name(config-threshold-profile-4)#no frame-loss-monitoring
device-name(config-threshold-profile-4)#round-trip-latency-error 200
device-name(config-threshold-profile-4)#exit
device-name(config-cfm)#no shutdown
device-name(config-cfm)#commit
Commit complete.
device-name(config-cfm)#end


6. Display the current CFM configuration and status:


device-name#show oam cfm

Domain: d7
Domain Name Format: string
Level: 7
Mip Policy: none
Sender ID Content: none

Maintenance association: ma7


MA Name Format: string
Service ID: 10
CCM Priority: 6
Hello interval (ms): 1000
Mip Policy: defer
Sender ID Content: all

Local MEPs
============================================================================
| MEP |   Port   |  Adm  |CCM| Oper  | Alarm |  CCM   |  Sent  |   Last    |
|     |          | State |En | State | Level |Priority|  CCM   |    CCM    |
|-----+----------+-------+---+-------+-------+--------+--------+-----------|
|   10|     1/1/1|  Up   |Yes|  Up   |   1   |   6    |   15835|23:18:58.012|
============================================================================

device-name#show oam cfm connectivity

Domain: d7
Level: 7

Maintenance association: ma7


Service ID: 10
Hello interval (ms): 1000

Remote MEPs discovered by local MEP 10


=================================================================
| MEP |    MAC-address    |  Adm  | Oper  |   Last State    |RDI|
|     |                   | State | State |     Change      |Bit|
|-----+-------------------+-------+-------+-----------------+---|
|   11|  00:A0:12:9B:00:00|     Up|  Up   |   1days 01:00:10|  0|
=================================================================

device-name#show oam cfm threshold-profile id 4


Profile ID/name: 4/none
Priority: 2; Rate: 2; Payload size: 0; Bucket size: 20;
Thresholds (value<ms>/duration<s>):
1W Jitter error: 350 1W Jitter warning: 300
2W Jitter error: 100/90 2W Jitter warning: 600/180
Latency error: 200/90 Latency warning: 1600/180
Frame loss error[disabled]: 20% Frame loss warning[disabled]: 8%


802.3ah Ethernet in the First Mile (EFM-OAM)

Overview
The IEEE 802.3ah Ethernet in the First Mile (EFM) standard specifies the
protocols and Ethernet interfaces for using Ethernet over access links as a
first-mile technology and transforming it into a highly reliable technology.
Using the Ethernet in the First Mile solution, you gain broadcast Internet access
in addition to services (such as Layer 2 transparent LAN services, Voice
services over Ethernet Access networks, Video, and multicast applications)
reinforced by security and Quality of Service (QoS) control to build a scalable
network.
The in-band management specified by this standard defines the operations,
administration, and maintenance (OAM) mechanism needed for the advanced
monitoring and maintenance of Ethernet links in the first mile. The OAM
capabilities facilitate network operation and troubleshooting for both the
provider and the customer networks.
Basic 802.3 packets convey OAM data between two ends of a physical link.
802.3ah (Clause 57) provides the single-link OAM capabilities.
When enabled, two connected OAM devices exchange Protocol Data Units
(OAMPDUs). OAMPDUs are standard-size frames, including information such
as the destination MAC address, EtherType and subtype, sent at a predefined
rate (a limitation necessary for reducing the impact on the usable bandwidth).
EFM OAM is optional, and you can enable or disable it per physical port.

Figure 10-7: End-to-End OAM Configuration


Potential Applications
Service providers use the link layer EFM for demarcation point OAM services.
Using the Ethernet demarcation service, providers can manage remote devices
(defined as passive devices) without utilizing an IP layer. Instead, they can
utilize link-layer SNMP counters request and reply, loopback testing, and other
techniques that are controlled remotely.

Installation Configurations
The following configuration shows how to manage the provider device (CPE
passive device) using the 802.3ah standard.

Figure 10-8: Managing Provider Devices using the EFM 802.3ah Standard


The configuration below illustrates how to manage the customer devices using
EFM 802.3ah.

Figure 10-9: Managing Customer Devices (passive) using the EFM 802.3ah
Standard

EFM-OAM Protocol Functionality

EFM-OAM supports the following basic functionalities:
• Discovery: a local Data Terminating Entity's (DTE) ability to discover
  other EFM-OAM enabled DTEs and exchange information about OAM
  entities, capabilities, and configuration.
• Link monitoring: this process is used to detect and indicate link faults to its
  peer.
• Remote failure detection: a mechanism for an OAM device to convey error
  conditions to its peer via a flag in the OAMPDUs.
• Response to MIB variable retrieval: used for retrieving information for a
  management information base.
• Organization-specific enhancements: provides vendor-specific enhancements
  to the protocol.


Discovery
In the first phase, EFM-OAM enabled DTEs identify other DTEs along with
their OAM capabilities using Information OAMPDUs, advertising the
following information:
• OAM configuration (capabilities)—the local DTE's OAM capabilities.
  Using this information, a peer can determine what functions are supported
  and accessible (for example, loopback capability).
• OAM mode—the DTE's OAM mode, also used to determine the DTE's
  functionality:
  - Active mode: the DTE instigates OAM communications and can issue
    queries and commands to the remote device.
  - Passive mode: the DTE generally waits for the peer DTE to instigate
    OAM communications and responds to them. It does not instigate
    commands and queries.
  For more information about the rules for active and passive mode DTEs,
  refer to Rules for Active Mode and Rules for Passive Mode below.
  The mode combinations are:
  - One active and one passive OAM DTE
  - Two active OAM DTEs
• OAMPDU configuration—including the maximum size of OAMPDUs
  delivered. (This information, in combination with a limited rate of ten
  frames per second, is used to limit the bandwidth allocated to OAM traffic.)
• Platform identity—the platform identity is a combination of an
  Organization Unique Identifier (OUI, the first three bytes of the MAC
  address) and 32 bits of vendor-specific information. OUI allocation is
  controlled by the IEEE.
Once OAM support is detected and the OAM expectations are met, both ends
of the link exchange the above information, enabling OAM on the link.
However, the loss of a link or a failure to receive OAMPDUs for a predefined
interval causes the discovery process to start over again.


Timers
Two configurable timers control the protocol:
• The Hello timer, determining the rate for sending OAMPDUs
• The Keep-alive timer, determining the time interval for expecting
  OAMPDUs from the peer
An additional 1-second non-configurable timer is used for error aggregation
necessary for the Link Monitoring Process to generate link quality events.

Flags
Each OAMPDU includes a Flags field that includes the discovery process
status. There are three possible status values:
• Discovering—the discovery process is in progress
• Stable—discovery is completed and the remote device can start sending any
  type of OAMPDU
• Unsatisfied—when there are mismatches in the OAM configuration that
  prevent OAM from completing the discovery process

Process Overview
The discovery process allows a local Data Terminating Entity (DTE) to detect
OAM on a remote DTE. Once OAM support is detected, both ends of the link
exchange state and configuration information (such as mode, PDU size,
loopback support, etc.). If both DTEs are satisfied with the settings, OAM is
enabled on the link. However, the loss of a link or a failure to receive
OAMPDUs for the keep-alive time interval (e.g. 5 seconds) may cause the
discovery process to start over again.
DTEs may be in either active or passive mode. Active mode DTEs instigate
OAM communications and can issue queries and commands to a remote
device. Passive mode DTEs generally wait for the peer device to instigate
OAM communications and respond to, but do not instigate, commands and
queries. Rules of what DTEs in active or passive mode can do are discussed in
the following sections.


Rules for Active Mode

The Active mode DTE:
• initiates the OAM Discovery process
• sends Information PDUs
• can send Event Notification PDUs
• can send Variable Request/Response PDUs
• can send Loopback Control PDUs
• can respond to Variable Request PDUs (does not respond to Variable
  Request PDUs from devices in Passive mode)
• can react to Loopback Control (does not react to Loopback Control PDUs
  from devices in Passive mode)

Rules for Passive Mode

The Passive mode DTE:
• waits for the remote device to initiate the Discovery process
• sends Information PDUs
• can send Event Notification PDUs
• can respond to Variable Request PDUs
• can react to received Loopback Control PDUs
• cannot send Variable Request or Loopback Control OAMPDUs
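
The following Python example is added here and is not part of the manual or the device software. It decodes the OAMPDU header and the Local Information TLV that carry the discovery data described above (mode, capabilities, maximum OAMPDU size, OUI, discovery status flags), then applies the passive-mode rules to received PDUs. The destination MAC, EtherType, subtype, flag bits and TLV layout are taken from IEEE 802.3 Clause 57, not from this manual; the sample frames and all function names are constructed.

```python
import struct

# Wire constants from IEEE 802.3 Clause 57; the manual does not list them.
SLOW_PROTOCOLS_MAC = bytes.fromhex("0180c2000002")
SLOW_PROTOCOLS_ETHERTYPE = 0x8809
OAM_SUBTYPE = 0x03
CODES = {0x00: "Information", 0x01: "Event Notification",
         0x02: "Variable Request", 0x03: "Variable Response",
         0x04: "Loopback Control", 0xFE: "Organization Specific"}
# (Local Stable, Local Evaluating) flag bits -> status names used in the manual.
DISCOVERY = {(0, 0): "Unsatisfied", (0, 1): "Discovering",
             (1, 0): "Stable", (1, 1): "Reserved"}
# PDU codes a passive-mode DTE cannot send ("Rules for Passive Mode").
PASSIVE_FORBIDDEN = {0x02, 0x04}


def parse_oampdu(frame: bytes) -> dict:
    """Decode the OAMPDU header and, when present, the Local Information TLV."""
    if len(frame) < 18:
        raise ValueError("frame too short for an OAMPDU header")
    dst, src, ethertype, subtype, flags, code = struct.unpack(
        "!6s6sHBHB", frame[:18])
    if ethertype != SLOW_PROTOCOLS_ETHERTYPE or subtype != OAM_SUBTYPE:
        raise ValueError("not an OAMPDU")
    pdu = {
        "dst_ok": dst == SLOW_PROTOCOLS_MAC,
        "src": src.hex(":"),
        "code": code,
        "code_name": CODES.get(code, "Reserved"),
        "link_fault": bool(flags & 0x01),
        "dying_gasp": bool(flags & 0x02),
        "critical_event": bool(flags & 0x04),
        "discovery": DISCOVERY[((flags >> 4) & 1, (flags >> 3) & 1)],
        "local_info": None,
    }
    body = frame[18:]
    # Local Information TLV: type 0x01, length 0x10 (16 bytes in total).
    if code == 0x00 and len(body) >= 16 and body[0] == 0x01 and body[1] == 0x10:
        (_type, _length, _version, _revision, _state, config, pdu_config,
         oui, vendor) = struct.unpack("!BBBHBBH3sI", body[:16])
        pdu["local_info"] = {
            "mode": "active" if config & 0x01 else "passive",
            "loopback_support": bool(config & 0x04),
            "link_events": bool(config & 0x08),
            "variable_retrieval": bool(config & 0x10),
            "max_pdu_size": pdu_config & 0x07FF,
            "oui": oui.hex(":"),
            "vendor_info": vendor,
        }
    return pdu


class PeerMonitor:
    """Remembers the mode each peer advertised and reports rule violations."""

    def __init__(self):
        self.mode_by_src = {}

    def check(self, frame: bytes) -> list:
        pdu = parse_oampdu(frame)
        findings = []
        if not pdu["dst_ok"]:
            findings.append("unexpected destination MAC")
        if pdu["local_info"]:
            self.mode_by_src[pdu["src"]] = pdu["local_info"]["mode"]
        mode = self.mode_by_src.get(pdu["src"])
        if pdu["code"] in PASSIVE_FORBIDDEN and mode != "active":
            origin = "passive peer" if mode else "peer that never completed discovery"
            findings.append(f"{pdu['code_name']} from {origin}")
        for flag in ("link_fault", "dying_gasp", "critical_event"):
            if pdu[flag]:
                findings.append(flag)
        return findings


def build_frame(src_hex: str, flags: int, code: int, payload: bytes = b"") -> bytes:
    """Assemble a constructed sample frame (no padding or FCS)."""
    header = struct.pack("!HBHB", SLOW_PROTOCOLS_ETHERTYPE, OAM_SUBTYPE, flags, code)
    return SLOW_PROTOCOLS_MAC + bytes.fromhex(src_hex) + header + payload


def local_info_tlv(config: int, max_pdu: int, oui_hex: str, vendor: int) -> bytes:
    return struct.pack("!BBBHBBH3sI", 0x01, 0x10, 0x01, 0, 0x00, config,
                       max_pdu, bytes.fromhex(oui_hex), vendor)


# Constructed samples: peer MAC, OUI and vendor word are placeholders.
PEER = "020000000001"
# Passive peer, loopback + link events supported, still discovering.
PASSIVE_INFO = build_frame(PEER, 0x0008, 0x00, local_info_tlv(0x0C, 1518, "020000", 1))
# The same peer later sends Loopback Control, which passive mode forbids.
LOOPBACK_FROM_PASSIVE = build_frame(PEER, 0x0050, 0x04, b"\x01")
# Information OAMPDU with the Dying Gasp flag set.
DYING_GASP = build_frame(PEER, 0x0052, 0x00)

if __name__ == "__main__":
    monitor = PeerMonitor()
    for frame in (PASSIVE_INFO, LOOPBACK_FROM_PASSIVE, DYING_GASP):
        print(parse_oampdu(frame)["code_name"], monitor.check(frame))
```

A Loopback Control or Variable Request PDU from a peer that advertised passive mode is worth alerting on, because the rules above say an active DTE does not act on it.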

Link Monitoring Process


The Link Monitoring process is used for monitoring the link for occurrences
where defined thresholds are crossed and notifying the remote device by
sending Event Notification OAMPDUs.
The Link Monitoring process indicates the following events:
• Errored Symbol per second—if the number of symbol errors that occurred
  during a specified period exceeded a threshold. These are coding symbol
  errors (for example, a violation of 4B/5B coding).
• Errored Frame per second—if the number of frame errors detected during
  a specified period exceeded a threshold.


Since 802.3ah OAM does not guarantee the delivery of OAMPDUs, the Event
Notification OAMPDU can be sent multiple times to reduce the probability of
losing these notifications. A sequence number is used to recognize
duplicate events.
The Link Monitoring process operates on all enabled EFM OAM links.

Remote Failure Indication

Faults in Ethernet that are caused by slowly deteriorating quality are more
difficult to detect than completely disconnected links. A flag in the OAMPDU
allows an OAM entity to send failure conditions to its peer. The failure
conditions are defined as follows:
• Link Fault—The Link Fault condition is detected when the receiver loses
  the signal. This condition is sent once per second in the Information
  OAMPDU.
• Dying Gasp—This condition is detected when the receiver goes down. The
  Dying Gasp condition is considered as unrecoverable. Conditions for dying
  gasp:
  - Management of the reload command
  - Device power down (incidental / deliberate).
• Critical Event—When a critical event occurs, the device is unavailable as a
  result of malfunction, and you must restart it. The critical events
  can be sent immediately and continually. Conditions for critical events:
  - Fatal error mess any task on the device (suspend)
When a link receives no signal from its peer at the physical layer (for example,
if the peer’s laser is malfunctioning), the local entity sets this flag to let the peer
know that its transmit path is inoperable.
Since these conditions are severe, the OAMPDUs updated with these flags are
not subject to normal rate limiting policy.


EFM-OAM Configuration Flow

Figure 10-10: EFM-OAM Configuration Flow


EFM-OAM Commands

EFM-OAM Commands’ Hierarchy


+ root
+ config terminal
+ [no] oam
+ [no] efm
+ [no] shutdown
- [no] event-config UU/SS/PP
- [no] critical-event-enable
- [no] dying-gasp-enable
- [no] error-frame-event-notification-enable
- [no] error-frame-threshold <frame–threshold>
- [no] error-frame-window <value>
- [no] error-symbol-period-event-notification-enable
- [no] error-symbol-period-threshold <period–threshold>
- [no] error-symbol-period-window <value>
- [no] hello-interval <value>
- [no] history-limit <value>
- [no] keep-alive-interval <value>
- [no] log-events
- [no] multiple-pdu-count <pdu-count>
- [no] priority <priority-level>
- [no] remote-event
+ port UU/SS/PP
+ [no] efm
- [no] efm mode [basic | enhanced]
- [no] efm event-forward-status UU/SS/PP
- [no] efm event-forward-shutdown UU/SS/PP
- [no] efm event-return-shutdown <number-of-attempts>
- [no] efm role [active | passive]
- [no] efm shutdown
- show oam efm
- show oam efm event-log
- show oam efm peer
- show oam efm statistics
- show port UU/SS/PP efm statistics


EFM-OAM Commands’ Descriptions

Table 10-4: EFM Configuration Commands

Command Description
config terminal
    Enters Configuration mode
oam
    Enters OAM Protocol Configuration mode
no oam
    Removes the OAM configurations
efm
    Enters EFM Protocol Configuration mode
no efm
    Restores to default the configuration set in OAM-EFM Configuration mode.
    The command does not affect the configurations made per port, that is,
    in EFM Interface Configuration mode.
shutdown
    Disables EFM
no shutdown
    Enables EFM. By default, EFM is enabled on the device
event-config
    Accesses Event Configuration Mode for the specified interface for
    configuring thresholds and managing event notifications:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
no event-config
    Removes the configured thresholds and event notifications for all
    interfaces
critical-event-enable
    Configures the local OAM entity to send critical events notifications to
    its OAM peer
no critical-event-enable
    Disables sending critical events notifications
dying-gasp-enable
    Configures the local OAM entity to send dying gasps notifications to its
    OAM peer
no dying-gasp-enable
    Disables sending dying gasps notifications
error-frame-event-notification-enable
    Configures the OAM entity to send an event notification OAMPDU whenever
    an Errored Frame Event occurs
no error-frame-event-notification-enable
    Disables sending event notifications

error-frame-threshold <frame–threshold>
    Configures the Errored Frame Event threshold. This is a threshold for
    frame error testing and reporting on a specific interface. Provided the
    error-frame-event-notification-enable option has been configured, once
    the threshold is reached, the device generates an Errored Frame Event
    message and sends it to the remote peer. The message is written to the
    system log and to the feature history. Additionally, the event counters
    are updated.
    • frame–threshold: the valid range is <1-1488000>
    • Default: 256
no error-frame-threshold
    Restores to default.
error-frame-window <value>
    Monitoring interval for frame errors, in seconds:
    • value: the valid range is <1-60>
    • Default: 20
no error-frame-window
    Restores to default
error-symbol-period-event-notification-enable
    Configures the OAM entity to send an event notification OAMPDU whenever
    an error symbol period event occurs
no error-symbol-period-event-notification-enable
    Restores to default
error-symbol-period-threshold <period–threshold>
    Configures the symbol errors threshold within a given window. Once the
    threshold is reached, a notification is triggered if the
    error-symbol-period-event-notification-enable option has been configured.
    • period–threshold: the valid range is <1-1488000>
    • Default: 256
no error-symbol-period-threshold
    Restores to default
error-symbol-period-window <value>
    Monitoring interval for symbol errors, in seconds:
    • value: the valid range is <1-60>
    • Default: 20
no error-symbol-period-window
    Restores to default

hello-interval <value>
    Configures the hello interval, in milliseconds. The hello interval is the
    time interval between two PDUs in milliseconds. This mechanism is used to
    inform the neighboring device that the local device is operative. When
    the local device receives no PDU within the defined keep-alive interval,
    the neighboring device is considered inoperative.
    • value: the valid range is <100-5000>
    • Default: 1000
    NOTES: The standard hello interval is 1000 ms. However, to reduce
    overload in some cases, it is possible to set the interval to up to
    5000 ms even though it violates the standard.
    The keep-alive interval (keep-alive-interval) must be 2 times bigger
    than the hello-interval
no hello-interval
    Restores to default
history-limit <value>
    Maximum number of entries in the efm-oam history log:
    • value: the valid range is <1000-10000>
    • Default: 5000
no history-limit
    Restores to default.
keep-alive-interval <value>
    Configures keep-alive interval, in milliseconds. The keep-alive interval
    is the aging interval for the neighboring device that has last sent
    packets. When the neighboring device does not send a PDU within the
    defined keep-alive interval, it is considered inoperative.
    • value: the valid range is <100-15000>
    • Default: 5000
no keep-alive-interval
    Restores to default
log-events
    Enables sending threshold notification messages to the local system log
no log-events
    Disables sending threshold notification messages to the local system log
multiple-pdu-count <pdu-count>
    Configures number of identical PDUs to send when local event occurs:
    • pdu-count: the valid range is <1-10>
    • Default: 5

no multiple-pdu-count
    Restores to default
priority <priority-level>
    Configures EFM-OAM PDU’s priority. Priority is effective only if the
    port is a tagged member of the default VLAN.
    • priority-level: the valid range is <0-7> (the higher the number, the
      higher the priority)
    • Default: 0
no priority
    Restores to default
remote-event
    Enables sending local event notifications to the remote peer
no remote-event
    Disables sending local event notifications to the remote peer
port UU/SS/PP
    Accesses Interface Configuration Mode for the specified port:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
efm
    Enables the EFM-OAM protocol
no efm
    Disables the EFM-OAM protocol
efm mode [basic | enhanced]
    Enables/disables the organization-specific EFM-OAM enhancements on the
    specified interface or interface range. Depending on the variable used
    (the variable is required), this command specifies one of the following
    two alternative EFM modes:
    • Basic: does not employ organization-specific extensions
    • Enhanced: allows defining and retrieving all the SNMP variables on the
      remote device.
    If the remote device is not an organization device, Basic mode is used,
    even if Enhanced mode is configured; configure both devices with
    Enhanced mode for the devices to exchange their hostname.
    • basic: enables Basic mode
    • enhanced: enables Enhanced mode
    • Default: Enhanced
no efm mode
    Returns the default EFM mode configuration
efm event-forward-status UU/SS/PP
    Enables sending a Link Event Notification from a target port to its EFM
    peer whenever the source port’s link status changes:
    • UU/SS/PP: target port; the valid range is 1/1/1-1/1/24, 1/2/1-1/2/4

no efm event-forward-status
    Disables sending a Link Event Notification
efm event-forward-shutdown UU/SS/PP
    Enables shutting down a target port whenever the source port's link
    status changes.
    To restore the UP state of a target port that was previously disabled by
    the efm event-forward-shutdown command, follow the steps below:
    • Disable the target port with the shutdown command.
    • Enable the target port with the no shutdown command.
    • UU/SS/PP: target port; the valid range is 1/1/1-1/1/24, 1/2/1-1/2/4
no efm event-forward-shutdown
    Disables shutting down a target port
efm event-return-shutdown <number-of-attempts>
    Enables the Event Return feature. This feature is used to determine the
    number of discovery attempts prior to administratively shutting down the
    port.
    • number-of-attempts: number of discovery attempts before shutting down
      the port; the valid range is <0–10> (0 disables the feature)
    • Default: 0
no efm event-return-shutdown
    Disables shutting down a target interface

efm role [active | passive]
    Enables EFM-OAM on a specific interface and configures its mode to one
    of the following two alternative modes:
    Active: the device can send Hello packets over this interface to
    initiate an EFM-OAM discovery process.
    Passive: the device cannot use this interface to initiate the EFM-OAM
    discovery process.
    The valid mode combinations are either
    • one active and one passive OAM interface, or
    • two active OAM interfaces
    In case both peer interfaces are in Passive mode, the Remote Status
    information is not updated anymore and might be inaccurate.
    • active: Configures the device’s role as Active for uplinks and user
      interfaces.
    • passive: enables Enhanced mode.
    • Default: passive
no efm role
    Restores to default
efm shutdown
    Disables the EFM-OAM protocol for the configured interface. Though
    disabled, the interface’s EFM-OAM configuration is preserved and can be
    restored with the no efm shutdown command.
no efm shutdown
    Enables the EFM-OAM protocol for the configured interface. This command
    restores the interface’s EFM-OAM configuration which has been previously
    disabled with the efm shutdown command.

Table 10-5: EFM Display Commands

Command Description
show oam efm
    Displays the current EFM configuration and EFM status
show oam efm event-log
    Displays the EFM-OAM event log
show oam efm peer
    Displays the EFM-OAM peer
show oam efm statistics
    Displays the local and remote counters and all EFM-OAM statistics for
    all interfaces
show port UU/SS/PP efm statistics
    Displays the EFM-OAM statistics for the specified interface:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4


Table 10-6: Log messages employed by the EFM-OAM protocol

Message Severity Description


EFM-OAM-Remote-CriticalEvent
    Severity: Error
    Description: An event generated on interface UU/SS/PP.
    NOTE: This error requires special attention
EFM-OAM-Remote-DyingGasp
    Severity: Error
    Description: A Dying Gasp event generated on interface UU/SS/PP.
EFM-OAM-Remote-LinkFault
    Severity: Warning
    Description: A fault event generated on interface UU/SS/PP.
EFM-OAM-Remote-SpecificEvent
    Severity: Notification
    Description: An organization specific event generated on interface
    UU/SS/PP.
EFM-OAM-Remote-RateExceeded
    Severity: Warning
    Description: The PDU quantity exceeded the allowed rate on interface
    UU/SS/PP.
EFM-OAM-Remote-Errored-Symbol-Event
    Severity: Warning
    Description: Port UU/SS/PP:
    • Remote, Errored Frame, Symbol Period, Event Received
    • Date: Thu Jan 1 01:09:57 2009
    • Window: 45.1 seconds
    • Threshold: 10
    • Errors: 15
    • Total Errors: 32654
    • Total Events: 5943
EFM-OAM-Remote-Errored-Frame-Event
    Severity: Warning
    Description: Port UU/SS/PP:
    • Remote, Errored Frame, Frame Event Received
    • Date: Thu Jan 1 01:09:57 2009
    • Window: 45.1 sec
    • Threshold: 10
    • Errors: 15
    • Total Errors: 32654
    • Total Events: 5943

EFM-OAM-Remote-Errored-Period-Event
    Severity: Warning
    Description: Port UU/SS/PP:
    • Remote, Errored Frame, Period Event Received
    • Date: Thu Jan 1 01:09:57 2009
    • Window: 45.1 seconds
    • Threshold: 10
    • Errors: 15
    • Total Errors: 32654
    • Total Events: 5943
EFM-OAM-Remote-Errored-Seconds-Event
    Severity: Warning
    Description: Port UU/SS/PP:
    • Remote, Errored Frame, Seconds Event Received
    • Date: Thu Jan 1 01:09:57 2009
    • Window: 45.1 sec
    • Threshold: 10
    • Errors: 15
    • Total Errors: 32654
    • Total Events: 5943
EFM-OAM-Local-DyingGasp
    Severity: Fatal
    Description: EFM-OAM detected a local Dying Gasp event.
EFM-OAM-Local-LinkFault
    Severity: Error
    Description: Link Fault occurred on the local device, on interface
    UU/SS/PP.
EFM-OAM-Local-Errored-Symbol-Event
    Severity: Warning
    Description: Port UU/SS/PP—Local Errored Frame Symbol Period Event sent:
    • Date: Thu Jan 1 01:09:57 2009
    • Window: 45 seconds
    • Threshold: 10
    • Errors: 15
    • Total Errors: 32654
    • Total Events: 5943
EFM-OAM-Local-Errored-Frame-Event
    Severity: Warning
    Description: Port UU/SS/PP—Local Errored Frame Frame Event sent:
    • Date: Thu Jan 1 01:09:57 2009
    • Window: 45 sec
    • Threshold: 10
    • Errors: 15
    • Total Errors: 32654
    • Total Events: 5943

EFM-OAM-Remote-Errored-Seconds-Event
    Severity: Warning
    Description: Port UU/SS/PP—Local Errored Frame Seconds Event sent:
    • Date: Thu Jan 1 01:09:57 2009
    • Window: 45 sec
    • Threshold: 10
    • Errors: 15
    • Total Errors: 32654
    • Total Events: 5943

EFM-OAM Configuration Example


The following example, based on the following figure, demonstrates how to
configure an Ethernet network using the EFM-OAM protocol.

Figure 10-11: Example Configuring of Two Devices using EFM-OAM


Configuring Device1:

1. Verify if the EFM-OAM protocol is enabled on the device (default):


Device1#show oam efm
===================================================================
EFM-OAM
===================================================================
Administrative Status : Enabled
Local MAC : 00:a0:12:27:0d:e1
History Count : 0
Hello Interval : 1000 milliseconds
Keep-alive Interval : 5000 milliseconds
Remote Event : True
Log Events : True
Packets Counter : Sent = 0, Received = 0
===================================================================
Device1#

2. Access EFM Configuration Mode:
Device1#configure terminal
Device1(config)#oam
Device1(config-oam)#efm
Device1(config-efm)#

3. Specify the number of OAMPDUs:
Device1(config-efm)#multiple-pdu-count 3
Device1(config-efm)#

4. Enable sending local event notifications to the remote device:
Device1(config-efm)#remote-event
Device1(config-efm)#

5. Define OAMPDU priority:
Device1(config-efm)#priority 3
Device1(config-efm)#

6. Define the aging interval in milliseconds for the neighboring device that
last sent packets:
Device1(config-efm)#keep-alive-interval 3000
Device1(config-efm)#exit
Device1(config-oam)#exit
Device1(config)#

7. Enable EFM-OAM on the specified interface and set its mode to active:
Device1(config)#port 1/1/1
Device1(config-port-1/1/1)#efm role active
Device1(config-port-1/1/1)#


Configuring Device2:

1. Verify if the EFM-OAM protocol is enabled on the device (default):


Device2#show oam efm
===========================================================================
EFM-OAM
===========================================================================
Administrative Status : Enabled
Local MAC : 00:a0:12:27:0d:c1
History Count : 58
Hello Interval : 1000 milliseconds
Keep-alive Interval : 5000 milliseconds
Remote Event : True
Log Events : True
Packets Counter : Sent = 20, Received = 5
===========================================================================

2. Access EFM Configuration Mode:
Device2#configure terminal
Device2(config)#oam
Device2(config-oam)#efm
Device2(config-efm)#

3. Specify the number of OAMPDUs:
Device2(config-efm)#multiple-pdu-count 3
Device2(config-efm)#

4. Enable sending local event notifications to the remote device:
Device2(config-efm)#remote-event
Device2(config-efm)#

5. Define OAMPDU priority:
Device2(config-efm)#priority 3
Device2(config-efm)#

6. Define the aging interval in milliseconds for the neighboring device that
last sent packets:
Device2(config-efm)#keep-alive-interval 3000
Device2(config-efm)#exit
Device2(config-oam)#exit
Device2(config)#

7. Enable EFM-OAM on the specified interface and set its mode to active:
Device2(config)#port 1/1/1
Device2(config-port-1/1/1)#efm role active
Device2(config-port-1/1/1)#


Displaying EFM-OAM Configuration on Device1:

Device1#show oam efm peer


===============================================================================
EFM-OAM Peer
===============================================================================
Port | Remote | Remote | Remote | Remote
| MAC | Role | Port | Hostname
------------+-------------------+--------------+--------------+----------------
1/1/1 | 00:a0:12:27:0d:c1 | Active | 1/1/1 | Device2
1/1/2 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/1/3 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/1/4 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/2/1 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/2/2 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/2/3 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/2/4 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/2/5 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/2/6 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
===============================================================================

Displaying EFM-OAM Configuration on Device2:

Device2#show oam efm peer


===============================================================================
EFM-OAM Peer
===============================================================================
Port | Remote | Remote | Remote | Remote
| MAC | Role | Port | Hostname
------------+-------------------+--------------+--------------+----------------
1/1/1 | 00:a0:12:27:0d:e1 | Active | 1/1/1 | Device2
1/1/2 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/1/3 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/1/4 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/2/1 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/2/2 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/2/3 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/2/4 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
1/2/5 | 00:00:00:00:00:00 | Unknown | N/A | Unknown
===========================================================================


Displaying Interface Statistics on Device1:

Device1#show port 1/1/1 efm statistics


===============================================================================
EFM-OAM Statistics
===============================================================================
Port 1/1/1
Counter Name Counter Value
-------------------------------------------------------------------------------
information-tx 73
information-rx 60
unique-event-notification-tx 0
unique-event-notification-rx 0
duplicate-event-notification-tx 0
duplicate-event-notification-rx 0
loopback-control-tx 0
loopback-control-rx 0
variable-request-tx 0
variable-request-rx 5
variable-response-tx 5
variable-response-rx 0
organization-specific-tx 2
organization-specific-rx 2
unsupported-codes-tx 0
unsupported-codes-rx 0
frames-lost-due-to-oam 0
===============================================================================


Supported Standards, MIBs, and RFCs

Feature: 802.1ag Connectivity Fault Management (CFM)
    Standards: IEEE 802.1ag-2007 (draft 8.1)—Virtual Bridged Local Area Networks (Amendment 5: Connectivity Fault Management). Connectivity Fault Management—An Update on Bridging Technologies (IEEE Tutorial, July 18, 2005).
    MIBs: Public MIB, IEEE8021-CFM-MIB. Private MIB, PRVT-CFM-MIB.mib. These MIBs are used for the Connectivity Fault Management (CFM) module for managing IEEE 802.1ag.
    RFCs: RFC 2544, Benchmarking Methodology for Network Interconnect Devices

Feature: Intermediate 802.3ah EFM-OAM
    Standards: IEEE Std 802.3ah-2004
    MIBs: Public MIB: DOT3-OAM-MIB.mib. Private MIB: PRVT-SWITCH-EFM-OAM-MIB.mib
    RFCs: No RFCs are supported by this feature



11 Simple Network Management Protocol (SNMP)

Overview
SNMP is an application layer protocol that facilitates the exchange of
management information between network devices.
An SNMP-managed network consists of three key components:
• Managed device: a network node that contains an SNMP Agent and
resides on a managed network.
• Agent: a network-management software module that resides in a
managed device. An agent has local knowledge of management
information and translates that information into a form compatible with
SNMP.
• Network-management system: executes applications that monitor and
control managed devices.
SNMP enables network administrators to manage network performance, find
and solve network problems and extend the network.


The following figure displays the communication between an SNMP Agent and
Manager.

Figure 11-1: SNMP Agent and Manager Communications

SNMP Entity
An SNMP Entity is an implementation of the SNMP architecture. Each entity
consists of an SNMP Engine and one or more associated applications. An
SNMP Engine provides services for sending and receiving messages,
authenticating and encrypting messages, and controlling access to managed
objects. The SNMP Engine is identified by the SNMP Engine ID. The
applications use the services of an SNMP Engine to accomplish specific tasks.
They coordinate the processing of management information operations, and
may use SNMP messages to communicate with other SNMP Entities.

SNMP Agent
An Agent is a network-management software module that resides in a managed
device and is responsible for maintaining local management information and
delivering that information to a Manager via SNMP. A management
information exchange can be initiated by the Manager or by the Agent. The
SNMP Agent contains MIB variables and these values can be requested or
changed by the SNMP Manager. The Agent and MIB reside on the device. The
Agent gathers data from the MIB and responds to a Manager’s request to get or
set data.


Structure of Management Information (SMI)


Management information is a collection of managed objects, residing in a
virtual information store, termed the MIB. Collections of related objects are
defined in MIB modules. Each type of object has a name, syntax, and an
encoding. The name is represented uniquely as an Object Identifier (OID). An
OID is an administratively assigned name for identifying one object, regardless
of the semantics associated with the object. The encoding of an object type is
the way the instances of that object type are represented using the object’s type
syntax. The names are used to identify managed objects.

SNMP Manager
An SNMP Manager is a software module in a management network that is
responsible for managing part or all of the configuration on behalf of network
management applications and users.
The SNMP Manager sends requests to the SNMP Agent to get and set MIB
values. Communication among protocol entities is accomplished by the
exchange of messages; each of them is entirely and independently represented
within a single UDP datagram. A message consists of a version identifier, an
SNMP community name, and a protocol data unit (PDU). PDUs are the packets
that are exchanged in the SNMP communication.

Management Information Base (MIB)


A MIB consists of a collection of objects organized into groups. Objects have
values that represent managed resources. All managed objects in the SNMP
environment are arranged in a hierarchical or tree structure. A MIB is the
repository for information about a device’s parameters and network data.

SNMP Engine ID
The SNMP Engine ID is an administratively unique identifier, 5 to 32 bytes long,
of a participant in SNMP communication within a single management domain.
The SNMP Manager and SNMP Agent must be configured by an administrator
to have unique SNMP Engine IDs.


SNMP View Records


With the community-based authentication defined in SNMPv1, an authorized
user is granted access to the whole MIB tree for reading or for reading/writing.
With SNMPv1, it is not possible to allow diverse authorized users access to
different portions of the MIB database.
This deficiency is overcome in SNMPv3 with the introduction of views. A view
is a set of rules that define what portion of the MIB database can be visible to a
specific user. The rules are defined by the OID of a node in the MIB tree, and
the type of rule: included or excluded. The OID defines a view family—a set of
object identifiers that have a common prefix. A single rule (included or
excluded) in the view is applied to the whole view family, not only to a single OID.
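
The rule evaluation described above, as an added example that is not part of the original manual or the device's own code. It follows the view-family matching defined for VACM in RFC 3415 and also covers the optional hexadecimal mask that the view command accepts; the rule tuples, sample views and function names are assumptions made for the illustration.

```python
# Added illustration: SNMP view-family matching, modelled on RFC 3415 (VACM).
# Rule format (an assumption of this sketch):
#   (oid_subtree, hex_mask, "included" | "excluded")


def parse_oid(text):
    """'1.3.6.1' -> (1, 3, 6, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_mask(hex_mask):
    """Hexadecimal mask -> list of bits, most significant bit first."""
    bits = []
    for byte in bytes.fromhex(hex_mask.replace(":", "")):
        bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    return bits


def family_matches(oid, subtree, mask_bits):
    """True if oid belongs to the view family defined by subtree and mask."""
    if len(oid) < len(subtree):
        return False
    for position, sub_id in enumerate(subtree):
        # Bit 1: this position has to match. Bit 0: any value is accepted.
        # Positions beyond the end of the mask are treated as 1 (RFC 3415).
        must_match = mask_bits[position] if position < len(mask_bits) else 1
        if must_match and oid[position] != sub_id:
            return False
    return True


def is_in_view(rules, oid_text):
    """Decide whether an OID is visible through a view (a list of rules)."""
    oid = parse_oid(oid_text)
    best_rank, best_type = None, None
    for subtree_text, hex_mask, rule_type in rules:
        subtree = parse_oid(subtree_text)
        if not family_matches(oid, subtree, parse_mask(hex_mask)):
            continue
        # The most specific family wins: longest subtree first, then the
        # lexicographically greatest subtree as tie-breaker.
        rank = (len(subtree), subtree)
        if best_rank is None or rank > best_rank:
            best_rank, best_type = rank, rule_type
    # An OID that matches no family at all is not in the view.
    return best_type == "included"


# Constructed sample views.
WHOLE_TREE = [("1.3", "", "included")]      # everything below 1.3
MIB2_WITHOUT_IP = [
    ("1.3.6.1.2.1", "", "included"),        # mib-2
    ("1.3.6.1.2.1.4", "", "excluded"),      # ...except the ip group
]
# ifEntry.<any column>.3: mask ff:a0 = 11111111 10100000, so the tenth
# sub-identifier (the column) is a wildcard and the eleventh (ifIndex 3)
# has to match.
IF_ROW_3 = [("1.3.6.1.2.1.2.2.1.0.3", "ff:a0", "included")]

if __name__ == "__main__":
    probes = ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.4.1.0",
              "1.3.6.1.2.1.2.2.1.8.3", "1.3.6.1.2.1.2.2.1.8.4"]
    for name, view in [("WHOLE_TREE", WHOLE_TREE),
                       ("MIB2_WITHOUT_IP", MIB2_WITHOUT_IP),
                       ("IF_ROW_3", IF_ROW_3)]:
        for oid in probes:
            print(name, oid, is_in_view(view, oid))
```

An excluded rule only narrows a view when its subtree is longer than the included one it overrides, which is why the ip group disappears from the second view while the rest of mib-2 stays visible.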

SNMP Notifications
The SNMP notification messages allow devices to send asynchronous messages
to the SNMP Managers. Devices can send notifications to SNMP Managers
when particular events occur. For example, an Agent might send a message to a
Manager when the Agent experiences an error condition.

NOTE: All traps, except the ones sent with SNMPv1, have
a request ID as part of the PDU.

SNMP notifications can be sent as traps or Inform requests. Traps are
unreliable because the receiver does not send any acknowledgment when it
receives a trap. However, an SNMP Manager that receives an Inform request
acknowledges the message with an SNMP response PDU. If the sender does
not receive a response after a particular time interval, the Inform request is sent
again.
Informs consume more resources in the device and in the network but are more
reliable. Unlike a trap, which is discarded as soon as it is sent, an Inform
request must be held in memory until a response is received or the request
times out. Also, traps are sent only once, while an Inform may be retried
several times.
Figure 11-2 through Figure 11-5 illustrate the differences between traps and
Inform requests.


In Figure 11-2, the Agent successfully sends a trap to the SNMP Manager.
Although the Manager receives the trap, it does not send any acknowledgment
to the Agent. The Agent has no way of knowing whether the trap reached its
destination.

Figure 11-2: Trap Sent to SNMP Manager Successfully

In Figure 11-3, the Agent successfully sends an Inform request to the Manager.
When the Manager receives the Inform request, it sends a response back to the
Agent. Thus, the Agent knows that the Inform request successfully reached its
destination. In this example, twice as much traffic is generated as in Figure 11-2;
however, the Agent is sure that the Manager received the notification.

Figure 11-3: Inform Request Sent to SNMP Manager Successfully


In Figure 11-4, the Agent sends a trap to the Manager, but the trap does not
reach the Manager. Since the Agent has no way of knowing whether the trap
reached its destination, the trap is not sent again. The Manager never receives
the trap.

Figure 11-4: Trap Unsuccessfully Sent to SNMP Manager

In Figure 11-5, the Agent sends an Inform request to the Manager, but the
Inform request does not reach the Manager. Since the Manager did not receive
the Inform request, it does not send a response. After a period of time, the
Agent resends the Inform request. This time, the Manager receives the Inform
request and replies with a response. In this example, there is more traffic than
in Figure 11-4; however, the notification reaches the SNMP Manager.

Figure 11-5: Inform Request Successfully Resent to SNMP Manager


The Discovery Mechanism


To protect the user network against message replay, delay and redirection, one
of the SNMP engines involved in each communication is designated to be the
authoritative SNMP engine. When an SNMP message contains a payload that
expects a response, the receiver of such a message is authoritative. When
Inform PDUs are sent, the notification receiver is an authoritative
snmpEngineID (the Manager). This implies that the PDUs that are involved in
an authenticated/encrypted session between the Agent and the Manager are
encoded with keys that are localized with the Manager’s snmpEngineID and
not with the local application software Agent’s snmpEngineID.
To match the described requirements, you need an additional configuration of
users, on whose behalf Inform PDUs can be sent. User keys are required to be
localized with the snmpEngineID of the Manager (the authoritative side). The
keys of these users are localized for the remote side and the Agent cannot
process configuration of SNMP requests on their behalf. GET, GET-NEXT,
GET-BULK, or SET requests from users with an SNMP Engine ID that is
different from the Agent SNMP Engine ID cannot be processed. The
application software defines as remote those users created with a
snmpEngineID different from the Agent’s snmpEngineID. Remote users can
participate just by sending Inform PDUs.
To create a remote user, specify the snmpEngineID of the notification recipient,
where this user is correctly defined. The proper calculation of
authentication/encryption keys requires a valid remote user.
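
Why a remote user has to be created with the Manager's snmpEngineID, as an added example that is not part of the original manual or the device's own code. It uses the password-to-key and key-localization algorithm of RFC 3414 (Appendix A.2); the Manager engine ID, the passphrase and the message bytes are constructed values, and the authentication tag is simplified (real USM zeroes the authentication field inside the message before computing the HMAC).

```python
# Added illustration: USM password-to-key and key localization (RFC 3414, A.2).
import hashlib
import hmac


def parse_engine_id(text):
    """'80:00:02:E2:...' or '800002E2...' -> bytes (5 to 32 bytes long)."""
    engine_id = bytes.fromhex(text.replace(":", ""))
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5 to 32 bytes long")
    return engine_id


def password_to_key(password, hash_name):
    """Hash 1,048,576 bytes of the cyclically repeated password.

    hash_name is 'md5' or 'sha1', matching the md5 and sha user options.
    """
    data = password.encode()
    if not data:
        raise ValueError("empty password")
    repeats, remainder = divmod(1048576, len(data))
    stream = data * repeats + data[:remainder]
    return hashlib.new(hash_name, stream).digest()


def localize_key(user_key, engine_id, hash_name):
    """Bind the user key to one authoritative engine: H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, user_key + engine_id + user_key).digest()


def localized_key(password, engine_id_text, hash_name):
    """Password and engine ID -> localized key."""
    user_key = password_to_key(password, hash_name)
    return localize_key(user_key, parse_engine_id(engine_id_text), hash_name)


def auth_tag(key, message, hash_name):
    """HMAC-MD5-96 / HMAC-SHA-96 style tag: first 12 bytes of the HMAC."""
    return hmac.new(key, message, hash_name).digest()[:12]


# Local snmpEngineID as shown in the manual's "show snmp" example output.
AGENT_ENGINE_ID = "800002E203005043B5AA9B"
# Constructed values for the illustration.
MANAGER_ENGINE_ID = "80:00:1F:88:80:01:02:03:04"
PASSWORD = "constructed-passphrase"


def inform_verifies(localized_with, hash_name="sha1"):
    """Does an Inform authenticated by the Agent verify at the Manager?

    The Manager is authoritative for Informs, so it always checks the tag
    with the key localized to its own engine ID.
    """
    message = b"constructed Inform PDU bytes"
    agent_key = localized_key(PASSWORD, localized_with, hash_name)
    manager_key = localized_key(PASSWORD, MANAGER_ENGINE_ID, hash_name)
    return hmac.compare_digest(auth_tag(agent_key, message, hash_name),
                               auth_tag(manager_key, message, hash_name))


if __name__ == "__main__":
    print("localized with Manager engine ID:", inform_verifies(MANAGER_ENGINE_ID))
    print("localized with Agent engine ID:  ", inform_verifies(AGENT_ENGINE_ID))
```

The same password yields a different key for every engine ID, so a key localized with the Agent's own engine ID produces a tag the Manager rejects.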
To send the Inform PDU to the authoritative side, the Agent needs information
for the snmpEngineID of the target-address of the recipient.
To reduce configuration complexity, the application software Agent
implements an auto discovery procedure for obtaining the SNMP Engine IDs
of different Inform recipients.
When an event occurs, for example LinkUp, the Agent sends an Inform PDU to
all valid targets for this Inform. The very first Inform PDU actually is not valid
as the Agent still does not know the parameters of the Receiver Engine ID—
snmpEngineId, snmpEngineBoots and snmpEngineTime.


In the following figure, the Manager reports the PDU with its Engine ID to the
Agent.

Figure 11-6: Obtaining the snmpEngineID

The Agent sends an Inform PDU with a valid Engine ID (the Engine ID that is
received as shown in the previous figure), but with incorrect snmpEngineBoots
and snmpEngineTime. These parameters are still unknown to the Agent. The
discovery process ends when no authentication/encryption exists for the target
address. If authentication/encryption exists, the packet is sent with the
corresponding authentication/encryption: MD5, SHA or DES.
In the following figure, the Manager returns an authenticated REPORT PDU
(notInTimeWindow) that consists of valid snmpEngineBoots and
snmpEngineTime parameters.

Figure 11-7: Obtaining the snmpEngineBoots and snmpEngineTime

Finally, when the discovery process is completed, the Agent and the Manager
are synchronized, and subsequent packets do not discover the Engine ID of the
Manager.


Versions of SNMP
The application software supports the following versions of SNMP:

Table 11-1: SNMP Versions

Variable
    Description
SNMPv1
    In SNMP version 1, the user can get and set MIB objects, traverse the MIB tree using the getNext operation, and enable the management device to receive asynchronous messages from the Agent using the trap mechanism. SNMPv1 bases its security on community strings.
SNMPv2c
    SNMP version 2c (the c stands for community) is the community-string based Administrative Framework. SNMPv2c includes the following improvements over SNMPv1:
    • Improved performance for getting data using getBulk. The bulk retrieval mechanism supports the retrieval of tables and large quantities of information in one PDU, thus minimizing the number of round-trips required.
    • Improved error handling. SNMPv2 adds many error codes to the five originally defined in SNMPv1. Management devices are provided with more detailed information about the cause of the error. Also, three exceptions are reported with SNMPv2c: no such object, no such instance, and end of MIB view exceptions.
    • Extended asynchronous reporting. SNMPv2 allows the Agent to send SNMP notifications by inform request, as well as by trap messages that are available in SNMPv1. Whereas traps do not provide the Agent with an indication that the message is received, the inform request requires the Manager to confirm reception and is therefore more reliable. As for the trap message, its format is changed to match the PDU format of a regular get/set PDU, in order to simplify the protocol. The SNMPv2 protocol requires adding more details to every trap in order to supply the Manager with more information.
    Generally, MIBs written for Agents that use SNMPv2c or higher versions use SMIv2 instead of version 1 of the SMI. This version adds some new variable types.
    Both SNMPv1 and SNMPv2c use a community-based form of security.

SNMPv3
    SNMP version 3 is an interoperable standards-based protocol. It provides secure communication using the USM (User-based Security Model) and access control using the VACM (View-based Access Control Model).
    The USM model provides an answer to the following threats:
    • Replay, interception and retransmission of messages—prevented by using time-stamp.
    • Masquerading—prevented by authenticating the message sender.
    • Integrity, interception, changing data, and retransmission of messages—prevented by authenticating the message sender and encryption of the message data.
    • Disclosure—prevented by encryption of the message data.
    The SNMPv3 USM allows three levels of security (see the table below):
    • No Authentication and No Privacy (noAuthNoPriv)
    • Authentication and No Privacy (authNoPriv)
    • Authentication and Privacy (authPriv)

Table 11-2: Security Levels Available in the SNMPv3 Security Models

Level        | Authentication       | Encryption | Explanation
-------------+----------------------+------------+------------------------------
noAuthNoPriv | Username             | No         | All PDUs are sent unencrypted and not authenticated in the network.
authNoPriv   | HMAC-MD5 or HMAC-SHA | No         | The PDUs are authenticated with HMAC (keyed-Hashing for Message Authentication Codes). They cannot be altered by an attacker, but can be read.
authPriv     | HMAC-MD5 or HMAC-SHA | Cipher Block Chaining—Data Encryption Standard (CBC-DES) | The PDUs are authenticated and encrypted (with CBC-DES Symmetric Encryption Protocol).

You must configure the SNMP Agent to use the version of SNMP supported by
the management device. An Agent can communicate with multiple users. For
this reason, you can configure the application software to support
communications with many users: some users can use the SNMPv1 protocol,
some can use the SNMPv2c protocol, and the rest can use SNMPv3.


NOTE: You can participate in different groups, with a
different security model in each group. You cannot
participate in more than one group with the same security
model.

SNMP Commands

SNMP Commands’ Hierarchy


+ root
  + configure terminal
    + system
      + [no] snmp
        - [no] engine-id <engineID>
        - [no] max-packet-size <size>
        - [no] general-port <port-number>
        - [no] snmp-address {A.B.C.D | all}
        - [no] shutdown
        - [no] authentication-failure-trap
        - [no] system-name .LINE-TEXT
        - [no] system-location .LINE-TEXT
        - [no] system-contact .LINE-TEXT
        - [no] system-description .LINE-TEXT
        - notification-change-trap {true | false}
        - [no] view VIEWNAME OID-TREE [MASK | included | excluded]
        - [no] group GROUPNAME {authNoPriv | authPriv | noAuthNoPriv} read READ-VIEW write WRITE-VIEW notify NOTIFY-VIEW
        - [no] user USERNAME GROUPNAME {v1 | v2c | v3} [md5 | sha | remote ENGINE-ID] [AUTHENTICATION-PASSWORD] [ENCRYPTION-PASSWORD]
        + [no] target-address ADDR-NAME
          - [no] message-model {v1 | v2c | v3}
          - [no] security-model {noAuthNoPriv | authNoPriv | authPriv}
          - [no] address TARGET-ADDRESS
          - [no] security-name USERNAME
          - [no] dst-port <port-number>
          - [no] timeout <value>
          - [no] retry-count <value>
          - [no] type [both | inform | trap]


  - show snmp-server [displaylevel <level> | statistics]
  - show snmp engine [displaylevel <level>]
  - show snmp-system [displaylevel <level>]
  - show snmp views [displaylevel <level>]
  - show snmp group [displaylevel <level>]
  - show snmp access [displaylevel <level>]
  - show snmp target-address [displaylevel <level>]

SNMP Commands’ Descriptions


Table 11-3: SNMP Configuration Commands

Command
    Description
config terminal
    Enters the Configuration mode
system
    Enters the System Configuration mode
snmp
    Enters the SNMP Configuration mode
no snmp
    Removes the SNMP configurations
engine-id <engineID>
    Defines a new value for the Agent’s SNMP Engine ID:
    • engineID: a string of 10 to 64 characters (represented internally by 5 to 32 bytes), in the format of XX:XX:XX:XX:XX:XX
    • Default: 80 00 02 E2 03 [MAC ADDR]
no engine-id
    Restores to default
max-packet-size <size>
    Defines a new value for the maximum packet size:
    • size: in the range of <484-2147483647>
    • Default: 9216
no max-packet-size
    Restores to default
general-port <port-number>
    Defines a new value for the IP SNMP port number:
    • port-number: in the range of <161, 1025-65535>
    • Default: 161
no general-port
    Restores to default

snmp-address {A.B.C.D | all}
    Defines the SNMP server address:
    • A.B.C.D: the IP address
    • all: all IP addresses configured on the device
    • Default: all
no snmp-address
    Restores to default
shutdown
    Disables SNMP server
    • Default: SNMP server is disabled
no shutdown
    Enables SNMP server
authentication-failure-trap
    Enables authentication SNMP traps on the device. An authentication failure trap signifies that the sending protocol entity is the addressee of a protocol message that is not properly authenticated.
    • Default: Enabled
no authentication-failure-trap
    Disables authentication SNMP traps
system-name .LINE-TEXT
    Defines the MIB-II system name:
    • .LINE-TEXT: descriptive system name string, up to 255 characters long
    • The default value is the device’s model name
no system-name
    Removes the defined system name.
system-location .LINE-TEXT
    Defines the MIB-II system location string:
    • .LINE-TEXT: descriptive system location string, up to 255 characters long
    • Default: Empty (null)
no system-location
    Restores to default.
system-contact .LINE-TEXT
    Defines the MIB-II system contact string:
    • .LINE-TEXT: descriptive system contact string, up to 255 characters long
    • Default: Empty (null)
no system-contact
    Restores to default

system-description .LINE-TEXT
    Defines the MIB-II system description string:
    • .LINE-TEXT: description string, up to 255 characters long
    • Default: Empty (null)
no system-description
    Restores to default
notification-change-trap {true | false}
    Enables/disables SNMP notification change traps:
    • true: enables the traps
    • false: disables the traps
view VIEWNAME OID-TREE [MASK | included | excluded]
    Defines the subset of all MIB objects accessible to the given view:
    • VIEWNAME: the name of the view, up to 32 characters
    • OID-TREE: the starting point inside the MIB tree, given in dot-notation or as an object name
    • MASK: the mask is typed as a hexadecimal value, and is interpreted as a binary value. A binary 1 in the mask states that the Object ID at the corresponding position has to match; a binary 0 states that the Object ID at the corresponding position is irrelevant (no match is required)
    • included: the Object ID subtree is included in the view
    • excluded: the Object ID subtree is excluded from the view
no view VIEWNAME
    Removes the specified view

group GROUPNAME {authNoPriv | authPriv | noAuthNoPriv} read READ-VIEW write WRITE-VIEW notify NOTIFY-VIEW
    Creates an SNMP group with a specified security model and defines the access-right for this group by associating views to this group:
    • GROUPNAME: the name of the group is limited to 32 characters
    • {authNoPriv | authPriv | noAuthNoPriv}: the security level. For more information, refer to Table 11-2
    • If no security level is specified, noAuthNoPriv security level is assumed
    • READ-VIEW: the name of the view (not to exceed 32 characters) in which you can only view the contents of the Agent’s MIB
    • WRITE-VIEW: the name of the view (not to exceed 32 characters) in which you can type data and configure the contents of the Agent’s MIB
    • NOTIFY-VIEW: the name of the view (not to exceed 32 characters) that specifies what portion of the MIB database is accessible for notifications
no group GROUPNAME {authNoPriv | authPriv | noAuthNoPriv}
    Removes the SNMP group data:
    • If you specify only the group name, all groups with that name are removed, regardless of their security model and security level.
    • If you specify the security model, only the group matching all conditions is removed.

user USERNAME GROUPNAME {v1 | v2c | v3} [md5 | sha | remote ENGINE-ID] [AUTHENTICATION-PASSWORD] [ENCRYPTION-PASSWORD]
    Creates an SNMP local or remote user:
    • USERNAME: the name of the user on the host that connects to the Agent.
    • Default: SNMP user is not configured
    • GROUPNAME: the name of the group is limited to 32 characters
    • v1, v2c, v3: the security model. For more information, refer to Table 11-1
    • md5: enables HMAC-MD5 (Message Digest 5) authentication
    • sha: enables HMAC-SHA (Secure Hash Algorithm) authentication
    • remote ENGINE-ID (only for v3 users): creates a remote user by its engine ID, in hexadecimal format FF:FF:FF:FF
    • ENCRYPTION-PASSWORD: the PDUs sent to or received by this user should be encrypted, with the key generated from the encryption password; up to 32 characters
    • AUTHENTICATION-PASSWORD: the authentication password string, up to 32 characters
no user USERNAME GROUPNAME {v1 | v2c | v3}
    Removes the specified user definition
target-address ADDR-NAME
    Defines the notification target address:
    • ADDR-NAME: the name of the notification target address, up to 32 characters
no target-addr ADDR-NAME
    Removes the notification target address.

message-model {v1 | v2c | v3}
    Defines the security model. It specifies the version of the protocol in which the traps are sent (for more information, refer to Table 11-1):
    • v1, with TRAP-V1 PDU type
    • v2c, with TRAP-V2 PDU type
    • v3, with TRAP-V2 PDU type
    • Default: v2c
no message-model
    Restores to default
security-model {noAuthNoPriv | authNoPriv | authPriv}
    Defines the SNMP levels of security:
    • authNoPriv, authPriv, noAuthNoPriv: the security level. For more information, refer to Table 11-2
    • If no security level is specified, noAuthNoPriv security level is assumed
no security-model
    Restores to default
address TARGET-ADDRESS
    Defines the IP address of the target:
    • A.B.C.D: the IP address of the target
    • Default: 0.0.0.0
no address
    Restores to default
security-name USERNAME
    Defines the security name that identifies how SNMP messages will be generated using this entry:
    • USERNAME: the security user name
no security-name
    Removes the security name
dst-port <port-number>
    Specifies the UDP port number:
    • port-number: in the range of <162, 1025-65535>
    • Default: 162
no dst-port
    Restores to default
timeout <value>
    Configures the time to wait for an acknowledgement before resending an unacknowledged inform PDU:
    • value: in the range of <0-600> seconds
    • Default: 15 seconds

no timeout
    Restores to default
retry-count <value>
    Configures the number of retries if there is no response from the client on the informs:
    • value: in the range of <0-255>
    • Default: 3 retries
no retry-count
    Restores to default
type [both | inform | trap]
    Defines the notification type:
    • both: specifies both inform- and trap-type notifications
    • inform: specifies inform-type notifications
    • trap: trap-type notifications
no type
    Removes the configured notification type
show snmp-server [displaylevel <level> | statistics]
    Displays the bind address, the status of the SNMP server, and the UDP port on which the SNMP is enabled:
    • level: in the range of <0-64>
    • statistics: the SNMP server statistics
show snmp engine [displaylevel <level>]
    Displays the local SNMP Engine ID of the SNMP Agent, all Engine IDs that are known to the Agent, and information about the inform operation values:
    • level: in the range of <0-64>
show snmp-system [displaylevel <level>]
    Displays the SNMP server system configuration:
    • level: in the range of <0-64>
show snmp views [displaylevel <level>]
    Displays all configured views and the viewmask of a particular view (if configured):
    • level: in the range of <0-64>

show snmp group [displaylevel <level>]
    Displays the configured groups, their associated views, and the security model. If the security model is USM (v3), the command displays the security level:
    • level: in the range of <0-64>
show snmp access [displaylevel <level>]
    Displays the users and their associated remote engine ID:
    • level: in the range of <0-64>
show snmp target-address [displaylevel <level>]
    Displays the notification target address:
    • level: in the range of <0-64>

SNMP Configuration Example

Creating Users
In this example, an SNMP user is added to the device. The user is named
tester and is attached to a group named public. The SNMPv3 community is
parsed by the SNMP Agent as the user name.
1. Enable SNMP:
device-name#config terminal
device-name(config)#system
device-name(config-system)#snmp

2. Create a view that includes the entire MIB tree from root:
device-name(config-snmp)#view internet 1.3 included

3. Create a user named tester that uses SNMPv3 and attach it to a group
named public without authentication and privacy:
device-name(config-snmp)#group public noAuthNoPriv read internet write internet notify internet
device-name(config-snmp)#user tester public v3

4. Enable SNMP server:


device-name(config-snmp)#no shutdown

5. Commit the configuration:


device-name(config-snmp)#commit
Commit complete.
device-name(config-snmp)#end


6. Display the SNMP configuration:


device-name#show snmp
SNMP engine configuration
=============================================================================
Local snmpEngineID : 800002E203005043B5AA9B
snmpEngineBoots : 30
snmpEngineTime : 17
snmpEngineMaxMessageSize : 9216
=============================================================================

SNMP Views
=============================================================================
MIB View name : internet
MIB Subtree : 1.3
MIB Subtree Mask :
MIB Subtree View type : included
=============================================================================
Number of entries: 1

SNMP Groups table


=============================================================================
SNMP group name : public
Security-model : noAuthNoPriv
Read-only MIB view : internet
Read-write MIB view : internet
Accessible-for-notify MIB view : internet
=============================================================================
Number of entries: 1

SNMP user access configuration


=============================================================================
SNMP user name : tester
SNMP group name : public
SNMP version : SNMPv3
Authentication type : None
Authentication password string : N/A
Encryption password : N/A
Remote Engine ID :
=============================================================================
Number of entries: 1

SNMP Notification targets


=============================================================================
Number of entries: 0

7. Display the configured SNMP groups:


device-name#show snmp group

SNMP Groups table

=============================================================================
SNMP group name : public
Security-model : noAuthNoPriv
Read-only MIB view : internet
Read-write MIB view : internet
Accessible-for-notify MIB view : internet

=============================================================================
Number of entries: 1


SNMP Notification for Users


In this example, a user named private with IP address 20.0.0.5 is attached
to a group named private_grp. This user receives SNMPv1 notifications
linkUp and linkDown.

1. Enable SNMP:
device-name#config terminal
device-name(config)#system
device-name(config-system)#snmp

2. Create a view that includes the entire MIB tree from root:
device-name(config-snmp)#view internet 1.3 included

3. Create a group named public that supports notifications:
device-name(config-snmp)#group public noAuthNoPriv read internet write internet notify internet

4. Create a user named tester that uses SNMPv3, and attach it to the already
created group named public:
device-name(config-snmp)#user tester public v3

5. Create the target address my_pc with IP address 20.0.0.5:
device-name(config-snmp)#target-address my_pc
device-name(config-target-address-my_pc)#address 20.0.0.5
device-name(config-target-address-my_pc)#message-model v3
device-name(config-target-address-my_pc)#security-name tester
device-name(config-target-address-my_pc)#security-model noAuthNoPriv
device-name(config-target-address-my_pc)#type trap
device-name(config-target-address-my_pc)#exit

6. Enable SNMP server:


device-name(config-snmp)#no shutdown

7. Commit the configuration:


device-name(config-snmp)#commit
Commit complete.
device-name(config-snmp)#end


8. Display the SNMP server:


device-name#show running-config system snmp
system
snmp
engine-id 80:00:02:e2:03:00:a0:12:64:05:60
no shutdown
authentication-failure-trap
view internet 1.3 "" included
group public noAuthNoPriv read internet write internet notify internet
user tester public v3
target-address my_pc
address 20.0.0.5
dst-port 162
message-model v3
security-name tester
security-model noAuthNoPriv
timeout 15
retry-count 3
type trap
!
!
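
The configuration above gives the noAuthNoPriv group public a write view over the whole MIB tree (1.3), so SET requests are accepted without authentication and notifications leave the device unprotected. The following Python sketch is an added example, not part of the manual or of ECI's software: it parses text in the show running-config system snmp layout shown above and reports such settings. The view sysonly and the group ops in the sample are constructed for contrast, and the authPriv keyword is an assumption based on the standard SNMPv3 security-level names.

```python
"""Flag weak SNMPv3 settings in 'show running-config system snmp' output."""

# Lines from the running-config printed above, plus a constructed view
# ("sysonly") and group ("ops") for contrast. The authPriv keyword is an
# assumption based on the standard SNMPv3 security-level names.
SAMPLE_CONFIG = """\
system
snmp
engine-id 80:00:02:e2:03:00:a0:12:64:05:60
no shutdown
authentication-failure-trap
view internet 1.3 "" included
view sysonly 1.3.6.1.2.1.1 "" included
group public noAuthNoPriv read internet write internet notify internet
group ops authPriv read internet write sysonly notify internet
user tester public v3
target-address my_pc
address 20.0.0.5
dst-port 162
message-model v3
security-name tester
security-model noAuthNoPriv
timeout 15
retry-count 3
type trap
!
!
"""

WEAK = "noauthnopriv"


def parse_snmp_config(text):
    """Return the views, groups, users and trap targets found in the dump."""
    cfg = {"views": {}, "groups": {}, "users": {}, "targets": {}}
    target = None  # target-address block currently being read, if any
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "!":
            target = None
        elif tok[0] == "view" and len(tok) >= 4:
            # view <name> <subtree> [<mask>] included|excluded
            cfg["views"].setdefault(tok[1], []).append((tok[2], tok[-1]))
        elif tok[0] == "group" and len(tok) >= 3:
            # group <name> <level> [read <view>] [write <view>] [notify <view>]
            cfg["groups"][tok[1]] = {"level": tok[2], **dict(zip(tok[3::2], tok[4::2]))}
        elif tok[0] == "user" and len(tok) >= 4:
            cfg["users"][tok[1]] = {"group": tok[2], "version": tok[3]}
        elif tok[0] == "target-address" and len(tok) == 2:
            target = cfg["targets"].setdefault(tok[1], {})
        elif target is not None and len(tok) == 2:
            target[tok[0]] = tok[1]
    return cfg


def covers_whole_tree(cfg, view_name):
    """True if the view includes a subtree at or above 1.3.6.1 (internet)."""
    return any(kind == "included" and len(subtree.strip(".").split(".")) <= 4
               for subtree, kind in cfg["views"].get(view_name, []))


def audit(cfg):
    """Return a list of (severity, object, message) findings."""
    findings = []
    for name, grp in sorted(cfg["groups"].items()):
        if grp["level"].lower() != WEAK:
            continue
        if "write" in grp:
            scope = ("the whole MIB tree" if covers_whole_tree(cfg, grp["write"])
                     else "view " + grp["write"])
            findings.append(("HIGH", "group " + name,
                             "SET accepted without authentication on " + scope))
        elif "read" in grp:
            findings.append(("MEDIUM", "group " + name,
                             "GET accepted without authentication"))
    for name, user in sorted(cfg["users"].items()):
        grp = cfg["groups"].get(user["group"], {})
        if grp.get("level", "").lower() == WEAK:
            findings.append(("HIGH", "user " + name,
                             "no authentication or privacy key is required"))
    for name, tgt in sorted(cfg["targets"].items()):
        if tgt.get("security-model", "").lower() == WEAK:
            findings.append(("MEDIUM", "target " + name,
                             "notifications to %s are unauthenticated and unencrypted"
                             % tgt.get("address", "?")))
    return findings


if __name__ == "__main__":
    for severity, obj, message in audit(parse_snmp_config(SAMPLE_CONFIG)):
        print(f"{severity:6} {obj:16} {message}")
```

A write view over 1.3 also covers the reset, reload and upgrade objects of the PRVT-INTERWORKING-OS-MIB described in the SNMP Reference Guide chapter, which is why the first finding is rated highest.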

Supported Standards, MIBs, and RFCs

Feature: Simple Network Management Protocol (SNMP)

Standards:
• STD0015, Simple Network Management Protocol
• STD0016, Structure of Management Information
• STD0017, Management Information Base
• STD0058, Structure of Management Information Version 2 (SMIv2)
• STD0062, Simple Network Management Protocol Version 3 (SNMPv3)

MIBs:
Public MIBs:
• SNMPV1-MIB
• MIB-II (RFC1213-MIB)
• SNMP-COMMUNITY-MIB (RFC2576)
• SNMPv2-MIB
• SNMP-VIEW-BASED-ACM-MIB
• SNMP-USER-BASED-SM-MIB

RFCs:
• RFC 1157, SNMPv1—The Simple Network Management Protocol: A full Internet Standard
• RFC 1213, Management Information Base for Network Management of TCP/IP-based internets: MIB-II
• RFC 2579, Textual Conventions for SMIv2
• RFC 2580, Conformance Statements for SMIv2
• RFC 3410, Introduction and Applicability Statements for Internet Standard Management Framework
• RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
• RFC 3412, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
• RFC 3413, Simple Network Management Protocol (SNMP) Applications
• RFC 3414, User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
• RFC 3415, View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
• RFC 3416, Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
• RFC 3417, Transport Mappings for the Simple Network Management Protocol (SNMP)
• RFC 3418, Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
• RFC 1901, Introduction to Community-based SNMPv2
• RFC 1902, Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)
• RFC 1905, Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)
• RFC 3584, Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework



12 SNMP Reference Guide

Features Included in This Chapter
This chapter contains the following sections:
1. Device Administration via SNMP
Describes how to administer the device via SNMP, including initial CPU
utilization monitoring and upgrading the system software.

2. Configuration Management via SNMP
Provides notification for configuration changes as SNMP traps.

3. Configuration MAC Security via SNMP
The MAC Security feature restricts the port input by limiting and
identifying MAC addresses of devices allowed to access this port.

4. Configuring Interfaces via SNMP
The device’s interfaces allow service providers to deliver multiple services
over separate user ports. Multiple application flows are supported over a
single customer port, with each flow being mapped to a different traffic
class.

5. Configuring Link Aggregation Groups (LAGs) via SNMP
LAGs provide increased bandwidth and high reliability while saving the
cost of upgrading the hardware.

6. Configuring Resilient Links via SNMP
Using the resilient links feature, you can protect critical links and prevent a
device failure by providing a secondary backup link that is inactive until it
is needed.

7. Configuring Virtual LANs (VLANs) via SNMP
VLAN tagging is a standard designed for grouping hosts with common
requirements, allowing them to communicate as if they were on the same
LAN regardless of their physical location.

8. Configuring Layer 2 Protocol Tunneling (L2PT) via SNMP
Layer 2 Protocol Tunneling is a feature that allows IEEE Layer-2 Protocol
Data Units (PDUs) to be tunneled through a network.

9. Configuring 802.1ag Connectivity Fault Management (CFM) via SNMP
IEEE 802.1ag Connectivity Fault Management (CFM) refers to the ability
of a network to monitor the health of an end-to-end service delivered to
customers (as opposed to just links or individual bridges).

10. Retrieving Manufacturing Details via SNMP
Enables retrieving the device’s serial number, assembly number, equipment
part number, hardware revision number and other manufacturing data.

11. Troubleshooting and Monitoring via SNMP
Describes how to perform troubleshooting and monitoring of the device via
SNMP, including monitoring power supply units, fans and temperature level
and configuring periodic diagnostic self-tests.


Device Administration via SNMP

MIB Architecture: PRVT-INTERWORKING-OS-MIB
This MIB enables displaying and managing the device’s OS features, including
OS upgrades.

NOTE: For the purposes of system information management via SNMP, only the
prvtInterworkingOSMibObjects node of the PRVT-INTERWORKING-OS-MIB is used.

The prvtInterworkingOSMibObjects table contains the following tables and objects:
Object Entry Field Name    Description
version
    Object identifier node containing the oSversionNumber node.
oSversionNumber
    Object identifying the version number of the OS.
management
    Object identifier node containing the managementMisc and
    prvtBootConfigUpgrade nodes.
managementMisc
    Object identifier nodes containing various nodes related to system reload.
managementMiscReset
    Performs a hardware reset of the unit. The available values are:
    • noop(1)
    • reset(2)
    • resetToDefaults(3)
    • saveAndReset(4)
    Use with care!
    The meaning of the values is as follows:
    • reset(2) resets the unit
    • reset-to-defaults(3) reloads the configuration file to factory defaults
      and then resets the unit
    • save-and-reset(4) saves the configuration and then resets the unit
    • noop(1) does nothing. noop(1) is always returned for a GET operation.

managementMiscReload
    Reloads the unit’s software; the unit’s hardware is not affected. The
    available values are:
    • noop(1)
    • saveAndReload(2)
    The value of noop(1) is always returned for a GET operation.
managementMiscReloadInTime
    Date/time for a scheduled reload without save in day:month:hour:min format.
    Octets’ contents range:
    1 - Day 0x01-0x1f (1-31)
    2 - Month 0x01-0x0C (1-12), where January = 1 […] December = 12
    3 - Hour 0x01-0x17 (0-23)
    4 - Min 0x01-3B (0-59)
    For example: 0x01 0x01 0x01 0x01 means 1 January 01:01.
    To disable a scheduled reload, set it to 0x00 0x00 0x00 0x00.
managementMiscReloadAtTime
    Date/time for a scheduled reload without save in day:month:hour:min format.
    Octets’ contents range:
    1 - Day 0x01-0x1f (1-31)
    2 - Month 0x01-0x0C (1-12), where January = 1 […] December = 12
    3 - Hour 0x01-0x17 (0-23)
    4 - Min 0x01-3B (0-59)
    For example: 0x01 0x01 0x01 0x01 means 1 January 01:01.
    To disable a scheduled reload, set it to 0x00 0x00 0x00 0x00.
prvtBootConfigUpgrade
    Object identifier node containing various nodes related to system upgrade.

prvtBootUpgradeSrcURI
    The source address from which the application will be copied and used by
    the device.
    The address must be in a valid URI format. It will be used by all booting
    mechanisms as the source from which to retrieve the application. The URI
    can point to either a local folder or a remote device.
    Examples:
    • ftp://myuser:mypass@netaddress/MyApps/Imagev1.5.Z
    • tftp://Usr/Imagev1.5.Z
    If there is no value set, the device will boot with the local application
    provided in the prvtBootApplicationNameURI object.
prvtBootApplicationNameURI
    The name of the application to be used by the network device to boot.
    The name of the application must be in valid URI format and should point
    to the storage device. Every network device can have a few locally saved
    application files copied in different storage devices: local file system,
    flash, etc. The user can choose one of them by selecting the storage
    device and the application name.
    Example:
    • Imagev1.5.Z
    If this object is empty, the device will boot from the network using the
    remote application given in prvtBootUpgradeSrcURI.
prvtBootUpgradeCmd
    Used to apply the configuration. The available values are:
    • none(0)
    • ready(1)
    • apply(2)
    • applyExec(3)
    When a get request is executed, the returned value should always be
    ready(1). When the apply(2) command is executed, the upgrade settings are
    applied. Alternatively, when the applyExec(3) command is executed, the
    upgrade process starts.
    • ready(1)

prvtBootOperStatus
    The object is used to show the current status of the upgrade process. The
    default value is ready. The available values are:
    • unknown(0)
    • ready(1) - the process is idle
    • notReady(2) - the device’s upgrade mechanism is not configured correctly
    • upgradeInProgress(3) - the upgrade process is in progress
    • ready(1)
prvtBootErrorCondition
    Provides feedback on the outcome of the upgrade process. The available
    values are:
    1 - noError(0)
    2 - genericError(1)
    3 - copyFailed(2)
    4 - downloadFailed(3)
    5 - freeSpaceError(4)
    6 - validationFailed(5)
    7 - backupFailed(6)
    8 - inProgressError(7)
    9 - consistencyError(8)
    10 - fileSystemError(9)
    11 - profileNameError(10)
    12 - profileError(11)
    13 - fileNameError(12)
    14 - pathError(13)
    15 - zFileError(14)
    16 - cannotFindFile(15)
    17 - defApplicationProfileError(16)
    18 - configProfileError(17)
    19 - bootDevProfileError(18)
    20 - ftpServerProfileError(19)
    21 - ftpUserProfileError(20)
    22 - ftpPassProfileError(21)
    • noError(0)
cpu
    Object identifier node containing nodes related to CPU monitoring.
cpuMonitoring
    Object identifier node containing the cpuMonitoringUtilization node.
cpuMonitoringUtilization
    Displays the current CPU utilization.
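
The four-octet day:month:hour:min value described for managementMiscReloadInTime and managementMiscReloadAtTime in the table above can be built and checked before it is written to the device. The following Python sketch is an added example, not code from the manual: it validates the fields, recognises the 0x00 0x00 0x00 0x00 "disabled" value, and decodes a value read back from the device. Accepting the decimal ranges 0-23 and 0-59 and rejecting days that do not exist in the given month are assumptions of this example.

```python
"""Encode and decode the 4-octet day:month:hour:min scheduled-reload value."""

DISABLE = bytes(4)  # 0x00 0x00 0x00 0x00 disables a scheduled reload

# The value carries no year, so February is allowed 29 days.
DAYS_IN_MONTH = (31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31)
MONTHS = ("January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December")


def encode_reload_time(day, month, hour, minute):
    """Return the 4 octets for a scheduled reload, rejecting impossible dates."""
    if not 1 <= month <= 12:
        raise ValueError("month must be 1-12")
    if not 1 <= day <= DAYS_IN_MONTH[month - 1]:
        raise ValueError("day %d does not exist in month %d" % (day, month))
    # ASSUMPTION: the decimal ranges in the table (0-23, 0-59) are the valid ones.
    if not 0 <= hour <= 23 or not 0 <= minute <= 59:
        raise ValueError("hour must be 0-23 and minute 0-59")
    return bytes([day, month, hour, minute])


def decode_reload_time(octets):
    """Return (day, month, hour, minute), or None when no reload is scheduled."""
    octets = bytes(octets)
    if len(octets) != 4:
        raise ValueError("expected exactly 4 octets, got %d" % len(octets))
    if octets == DISABLE:
        return None
    day, month, hour, minute = octets
    encode_reload_time(day, month, hour, minute)  # reuse the range checks
    return day, month, hour, minute


def parse_hex_octets(text):
    """Convert the manual's notation, e.g. '0x01 0x01 0x01 0x01', to bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def describe(octets):
    """Readable form of a value, suitable for change records and logs."""
    value = decode_reload_time(octets)
    if value is None:
        return "no reload scheduled"
    day, month, hour, minute = value
    return "%d %s %02d:%02d" % (day, MONTHS[month - 1], hour, minute)


if __name__ == "__main__":
    print(describe(parse_hex_octets("0x01 0x01 0x01 0x01")))
    print(describe(DISABLE))
```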


Examples of Device Administration

Software Update via CLI

1. Make sure there is connectivity between the device and TFTP server:
device-name#ping 10.3.71.62 number 1
PING 10.3.71.62 (10.3.71.62): 56 data bytes
64 bytes from 10.3.71.62: icmp_seq=0 ttl=128 time=3.8 ms

--- 10.3.71.62 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.8/3.8/3.8 ms

2. Copy the desired file to flash:
device-name#file cp os-image tftp://10.3.71.62/2.3.R1.AS9206.tar.bz2

3. List the available software images:
device-name#file ls os-image
* Jan 00:33 14.6M 2.2.R1.AS9206.tar.bz2
* 1 Jan 00:28 13.2M 2.3.R1.AS9206.tar.bz2
Number of files: 2, 21.2M
Flash Size: 38.4M
Used Space: 22.7M
Free Space: 15.7M

4. Activate the 2.3.R1.AS9206.tar.bz2 image (new image) on the device
and then remove the 2.2.R1.AS9206.tar.bz2 image (old image):
device-name#file active-os-image 2.3.R1.AS9206.tar.bz2
device-name#file rm os-image 2.2.R1.AS9206.tar.bz2

5. Reboot the device:
device-name(config)#system reload

Software Update via SNMP

1. Set a new application name, different from the one in
prvtBootApplicationNameURI, preceded by the TFTP folder information:
SET prvtBootUpgradeSrcURI "tftp://1.0.0.2/New_Image.Z"

2. Specify the currently loaded application:
SET prvtBootApplicationNameURI "New_Image.Z"

3. Start application replacement:
SET prvtBootUpgradeCmd apply

4. Verify the upgrade:
GET prvtBootOperStatus ready
GET prvtBootErrorCondition noError


Configuration Management via SNMP

MIB Architecture: PRVT-CONFIGCHANGE-MIB
This private MIB provides notification for configuration changes as SNMP
traps. Each trap contains the time at which the configuration change was
committed, the name of the user who made the change, and the method by
which the change was made.
The prvtConfigChangeObjects contains the following objects:
Object Entry Field Name    Description
prvtConfigChangeAlarmNamespace
    The Namespace of an object whose value has been changed.
prvtConfigChangeAlarmKeypath
    The Keypath of an object whose entry has been changed.

Configuration Management via CLI


1. Configure SNMP with traps:
device-name(config)#system
device-name(config-system)#no snmp
device-name(config-system)#snmp
device-name(config-snmp)#com
Commit complete.
device-name(config-snmp)#no shutdown
device-name(config-snmp)#view myview 1.3 included
device-name(config-snmp)#group mygroup noAuthNoPriv read myview write myview notify myview
device-name(config-snmp)#user tester mygroup v3
device-name(config-snmp)#target-address mycomp
device-name(config-target-address-mycomp)#dst-port 162
device-name(config-target-address-mycomp)#address 10.3.71.167
device-name(config-target-address-mycomp)#security-name tester
device-name(config-target-address-mycomp)#security-model noAuthNoPriv
device-name(config-target-address-mycomp)#message-model v3
device-name(config-target-address-mycomp)#type trap
device-name(config-target-address-mycomp)#com
Commit complete.
device-name(config-target-address-mycomp)#exit

2. Configure notification change trap to be true:
device-name(config-snmp)#notification-change-trap true
device-name(config-snmp)#com
Commit complete.

3. Configure system location:
device-name(config-snmp)#system-location LAB
device-name(config-snmp)#com
Commit complete.
device-name(config-snmp)#

Configuring Interfaces via SNMP


For additional information about this feature, refer to the Physical Ports and
Logical Interfaces chapter of this User Guide.

MIB Architecture: PRVT-SWITCH-MIB


This private MIB is used for managing the internal device parameters and
contains additional configuration options and device information that go
beyond the requirements of the RFC 2863 standard.
The Fast Ethernet and Giga Ethernet port configuration is done through the
configL2IfaceTable table of the MIB.

The configL2IfaceTable table contains the following objects:


Object Entry Field Name    Description
configL2IfaceTable
    Contains a list of interfaces and their properties.
configL2IfaceUnit
    The ID that uniquely identifies a unit in the interface table, in the
    range of <1–1000> (not supported).
configL2IfaceSlot
    The ID that uniquely identifies a slot within the unit in the interface
    table, in the range of <1–1000> (not supported).
configL2IfacePort
    The ID that uniquely identifies a port within the slot in the interface
    table, in the range of <1–1000> (not supported).
configL2IfaceEnable
    Enables/disables the control of the interface: enable (1) or disable (2).
    For this product, this is the only way to enable or disable the interface.
    ifAdminStatus (RFC1213) can be set, and dot1dStpPortEnable (RFC1493) is
    implemented as read-only.
configL2IfaceDefaultVID
    Sets the default VLAN ID according to 802.1Q, in the range of <1–4092>.

configL2IfaceDuplexModeSet
    The duplex mode for the interface: auto(1), full(2), or half(3). If the
    port type does not support the default of autonegotiate (1), then the
    application initializes the port to a valid value (for example, full(2)).
configL2IfaceSpeedSet
    The desired speed and duplex mode for the interface: auto(0), speed10(10),
    speed100(100), speed1000(1000) or speed10000(10000).
    • If the selected control is not available for the interface, a value of
      illegal (99) is returned.
    • If the port type does not support the default of autonegotiate(1), then
      the application initializes the port to a valid value (for example,
      speed1000(3)).
    Not all controls are available for all interfaces. For example, only
    speed1000(4) is available for Gigabit Ethernet interfaces.
configL2IfaceMtu
    The Maximum Transmission Unit (MTU), in octets, of the interface.
configL2IfaceFlowEnable
    The desired flow mode for the interface. Note that not all controls are
    available for all interfaces.
reportsL2IfaceTable
    Lists the interfaces and their properties.

reportsL2IfaceMediaType
    Installed media type. The available values are:
    • not-installed(1)
    • unknown(2)
    • m1000BaseCXMMSFP(3)
    • m1000BaseCXSMSFP(4)
    • m1000BaseTSFPCOPPERMR(5)
    • m1000BaseTSFPCOPPERSR(6)
    • m1000BaseBXSMSFP(7)
    • m1000BaseBXMMSFP(8)
    • m1000BasePXSMSFP(9)
    • m1000BasePXMMSFP(10)
    • m1000BaseDWDMSMSFP(11)
    • m1000BaseDWDMMMSFP(12)
    • m1000BaseSXMMSFP(13)
    • m1000BaseSXSMSFP(14)
    • m1000BaseLXSMSFP(15)
    • m1000BaseLXMMSFP(16)
    • m1000BaseXDSMSFP(17)
    • m1000BaseXDMMSFP(18)
    • m1000BaseZXSMSFP(19)
    • m1000BaseZXMMSFP(20)
    • m1000BaseEXSMSFP(21)
    • m1000BaseEXMMSFP(22)
    • m1000BaseXWDMSMSFP(23)
    • m1000BaseXWDMMMSFP(24)
    • m100BaseBXSMSFP(25)
    • m100BaseBXMMSFP(26)
    • m100BasePXSMSFP(27)
    • m100BasePXMMSFP(28)
    • m100BaseFXSMSFP(29)
    • m100BaseFXMMSFP(30)
    • m100BaseSXSMSFP(31)
    • m100BaseSXMMSFP(32)
    • m100BaseLXSMSFP(33)
    • m100BaseLXMMSFP(34)
    • m100BaseXDSMSFP(35)
    • m100BaseXDMMSFP(36)
    • m100BaseZXSMSFP(37)

    • m100BaseZXMMSFP(38)
    • m100BaseEXSMSFP(39)
    • m100BaseEXMMSFP(40)
    • m100BaseXWDMSMSFP(41)
    • m100BaseXWDMMMSFP(42)
    • m10GBaseSRMMXFP(43)
    • m10GBaseLRMMXFP(44)
    • m10GBaseLRMMMXFP(45)
    • m10GBaseLRSMXFP(46)
    • m10GBaseSRSMXFP(47)
    • m10GBaseLRMSMXFP(48)
    • m10GBaseSXMMXFP(49)
    • m10GBaseSXSMXFP(50)
    • m10GBaseLXMMXFP(51)
    • m10GBaseLXSMXFP(52)
    • m10GBaseXDSMXFP(53)
    • m10GBaseXDMMXFP(54)
    • m10GBaseZXSMXFP(55)
    • m10GBaseZXMMXFP(56)
    • m10GBaseEXSMXFP(57)
    • m10GBaseEXMMXFP(58)
    • m10GBaseXWDMSMXFP(59)
    • m10GBaseXWDMMMXFP(60)
reportsL2IfaceOperSpeed
    Operational speed on the interface:
    • auto(0)
    • speed-10(10)
    • speed-100(100)
    • speed-1000(1000)
    • speed-10000(10000)
reportsL2IfaceOperDuplex
    Operational duplex on the interface:
    • auto(1)
    • full(2)
    • half(3)

reportsL2IfaceOperDual
    Indicates whether the interface is a dual combo port or a single port:
    • dual-port(1)
    • single-port(2)
reportsL2IfaceOperActive
    In case of a dual port, indicates whether it is an active copper or fiber
    port:
    • copper-active(1)
    • fiber-active(2)
    • not-available(3)

Fast Ethernet and Giga Ethernet Port Configuration Examples

Configuration via CLI


1. Configure the desired speed on port 1/1/1:
device-name#config terminal
device-name(config)#port 1/1/1
device-name(config-port-1/1/1)#speed 1000
device-name(config-port-1/1/1)#commit

2. Configure the desired duplex-mode on port 1/1/1:


device-name(config-port-1/1/1)#duplex full
device-name(config-port-1/1/1)#commit

3. Define the port’s MTU:


device-name(config-port-1/1/1)#mtu 4096
device-name(config-port-1/1/1)#commit

Configuration via SNMP


1. Configure the desired speed on port 1/1/1:
snmpset configL2IfaceSpeedSet.1.1.1 integer 7 (1000 mbps)

2. Configure the desired duplex-mode on port 1/1/1:


snmpset configL2IfaceDuplexModeSet.1.1.1 integer 2 (full)

3. Define the port’s MTU:


snmpset configL2IfaceMtu.1.1.1 (integer) 4096


Configuring Link Aggregation Groups (LAGs) via SNMP
For additional information about this feature, refer to the Physical Ports and
Logical Interfaces chapter of this User Guide.

MIB Architecture: PRVT-PORTS-AGGREGATION-MIB
The private Ports Aggregation MIB is used for managing devices’ static and
dynamic port aggregation.

This MIB contains the following objects:


Object Entry Field Name    Description
portsAggregationTable
    The status of all the trunks in the system: static and dynamic trunks.
portsAggregationName
    The aggregation name.
portsAggregationRowStatus
    The aggregation row status:
    1. active
    2. notInService
    3. not ready
    4. createAndGo
    5. createAndWait
    6. destroy
portsAggregationDescription
    The aggregation description, a string up to 255 characters.
portsAggregationMode
    The aggregation mode: access (1) or network (2).
portsAggregationLacpEnable
    Link Aggregation Control Protocol (LACP) configuration.
portsAggregationLacpMode
    The aggregation LACP mode: passive (1) or active (2).
portsAggregationLacpAdminKey
    The aggregation administrative key, in the range of <1–65535>.
portsAggregationLacpId
    The aggregation LACP system ID.
portsAggregationLacpMarker
    The aggregation LACP marker: enable (1) or disable (2).
portsAggregationLacpSystemPriority
    The aggregation LACP priority, in the range of <1–65535>.

portsAggregationOperStatus
    The aggregation operational status: up (1) or down (2).
portsAggregationPortCount
    The aggregation ports count.
portsAggregationUplinkCount
    The aggregation uplink ports count.
portsAggregationIfInOctets
    The total number of octets received on the interface, including framing
    characters.
portsAggregationIfInUcastPkts
    The number of packets, delivered by this sub-layer to a higher sub-layer,
    which were not addressed to a multicast or broadcast address at this
    sub-layer.
portsAggregationIfInNUcastPkts
    The number of packets, delivered by this sub-layer to a higher sub-layer,
    which were addressed to a multicast or broadcast address at this sub-layer.
portsAggregationIfInErrors
    This object:
    • For packet-oriented interfaces, is the number of inbound packets that
      contained errors preventing them from being deliverable to a
      higher-layer protocol
    • For character-oriented or fixed-length interfaces, is the number of
      inbound transmission units that contained errors preventing them from
      being deliverable to a higher-layer protocol
portsAggregationIfInUnknownProtos
    This object:
    • For packet-oriented interfaces, is the number of packets received via
      the interface that were discarded because of an unknown or unsupported
      protocol
    • For character-oriented or fixed-length interfaces that support protocol
      multiplexing, is the number of transmission units received via the
      interface that were discarded because of an unknown or unsupported
      protocol
    • For any interface that does not support protocol multiplexing, this
      counter is 0
portsAggregationIfOutOctets
    The total number of octets transmitted out of the interface, including
    framing characters.

portsAggregationIfOutUcastPkts
    The total number of packets that higher-level protocols requested to be
    transmitted. These packets are not addressed to a multicast or broadcast
    address at this sub-layer, including those that are discarded or not sent.
portsAggregationIfOutNUcastPkts
    The total number of packets that higher-level protocols requested to be
    transmitted. These packets are addressed to a multicast or broadcast
    address at this sub-layer, including those that are discarded or not sent.
portsAggregationIfOutDiscards
    The number of outbound packets that are selected to be discarded even
    though no errors were detected to prevent their being transmitted. One
    possible reason for discarding such a packet can be to free up buffer
    space.
portsAggregationIfOutErrors
    This object:
    • For packet-oriented interfaces, is the number of outbound packets that
      cannot be transmitted because of errors
    • For character-oriented or fixed-length interfaces, is the number of
      outbound transmission units that cannot be transmitted because of errors
portsAggregationIfInMulticastPkts
    The number of packets, delivered by this sub-layer to a higher sub-layer,
    which are addressed to a multicast address at this sub-layer. For a MAC
    layer protocol, this includes both group and functional addresses.
portsAggregationIfInBroadcastPkts
    The number of packets, delivered by this sub-layer to a higher sub-layer,
    which are addressed to a broadcast address at this sub-layer.
portsAggregationIfInDiscardsPkts
    The number of inbound packets that are selected to be discarded even
    though no errors were detected to prevent their being deliverable to a
    higher-layer protocol. One possible reason for discarding such a packet
    can be to free up buffer space.

portsAggregationIfOutMulticastPkts
    The total number of packets that higher-level protocols requested to be
    transmitted. These packets are addressed to a multicast address at this
    sub-layer, including those that are discarded or not sent. For a MAC layer
    protocol, this includes both group and functional addresses.
    Discontinuities in the value of this counter can occur at
    re-initialization of the management system, and at other times as
    indicated by the value of ifCounterDiscontinuityTime.
portsAggregationIfOutBroadcastPkts
    The total number of packets that higher-level protocols requested to be
    transmitted. These packets are addressed to a broadcast address at this
    sub-layer, including those that are discarded or not sent.
portsAggregationPortsTable
    The table contains Link Aggregation Control configuration information
    about every Aggregation Port associated with this device.
    For each physical port, a row appears in the table.
portsAggregationPortsIfIndex
    The ifIndex of the port.
portsAggregationPortsRowStatus
    The status of the port, in the range of <1-6> as follows:
    • 1—active
    • 2—notInService
    • 3—not ready
    • 4—createAndGo
    • 5—createAndWait
    • 6—destroy
portsAggregationPortsPriority
    Priority assigned to the aggregation port, in the range of <1-65535>.


LAG Configuration Examples

Configuration via CLI


1. Configure static link aggregation:
device-name(config)#ethernet lag lag-id ag2
device-name(config-lag-id-ag2)#description Uplink12
device-name(config-lag-id-ag2)#port 1/2/1
device-name(config-port-1/2/1)#port 1/2/3
device-name(config-port-1/2/3)#port 1/2/4
device-name(config-port-1/2/4)#commit
device-name(config-port-1/2/4)#exit

2. Remove the port from aggregation:


device-name(config-lag-id-ag2)#no port 1/2/1

Configuration via SNMP


1. Configure static link aggregation:
portsAggregationRowStatus.3.97.103.50 (integer) createAndWait(5)
portsAggregationDescription.3.97.103.50 (octet string) Uplink12
portsAggregationPortsRowStatus.3.97.103.50.1201 (integer) createAndWait(5)
portsAggregationPortsRowStatus.3.97.103.50.1203 (integer) createAndWait(5)
portsAggregationPortsRowStatus.3.97.103.50.1204 (integer) createAndWait(5)
portsAggregationPortsRowStatus.3.97.103.50.1201 (integer) active(1)
portsAggregationPortsRowStatus.3.97.103.50.1203 (integer) active(1)
portsAggregationPortsRowStatus.3.97.103.50.1204 (integer) active(1)
portsAggregationRowStatus.3.97.103.50 (integer) active(1)

2. Remove the port from aggregation:


portsAggregationPortsRowStatus.3.97.103.50.1201 (integer) destroy(6)
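
The instance identifiers in the SNMP steps above follow a pattern: 3.97.103.50 is the LAG name ag2 as a length-prefixed string index (3 characters, then the ASCII codes of a, g and 2), and 1201 is the ifIndex of port 1/2/1. The following Python sketch is an added example, not code from the manual: it builds the same SET sequence for any LAG and decodes instance identifiers back to a name and port, which helps when reviewing SET requests in logs or packet captures. The ifIndex formula (unit*1000 + slot*100 + port) is an assumption inferred from the examples on this page.

```python
"""Build and decode PRVT-PORTS-AGGREGATION-MIB instance identifiers."""

CREATE_AND_WAIT, ACTIVE = "createAndWait(5)", "active(1)"


def name_to_index(name):
    """LAG name -> length-prefixed sub-identifiers, e.g. 'ag2' -> [3, 97, 103, 50]."""
    data = name.encode("ascii")
    if not data:
        raise ValueError("empty LAG name")
    return [len(data)] + list(data)


def port_to_ifindex(port):
    """'unit/slot/port' -> ifIndex.

    ASSUMPTION inferred from the manual's examples (1/2/1 -> 1201,
    1/1/2 -> 1102): ifIndex = unit*1000 + slot*100 + port.
    """
    unit, slot, num = (int(part) for part in port.split("/"))
    if unit < 1 or not 0 <= slot <= 9 or not 0 <= num <= 99:
        raise ValueError("port %r does not fit the assumed ifIndex scheme" % port)
    return unit * 1000 + slot * 100 + num


def ifindex_to_port(ifindex):
    """Inverse of port_to_ifindex under the same assumption."""
    return "%d/%d/%d" % (ifindex // 1000, ifindex % 1000 // 100, ifindex % 100)


def decode_instance(suffix):
    """'3.97.103.50.1201' -> ('ag2', '1/2/1'); '3.97.103.50' -> ('ag2', None)."""
    ids = [int(part) for part in suffix.strip(".").split(".")]
    length, rest = ids[0], ids[1:]
    if length < 1 or len(rest) < length or len(rest) > length + 1:
        raise ValueError("malformed instance identifier: %r" % suffix)
    name = bytes(rest[:length]).decode("ascii")
    port = ifindex_to_port(rest[length]) if len(rest) == length + 1 else None
    return name, port


def build_lag_sets(name, description, ports):
    """Return (object.instance, syntax, value) tuples in the manual's order."""
    lag = ".".join(str(n) for n in name_to_index(name))
    members = ["%s.%d" % (lag, port_to_ifindex(p)) for p in ports]
    sets = [("portsAggregationRowStatus." + lag, "integer", CREATE_AND_WAIT),
            ("portsAggregationDescription." + lag, "octet string", description)]
    sets += [("portsAggregationPortsRowStatus." + m, "integer", CREATE_AND_WAIT)
             for m in members]
    sets += [("portsAggregationPortsRowStatus." + m, "integer", ACTIVE)
             for m in members]
    sets.append(("portsAggregationRowStatus." + lag, "integer", ACTIVE))
    return sets


if __name__ == "__main__":
    for oid, syntax, value in build_lag_sets("ag2", "Uplink12",
                                             ["1/2/1", "1/2/3", "1/2/4"]):
        print("%s (%s) %s" % (oid, syntax, value))
    print(decode_instance("3.97.103.50.1201"))
```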


Configuring Resilient Links via SNMP
For additional information about this feature, refer to the Physical Ports and
Logical Interfaces chapter of this User Guide.

MIB Architecture: PRVT-RESILIENT-LINK-MIB
The Resilient link MIB is used for managing devices’ resilient link.
This MIB contains the following tables and objects:
Object Entry Field Name    Description
prvtResilientLinkTable
    Contains the resilient link configuration.
prvtResilientLinkIndex
    This object identifies the resilient link.
prvtResilientLinkEnable
    This object enables or disables the resilient link.
prvtResilientLinkPrimaryPort
    The main port of the resilient-link pair.
prvtResilientLinkBackupPort
    The standby (backup) port of the resilient-link pair.
prvtResilientLinkBackupMode
    The standby (backup) link behavior.
prvtResilientLinkRevertiveMode
    Configures the traffic to switch back to the main link as soon as the
    link is recovered.
prvtResilientLinkStatusActive
    This object identifies the active port (1 or 2) in this resilient link.
    Only ports with link up can be configured as active ports.
prvtResilientLinkStatusSwaps
    The number of times prvtResilientLinkStatusActive changes.
prvtResilientLinkRowStatus
    RowStatus of prvtResilientLinkTable.


Resilient Link Configuration Examples

Configuration via CLI


- Configure resilient link:
device-name(config-resilient-link-res1)#primary-port 1/1/1
device-name(config-resilient-link-res1)#backup-port 1/1/2
device-name(config-resilient-link-res1)#backup-mode shutdown
device-name(config-resilient-link-res1)#revertive
device-name(config-resilient-link-res1)#commit
Commit complete

Configuration via SNMP


- Configure resilient link:
portsAggregationRowStatus.3.97.103.50 (integer) createAndWait(5)
prvtResilientLinkRowStatus.1 (integer) createAndWait(5)
prvtResilientLinkPrimaryPort.1 (integer) 1101 [1101]
prvtResilientLinkBackupPort.1 (integer) 1102 [1102]
prvtResilientLinkBackupMode.1 (integer) shutdown(2)
prvtResilientLinkRevertiveMode.1 (integer) true(1)
prvtResilientLinkRowStatus.1 (integer) active(1)

Configuring Virtual LANs (VLANs) via SNMP
For additional information about VLANs, refer to the Virtual LANs (VLAN)
chapter of this User Guide.

MIB Architecture: Q-BRIDGE-MIB


The private VLAN Bridge MIB is used for managing VLAN networks. This
MIB manages the MAC address table and is also referred to as
8021Q_d6.mib.

NOTE: For configuring via SNMP, only the dot1qVlanStaticTable is used.


This table contains the following objects:


Object Entry Field Name Description
dot1qVlanStaticTable A table containing static configuration
information for each VLAN configured into the
device by (local or network) management. All
entries are permanent and are restored after the
device is reloaded.
dot1qVlanStaticName An administratively assigned string up to 32
characters, which may be used to identify the
VLAN.
dot1qVlanStaticEgressPorts The set of ports that are permanently assigned
to the egress list for this VLAN by
management. A port may not be added in this
set if it is already a member of the set of ports
in dot1qVlanForbiddenEgressPorts.
• a string of appropriate length included in
all ports.
dot1qVlanForbiddenEgressPorts The set of ports that are prohibited by
management from being included in the egress
list for this VLAN.
A port may not be added in this set if it is
already a member of the set of ports in
dot1qVlanStaticEgressPorts.
• a string of zeros of appropriate length,
excluding all ports from the forbidden set
dot1qVlanStaticUntaggedPorts The set of ports that transmits egress packets
for this VLAN as untagged.
• for the default VLAN (dot1qVlanIndex =
1), is a string of appropriate length
including all ports
dot1qVlanStaticRowStatus The status of this entry.


VLAN Configuration Examples

Configuration via CLI


1. Create a VLAN with the specified name vlan3 and ID 3:
device-name#config terminal
device-name(config)#vlan vlan3 3

2. Add port 1/1/1 as tagged to the created VLAN:


device-name(config-vlan-vlan3/3)#tagged 1/1/1

3. Add port 1/1/2 as untagged to the created VLAN:


device-name(config-vlan-vlan3/3)#untagged 1/1/2

Configuration via SNMP


1. Create a VLAN with the specified name vlan3 and ID 3:
set dot1qVlanStaticRowStatus.3 (integer) createAndWait(5)
set dot1qVlanStaticName.3 string vlan3

2. Add port 1/1/1 as tagged to the created VLAN:


set dot1qVlanStaticEgressPorts.3 (octet string) C0.00.00.00 (hex)

3. Add port 1/1/2 as untagged to the created VLAN:


set dot1qVlanStaticUntaggedPorts.3 (octet string) 40.00.00.00 (hex)
set dot1qVlanStaticRowStatus.3 (integer) active(1)
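
The octet strings in steps 2 and 3 are port bitmaps: the most significant bit of the first octet is the lowest-numbered port, so C0 carries ports 1 and 2 (the egress list must include the untagged port as well) and 40 carries port 2 alone. The Python sketch below is an added example, not part of the manual; it assumes port 1/1/N maps to bit N (as the C0/40 values imply) and a 4-octet list, and its function names are hypothetical. It builds the three bitmaps from a port plan and audits values read back from a device.

```python
# Added example (not from the manual): build and audit the port bitmaps used by
# dot1qVlanStaticTable. Assumption: port 1/1/N maps to bit N, as C0/40 imply.

PORTLIST_OCTETS = 4  # assumed length, matching the 4-octet values in the steps


def encode_portlist(ports, length=PORTLIST_OCTETS):
    """Return bitmap octets: the MSB of octet 0 is port 1, the next bit port 2."""
    buf = bytearray(length)
    for port in ports:
        if not 1 <= port <= length * 8:
            raise ValueError(f"port {port} is outside 1..{length * 8}")
        buf[(port - 1) // 8] |= 0x80 >> ((port - 1) % 8)
    return bytes(buf)


def decode_portlist(octets):
    """Return the set of port numbers whose bit is set."""
    return {
        index * 8 + bit + 1
        for index, octet in enumerate(octets)
        for bit in range(8)
        if octet & (0x80 >> bit)
    }


def to_dotted_hex(octets):
    """Format octets the way the manual prints them, e.g. C0.00.00.00."""
    return ".".join(f"{octet:02X}" for octet in octets)


def from_dotted_hex(text):
    """Parse the manual's dotted-hex notation back into bytes."""
    return bytes(int(part, 16) for part in text.split("."))


def plan_vlan(tagged, untagged, forbidden=()):
    """Compute the values to SET for one VLAN, rejecting inconsistent plans."""
    tagged, untagged, forbidden = set(tagged), set(untagged), set(forbidden)
    if tagged & untagged:
        raise ValueError(f"ports both tagged and untagged: {sorted(tagged & untagged)}")
    egress = tagged | untagged  # untagged ports must also be in the egress set
    if egress & forbidden:
        # The table description forbids a port being in both sets.
        raise ValueError(f"ports both egress and forbidden: {sorted(egress & forbidden)}")
    return {
        "dot1qVlanStaticEgressPorts": to_dotted_hex(encode_portlist(egress)),
        "dot1qVlanStaticUntaggedPorts": to_dotted_hex(encode_portlist(untagged)),
        "dot1qVlanForbiddenEgressPorts": to_dotted_hex(encode_portlist(forbidden)),
    }


def audit_vlan(egress_hex, untagged_hex, forbidden_hex="00.00.00.00"):
    """Decode values read back from a device and flag inconsistent membership."""
    egress = decode_portlist(from_dotted_hex(egress_hex))
    untagged = decode_portlist(from_dotted_hex(untagged_hex))
    forbidden = decode_portlist(from_dotted_hex(forbidden_hex))
    findings = []
    if untagged - egress:
        findings.append(f"untagged but not in egress list: {sorted(untagged - egress)}")
    if egress & forbidden:
        findings.append(f"in both egress and forbidden sets: {sorted(egress & forbidden)}")
    return {
        "tagged": sorted(egress - untagged),
        "untagged": sorted(untagged & egress),
        "findings": findings,
    }


if __name__ == "__main__":
    # The manual's vlan3 example: port 1 tagged, port 2 untagged.
    print(plan_vlan(tagged=[1], untagged=[2]))
    print(audit_vlan("C0.00.00.00", "40.00.00.00"))
```

Running the audit against each VLAN's read-back values shows at a glance which ports carry the VLAN tagged and which hand it out untagged.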


Configuring Layer 2 Protocol Tunneling (L2PT) via SNMP
For additional information about this feature, refer to the Transparent LAN Services
(TLS) chapter of this User Guide.

MIB Architecture: PRVT-L2TUNNELING-MIB


The private Layer 2 Tunneling MIB manages the Layer 2 Protocol Tunneling
feature, designed for service providers.
This MIB contains the following tables and objects:
Object Entry Field Name Description
prvtL2TunnEnable Enables/Disables the Layer 2 (L2) Tunneling
feature.
prvtL2TunnProfileTable Table storing all pre-defined and custom profiles.
prvtL2TunnProfileName TLS profile name.
Three pre-defined profiles are available:
- discard-all
- tunnel-bpdu
- tunnel-all
prvtL2TunnProfileRowStatus The RowStatus of the TLS profile.
Pre-defined profiles cannot be modified.
prvtL2ProtocolsTable Table storing all pre-defined and custom L2
protocols.
prvtL2ProtocolName Name of the particular L2 Protocol.
The following protocol names are pre-defined:
- stp
- lacp
- efm-oam
- dot1x
- e-lmi
- lldp
- other (all other bridge-block of protocols)
- all-brs (all bridges)
- garp (GARP Block of Protocols)
- pb-stp (Provider Bridge STP)
- pvst (Per-VLAN STP)

prvtL2ProtocolRowStatus The RowStatus of creating/deleting custom
protocols.
Pre-defined profiles cannot be modified.
prvtL2ProtocolEthertype EtherType of the protocol.
prvtL2ProtocolMAC The protocol’s multicast MAC address (used for
PDU distribution).
prvtL2ReplaceMAC The replacement multicast MAC address.
prvtL2TunnProfMapProtoTable Table storing the actions configured per TLS
tunneling profile for each L2 protocol.
prvtL2TunnProfMapProtoRowStatus The RowStatus of creating/deleting rows.
prvtL2TunnProfMapProtoAction Action for this TLS tunneled protocol.
prvtL2TunnSapTable Table storing the profile-to-SAP assignments.
prvtL2TunnSapProfile The profile associated with an SAP point.
Using an empty string to configure removes the
profile from the SAP.
prvtL2TunnSdpTable Table storing the profile-to-SDP assignments.
prvtL2TunnSdpProfile The profile associated with an SDP point.
Using an empty string to configure removes the
profile from the SDP.

L2PT Configuration Example

Configuration via CLI


device-name#config terminal
device-name(config)#l2-tunneling
device-name(config-l2-tunneling)#no shutdown
device-name(config-l2-tunneling)#commit
Commit complete.
device-name(config-l2-tunneling)#exit
device-name(config)#service tls 1
device-name(config-tls-1)#sap 1/1/1
device-name(config-sap-1/1/1)#c-vlan 3
device-name(config-c-vlan-3)#tunnel-profile tunnel-all
device-name(config-c-vlan-3)#exit
device-name(config-sap-1/1/1)#exit
device-name(config-tls-1)#sdp s-vlan 10 interface 1/1/2
device-name(config-interface-1/1/2)#tunnel-profile tunnel-all
device-name(config-interface-1/1/2)#commit
Commit complete.
device-name(config-interface-1/1/2)#


Configuration via SNMP


1. Enable Layer 2 tunneling and TLS:
prvtL2TunnEnable.0 (integer) enable(1)
OID: 1.3.6.1.4.1.738.10.7.2.1.2.1.2
serviceRowStatus.2 (integer) createAndWait(5)
serviceType.1 (integer) tls(3)
serviceVpnId.2 (gauge) 11
serviceRowStatus.2 (integer) active(1)

2. Get the next free ID value (needed to configure the SDP port):


***** SNMP QUERY STARTED *****
sdpNextFreeId.0 (gauge) 16
Use the returned value to configure the SDP port:

3. Configure the SDP RowStatus:


sdpRowStatus.216 (integer) createAndWait(5)

4. Configure the service VLAN:


sdpBindVlanTag.116 (gauge) 11

5. Configure the SDP interface:


sdpOutInterface.1.16 (integer) 1202 [1202]

6. Set the SDP/SAP RowStatus to active:


sdpRowStatus.1.15 (integer) active(1)
OID: 1.3.6.1.4.1.738.10.7.2.1.3.1.3
sapRowStatus.1.1201.8 (integer) createAndWait(5)
sapRowStatus.1.1201.8 (integer) active(1)

7. Apply the Layer 2 tunneling profile:


prvtL2TunnSdpProfile.2.3 (octet string) tunnel-bpdu
[74.75.6E.6E.65.6C.2D.62.70.64.75 (hex)]
prvtL2TunnSapProfile.2.1104.4 (octet string) tunnel-all
[74.75.6E.6E.65.6C.2D.61.6C.6C (hex)]


Configuring 802.1ag Connectivity Fault Management (CFM) via SNMP
For additional information about this feature, refer to the 802.1ag Connectivity
Fault Management (CFM) section of the Operations, Administration, and
Maintenance (OAM) chapter of this User Guide.

MIB Architecture: PRVT-CFM-MIB


The private CFM MIB is an extension of the Connectivity Fault Management
module for managing IEEE 802.1ag connectivity. It provides proactive and
diagnostic connectivity fault localization capabilities over SNMP for Ethernet
Virtual Connections (EVC) that span one or more links.
This MIB contains the following tables and objects:
Object Entry Field Name Description
prvtCfmUpdateInterval Time elapsed (in seconds) between updating
the monitoring parameters.
Value of 0 suspends the monitoring task and
value other than 0 resumes it.
• 20 seconds
prvtCfmStatus CFM status.
Used to enable/disable CFM.
prvtCfmStack Object containing the
prvtCfmStackTable.
prvtCfmStackTable CFM stack table.
There is one CFM stack table per bridge. It
enables retrieving information about the
Maintenance Points (MPs) configured on any
particular interface.

prvtCfmStackInterfaceName Object representing the bridge port or an
aggregated port on which Maintenance
Association End Points (MEPs) or MIP Half
Functions (MHFs) might be configured.
Upon system reload, the system SHALL, if
necessary, change the value of this variable
and rearrange the prvtCfmStackTable in such a
manner that the entry in the interface table
is indexed with the same value of ifAlias
that was used before the reload. If no
such entry exists, then the system SHALL
delete all entries in the
prvtCfmStackTable with the interface
index.
prvtCfmStackServiceIdOrNone VLAN ID to which the Maintenance Point
(MP) is attached (0 if none).
prvtCfmStackMdLevel Maintenance Domain (MD) Level of the MP.
prvtCfmStackDirection Direction in which the MP faces on the
bridge port.
prvtCfmStackMdIndex Index of the Maintenance Domain (MD) in
the prvtCfmMdTable to which the MP is
associated (0 if none).
prvtCfmStackMaIndex Index of the Maintenance Associations (MA)
in the prvtCfmMaTable to which the MP is
associated (0 if none).
prvtCfmStackMepId MEPID, if there is an MEP configured (0 if
none).
prvtCfmStackMacAddress MAC address of the MP.
prvtCfmMd Object containing the
prvtCfmMdTableNextIndex and the
prvtCfmMdTable.
prvtCfmMdTableNextIndex Object containing an unused value for the
prvtCfmMdIndex in the
prvtCfmMdTable (0 if no such value
exists).
prvtCfmMdTable Maintenance Domain (MD) table.
Each table row represents a different MD. An
MD is defined in 802.1ag (3.22) as the
network or the part of the network for which
faults in connectivity are managed. The
boundary of an MD is defined by a set of
Destination Service Access Points (DSAPs),
each of which can become a point of
connectivity to a service instance.

prvtCfmMdIndex Index to the Maintenance Domain (MD)
table.
The prvtCfmMdTableNextIndex needs
to be inspected for an available index for row
creation. Referential integrity is required, i.e.
the index has to be persistent upon a reboot
or reload of a device.
The index cannot be reused for other MDs.
The index value should keep increasing until
it wraps around. This is to
facilitate access control based on OID.
prvtCfmMdRowStatus MD RowStatus.
The writable columns in a row cannot be
modified if the row is active. All columns
must have valid values prior to activating the
row.
prvtCfmMdName Name of the MD.
The type/format of this object is determined
by the value of the prvtCfmMdNameType
object. Each MD has a unique name different
from the names used by or available to a
service provider or operator. This makes it
easier to identify the administrative
responsibility for each MD. Clause 3.24
defines an MD name as the identifier, unique
over the domain for which CFM is to protect
against accidental concatenation of service
instances, of a particular MD.
prvtCfmMdMdLevel Level of the MD.
prvtCfmMdFormat Type (and thereby the format) of the MD
name.
prvtCfmMdMhfCreation Enumerated value indicating whether the
management entity can create MHFs for the
MD.
Because in this variable there is no
encompassing MD, the value defMHFdefer
is not allowed.
prvtCfmMdMhfIdPermission Enumerated value indicating the content, if
any, to be included in the Sender ID TLV
(21.5.3) transmitted by MPs configured in
this MD.
Because in this variable there is no
encompassing MD, the value sendIdDefer
is not allowed.

prvtCfmMdMaNextIndex Value to be used as index value of the MA
table entries, prvtCfmMaTable for this
MD, when the management entity attempts to
create a new row in those tables.
prvtCfmMa Object containing the prvtCfmMaTable.
prvtCfmMaTable Maintenance Association (MA) table.
Each row in the table represents an MA. (An
MA is a set of MEPs, each configured with a
single service instance.)
The writable objects in this table have to be
persistent upon a reboot or reload of a device.
The table includes extra variables needed for
Y.1731 support and service awareness.
prvtCfmMaIndex Index of the MA table.
prvtMaNextIndex must be checked for an
available index for row creation.
prvtCfmMaRowStatus MA RowStatus
The writable columns in a row cannot be
modified if the row is active. All columns
must have valid values prior to activating the
row.
prvtCfmMaName Short Maintenance Association (SMA) name.
This name must be unique within a
maintenance domain. The type/format of this
object is determined by the value of the
prvtCfmMaNameType object.
prvtCfmMaServiceId Primary service ID attached to the MA.
prvtCfmMaVlanId Primary VLAN ID attached to the MA.
prvtCfmMaMhfCreation Object indicating whether the management
entity can create MHFs for the MA.
prvtCfmMaPermission Enumerated value indicating the content, if
any, to be included in the Sender ID TLV
(21.5.3) transmitted by MPs configured in
this MA.
prvtCfmMaFormat Type (and thereby the format) of the MA
name.
prvtCfmMaCcmInterval Time interval between the Continuity Check
Message (CCM) transmissions to be
employed by all MEPs in the MA.
prvtCfmMaAisLckEnabled Object enabling/disabling the Alarm
Indication Signal (AIS) and Ethernet Lock
Signal (LCK) features.
prvtCfmMaAisLckLevel MD level at which AIS and LCK frames will
be sent.

prvtCfmMaAisLckInterval Time interval at which AIS and LCK frames
will be sent.
prvtCfmMaAisLckPriority Class of Service (COS) parameter for the
outgoing AIS and LCK frames.
prvtCfmMaNumberOfServices Number of services attached to this MA.
prvtCfmMaClearConnectivity ID of MEPs to be cleared.
Value of 0 means all MEPs.
prvtCfmMep Object containing the following tables:
- prvtCfmMepTable
- prvtCfmLtrTable
- prvtCfmLbrTable
prvtCfmMepTable MEP table:
Each table row represents a different
MEP, which is an actively managed CFM
entity, associated with a specific DSAP of a
service instance, which can generate and
receive CFM PDUs and track responses. It is
an end point of a single MA and an endpoint
of a separate Maintenance Entity for each of
the other MEPs in the same Maintenance
Association (802.1ag clause 3.18).
The MEP uses three indices. The first two
indices are the MD and MA table indices;
since a MEP is always related to an MA and
MD.
The MEP table also stores all the managed
objects for sending Loopback Messages
(LBMs) and Link Trace Messages (LTMs).
LBM-managed objects in the MEP table
enable the management entity to initiate
transmission of LBMs. This will signal the
MEP that it should transmit a certain number
of LBMs and detect the corresponding LBMs
(or the lack thereof).
Steps to use entries in the MEP table:
1) Wait for the
prvtCfmMepTransmitLbmStatus value
to become ready. To do this, follow this
sequence:
a. Perform SNMP GET for both
SnmpSetSerialNo and
prvtCfmMepTransmitLbmStatus
objects (in same SNMP PDU).

b. Check if the value for the
prvtCfmMepTransmitLbmStatus is
ready:
- if it is not, wait x seconds, go to step a.
above.
- if it is, save the value of
SnmpSetSerialNo and proceed to step 2)
below
2) Change the
prvtCfmMepTransmitLbmStatus value
from ready to notReady to ensure that no
other management entity will use the service.
In order not to disturb any other Network
Management System (NMS), do this by
sending SNMP SET for both
SnmpSetSerialNo and
prvtCfmMepTransmitLbmStatus
objects (in the same SNMP PDU, and make
sure SnmpSetSerialNo is the first
varBind).
For the SnmpSetSerialNo varBind, use
the value that you have obtained in step 1)a.
This ensures that no two cooperating NMSs
will interfere with each other.
3) Configure data to send (number of
messages, optional TLVs, etc.).
4) Record the current values of
prvtCfmMepLbrIn,
prvtCfmMepLbrInOutOfOrder, and
prvtCfmMepLbrBadMsdu.
5) Initiate transmission of LBMs by changing
the prvtCfmMepTransmitLbmStatus
from notReady to transmit.
6) Check the value of
prvtCfmMepTransmitLbmResultOK to
find out whether the operation has been
initiated successfully.
7) Monitor the value of
prvtCfmMepTransmitLbmRemainingMessages:
when it reaches 0, this means that the last
LBM has been transmitted. Wait an
additional 5 seconds to ensure that all LBRs
are returned.

8) Compare the current prvtCfmMepLbrIn,
prvtCfmMepLbrInOutOfOrder, and
prvtCfmMepLbrBadMsdu with their old
values from step 4) above in order to obtain
the results of the test.
9) Change the
prvtCfmMepTransmitLbmStatus back
to ready to allow other management entities
to use the table.
The LTM-managed objects in the MEP table
are used in a manner similar to the one
described for the LBM transmission above.
Upon successfully initiating the transmission,
the variables
prvtCfmMepTransmitLtmSeqNumber
and
prvtCfmMepTransmitLtmEgressIdentifier
return the information needed to
recover the results of the LTM from the
prvtCfmLtrTable.
prvtCfmMepIdentifier MEP identifier. (Also known as “MEPID”.)
The MEP identifier is an integer that is
unique among all MEPs within the same MA.
Another possible definition is “a small
integer, unique over a given MA, identifying
a specific MEP (3.19)”.
prvtCfmMepRowStatus MEP RowStatus.
The writable columns in a row cannot be
modified if the row is active. All columns
must have valid values prior to activating the
row.
prvtCfmMepInterfaceName Name of the interface.
The interface can be either a bridge port, or
an aggregated IEEE 802.1 link within a
bridge port to which the MEP is attached.
prvtCfmMepDirection The direction in which the MEP faces on the
Bridge port.
prvtCfmMepActive Administrative state of the MEP.
This is a Boolean value:
- if true, the MEP is to function normally
- if false, the MEP is to cease
functioning
prvtCfmMepFngState Current state of the MEP Fault Notification
Generator State Machine.

prvtCfmMepCciEnabled Object indicating whether CCM is enabled.
If set to true, the MEP will generate CCM
messages.
prvtCfmMepCcmLtmPriority Priority value for the CCMs and LTMs
transmitted by the MEP.
prvtCfmMepMacAddress MAC address of the MEP.
prvtCfmMepLowPrDef Lowest priority defect.
The lowest priority defect that is allowed to
trigger a fault alarm. (Integer value.)
prvtCfmMepHighestPrDefect Highest priority defect.
The highest priority defect since the MEP's
Fault Notification Generator State Machine
was last in FNG_RESET state.
prvtCfmMepDefects MEP defects.
A vector of Boolean error conditions from
Table 20-1, any of which might be true.
prvtCfmMepErrorCcmLastFailure Last DefErrorCCM failure.
This is the last-received CCM that triggered
a DefErrorCCM fault.
prvtCfmMepXconCcmLastFailure Last DefXconCCM failure.
This is the last-received CCM that triggered
a DefXconCCM fault.
prvtCfmMepCcmSequenceErrors Total CCM sequence errors.
This is the total number of out-of-sequence
CCMs received from all remote MEPs.
prvtCfmMepCciSentCcms Total number of CCMs transmitted.
prvtCfmMepNextLbmTransId Next sequence number/transaction identifier
to be sent in a Loopback message.
This sequence number can be zero because it
wraps around.
prvtCfmMepLbrIn Total number of valid, in-order Loopback
Replies (LBRs) received.
prvtCfmMepLbrInOutOfOrder Total number of valid, out-of-order LBRs
received.
prvtCfmMepLbrBadMsdu Total number of LBRs received whose
mac_service_data_unit did not match
(except for the OpCode) that of the
corresponding LBM (20.2.3).
prvtCfmMepLtmNextSeqNumber Next sequence number/transaction identifier
to be sent in a Link Trace Message (LTM).
This sequence number can be zero because it
wraps around.

prvtCfmMepUnexpLtrIn Total number of unexpected Link Trace
Replies (LTRs) received (20.39.1).
prvtCfmMepLbrOut Total number of LBRs transmitted.
prvtCfmMepTransmitLbmStatus LBM transmit status
This is a Boolean flag set to true by the
bridge port to indicate that another LBM may
be transmitted. It is reset to false by the
MEP Loopback Initiator State Machine.
prvtCfmMepTransmitLbmDestMacAddress Target MAC Address Field to be transmitted:
a unicast destination MAC address.
This address will be used if the value of the
prvtCfmMepTransmitLbmDestIsMepId
column is false.
prvtCfmMepTransmitLbmDestMepId The MEPID of another MEP in the same MA
to which the LBM is to be sent.
This address will be used if the value of the
prvtCfmMepTransmitLbmDestIsMepId
column is true.
prvtCfmMepTransmitLbmDestIsMepId If true, the MEPID of the target MEP is
used for Loopback transmission.
If false, then the unicast destination MAC
address of the target MEP is used.
prvtCfmMepTransmitLbmMessages Number of Loopback messages to transmit.
prvtCfmMepTransmitLbmDataTlv An arbitrary amount of data to be included in
the Data TLV, if the Data TLV is selected to
be sent.
prvtCfmMepTransmitLbmVlanPriority LBM VLAN priority.
Three-bit value to be used in the VLAN tag,
if present in the transmitted frame.
• CCM priority
prvtCfmMepTransmitLbmVlanDropEnable Drop Enable bit value to be used in the
VLAN tag, if present in the transmitted
frame.
For more information about VLAN Drop
Enable, see IEEE 802.1ad.
prvtCfmMepTransmitLbmResultOK Result of the operation:
- if true, the LBM(s) will be (or has
been) sent
- if false, the LBM(s) will not be sent

prvtCfmMepTransmitLbmSeqNumber Loopback Transaction Identifier
(prvtCfmMepNextLbmTransId) of the
first LBM (to be) sent.
The value returned is undefined if
prvtCfmMepTransmitLbmResultOK is
false.
prvtCfmMepTransmitLtmStatus A Boolean flag set to true by the bridge
port to indicate that another LTM may be
transmitted.
To start LinkTrace:
- Verify CFM connectivity
- Set prvtCfmMepTransmitLtmTargetIsMepId
to true (if using target MEP)
- Set prvtCfmMepTransmitLtmTargetMepId
to the remote MEP ID.
- Set the prvtCfmMepTransmitLtmTimeout
(timeout for LTM packets).
- Set prvtCfmMepTransmitLtmStatus to
true.
prvtCfmMepTransmitLtmFlags Flags field for the LTMs transmitted by the
MEP.
prvtCfmMepTransmitLtmTargetMacAddress Target MAC address field to be transmitted:
a unicast destination MAC address.
This address will be used if the value of the
prvtCfmMepTransmitLtmTargetIsMepId column is false.
prvtCfmMepTransmitLtmTargetMepId Indication of the Target MAC address field to
be transmitted: the MEP ID of another MEP
in the same MA.
This address will be used if the value of the
prvtCfmMepTransmitLtmTargetIsMepId column is true.
prvtCfmMepTransmitLtmTargetIsMepId If true, the MEPID of the target MEP is
used for LinkTrace transmission.
If false, the unicast destination MAC
address of the target MEP is used for
Loopback transmission.

prvtCfmMepTransmitLtmTtl LTM TTL field.
The TTL field indicates the number of hops
remaining to the LTM. Decremented by 1 by
each LinkTrace Responder that handles the
LTM. The value returned in the LTR is 1 less
than the value received in the LTM. If the
LTM TTL is 0 or 1, the LTM is not
forwarded to the next hop and, if 0, no LTR
is generated.
• 64
prvtCfmMepTransmitLtmResult Result of the operation:
- if true, the LTM(s) will be (or has
been) sent
- if false, the LTM(s) will not be sent
prvtCfmMepTransmitLtmSeqNumber LTM transaction identifier
(prvtCfmMepLtmNextSeqNumber) of the
LTM sent.
The value returned is undefined if
prvtCfmMepTransmitLtmResult is
false.
prvtCfmMepTransmitLtmEgressIdentifier The MEP LinkTrace Initiator that is
originating this LTM or the Linktrace
Responder that is forwarding it.
The low-order six octets contain a 48-bit
IEEE MAC address unique to the system in
which the MEP Linktrace Initiator or
Linktrace Responder resides. The high-order
two octets contain a value sufficient to
uniquely identify the MEP Linktrace Initiator
or Linktrace Responder within that system.
For most bridges, the address of any MAC
attached to the bridge will suffice for the low-
order six octets, and 0 for the high-order
octets. In some situations, e.g. if multiple
virtual bridges utilizing emulated LANs are
implemented in a single physical system, the
high-order two octets can be used to
differentiate among the transmitting entities.
The value returned is undefined if
prvtCfmMepTransmitLtmResult is
false.
prvtCfmMepAlarmSupressed Boolean indicating whether an AIS or LCK
packet was received from a lower level.

prvtCfmMepAisCondition AIS condition
True upon detection of signal fail condition at
a server layer or reception of AIS at a server
(sub-) layer MEP [AIS condition/Rec. ITU-T
Y.1731]
Respectively AIS condition Exit criteria:
“During an interval equal to 3.5 times the
AIS transmission period indicated in the AIS
frames received earlier, the MEP does not
receive AIS frames or when ETH-CC is used,
upon clearing of LOC defect at MEP”
/Appendix I/Rec. ITU-T Y.1731/
If prvtCfmMaCompAisLckLevel is
configured, the MEP should send AIS
packets.
prvtCfmMepLckCondition Boolean showing if the MEP should lock the
service towards the client and send LCK
packets.
prvtCfmMepAisLifetime Lifetime of the last received AIS packet.
prvtCfmMepLckLifetime Lifetime of the last received LCK packet.
prvtCfmMepTransmitMcastLbm Boolean controlling the sending of Y.1731
multicast Loopback.
prvtCfmMepTransmitLbmInfinite Boolean controlling the sending of LBMs
continuously until the operation is explicitly
stopped by setting this option back to false.
prvtCfmMepTransmitLbmDelay Time to wait between sending LBMs (in
seconds).
prvtCfmMepTransmitLbmTimeout Time to wait after the last sent LBM if no
LBR is received (in seconds).
prvtCfmMepTransmitLtmTimeout Time to wait after the last sent LTM if no
LTR has been received (in seconds).
prvtCfmMepTransmitLbmSentPkts Number of successfully sent packets in the
current LBM session.
prvtCfmMepTransmitLbmSuccessRate Success rate of the current LBM session
(percentage*100).
prvtCfmMepTransmitLbmMinTime Minimum LBR response time (in
milliseconds).
prvtCfmMepTransmitLbmAvgTime Average LBR response time (in
milliseconds).
prvtCfmMepTransmitLbmMaxTime Maximum LBR response time (in
milliseconds).
prvtCfmMepFngAlarmTime Time to elapse before a fault alarm is
triggered (fngAlarmTime, 20.33.3) (default
2.5s).

prvtCfmMepFngResetTime Time to elapse before a fault alarm is re-
enabled (fngResetTime, 20.33.4) (default
10s).
prvtCfmMepTransmitLbmRemainingMessages Number of LBMs to be transmitted.
prvtCfmMepDbTable MEP Database.
This database is maintained by every MEP. It
stores the received information about other
MEPs in the MD.
The Structure of Management Information
(SMI) does not allow for a MIB to state that
an object in a table is an array. The solution
is to take the index (or indices) of the first
table and add one or more indices.
prvtCfmMepDbRMepIdentifier Maintenance association end point identifier
of a remote MEP whose information from the
MEP database is to be returned.
prvtCfmMepDbRMepState Operational state of the remote MEP IFF
State machines.
prvtCfmMepDbRMepFailedOkTime Time (SysUpTime) at which the IFF Remote
MEP state machine last entered either the
RMEP_FAILED or RMEP_OK state.
prvtCfmMepDbMacAddress MAC address of the remote MEP.
prvtCfmMepDbRdi State of the RDI bit in the last received CCM
(true for RDI=1), or false if none has
been received.
prvtCfmMepDbPortStatusTlv An enumerated value of the Port status TLV
received in the last CCM from the remote
MEP or the default psNoPortStateTLV
value indicating that either no CCM has been
received, or that no port status TLV was
received in the last CCM.
prvtCfmMepDbInterfaceStatusTlv An enumerated value of the Interface status
TLV received in the last CCM from the
remote MEP or the default
isNoInterfaceStatusTLV value
indicating that either no CCM has been
received, or that no interface status TLV was
received in the last CCM.
prvtCfmMepDbChassisIdSubtype Format of the chassis ID received in the last
CCM.
prvtCfmMepDbChassisId Chassis ID.
Format of this object is determined by the
value of the
prvtCfmLtrChassisIdSubtype object.

prvtCfmMepDbManAddressDomain TDomain identifying the type and format of
the related prvtCfmMepDbManAddress
object, used to access the SNMP agent of the
system transmitting the CCM. Received in
the CCM Sender ID TLV from that system.
The typical values include (but are not
limited to):
- snmpUDPDomain (from SNMPv2-TM,
RFC3417)
- snmpIeee802Domain (from SNMP-
IEEE802-TM-MIB, RFC4789)
- Value of 0.0 (from RFC2578) means
“no LTR Sender ID TLV received”; in
this case, the related object
prvtCfmMepDbManAddress must
have a zero-length octet string as a value.
prvtCfmMepDbManAddress Address that can be used to access the SNMP
agent of the system transmitting the CCM,
received in the CCM Sender ID TLV from
that system.
If the related object
prvtCfmMepDbManAddressDomain has
value of 0.0 this object
prvtCfmMepDbManAddress must have a
zero-length octet string as a value.
prvtCfmLtrTable Table extending the MEP table and
containing a list of LinkTrace replies
received by a specific MEP in response to a
LinkTrace message.
SNMP SMI does not allow a MIB to state
that an object in a table is an array. The
solution is to take the index (or indices) of
the first table and add one or more indices.
prvtCfmLtrSeqNumber Transaction Identifier / Sequence number
returned by a previous transmit LinkTrace
message command, indicating which LTM's
response is going to be returned.
prvtCfmLtrReceiveOrder Index serving to distinguish among multiple
LTRs with the same LTR Transaction
Identifier field value.
prvtCfmLtrReceiveOrder values are
assigned sequentially from 1, in the order in
which the LinkTrace initiator received the
LTRs.
prvtCfmLtrTtl Time-To-Live (TTL) field value for a
returned LTR.



prvtCfmLtrForwarded Object indicating if a LTM was forwarded by
the responding MP as returned in the
FwdYes flag of the flags field.
prvtCfmLtrTerminalMep Boolean value stating whether the forwarded
LTM has reached a MEP enclosing its MA,
as returned in the Terminal MEP flag of the
flags field.
prvtCfmLtrLastEgressIdentifier Octet field holding the Last Egress Identifier
returned in the LTR Egress Identifier TLV of
the LTR.
The Last Egress Identifier identifies the MEP
LinkTrace Initiator that originated, or the
LinkTrace Responder that forwarded, the
LTM to which this LTR is the response. This
value is the same as the value of the Egress
Identifier TLV of that LTM.
prvtCfmLtrNextEgressIdentifier Octet field holding the Next Egress Identifier
returned in the LTR Egress Identifier TLV of
the LTR.
The Next Egress Identifier identifies the
LinkTrace Responder which transmitted this
LTR, and which can forward the LTM to the
next hop. This value is the same as the value
of the Egress Identifier TLV of the
forwarded LTM, if any. If the FwdYes bit of
the flags field is false, the content of this field
is undefined (i.e. any value can be
transmitted) and the field is ignored by the
receiver.
prvtCfmLtrRelay Value returned in the Relay Action field.
prvtCfmLtrChassisIdSubtype Format of the Chassis ID returned in the
Sender ID TLV of the LTR, if any.
This value is meaningless if
prvtCfmLtrChassisId has a length of 0.
prvtCfmLtrChassisId Chassis ID returned in the Sender ID TLV of
the LTR, if any. The format of this object is
determined by the value of the
prvtCfmLtrChassisIdSubtype object.



prvtCfmLtrManAddressDomain Domain identifying the type and format of
the related prvtCfmMepDbManAddress
object, used to access the SNMP agent of the
system transmitting the LTR.
Received in the LTR Sender ID TLV from
that system. The typical values include (but
are not limited to):
• snmpUDPDomain (from SNMPv2-TM, RFC3417)
• snmpIeee802Domain (from SNMP-IEEE802-TM-MIB, RFC4789)
• Value of 0.0 (from RFC2578) indicates “no LTR Sender ID TLV received”; in this case, the related prvtCfmMepDbManAddress object must have a zero-length octet string as a value.
prvtCfmLtrManAddress Address that can be used to access the SNMP
agent of the system transmitting the CCM,
received in the CCM Sender ID TLV from
that system.
If the related
prvtCfmLtrManAddressDomain object
contains value 0.0, the
prvtCfmLtrManAddress object must
have a zero-length octet string as a value.
prvtCfmLtrIngress Value returned in the Ingress Action Field of
the LTM.
prvtCfmLtrIngressMac MAC address returned in the ingress MAC
address field.
prvtCfmLtrIngressPortIdSubtype Format of the Ingress Port ID.
prvtCfmLtrIngressPortId Ingress Port ID.
The format of this object is determined by the
value of the
prvtCfmLtrIngressPortIdSubtype
object.
prvtCfmLtrEgress Value returned in the Egress Action Field of
the LTM.
prvtCfmLtrEgressMac MAC address returned in the egress MAC
address field.
prvtCfmLtrEgressPortIdSubtype Format of the egress Port ID.



prvtCfmLtrEgressPortId Egress Port ID.
The format of this object is determined by the
value of the
prvtCfmLtrEgressPortIdSubtype
object.
prvtCfmLtrOrganizationSpecificTlv Organization-specific TLVs returned in the
LTR, if any. Includes all octets including and
following the TLV length field of each TLV,
concatenated together.
prvtCfmLbrTable Table storing the loopback results after the
last loopback operation.
prvtCfmProfile Object containing the
prvtCfmProfileTableNextIndex and
the prvtCfmProfileTable.
prvtCfmProfileTableNextIndex Object storing an unused value for the
prvtCfmProfileIndex in the
prvtCfmProfileTable or a zero to
indicate that none exist.
prvtCfmProfileTable CFM Profile table.
This is a table storing the loopback results
from all remote MEPs in the MA.
prvtCfmProfileIndex CFM Profile table index.
prvtCfmProfileRowStatus CFM Profile RowStatus.
The writable columns in a row cannot be
modified if the row is active. All columns
must have valid values prior to activating the
row.
prvtCfmProfileName Name of the profile.
prvtCfmProfilePriority 802.1p class-of-service setting.
prvtCfmProfileRate Number of Request packets to send at a time.
prvtCfmProfileSize Size of the data TLV included in probe
packets (in octets).
prvtCfmProfileBucketSize Number of results to save for the purpose of
results calculation.
prvtCfmProfile1wJitterError Error values to monitor for one-way jitter (in
milliseconds).
prvtCfmProfile1wJitterWarning Warning values to monitor for one-way jitter
(in milliseconds).
prvtCfmProfileJitterError Error values to monitor for round-trip jitter
(in milliseconds).
prvtCfmProfileJitterErrorPeriod Jitter duration (in seconds) to trigger an error
message.



prvtCfmProfileJitterWarning Warning values to monitor for round-trip
jitter (in milliseconds).
If the configured value is higher than the
jitter error, warning is disabled.
prvtCfmProfileJitterWarningPeriod Jitter duration (in seconds) to trigger a
warning message.
prvtCfmProfileFrameLossError Round-trip frame-loss error values to
monitor.
• Reporting frame-loss of 10%.
prvtCfmProfileFrameLossWarning Round-trip frame-loss warning values to
monitor.
• Reporting frame-loss of 8%.
If the configured value is higher than the
frame-loss error, warning is disabled.
prvtCfmProfileLatencyError Round-trip latency error values to monitor (in
milliseconds).
prvtCfmProfileLatencyErrorPeriod Latency duration (in seconds) that will trigger
an error.
prvtCfmProfileLatencyWarning Round-trip latency error values to monitor (in
milliseconds).
If the configured value is higher than the
latency error, warning is disabled.
prvtCfmProfileLatencyWarningPeriod Latency duration (in seconds) that will trigger
a warning.
prvtCfmProcess Object containing the
prvtCfmProcessTable and the
prvtCfmProcessResultTable.
prvtCfmProcessTable CFM Process table.
This is a table controlling the two-way
monitoring process for MEPs in the MA. It is
a private extension of the
prvtCfmMaTable.
prvtCfmProcessIndex CFM Process table index.
prvtCfmProcessRowStatus CFM Process RowStatus.
The writable columns in a row cannot be
modified if the row is active. All columns
must have valid values prior to activating the
row.
prvtCfmProcessProfileIndex Index of the monitoring profile to use.
prvtCfmProcessName Name of the process. Must be unique per
domain/MA.
prvtCfmProcessStatus Object enabling/disabling the two-way
monitoring process for MEPs in the MA.



prvtCfmProcessRepeatInterval Repeat interval of the monitoring process.
prvtCfmProcessPacketType Type of the monitoring process.
Use CFM Loopback or Y.1731 LMMs and
DMMs packets.
prvtCfmProcessUnreturnedPkts Number of requests for which a reply has not
been received. Once the time-out elapses,
these packets are counted as lost.
prvtCfmProcessResultTable Table storing the results of the monitoring
process.
prvtCfmProcessResultOneWayJitter One-way jitter (in milliseconds) calculated
for a specific remote MEP.
prvtCfmProcessResultTwoWayJitter Two-way jitter (in milliseconds) calculated
for a specific remote MEP.
prvtCfmProcessResultLatency Two-way latency (in milliseconds) calculated
for a specific remote MEP.
prvtCfmProcessResultFrameloss Two-way frame-loss (in hundredths of
percent) calculated for a specific remote
MEP.
When
prvtCfmProcessResultFrameloss has
a value of 10000, all the values of
prvtCfmProcessResultOneWayJitter,
prvtCfmProcessResultTwoWayJitter,
and prvtCfmProcessResultLatency are
irrelevant.


CFM Configuration Example


In the following example, a domain MA is created for a VLAN and port 1/1/1 is
added as a MEP to the specified MA.

Configuration via CLI


1. Enable CFM:
device-name#config terminal
device-name(config)#oam cfm
device-name(config-cfm)#no shutdown

2. Create the domain_1 domain:


device-name(config-cfm)#domain-name domain_1 level 1

3. Create ma_1 MA:


device-name(config-domain-name-domain_1)#ma ma_1 vlan 10

4. Create a MEP:
device-name(config-ma-ma_1)#mep 1 1/1/1
device-name(config-mep-1/1/1/1)#direction down
device-name(config-mep-1/1/1/1)#ccm-enabled
device-name(config-mep-1/1/1/1)#no shutdown
device-name(config-mep-1/1/1/1)#commit
Commit complete.
device-name(config-mep-1/1/1/1)#

Configuration via SNMP


1. Enable CFM:
prvtCfmStatus.0 1

2. Create domain_1 domain:


get prvtCfmMdTableNextIndex.0 (gauge) 1
prvtCfmMdRowStatus.1 5
prvtCfmMdMdLevel.1 5
prvtCfmMdName.1 domain_1
prvtCfmMdRowStatus.1 1


3. Create ma_1 MA:


get prvtCfmMdMaNextIndex.1 (gauge) 1
prvtCfmMaRowStatus.1.1 5
prvtCfmMaName.1.1 ma_1
prvtCfmMaVlanId.1.1 251
prvtCfmMaRowStatus.1.1 1

4. Create a MEP with ID 105:


prvtCfmMepRowStatus.1.1.105 5
prvtCfmMepDirection.1.1.105 1
prvtCfmMepInterfaceName.1.1.105 1/2/1
prvtCfmMepCciEnabled.1.1.105 1
prvtCfmMepActive.1.1.105 1
prvtCfmMepRowStatus.1.1.105 1

Retrieving Manufacturing Details via SNMP

MIB Architecture: PRVT-SWITCH-MIB


The private Switch MIB is used for managing the internal device parameters
and contains additional configuration options and device information.
The manufacturing details are retrieved from the sysManufacturing table of
the MIB.
The sysManufacturing table contains the following objects:
Object Entry Field Name Description
sysSerialNumber The device’s serial number as assigned by
the manufacturer.
sysAssemblyNumber Object specifying the equipment
assembly number.
sysPartNumber Object specifying the equipment part
number.
sysCLEI Object specifying the common language
equipment identification.
sysHwRevision Object specifying the hardware revision.
sysManufacturingDate Object specifying the manufacturing date.
sysHwSubRevision Object specifying the hardware sub-
revision.
sysBaseMacAddress Base MAC address of the device.



Examples

Retrieving via CLI


Display manufacturing details using the show system manufacturing-
details command:
device-name#show system manufacturing-details

===============================
System Manufacturing-Details
===============================
Serial number: 0309342504
Assembly No: AL001392
Part number: 2
CLEI:
HW revision: 02
HW subrevision:
Date: 30/09/2009
Base MAC addr: 00:a0:12:64:08:60

Retrieving via SNMP


Retrieve manufacturing details using SNMP query:
**** SNMP QUERY STARTED *****
1: sysSerialNumber.0 (octet string) 0309342504
[30.33.30.39.33.34.32.35.30.34 (hex)]
2: sysAssemblyNumber.0 (octet string) AL001392
[41.4C.30.30.31.33.39.32 (hex)]
3: sysPartNumber.0 (octet string) 2 [54.4D.58.47 (hex)]
4: sysCLEI.0 (octet string) (zero-length)
5: sysHwRevision.0 (octet string) 02 [30.32 (hex)]
6: sysManufacturingDate.0 (octet string) 30/09/2009
[33.30.2F.30.39.2F.32.30.30.39 (hex)]
7: sysHwSubRevision.0 (octet string) (zero-length)
8: sysBaseMacAddress.0 (octet string) 00:a0:12:64:08:60
***** SNMP QUERY FINISHED *****


Notification Argument Values


Table 12-1: List of Notification Argument Values

Argument Value Description


authenticationFailure The SNMP entity, acting as an Agent, received
a protocol message that is not properly
authenticated. The authentication method
depends on the version of SNMP that is used.
• For SNMPv1 and SNMPv2c, authentication failure occurs for packets with an incorrect community string.
• For SNMPv3, authentication failure occurs for packets with an incorrect SHA/MD5 authentication key or for a packet that is outside of the SNMP engine’s time window.
The generation of authenticationFailure can
also be controlled by the authentication-
failure-trap command.
cpuTemperatureExceeded The sending Agent senses that the internal
temperature exceeded the programmed threshold.
cpuUtilizationExceeded The sending Agent senses that the CPU
utilization exceeded the programmed threshold.
fansTest The sending Agent senses that one of the fans
changed its status. The trap should be sent once
the BiST status of the fan test changes, or when
the fan is removed/plugged in.
linkup The SNMP entity, acting as an Agent, detected
that the ifOperStatus object for one of its
communication links left the down state and
transitioned into another state (but not into the
notPresent state). The other state is indicated by
the included value of ifOperStatus.
linkDown The SNMP entity, acting as an Agent, detected
that the ifOperStatus object for one of its
communication links entered the down state
from some other state (but not from the
notPresent state). This other state is indicated
by the included value of ifOperStatus.
powerSupplyTest The sending Agent senses that one of the
power supplies changed its status. The trap
should be sent once the BiST status of the
power supply test changes.
ramFreeSpaceExceeded The sending Agent senses that the internal
amount of free RAM is lower than a
programmed threshold.



sapCreated This trap is sent when a new row is created in
the sapBaseInfoTable.
sapDeleted This trap is sent when an existing row is
deleted from the sapBaseInfoTable.
sapStatusChanged This trap is generated when there is a change in
the administrative or operating status of an
SAP.
sdpCreated This trap is sent when a new row is created in
the sdpInfoTable.
sdpDeleted This trap is sent when an existing row is
deleted from the sdpInfoTable.
sdpStatusChanged This trap is generated when a change occurred
in the administrative or operating status of an
SDP.
svcCreated This trap is sent when a new row is created in
the svcBaseInfoTable.
svcDeleted This trap is sent when an existing row is
deleted from the svcBaseInfoTable.
svcStatusChanged This trap is generated when a change occurs in
the administrative or operating status of a
service.
prvtConfigChangeAlarm Notification generated when the value of a
configurable attribute has been changed. It can
be used to trigger maintenance polling of the
running configuration on the device. One of the
varbinds points either to the entry of the modified
table (configChangeAlarmRow) or to the OID
of the modified scalar object.
portStatisticsTestPassed Sent when the port statistics test passes
successfully.
portStatisticsTestFailed Sent when the port statistics test fails.
powerSupplyFansTest Sent when the results of the
powerSupplyFansTest change.
onBoardPowerSupplyTest Sent when the results of the
onBoardPowerSupplyTest change.
portSecurityViolation Indicates that a port security violation has been
detected, such as when the number of MAC
addresses that have been learned on that port has
exceeded the number allowed.
sfpPlugged Indicates an SFP has been plugged.
sfpUnPlugged Indicates a connected SFP has been unplugged.


Troubleshooting and Monitoring via SNMP
This chapter covers retrieving interface management information and managing
the system resources.
For additional information, refer to the Troubleshooting and Monitoring
chapter of this User Guide.

MIB Architecture: PRVT-SYS-MON-MIB


The MIB contains settings for system monitoring and the periodic system self-
tests.

NOTE: All objects in the PRVT-SYS-MON-MIB related to system monitoring
reside under the prvtSysMonObjects node. Laser monitoring is not
currently supported, so the laserMonitoring child node of
prvtSysMonObjects is not used and therefore is not listed in the table
that follows. Also, the prvtSysMonNotifications node, containing the
system monitoring notifications, is listed in the Notifications section
below.

The prvtSysMonObjects node contains the following tables and objects:


Object Entry Field Name Description
sysMonValues Object identifier node containing nodes related to
the power supply unit (PSU) status, fan status, and
system temperature.
monHardwarePSStatus The current status of the system's PSUs.
Each OCTET stores the status of one power supply
or if supported, a status of its corresponding PSU
fan.
The states an octet can indicate are as follows:
0 - PSU not installed.
1 - PSU installed but does not function correctly.
2 - PSU installed and working OK.
Some devices can also display the status of the
PSU fan. All devices that support monitoring of
their PSU fan status display that status in a series of
octet pairs. The octet for the PSU fan status is
displayed immediately after the PSU status octet.



monHardwareFanStatus The current status of the system fan(s).
Each octet stores the status of one fan as follows:
0 – The fan has stopped.
1 - Fan failed
2 - Fan OK
monHardwareTemperature The internal temperature of the unit in degrees
Celsius.
sysMonConfig Object identifier node containing the system
monitoring configuration table
(sysMonConfigTable).
sysMonConfigTable Table configuring the periodic monitoring
parameters.
sysMonIndicator Enumeration.
The available values are:
1 - cpuUsage(1)
2 - ramUsage(2)
3 - powerSupply(3)
4 - onboardPower(4)
5 - fan(5)
6 - temperature(6)
8 - portStatistics(8)
9 - powerSupplyFan(9)
sysMonEnable System monitoring enabled/disabled.
sysMonPeriod Configures the monitoring period in seconds.
sysMonTrap System monitoring trap enabled/disabled.
sysMonLog System monitoring log enabled/disabled.
sysMonLed System monitoring LED indicator enabled/disabled.
sysMonDefaults Reloads the default system monitoring settings.
Configure to 1 to reset all configurations to their
defaults.
The available values are:
1 - noop(1)
2 - execute(2)
• 1 - noop (name)
sysMonThresholdHigh The upper threshold setting.
sysMonThresholdLow The lower threshold setting.



sysMonRunOnce Configures the system to execute a one-time self-test.
The available values are:
1 - noop(1)
2 - execute(2)
Setting this object to execute(2) causes all tests in
sysMonConfigTable to be immediately executed
once. Note that this causes a test to be run regardless
of whether its sysMonEnable field is set to Enable or
Disable.
The results of the test are displayed in the
sysMonStatusTable.
A GET on this object always returns noop(1).
sysMonRunOnceStatus Object displaying the status of the last execute
command sent to sysMonRunOnce.
The available values are:
1 - notStarted(1)
2 - inProgress(2)
3 - success(3)
4 - error(4)
Value descriptions:
• not-started(1) – the test has not been manually executed since start-up
• in-progress(2) – the test is still being performed
• success(3) – the test has been performed successfully.
• error(4) – the test has not been performed due to an internal error in the software
sysMonStatus Object identifier node containing the table with the
statuses of the periodic monitoring tests (the
sysMonStatusTable).
sysMonStatusTable This table contains status information concerning the
periodic monitoring tests. Note that these tests can
be executed either automatically at pre-defined
periods of time as configured in the
sysMonConfigTable or can be run manually using
sysMonRunOnce.
sysMonSubIndex Sub-index of the sysMonStatusTable used to
indicate a sub-component of a test. This sub-index is
test-dependent.
This sub-index can be used to indicate a device
number (e.g. a PSU number or fan number) or a
port's ifIndex, etc.
For those tests which do not have a sub-component,
index value of 0 is used.



sysMonTestResult Result of the most recently run test.
sysMonTestQuantity Quantitative measure (rate) of the test result if
applicable.
For example, system temperature is rated in degrees,
CPU usage is rated in percentage of maximum load,
etc. Not applicable to tests that return only OK/failed
statuses.

Examples of System Monitoring

Displaying the Self-Test Results via CLI


Type the show system self-test full command:
device-name#show system self-test full

CPU Temperature Test

Status : PASSED
Measure : 39 C

CPU Resources Test

Status : PASSED
Measure : 8 %

Fan Test

Status : PASSED

On-Board Power Test

Status : PASSED

Port Statistics Test

Status : Passed
Measure : 0 %

Power Supply Test

Status : PS1 PRESENT, PS2 NOT PRESENT

Power Supply Fans Test

Status : PS1 FAN OK

RAM Resources Test

Status : PASSED
Measure : 49 %

device-name#


Displaying the Self-Test Results via SNMP


Start an SNMP query:
***** SNMP QUERY STARTED *****
1: monHardwarePSStatus.0 (octet string) 02.02.00.00 (hex)
2: monHardwareFanStatus.0 (octet string) 02.02.02 (hex)
3: monHardwareTemperature.0 (integer) 39
4: sysMonEnable.1 (integer) disable(2)
5: sysMonEnable.2 (integer) disable(2)
6: sysMonEnable.3 (integer) disable(2)
7: sysMonEnable.4 (integer) disable(2)
8: sysMonEnable.5 (integer) disable(2)
9: sysMonEnable.6 (integer) disable(2)
10: sysMonEnable.8 (integer) disable(2)
11: sysMonEnable.9 (integer) disable(2)
12: sysMonPeriod.1 (integer) 60
13: sysMonPeriod.2 (integer) 60
14: sysMonPeriod.3 (integer) 60
15: sysMonPeriod.4 (integer) 60
16: sysMonPeriod.5 (integer) 60
17: sysMonPeriod.6 (integer) 60
18: sysMonPeriod.8 (integer) 60
19: sysMonPeriod.9 (integer) 60
20: sysMonTrap.1 (integer) disable(2)
21: sysMonTrap.2 (integer) disable(2)
22: sysMonTrap.3 (integer) disable(2)
23: sysMonTrap.4 (integer) disable(2)
24: sysMonTrap.5 (integer) disable(2)
25: sysMonTrap.6 (integer) disable(2)
26: sysMonTrap.8 (integer) disable(2)
27: sysMonTrap.9 (integer) disable(2)
28: sysMonLog.1 (integer) disable(2)
29: sysMonLog.2 (integer) disable(2)
30: sysMonLog.3 (integer) disable(2)
31: sysMonLog.4 (integer) disable(2)
32: sysMonLog.5 (integer) disable(2)
33: sysMonLog.6 (integer) disable(2)
34: sysMonLog.8 (integer) disable(2)
35: sysMonLog.9 (integer) disable(2)
36: sysMonLed.1 (integer) disable(2)
37: sysMonLed.2 (integer) disable(2)
38: sysMonLed.3 (integer) disable(2)
39: sysMonLed.4 (integer) disable(2)
40: sysMonLed.5 (integer) disable(2)
41: sysMonLed.6 (integer) disable(2)
42: sysMonLed.8 (integer) disable(2)
43: sysMonLed.9 (integer) disable(2)
44: sysMonDefaults.1 (integer) noop(0)
45: sysMonDefaults.2 (integer) noop(0)
46: sysMonDefaults.3 (integer) noop(0)
47: sysMonDefaults.4 (integer) noop(0)
48: sysMonDefaults.5 (integer) noop(0)
49: sysMonDefaults.6 (integer) noop(0)
50: sysMonDefaults.8 (integer) noop(0)
51: sysMonDefaults.9 (integer) noop(0)
52: sysMonThresholdHigh.1 (integer) 75 [75]
53: sysMonThresholdHigh.2 (integer) 90 [90]
54: sysMonThresholdHigh.3 (integer) 0 [0]
55: sysMonThresholdHigh.4 (integer) 0 [0]
56: sysMonThresholdHigh.5 (integer) 0 [0]
57: sysMonThresholdHigh.6 (integer) 70 [70]
58: sysMonThresholdHigh.8 (integer) 0 [0]
59: sysMonThresholdHigh.9 (integer) 0 [0]
60: sysMonThresholdLow.1 (integer) 0 [0]
61: sysMonThresholdLow.2 (integer) 0 [0]


62: sysMonThresholdLow.3 (integer) 0 [0]


63: sysMonThresholdLow.4 (integer) 0 [0]
64: sysMonThresholdLow.5 (integer) 0 [0]
65: sysMonThresholdLow.6 (integer) -3 [-3]
66: sysMonThresholdLow.8 (integer) 0 [0]
67: sysMonThresholdLow.9 (integer) 0 [0]
68: sysMonRunOnce.0 (integer) noop(1)
69: sysMonRunOnceStatus.0 (integer) notStarted(1)
70: sysMonTestResult.1.0 (integer) passed(1)
71: sysMonTestResult.2.0 (integer) passed(1)
72: sysMonTestResult.3.0 (integer) passed(1)
73: sysMonTestResult.4.0 (integer) passed(1)
74: sysMonTestResult.5.0 (integer) passed(1)
75: sysMonTestResult.6.0 (integer) passed(1)
76: sysMonTestResult.8.0 (integer) passed(1)
77: sysMonTestResult.9.0 (integer) passed(1)
78: sysMonTestQuantity.1.0 (integer) 3
79: sysMonTestQuantity.2.0 (integer) 42
80: sysMonTestQuantity.3.0 (integer) 0
81: sysMonTestQuantity.4.0 (integer) 0
82: sysMonTestQuantity.5.0 (integer) 0
83: sysMonTestQuantity.6.0 (integer) 40
84: sysMonTestQuantity.8.0 (integer) 0
85: sysMonTestQuantity.9.0 (integer) 0
***** SNMP QUERY FINISHED *****
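
The following Python sketch is an added example, not part of the original manual. It parses an excerpt of the query output above, decodes monHardwarePSStatus and monHardwareFanStatus with the octet codes from the tables in this chapter, and lists the indicators whose periodic test, trap or log is disabled. It assumes the PSU octets are reported as PSU/fan pairs and that the PSU-fan octet uses the same codes as monHardwareFanStatus; the function names are illustrative.

```python
import re

# Enumerations and octet codes as listed in the PRVT-SYS-MON-MIB tables above.
INDICATORS = {1: "cpuUsage", 2: "ramUsage", 3: "powerSupply", 4: "onboardPower",
              5: "fan", 6: "temperature", 8: "portStatistics", 9: "powerSupplyFan"}
PSU_STATES = {0: "not installed", 1: "installed, not functioning correctly",
              2: "installed and working OK"}
FAN_STATES = {0: "stopped", 1: "failed", 2: "OK"}

# Excerpt of the query output shown above (indicators 1 and 6 only).
SAMPLE_DUMP = """\
***** SNMP QUERY STARTED *****
1: monHardwarePSStatus.0 (octet string) 02.02.00.00 (hex)
2: monHardwareFanStatus.0 (octet string) 02.02.02 (hex)
4: sysMonEnable.1 (integer) disable(2)
9: sysMonEnable.6 (integer) disable(2)
20: sysMonTrap.1 (integer) disable(2)
25: sysMonTrap.6 (integer) disable(2)
28: sysMonLog.1 (integer) disable(2)
33: sysMonLog.6 (integer) disable(2)
***** SNMP QUERY FINISHED *****
"""

# "<n>: <object>.<instance> (<syntax>) <value>"
VARBIND_RE = re.compile(r"^\s*\d+:\s+(\w+)\.([\d.]+)\s+\(([^)]+)\)\s+(.*\S)\s*$")


def parse_dump(text):
    """Return {(object_name, instance): raw_value} for every varbind line."""
    values = {}
    for line in text.splitlines():
        match = VARBIND_RE.match(line)
        if match:  # banner lines and wrapped hex continuations do not match
            name, instance, _syntax, raw = match.groups()
            values[(name, instance)] = raw
    return values


def decode_octets(raw):
    """'02.02.00.00 (hex)' -> [2, 2, 0, 0]."""
    return [int(octet, 16) for octet in raw.split()[0].split(".")]


def decode_psu_status(raw, paired_with_fan):
    """Decode monHardwarePSStatus, one octet per PSU or one PSU/fan pair per PSU."""
    octets = decode_octets(raw)
    step = 2 if paired_with_fan else 1
    if len(octets) % step:
        raise ValueError("odd number of octets in a paired PSU/fan status string")
    units = []
    for number, i in enumerate(range(0, len(octets), step), start=1):
        unit = {"psu": number,
                "state": PSU_STATES.get(octets[i], f"unknown({octets[i]})")}
        if paired_with_fan:
            # Assumption: the PSU-fan octet uses the monHardwareFanStatus codes.
            unit["fan"] = FAN_STATES.get(octets[i + 1], f"unknown({octets[i + 1]})")
        units.append(unit)
    return units


def decode_fans(raw):
    """Decode monHardwareFanStatus, one octet per system fan."""
    return [FAN_STATES.get(o, f"unknown({o})") for o in decode_octets(raw)]


def monitoring_gaps(values):
    """Map each indicator to the sysMon* switches reported as disable(2)."""
    gaps = {}
    for (name, instance), raw in values.items():
        if name in ("sysMonEnable", "sysMonTrap", "sysMonLog"):
            if raw.split("(")[0] == "disable":
                indicator = INDICATORS.get(int(instance), f"indicator {instance}")
                gaps.setdefault(indicator, []).append(name)
    return gaps


def report(text, paired_with_fan=True):
    """Combine hardware status and monitoring gaps for one query dump."""
    values = parse_dump(text)
    return {
        "psu": decode_psu_status(values[("monHardwarePSStatus", "0")], paired_with_fan),
        "fans": decode_fans(values[("monHardwareFanStatus", "0")]),
        "monitoring_gaps": monitoring_gaps(values),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_DUMP).items():
        print(key, value)
```

An indicator that appears in the gaps list with sysMonTrap and sysMonLog disabled raises no trap and writes no log entry when its threshold is crossed, so the list is a quick check of what the device will not report.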

Supported Standards, MIBs, and RFCs

Feature: Device Administration via SNMP
Standards: No standards are supported by this feature
MIBs: Private MIB: PRVT-INTERWORKING-OS-MIB.mib
RFCs: No RFCs are supported by this feature

Feature: Configuration Management via SNMP
Standards: No standards are supported by this feature
MIBs: Private MIB: PRVT-CONFIGCHANGE-MIB
RFCs: No RFCs are supported by this feature

Feature: Fast Ethernet and Giga Ethernet Port via SNMP
Standards:
• IEEE 802.3 Ethernet
• IEEE 802.3u Fast Ethernet
• IEEE 802.3x Flow Control
• IEEE 802.3z Gigabit Ethernet
MIBs: Public MIBs: RFC 1213 (Interface table and ConfigL2Iface Table); Private MIB, PRVT-SWITCH-MIB.mib
RFCs: RFC 2863, The Interfaces Group MIB (Interface table and ConfigL2IfaceTable)

Feature: LAGs via SNMP
Standards: IEEE 802.3ad
MIBs: Private MIB, PRVT-PORTS-AGGREGATION-MIB.mib
RFCs: No RFCs are supported by this feature

Feature: Resilience Links via SNMP
Standards: No standards are supported by this feature
MIBs: Private MIB, PRVT-RESILIENT-LINK-MIB.mib
RFCs: No RFCs are supported by this feature

Feature: MAC Security via SNMP
Standards: No standards are supported by this feature
MIBs: Private MIB, prvtMacSecurityMib
RFCs: No RFCs are supported by this feature

Feature: VLANs via SNMP
Standards:
• IEEE 802.1Q-1998
• IEEE 802.1Q-2003
• IEEE 802.1P
• IEEE 802.1u-2001
MIBs: IEEE 802.1Q Public MIB, qBridgeMIB.mib
RFCs: No RFCs are supported by this feature

Feature: 802.1ag Connectivity Fault Management (CFM)
Standards: IEEE 802.1ag-2007 (draft 8.1)—Virtual Bridged Local Area Networks (Amendment 5: Connectivity Fault Management). Connectivity Fault Management—An Update on Bridging Technologies (IEEE Tutorial, July 18, 2005).
MIBs: Public MIB, IEEE8021-CFM-MIB; Private MIB, PRVT-CFM-MIB.mib. These MIBs are used for the Connectivity Fault Management (CFM) module for managing IEEE 802.1ag.
RFCs: RFC 2544, Benchmarking Methodology for Network Interconnect Devices

Feature: Retrieving Manufacturing Details via SNMP
Standards: No standards are supported by this feature
MIBs: Private MIB, PRVT-SWITCH-MIB.mib
RFCs: No RFCs are supported by this feature

Feature: Troubleshooting and Monitoring via SNMP
Standards: No standards are supported by this feature
MIBs: Private MIB: PRVT-SYS-MON-MIB.mib
RFCs: No RFCs are supported by this feature



13
Remote Monitoring (RMON)

Overview
Remote Monitoring (RMON) is a standard monitoring specification that
enables network monitors and console systems to exchange network-
monitoring data. RMON provides network administrators with more freedom
in selecting network-monitoring probes and consoles with features that meet
their particular networking needs.
The RMON specification defines a set of statistics and functions that can be
exchanged between RMON-compliant console managers and network probes.
The RMON Ethernet statistics group provides traffic and error statistics
including a total count of different frame types and sizes passing through each
port.


RMON Commands

RMON Commands’ Hierarchy


+ root

- show [port UU/SS/PP] rmon statistics [etherStatsBroadcastPkts |


etherStatsCollisions | etherStatsCRCAlignErrors |
etherStatsDropEvents | etherStatsFragments | etherStatsJabbers
| etherStatsMulticastPkts | etherStatsOctets |
etherStatsOversizePkt | etherStatsPkts |
etherStatsPkts1024to1518Octets | etherStatsPkts128to255Octets
| etherStatsPkts256to511Octets | etherStatsPkts512to1023Octets
| etherStatsPkts64Octets | etherStatsPkts65to127Octets |
etherStatsUndersizePkts]

RMON Commands’ Descriptions


Table 13-1: RMON Commands

Command Description
root Operational mode
show [port UU/SS/PP] rmon statistics [etherStatsBroadcastPkts |
etherStatsCollisions | etherStatsCRCAlignErrors |
etherStatsDropEvents | etherStatsFragments | etherStatsJabbers
| etherStatsMulticastPkts | etherStatsOctets |
etherStatsOversizePkt | etherStatsPkts |
etherStatsPkts1024to1518Octets | etherStatsPkts128to255Octets
| etherStatsPkts256to511Octets | etherStatsPkts512to1023Octets
| etherStatsPkts64Octets | etherStatsPkts65to127Octets |
etherStatsUndersizePkts]
Displays the RMON statistics table.
Optionally, you can display statistics for a specific port or for all
ports (see the following table).
• port UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• RMON statistics collection is enabled. Statistics are refreshed every
60 seconds.


Table 13-2: Counters Displayed by the show rmon statistics Command

Counter Description
etherStatsBroadcastPkts The total number of good broadcast
packets received. Note that this does not
include multicast packets.
etherStatsCollisions The total number of collisions on this
Ethernet segment.
etherStatsCRCAlignErrors The number of CRC/alignment errors
(FCS or alignment errors).
etherStatsDropEvents The total number of events in which
packets are dropped due to lack of
resources.
etherStatsFragments The total number of frames received
that are less than 64 bytes in length
(excluding framing bits, but including
FCS bytes) and have either an FCS or
alignment error.
etherStatsJabbers The total number of frames received
that are longer than 1518 bytes
(excluding framing bits, but including
FCS bytes), and have either an FCS or
alignment error.
etherStatsMulticastPkts The total number of good multicast
packets received.
etherStatsOctets The total number of octets of data
(including those in bad packets)
received on the network (excluding
framing bits but including FCS octets).
etherStatsOversizePkt The total number of frames received
that are longer than 1518 bytes
(excluding framing bits, but including
FCS bytes) and are otherwise well
formed (valid CRC).
etherStatsPkts The total number of packets (including
bad packets, broadcast packets, and
multicast packets) received.
etherStatsPkts1024to1518Octets
etherStatsPkts128to255Octets
etherStatsPkts256to511Octets
etherStatsPkts512to1023Octets
etherStatsPkts65to127Octets The total number of frames (including
bad packets) received and transmitted
where the number of bytes fall within
the specified range (excluding framing
bits but including FCS bytes).

etherStatsPkts64Octets The total number of frames (including
bad packets) received and transmitted
that are 64 bytes in length (excluding
framing bits but including FCS bytes).
etherStatsUndersizePkts The total number of frames received
that are less than 64 bytes long
(excluding framing bits, but including
FCS bytes) and are otherwise well
formed (valid CRC).

Supported Standards, MIBs, and RFCs
Feature: Remote Monitoring (RMON)
Standards: No standards are supported by this feature.
MIBs: Public MIBs: RMON-MIB.mib
RFCs: RFC 1271, Remote Network Monitoring Management Information Base;
RFC 3273, Remote Network Monitoring Management Information Base for High
Capacity Networks

14
System Logs

Overview
The application software provides system log messages that are useful to the
system administrator for troubleshooting problems in the network:
• The console log routes system messages to a local or remote console, or to
the system memory buffer
• Message logging is configurable (for example: what severity levels and
where the log is sent)

System Logs Message Format


The logging subsystem takes messages initiated by various software processes
within the application software, formats the messages, and writes them to the
appropriate log files. These messages come from a local facility or module (a
hardware device, protocol, or process within the system software).
The logging subsystem:
• provides logging information for monitoring and troubleshooting
• allows configuration of the types of logging information to be captured and
the destination (log file or other devices)
• includes system log messages
The system message is stored and displayed based on the following format:
DATE TIME SEVERITY PROCESS MESSAGE-TEXT


Table 14-1: System Message Fields

Keyword Description
DATE and TIME Indicates when the message is issued
SEVERITY The literal message’s severity level
PROCESS The name of a system process that generated the
message
MESSAGE-TEXT The textual content of the message

Example

Jan 1 00:55:13 10 local3.info Dot3Ah: DOT3AH : Link down on port 1/1/1

Settings and Values

Severity Levels
Trap level for logging should be configured per receiver (buffer, CLI console,
SSH console, and Syslog server) and per severity.
By default, the buffer is disabled and it does not store any LOG messages.
To configure the level of the trap message logging filter, use the log buffer
severity command.

Table 14-2: Severity Levels

Severity Level Keyword Description


0 emergency Internal error occurred. The device reached a crash
state and cannot continue to operate.
1 alert Immediate action needed. The device might operate
incorrectly.
2 critical Internal error or non-supported event occurred.
3 error Error condition (for example, error messages about
software or hardware malfunctions).
4 warning Warning condition.
5 notice Normal but significant condition (for example,
interface up/down transitions and system restart
messages).
6 info Informational message only (for example, reload
requests and low-process stack messages).
7 debug Debug level messages.


Syslog Facility
A Syslog facility is a setting for the remote Syslog server.

Table 14-3: Syslog Message Facilities

Keyword Description
alert Log alert
audit Log audit
auth Security/authorization messages
clock Clock daemon
cron Messages generated internally by Syslog
daemon System daemons
ftp FTP daemon
local0 Local use 0 (local0)
local1 Local use 1 (local1)
local2 Local use 2 (local2)
local3 Local use 3 (local3)
local4 Local use 4 (local4)
local5 Local use 5 (local5)
local6 Local use 6 (local6)
local7 Local use 7 (local7)
lpr Line printer subsystem
mail Mail system
news Network news subsystem
ntp NTP subsystem
security Security/authorization messages
syslog Messages generated internally by Syslog
user User-level messages
uucp UUCP subsystem

NOTE: Some operating systems use facilities alert, audit, and auth for
security/authorization and audit/alert messages.


System Log Commands

System Log Commands’ Hierarchy


+ root
+ config terminal
- [no] log cli-console severity <severity level>
- [no] log ssh-console severity <severity level>
- [no] log buffer severity <severity level>
- [no] log telnet-console severity <severity level>
+ [no] log syslog-server A.B.C.D
- [no] facility <facility level>
- severity <severity level>
- show syslog
- show syslog displaylevel <level>
- show syslog message [level <severity level> | process PROCESS |
text NAME | timestamp NAME] [displaylevel <level>]

System Log Commands’ Descriptions


Table 14-4: System Log Commands

Command Description
config terminal Enters the Configuration mode
log cli-console severity Displays system log messages on the
<severity level> CLI console that is attached to the COM
port:
• severity level: refer to the
Keyword column of Table 14-2.
Zero (0) is the highest
severity, and 7 is the lowest
severity. When you specify a
severity level, logging
output of the specified level
and all lower levels (higher
severities) is enabled
no log cli-console Stops the log output to the CLI console
log ssh-console severity Displays system log messages on the
<severity level> SSH console:
• severity level: refer to
Keyword column of Table 14-2
no log ssh-console Stops the log output to the SSH console

log telnet-console severity Displays system log messages on the
<severity level> Telnet console:
• severity level: refer to
Keyword column of Table 14-2
no log telnet-console Stops the log output to the Telnet
console
log buffer severity <severity Copies system log messages to an
level> internal buffer:
• severity level: refer to
Keyword column of Table 14-2
• Syslog buffer size is 2000 messages
no log buffer Restores to default
log syslog-server A.B.C.D Enables remote logging using the Syslog
server facility:
• A.B.C.D: the IP address of
the Syslog server
no log syslog-server A.B.C.D [facility] Disables the remote logging
facility <facility level> Configures the facility level:
• facility level: refer to
Keyword column of Table
14-3
no facility Removes the configured facility level
severity <severity level> Configures the severity level:
• severity level: refer to
Keyword column of Table 14-2
show syslog Displays the logging configuration
show syslog displaylevel <level> Displays the detailed logging level
configuration:
• level: in the range of
<0-64>
show syslog message [level <severity level> | process PROCESS | text NAME |
timestamp NAME] [displaylevel <level>] Displays the detailed logging message
configuration:
• severity level: refer to Keyword column of Table 14-2
• PROCESS: the name of the process to filter on
• NAME: the text name
• NAME: the timestamp name
• level: in the range of <0-64>


Configuration Example
The following example shows how to enable system log messages at different
severity levels for the console port, an SSH session, and the Syslog
buffer.
1. Enable logging on the console port with severity level critical:
device-name#configure terminal
device-name(config)#log cli-console severity critical
device-name(config)#commit
Commit complete.

2. Enable logging to SSH with severity level debug:


device-name(config)#log ssh-console severity debug
device-name(config)#commit
Commit complete.

3. Enable logging to a Syslog buffer with severity level info:


device-name(config)#log buffer severity info
device-name(config)#commit
Commit complete.
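
The following Python sketch parses lines in the DATE TIME SEVERITY PROCESS MESSAGE-TEXT layout and applies the receiver severity rule described above (the configured level and all higher severities pass). It is an added example, not part of the manual or the device software; the token between TIME and the facility.severity pair is treated as an opaque field, the RFC 3164 PRI mapping covers only the local0 to local7 keywords, and all sample lines except the first are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity keywords and numeric levels, from Table 14-2.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# RFC 3164 facility codes for the local-use keywords of Table 14-3.
# The other keywords of that table are deliberately not mapped here.
LOCAL_FACILITY = {f"local{i}": 16 + i for i in range(8)}

# DATE TIME [extra] FACILITY.SEVERITY PROCESS: MESSAGE-TEXT
# The manual's example carries one token ("10") between TIME and the
# facility.severity pair. Its meaning is not documented, so it is
# accepted as an optional opaque field (assumption).
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<extra>\S+)\s+)?"
    r"(?P<facility>[a-z][a-z0-9]*)\.(?P<severity>[a-z]+)\s+"
    r"(?P<process>[^\s:]+):\s*"
    r"(?P<text>.*)$"
)


@dataclass
class LogRecord:
    date: str
    time: str
    facility: str
    severity: int  # numeric level, 0 (emergency) to 7 (debug)
    process: str
    text: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one log line; return None for malformed or unknown input."""
    m = LINE_RE.match(line.strip())
    if m is None or m["severity"] not in SEVERITY:
        return None
    return LogRecord(m["date"], m["time"], m["facility"],
                     SEVERITY[m["severity"]], m["process"], m["text"])


def passes(threshold: str, record: LogRecord) -> bool:
    """Receiver filter: the configured level and every higher severity
    (numerically lower or equal) is logged."""
    return record.severity <= SEVERITY[threshold]


def rfc3164_pri(record: LogRecord) -> Optional[int]:
    """PRI value (facility * 8 + severity) for local-use facilities."""
    code = LOCAL_FACILITY.get(record.facility)
    return None if code is None else code * 8 + record.severity


def select(lines: List[str], threshold: str) -> List[LogRecord]:
    """Records a receiver configured with `threshold` would show."""
    records = (parse_line(line) for line in lines)
    return [r for r in records if r is not None and passes(threshold, r)]


SAMPLE = [
    # The example line from the manual:
    "Jan 1 00:55:13 10 local3.info Dot3Ah: DOT3AH : Link down on port 1/1/1",
    # Constructed lines (process names and texts are made up):
    "Jan 1 00:56:02 10 local3.critical SysMon: CPU temperature above limit",
    "Jan 1 00:56:40 10 local3.debug Cli: command parsed",
    "Jan 1 00:57:05 10 local3.error Auth: login failed for user admin",
    "truncated line with no fields",
]

if __name__ == "__main__":
    for rec in select(SAMPLE, "error"):
        print(rfc3164_pri(rec), rec.process, rec.text)
```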

Supported Standards, MIBs, and RFCs
Feature: System Logs
Standards: No standards are supported by this feature.
MIBs: No MIBs are supported by this feature.
RFCs: RFC 3164, The BSD Syslog Protocol (client mode)

15
Troubleshooting

Features Included in this Chapter
ECI Telecom provides a set of powerful tools for troubleshooting and resolving
technical issues with ECI Telecom devices. This chapter details these tools.
• Periodic Monitoring
Periodic monitoring is a method for monitoring hardware conditions in
order to identify problematic hardware and deteriorated environmental
conditions.
• Diagnosing Connectivity Problems
This section provides information about the Ping and Traceroute utilities
used for diagnosing connectivity problems.
• Port Mirroring (Port Monitoring)
Port Mirroring is a method for monitoring network traffic by sending
copies of all incoming and outgoing packets from one port to a monitoring
port, where these packets are diagnosed.
• Technical Support Information
This section lists commands that retrieve the devices' technical information.
System administrators can forward the command output to the ECI
Telecom technical support team to assist them in the troubleshooting task.


Periodic Monitoring

Overview
Periodic monitoring is a method used for monitoring different hardware
conditions before they become critical.
You can use periodic monitoring:
• to ensure a more reliable day-to-day operation. You can periodically
monitor crucial device functions in the background, receiving alerts when
the monitored indicators vary from operating norms
• as a troubleshooting tool, monitoring transient conditions and tracking
irregular behaviors. You can use this method for triggering diagnostic
data-polling based on the device operational status

Periodic-Monitoring Indicator Types


There are two types of monitored indicators:
• Pass/Fail conditions—the monitor function returns a simple Pass or Fail
operational status for the monitored indicator (for example, whether the
fans are working or not, or whether the power supply is working or not)
• Measured values—the monitor function returns a measured value of the
monitored indicator (for example, the device temperature or the number of
packet errors)
Below is the list of the operational indicators that are periodically monitored.

Table 15-1: Periodic Monitored Operational Indicators

Indicator Monitored As
CPU Resources Measured value
RAM Resources Measured value
CPU Temperature Measured value
Port Statistics Measured value


Alert Types
You can assign any or all of the actions below to monitor an alert status:
• log—the alert status is written to the CLI history and error message log
files
• led—the STS LED flashes on the device front panel
• trap—generate an SNMP trap

You can define an alert behavior only individually (for each specific indicator).

Monitoring Limited Values


In order to monitor measured values, you can define limit values that generate
alerts when they are crossed.
You can configure the following conditions:
• the measured value rises above the limit value
• the measured value drops below the limit value
• the measured value crosses the limit value in either direction


Periodic Monitoring Configuration Flow

Figure 15-1: Periodic Monitoring Configuration Flow


Periodic Monitoring Commands

Periodic Monitoring Commands’ Hierarchy

NOTE: All periodic monitoring commands are applied immediately, no commit is
required.

+ root
+ config terminal
+ system
+ monitor
+ cpu-temperature
- [no] high-threshold <value>
- [no] led
- [no] log
- [no] low-threshold <value>
- [no] period <value>
- [no] shutdown
- [no] trap
+ cpu-usage
- [no] high-threshold <value>
- [no] led
- [no] log
- [no] low-threshold <value>
- [no] period <value>
- [no] shutdown
- [no] trap
+ port-statistics
- [no] high-threshold <value>
- [no] led
- [no] log
- [no] low-threshold <value>
- [no] period <value>
- [no] shutdown
- [no] trap

+ ram-usage
- [no] high-threshold <value>
- [no] led
- [no] log
- [no] low-threshold <value>
- [no] period <value>
- [no] shutdown
- [no] trap
- show system monitor [cpu-temperature | cpu-usage | detail |
port-statistics | ram-usage]
- show system cpu-usage
- show system temperature

Periodic Monitoring Commands’ Descriptions

Table 15-2: Periodic Monitoring Commands

Command Description
config terminal Enters the Configuration mode
system Enters the System Configuration mode
monitor Enters the Periodic Monitoring
Configuration mode
cpu-temperature Enables the temperature monitoring and
enters the Temperature Monitoring
Configuration mode
• Disabled
cpu-usage Enables the CPU monitoring and enters
the CPU Monitoring Configuration mode.
The CPU monitoring collects CPU usage
samples and periodically calculates their
average value from previous percentage
estimates. If the calculated value exceeds
a configured limit value, the monitor
triggers an alert.
• Disabled
port-statistics Enables the port monitoring and enters the
Port Monitoring Configuration mode
• Disabled

ram-usage Enables the RAM monitoring and enters
the RAM Monitoring Configuration mode.
The RAM usage monitoring periodically
checks the remaining RAM that is
available for allocation. If this amount is
less than a configured limit value, the
monitor triggers an alert.
• Disabled
high-threshold <value> Defines the high threshold value for a
specific periodic monitoring:
• value: high threshold
value
• 90% high threshold for RAM-usage
• 75% high threshold for CPU-usage
• 0% high threshold for port statistics
• 70°C high threshold for CPU-
temperature
no high-threshold Removes the high threshold value
led Enables the LED-alert notification.
The LED starts blinking when one of the
following conditions occurs:
• the indicator status is fail
• the indicator’s measured value
exceeds its configured limit
• Disabled
no led Restores to default
log Enables the alert-notification logging.
The alert message is written to the log and
history files when one of the following
conditions occurs:
• the indicator status is fail
• the indicator’s measured value
exceeds its configured limit value
• Disabled
no log Restores to default
low-threshold <value> Defines the low threshold value for a
specific periodic monitoring:
• value: low threshold value
• 0% low threshold for CPU-usage,
RAM-usage, and port statistics
• -3°C low threshold for CPU-
temperature

no low-threshold Removes the low threshold value
period <value> Defines the intervals at which an indicator
is polled:
• value: in the range of <1–
65535> seconds
• 60 seconds
no period Restores to default
shutdown Disables the specific test
no shutdown Enables the specific test
trap Enables SNMP trap notification for
specific test.
When you enable this option, an SNMP
trap is issued when one of the following
conditions occurs:
• the indicator status is fail
• the indicator’s measured value
exceeds its configured limit
• Disabled
no trap Restores to default
show system monitor [cpu-temperature | cpu-usage | detail |
port-statistics | ram-usage] Displays the monitor settings (see Table 15-3)
show system cpu-usage Displays the current device's CPU usage
show system temperature Displays the current device’s temperature

Table 15-3: The Monitor Indicators

Indicator Description
cpu-temperature Displays settings of CPU temperature monitoring
cpu-usage Displays settings of CPU usage monitoring
port-statistics Displays settings of ports monitoring
power Displays settings of power monitoring
ram-usage Displays settings of RAM usage monitoring


Configuration Examples

CPU Usage Monitoring


1. Enter the CPU Monitoring Configuration mode:
device-name#config terminal
Entering configuration mode terminal
device-name(config)#system monitor
device-name(config-monitor)#cpu-usage

2. Define the CPU usage high limit value to 10 and the low limit to 1:
device-name(config-cpu-usage)#high-threshold 10
device-name(config-cpu-usage)#low-threshold 1

3. Define the monitoring interval to 20 seconds:


device-name(config-cpu-usage)#period 20
device-name(config-cpu-usage)#no shutdown
device-name(config-cpu-usage)#end

4. Display the CPU usage monitoring settings:


device-name#show system monitor cpu-usage
CPU Resources Test

Period : 20 Sec.
Status LED : Disabled
Traps : Disabled
Logging : Disabled
Upper limit : 10 %
Lower limit : 1 %
Measure : 34 %
Last status : FAILED

RAM Usage Monitoring


1. Enter the RAM Monitoring Configuration mode:
device-name#config terminal
Entering configuration mode terminal
device-name(config)#system monitor
device-name(config-monitor)#ram-usage

2. Define the RAM usage high limit value to 10 and the low limit to 3:
device-name(config-ram-usage)#high-threshold 10
device-name(config-ram-usage)#low-threshold 3


3. Define the monitoring interval to 5 seconds:


device-name(config-ram-usage)#period 5
device-name(config-ram-usage)#no shutdown
device-name(config-ram-usage)#end

4. Display the RAM usage monitoring settings:


device-name#show system monitor ram-usage
RAM Resources Test

Period : 5 Sec.
Status LED : Disabled
Traps : Disabled
Logging : Disabled
Upper limit : 10 %
Lower limit : 3 %
Measure : 50 %
Last status : FAILED
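
Both outputs above report FAILED while Status LED, Traps and Logging are all Disabled, so the result is only visible to someone running the show command. The Python sketch below, an added example that is not part of the manual, parses a `show system monitor` block and flags both conditions; the second sample block is constructed, and its "Enabled" and "PASSED" wording is an assumption.

```python
import re
from typing import Dict, List, Optional

# Output of "show system monitor cpu-usage", copied from the example above.
CPU_OUTPUT = """\
CPU Resources Test

Period : 20 Sec.
Status LED : Disabled
Traps : Disabled
Logging : Disabled
Upper limit : 10 %
Lower limit : 1 %
Measure : 34 %
Last status : FAILED
"""

# Constructed block: values and the "Enabled"/"PASSED" strings are assumed.
RAM_OUTPUT_OK = """\
RAM Resources Test

Period : 60 Sec.
Status LED : Disabled
Traps : Enabled
Logging : Enabled
Upper limit : 90 %
Lower limit : 0 %
Measure : 50 %
Last status : PASSED
"""

# Output labels of the three alert actions (led, trap, log).
ALERT_FIELDS = ("status led", "traps", "logging")


def parse_monitor(text: str) -> Dict[str, str]:
    """Turn one 'show system monitor <indicator>' block into a dict.

    The first non-empty line is the test name; every following
    'Label : value' line becomes a lower-cased key.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty monitor output")
    fields = {"test": lines[0]}
    for ln in lines[1:]:
        key, sep, value = ln.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def leading_number(value: Optional[str]) -> Optional[float]:
    """Extract the numeric part of values such as '34 %' or '20 Sec.'."""
    m = re.match(r"-?\d+(?:\.\d+)?", value or "")
    return float(m.group()) if m else None


def review(fields: Dict[str, str]) -> List[str]:
    """Return findings for one parsed monitor block."""
    findings = []
    upper = leading_number(fields.get("upper limit"))
    lower = leading_number(fields.get("lower limit"))
    measure = leading_number(fields.get("measure"))
    if measure is not None:
        if upper is not None and measure > upper:
            findings.append(
                f"measure {measure:g} is above the upper limit {upper:g}")
        if lower is not None and measure < lower:
            findings.append(
                f"measure {measure:g} is below the lower limit {lower:g}")
    # A missing field is treated the same as a disabled action.
    enabled = [name for name in ALERT_FIELDS
               if fields.get(name, "disabled").lower() != "disabled"]
    if not enabled:
        findings.append("no alert action (led, log, trap) is enabled")
    return findings


if __name__ == "__main__":
    for block in (CPU_OUTPUT, RAM_OUTPUT_OK):
        parsed = parse_monitor(block)
        print(parsed["test"], "->", review(parsed) or "ok")
```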

Diagnosing Connectivity Problems

Overview
The device offers the following utilities for troubleshooting
network-connectivity issues:
• PING
• Traceroute

Packet Internet Groper (PING)


PING verifies Internet connectivity at the IP level. It sends an Internet Control
Message Protocol (ICMP) echo request to a specified IP address or device
name and waits for one of the below ICMP responses:
• Normal response—the device is alive and replies within 1–10 seconds,
depending on the network traffic.
• Destination does not respond—if the device does not respond, a no-answer
message is returned.
• Unknown device—if the device does not exist, an unknown message is
returned.
• Destination unreachable—the default gateway cannot reach the specified
network.
• Network or device unreachable—the route table does not include the
device or network.


Example: Reachable Device

device-name#ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100): 56 data bytes
64 bytes from 192.168.1.100: icmp_seq=0 ttl=128 time=1.4 ms
64 bytes from 192.168.1.100: icmp_seq=1 ttl=128 time=1.3 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=128 time=1.3 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=128 time=1.4 ms
64 bytes from 192.168.1.100: icmp_seq=4 ttl=128 time=1.3 ms

--- 192.168.1.100 ping statistics ---


5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.3/1.3/1.4 ms

Example: Unreachable Device

device-name#ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101): 56 data bytes

--- 192.168.1.101 ping statistics ---


5 packets transmitted, 0 packets received, 100% packet loss

Traceroute
Traceroute sends ICMP echo packets with varying IP Time-to-Live (TTL)
values to the destination. When a device receives an ICMP echo packet with
TTL value of 1 or 0, it drops the packet. Instead it sends a time-to-live-
exceeded message to the sender. Traceroute uses this mechanism for
determining the route to the destination:
It starts by sending a User Datagram Protocol (UDP) datagram to the destination
device, setting its TTL value to 1, and receives a time-to-live-exceeded message
from the next hop.
To identify the next hop, Traceroute sends another UDP packet, setting its TTL
value to 2. The first device reached by the UDP decreases the TTL field by 1
and sends the datagram to the next device. This device discards the datagram
(identifying a TTL value of 1) and returns a time-to-live-exceeded message to
the source.
This process continues until the TTL is incremented to a value large enough for
the datagram to reach the destination device (or until reaching the maximum
TTL).

To determine when a datagram reaches its destination, Traceroute sets the UDP
destination port number in the datagram to a very large value that the
destination device is unlikely to use. When a device receives a self-destined
datagram containing a destination port number that is unused locally, it sends
an ICMP port unreachable error to the source. Because all errors except port
unreachable errors come from intermediate hops, the receipt of a port
unreachable error means this message is sent by the destination.

Connectivity Diagnostic Commands

Connectivity Diagnostic Commands’ Hierarchy
+ root
- traceroute {A.B.C.D | HOSTNAME} [ttl <ttl> | timeout <timeout>]
- ping {A.B.C.D | HOSTNAME} [number <number> | length <length>]

Connectivity Diagnostic Commands’ Descriptions

Table 15-4: Connectivity Diagnostic Commands

Command Description
(root)
traceroute {A.B.C.D | HOSTNAME} [ttl <ttl> | timeout <timeout>] Traces the
data-packets’ route to their destination IP address:
• A.B.C.D: the destination IP address
• HOSTNAME: the name of the pinged device
• ttl: the maximum number of devices the traceroute command passes, in the
range of <1–255>
• 30
• timeout: the timeout for receiving responses, in the range of <1–600>
seconds
• 5 seconds

ping {A.B.C.D | HOSTNAME} [number <number> | length <length>] Pings a remote
device:
• A.B.C.D: the destination IP address
• HOSTNAME: the name of the pinged device
• number: the number of echo packets sent, in the range of <1–2147483646>
• 5
• length: the size of the ICMP echo packets, in the range of <56–65535>
• 56

Port Mirroring (Port Monitoring)

Overview
Port Mirroring is a method for monitoring network traffic. Port mirroring
forwards all the data transmitted and received by a port to a different location
where it can be examined. The port monitoring the traffic has to be connected
to a Network Analyzer or RMON probe for packet analysis.
The Port Mirroring feature copies packets passing through one or more ports
(source ports) of a device to the monitor port (destination port). In this case,
both the source ports and destination port are located on the same device.

Figure 15-2: Port Mirroring


The network traffic monitoring includes the following traffic types:


• Receive (Rx, ingress monitoring)—the destination port receives a copy of
the packets transmitted to the source port, before the source device
modifies or processes them.
• Transmit (Tx, egress monitoring)—the destination port receives a copy of
the packets transmitted by the source port, after the source device modifies
and processes them.

NOTE: In egress monitoring, the packets are forwarded to the destination port
before the source port changes the packets’ 802.1q header. Therefore, the
packets transmitted to the destination port may differ from the packets sent
out by the source port.

Source Port Characteristics


The device can monitor egress traffic, ingress traffic, or both simultaneously.
• The device supports up to eight source ports, when monitoring egress
traffic.
• The device can monitor any port type such as Fast Ethernet, Gigabit
Ethernet, and link-aggregation group.
• The source port cannot be a destination port.
• Source ports can be in the same or different VLANs.

Destination Port Characteristics


The destination port:
• must reside on the same device as the source port (for a local network
traffic monitoring)
• can be any physical Ethernet port
• cannot be a source port
• can participate in only one network traffic monitoring at a time (it cannot
be a destination port for a second network traffic monitoring)
• does not transmit any traffic except the traffic required for the network
traffic monitoring
• is limited to its capacity: any traffic exceeding the port’s capacity is
dropped


Network Traffic Monitoring Commands

Network Traffic Monitoring Commands’ Hierarchy
+ root
+ config terminal
+ system
- [no] mirror {tx | rx} {destination UU/SS/PP | source
UU/SS/PP}

Network Traffic Monitoring Commands’ Descriptions

Table 15-5: Network Traffic Monitoring Commands

Command Description
config terminal Enters the Configuration mode
system Enters the System Configuration mode
mirror {tx | rx} {destination UU/SS/PP | source UU/SS/PP} Initiates network
traffic monitoring:
• tx: monitors egress traffic
• rx: monitors ingress traffic
• destination UU/SS/PP: the destination port (monitoring port)
• source UU/SS/PP: a list of source (monitored) ports
• Disabled
no mirror {tx | rx} Disables network traffic monitoring for
specified traffic type (ingress or egress):
• tx: disables egress traffic monitoring
• rx: disables ingress traffic monitoring


Technical Support Information

Overview
ECI Telecom provides special-purpose CLI commands in order to retrieve the
devices' technical information. You can then forward this information to ECI
Telecom technical support in order to aid them in tracking and resolving issues
that cause system failures.
These commands dump the required information on the screen. In addition, you
can save the command output on a specified remote server.

Technical Support Commands

Technical Support Commands’ Hierarchy


+ root
- file cp technical-support
PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file cp technical-support FILE-NAME
- show technical-support


Technical Support Commands’ Descriptions

Table 15-6: Technical Support Commands

Command Description
(root)

file cp technical-support PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
Uploads the output of the show technical-support command to a
TFTP/FTP server:
• PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP
servers, no user, password, and port are required. For FTP servers,
no port number is required.
• USER: FTP user name
• PASSWORD: FTP user password. The password must be immediately
followed by the at symbol (@).
• IPv4: IP address of the TFTP/FTP server in A.B.C.D format
• PORT: port number for the TFTP transfer
• FILE-NAME: name of the file
file cp technical-support FILE-NAME Saves the output of the show
technical-support command to the local file system:
• FILE-NAME: name of the file
show technical-support Displays the selected technical-support
parameters’ information


Configuration Example
Execute commands from default TSDB and display the output:
device-name#show technical-support

===============================================================================
TECHNICAL SUPPORT
===============================================================================

It could take several minutes to complete the command. Please wait ...

-------------------------------------------------------------------------------
output from command show running-config
-------------------------------------------------------------------------------
snmp-server
no enable
port 161
engineID 80:00:61:81:05:01
notify linkDown
tag tag
type trap

………
………
………
-------------------------------------------------------------------------------
TSDB_default.db had 2 commands to process
Started at Wed Jul 20 15:05:10 EET 2010
Finished at Wed Jul 20 15:05:10 EET 2010
-------------------------------------------------------------------------------
===============================================================================


Supported Standards, MIBs, and RFCs
Feature: Periodic Monitoring
Standards: No standards are supported by this feature.
MIB: Private MIB, PRVT-SYS-MON-MIB.mib
RFC: No RFCs are supported by this feature.

Feature: Diagnosing Connectivity Problems
Standards: No standards are supported by this feature.
MIB: No MIBs are supported by this feature.
RFC: RFC 792, Internet Control Message Protocol

Feature: Port Monitoring
Standards: No standards are supported by this feature.
MIB: No MIBs are supported by this feature.
RFC: No RFCs are supported by this feature.

Feature: Technical Support Information
Standards: No standards are supported by this feature.
MIB: No MIBs are supported by this feature.
RFC: No RFCs are supported by this feature.



A
Specifications
Physical Specifications
Width 435 mm (17.12”)
Height 43.6 mm (1.0 RU)
Depth 176 mm (6.9”)
Weight 2.5 kg (5 lbs 8 oz)

AC Power Source
AC Power Source Voltage: 100-240 VAC
Frequency: 50/60Hz
Typical Power consumption 40 W
Typical Power consumption 12V

DC Power Source
DC Power Source Voltage: -36 to -72 VAC
Frequency: 50/60Hz
Typical Power consumption 40 W
Typical Power consumption 12V

Operating Conditions
Operating temperature 0° C to 50° C (-32 °F to 122 °F)
Environment The equipment is designed for use in indoor applications only
Relative Humidity 10% to 90% non-condensing
Storage Temperature -40º C to 70º C (-40º F to 158° F)
Storage Humidity 5% – 90% maximum relative humidity, non-condensing



B
Acronyms Glossary

Term Meaning
AAA Authentication, Authorization, and Accounting
ACG Access Control Group
ACL Access List
AIS Alarm Indication Signal
AMI Alternate Mark Inversion
ARP Address Resolution Protocol
AS Autonomous System
ASIC Application Specific Integrated Circuit
ATM Asynchronous Transfer Mode
BES Bursty Error Seconds
BFD Bidirectional Forwarding Detection
BID Bridge ID
BiST Built-in Self Test
BPDU Bridge Protocol Data Units
CCM Continuity Check Message
CCS Common Channel Signaling
CES Circuit Emulation Service
CFM Connectivity Fault Management
CIC Clock Input Controller
CIR Committed Information Rate
CIST Common and Internal Spanning Tree
CLE Customer Located Equipment
CLI Command Line Interface
CO Central Office
CoLo Co-Location

CoS Class of Service
CPE Customer Premise Equipment
CPU Central Processing Unit
CRC Cyclical Redundancy Checking
CSS Controlled Slip Seconds
CST Common Spanning Tree
C-VLAN Customer VLAN
DAI Dynamic ARP Inspection
DHCP Dynamic Host Configuration Protocol
DLC Data-Link Control
DNS Domain Name System
DoS Denial of Service
DoSAP Denial of Service Access Point
DRR Deficit Round Robin
DSCP Differentiated Services Code Point
DSx Digital Signal Level x
DSA Digital Signature Algorithm
DSAP Destination Service Access Point
DSS Digital Signature Standard
DST Daylight Saving Time
DTE Data Terminating Entity
EAP Extensible Authentication Protocol
EAPOL EAP Encapsulation over LAN
ECN Explicit Congestion Notification
EFM-OAM Ethernet in the First Mile
EPS Ethernet Protection Switching
ES Error Seconds
ESF Extended Super Frame
EVC Ethernet Virtual Connections
FC Forwarding Class
FDB Forwarding Database Table
FEC Forwarding Equivalence Class
FIB Forwarding Information Base
FRR Fast Re-Route
FS File System
H-VPLS Hierarchical VPLS
IETF Internet Engineering Task Force

IGMP Internet Group Multicast Protocol
IP Internet Protocol
ISAP Intermediate Service Access Protocol
IST Internal Spanning Tree
ITU-T International Telecommunications Union-
IWF InterWorking Function
LACP Link Aggregation Control Protocol
LAG Link Aggregation Group
LAN Local Area Network
LBM Loopback Message
LBR Loopback Reply
LCK Ethernet Lock Signal
LCV Line Code Violations
LDP Label Distribution Protocol
LER Label Edge Router
LES Line Error Seconds
LIU Line Interface Unit
LLDP Link Layer Discovery Protocol
LMM Laser Management Monitoring
LOPS Loss of Packet Synchronization
LSL Logical Service Loopback
LSP Label Switched Path
LSR Label Switch Router
LTM Link Trace Message
LTR Link Trace Reply
MA Maintenance Association
MAID Maintenance Association Identifier
MAC Media Access Control
MBB Make-Before-Break
MCID MST Configuration Identifier
MD Maintenance Domain
MEP Maintenance Association End Point
MEPID Maintenance Association End Point Identifier
MIB Management Information Base
MIP Maintenance Intermediate Points
MHF MIP Half Function
MOTD Message of the Day

MP Maintenance Point
MPLS Multi Protocol Label Switching
MSTI Multiple Spanning Tree Instance
MSTP Multiple Spanning Tree Protocol
MTU Maximum Transmission Unit
MVR Multicast VLAN Registration
NAS Network Access Server
NMS Network Management System
NTP Network Time Protocol
OAM Operations, Management and Maintenance
OAMPDU OAM Protocol Data Units
OSPF Open Shortest Path First
PCV Path Coding Violations
PDU Protocol Data Unit
PE Provider Edge
PHP Penultimate Hop Popping
PING Packet Internet Groper
PIR Peak Information Rate
PLR Point of Local Repair
POP Point of Presence
PSN Packet Switched Network
PVID Port VLAN Identifier
PVST Per-VLAN Spanning Tree
PW Pseudo Wire
PWE Pseudo Wire Emulation
QoS Quality of Service
RADIUS Remote Authentication Dial In User Service
R-APS Ring Automatic Protection Switching
RED Random Early Detection
RFC Request for Comments
RIP Routing Information Protocol
RMON Remote Monitoring
RSTP Rapid Spanning Tree Protocol
RSVP Resource Reservation Protocol
RTP Real-Time Transport Protocol
RTR Response Time Reporter
SA Service Agreement

SAA Service Assurance Application
SAP Service Access Point
SCP Secure Copy Server
SDP Service Distribution Path
SES Server Error Seconds
SF Super Frame
SFD Start of Frame Delimiter
SFP Small Form-factor Pluggable
SLA Service Level Agreement
SLO Service Level Objectives
SMA Short Maintenance Association
SMI Structure of Management Information
SNMP Simple Network Management Protocol
SSH Secure Shell
SST Bridge Single Spanning Tree Bridge
STP Spanning Tree Protocol
SW Software
TACACS+ Terminal Access Controller Access Control System Plus
TC Topology Change
TCA Threshold Crossing Alarm
TCN TC Notification
TCP Transmission Control Protocol
TDM Time Division Multiplexing
TFTP Trivial File Transfer Protocol
TIME Time Synchronization Control Protocol
TLS Transparent LAN Service
TLV Type Length Value
TTL Time-To-Live
ToS Type of Service
UAS Unavailable Seconds
UDP User Datagram Protocol
USM User-based Security Model
VACM View-based Access Control Model
VCCV Virtual Circuit Connection Verification
VID VLAN Identifier
VLAN Virtual LAN
VPLS Virtual Private LAN Service

VPT VLAN Priority Tag
VPWS Virtual Private Wire Service
VRED Virtual Random Early Detection
VRRP Virtual Router Redundancy Protocol
VTY Virtual Telnet Type
WAN World Area Network
WRR Weighted Round Robin
