T-Marc 300 Series v10.1.Rx User Guide

T-Marc 300 Series
(T-Marc 340 and T-Marc 380)

Demarcation Device
User Guide

Release 10.1.Rx
May 2010

MN100168 Rev R

The information in this document is subject to change without notice and describes only the product defined in
the introduction of this document. This document is intended for the use of customers of Telco Systems only
for the purposes of the agreement under which the document is submitted, and no part of it may be reproduced
or transmitted in any form or means without the prior written permission of Telco Systems. The document is
intended for use by professional and properly trained personnel, and the customer assumes full responsibility
when using it. Telco Systems welcomes customer comments as part of the process of continuous development
and improvement of the documentation.
If the Release Notes that are shipped with the device contain information that conflicts with the information in
the user guide or supplements it, the customer should follow the Release Notes.
The information or statements given in this document concerning the suitability, capacity, or performance of the
relevant hardware or software products are for general informational purposes only and are not considered
binding. Only those statements and/ or representations defined in the agreement executed between Telco
Systems and the customer shall bind and obligate Telco Systems. Telco Systems however has made all
reasonable efforts to ensure that the instructions contained in this document are adequate and free of material
errors and omissions. Telco Systems will, if necessary, explain issues which may not be covered by the
document.
Telco Systems sole and exclusive liability for any errors in the document is limited to the documentary
correction of errors. TELCO SYSTEMS IS NOT AND SHALL NOT BE RESPONSIBLE IN ANY EVENT
FOR ERRORS IN THIS DOCUMENT OR FOR ANY DAMAGES OR LOSS OF WHATSOEVER KIND,
WHETHER DIRECT, INCIDENTAL, OR CONSEQUENTIAL (INCLUDING MONETARY LOSSES),
that might arise from the use of this document or the information in it.
This document and the product it describes are the property of Telco Systems, which is the owner of all
intellectual property rights therein, and are protected by copyright according to the applicable laws.
Telco Systems logo is a registered trademark of Telco Systems, a BATM Company. BiNOS, BiNOSCenter,
T-Marc, T5 Compact, T5C-XG, T-Metro, EdgeLink, EdgeGate, Access60, AccessIP,
AccessMPLS, AccessTDM, AccessEthernet, NetBeacon, Metrobility, and OutBurstare trademarks
of Telco Systems.
Other product and company names mentioned in this document reserve their copyrights, trademarks, and
registrations; they are mentioned for identification purposes only.

Copyright Telco Systems 2010. All rights reserved.

Page 1
Introduction (Rev. 12)

Introduction
Telco Systems T-Marc 300 Series Ethernet Service-Demarcation and Extension product line
provides intelligent and remotely managed, multiport customer-located equipment (CLE) to deliver
managed converged services (voice, video, and data) over virtual Ethernet, MPLS/ VPLS, and IP
networks.
This family of products allows service providers to deliver multiple services on separate customer
interfaces, including multiple services over a single customer interface. Since each service is isolated,
providers can troubleshoot each individual service without impacting others.
Using Operations, Administration, and Maintenance (OAM) tools, service providers can measure
and ensure provisioned Service Level Agreements (SLA).
The devices embedded security controls ensure protection against denial-of service attacks.
Advanced Layer 2 Networking, using Telco Systems AccessEthernet, allows total flexibility in
deployment and delivery of Ethernet services. Physical and virtual networking capabilities provide
automated address-management and discovery, bandwidth profiles, advanced traffic classes, and
complete control over how subscriber traffic is transported across a service providers network.
The T-Marc 300 Series product line includes two models:
T-Marc 340 offers two dual uplink ports (10/ 100/ 1000Base-T or 100Base-Fx/ 1000Base-X)
and four dual access ports (10/ 100/ 1000Base-T or 100Base-Fx/ 1000Base-X).
T-Marc 380 offers the same as T-Marc 340 in addition to four dual access ports
(10/ 100/ 1000Base-T or 100Base-Fx/ 1000Base-X).
The devices operate using an internal AC or DC power supply. They can be rack/ wall mounted or
placed on a table-top.
T-Marc 300 Series User Guide

Page 2

Using This Document
Documentation Purpose
This user guide includes the relevant information for configuring the T-Marc 300 Series
functionalities.
It provides the complete syntax for the commands available in the currently-supported software
version and describes the features supplied with the device.
This guide does not include instructions on how to install the device. For more information
regarding the device installation, refer to the T-Marc300 SeriesInstallationGuide.
For the latest software updates, see the ReleaseNotesfor the relevant release. If the release notes
contain information that conflicts with the information in the user guide or supplements it, follow
the release notes' instructions.
Intended Audience
This user guide is intended for network administrators responsible for installing and configuring
network equipment.
You have to be familiar with the concepts and terminology of Ethernet and local area networking
(LAN) to use this guide.
Documentation Suite
This document is just one part of the full documentation suite provided with this product.
You are: Document Function Function
Installation Guide Contains information about installing the hardware and
software; including site preparation, testing, and safety
information.

User Guide Contains information on configuring and using the system.
Release Notes Contains information about the current release, including
new features, resolved issues (bug fixes), known issues,
and late-breaking information that supersedes information
in other documentation.

Page 3

Conventions Used
The conventions below are used to inform important information:

NOTE
Indicating special information to which the user needs to pay special attention.

CAUTION
Indicating special instructions to avoid possible damage to the product.

DANGER
Indicating special instructions to avoid possible injury or death.

The table below explains the conventions used within the document text:

Conventions Description
commands CLI and SNMP commands
command example
CLI and SNMP examples
<Variable>
user-defined variables
[Optional Command Parameters]
CLI syntax and coded examples

Page 4

Organization
The T-Marc 300 Series User Guide comprises the below list of chapters, each focusing on a
different feature or set of features. Each chapter begins with a brief overview of the feature/ s,
followed by the configuration flow and corresponding commands' configuration section.

Chapter Name Description
Using the Command Line
Interface (CLI)
Basic information about the T-Marc 300 Series CLI, its modes, and
general usage details.
Device Setup and
Maintenance
Accessing T-Marc 300 Series devices, login information, and the
devices' reloading options.
Device Administration Administering T-Marc 300 Series devices and performing initial
device configuration (such as the devices time and date, software
upgrade, and protecting the device from outside attacks).
Configuring Interfaces The device interface types and their configuration. The chapter
also offers information on static Link Aggregation Groups (LAGs),
establishing resilience across the network segments, and Alarm
Propagation.
Configuring VLANs and
Super VLANs
An overall understanding of VLANs and their configuration.
Configuring Transparent
LAN Services (TLS)
The deployment of Transparent LAN Services.
Configuring Spanning Tree
Protocol (STP)
The IEEE 802.1D STP standard and its configuration
Configuring Rapid
Spanning Tree Protocol
(RSTP)
The IEEE 802.1W Rapid STP standard and its configuration.
Configuring Multiple
(MSTP, IEEE 802.1s)
The IEEE 802.1S Multiple STP standard and its configuration.
Configuring Access Control
List (ACL)
Creating ACLs, traffic rate-limit, and applying QoS using ACLs.
DHCP Snooping DHCP Snooping security feature used to reinforce the client
network and create an environment resilient to outside attacks.
Configuring Quality of
Service (QoS)
Configuring different service levels for traffic traversing the device,
providing preferential treatment to specific traffic.
Operation Administration
and Maintenance (OAM)
The different tools for monitoring and troubleshooting the network:
IEEE 802.3ah Ethernet in the First Mile (EFM)
IEEE 802.1ag Connectivity Fault Management (CFM)
SAA Test-Head and SAA Throughput Test
ITU-T G.8031 Ethernet Protection Switching (EPS)
Event Propagation (configuring automatic actions executed
upon the occurrence of specific events)
Ethernet Local Management Interface (E-LMI), an OAM
protocol enabling the auto configuration of Metro Ethernet
services support

Page 5

Chapter Name Description
Configuring Link Layer
Discovery Protocol (LLDP)
Configuring the IEEE 802.1AB standard.
Configuring Device
Authentication Features
The privileged access levels to commands used for protecting the
device from unauthorized access.
The chapter describes RADIUS, TACACS+, and SSH.
Internet Group Multicast
Protocol (IGMP) Snooping
Configuring the session-layer IGMP Protocol.
Configuring Simple
Network Management
Protocol (SNMP)
Configuring SNMP, community strings, and enabling trap
managers and traps.
SNMP Reference Guide The detailed list of MIBs and objects for controlling, monitoring,
and managing the device and its features from a remote location.
Configuring Remote
Monitoring (RMON)
Configuring the RMON feature used with the SNMP agent.
Configuring System
Message Logging
Configure system message logging, message format, and
message types displayed.
Troubleshooting and
Monitoring
Troubleshooting and monitoring tools used to detect and solve
BiNOS related problems. Provides a set of built-in tests that
examine hardware and its configuration validity.
This chapter also contains other information such as traffic
monitoring, monitoring the device's periodic operation, alert
behavior, and laser monitoring.
Appendix A: Default
Configuration
The devices default configuration.
Appendix B: Product
Capabilities
The devices supported features.
Appendix C: Acronyms
Glossary
The list of acronyms used in this user guide and their meaning.

Page 6

Getting Documentation Updates
You can access the most current Telco Systems documentation on the following site:
http:/ / support.batm.com/ .
Access to most of the Telco Systems documentation is password protected. To obtain a password,
contact the BATM support center.
Technical Support
Telco Systems provides technical assistance for customers and partners. Users can obtain technical
assistance by any of the following phone, fax, and e-mail options:
Web Access: http:/ / www.telco.com/
BATM Advanced CommunicationsMain Support Center in Israel
Tel: +972-4-993-5630
Fax: +972-4-993-7926
Email: mailto:support@batm.co.il
BATM/ Telco Systems a BATM Companyfor Americas
Tel: 1-800-227-0937 (U.S.), 1-781-255-2120 (Outside U.S.)
Fax: 1-781-255-2122
Email: techsupport@telco.com
BATM Germanyfor Northern Europe
Tel: +49-241-463-5490
Fax: +49-241-463-5491
Email: info@batm.de
BATM Francefor Southern Europe
Tel: +33-15-671-2773
Fax: +33-14-377-1780
Email: support@batm.fr
Telco Systems, a BATM Company Asia Pacific in Singapore
Tel: +65-6-725-9901
Fax: +65-6-725-9889
Email: enquiryapac@telco.com
Telco Systems Asia PacificJapan
Tel: +81-3-5215-5709
Fax: +81-3-5215-5704
Email: info.jp@telco.com

Page 1
Using the Command Line Interface (CLI) (Rev. 07)

Using the Command Line Interface (CLI)
Table of Contents
Overview 2
Accessing the CLI 2
The CLI Modes 3
View Mode 3
Privileged (Enable) Mode 3
Configuration Modes 3
Using the CLI 5
Command Keywords and Arguments 5
Minimum Abbreviation 6
Dynamic Completion of Commands 7
Regular Expressions 7
Getting Help 8
CLI Keyboard Sequences12
Using the Command History12
General Commands13
CLI Messages14


Page 2

Overview
CLI is a network management application operating through an ASCII terminal.
Using the CLI commands, users can configure the device parameters and maintain them, receiving
text output on the terminal monitor. These system parameters are stored in a non-volatile memory
and users have to set them up only once.
The device CLI is password protected.
Accessing the CLI
You can access the CLI:
directly, by connecting a PC to the devices console port
over an IP network, using Telnet or SSH
Once the console port is displayed, users have to type the deivce password to execute CLI
commands.
Example:
User Access Verification

Password:batm
T-Marc_3X0>
For more information, refer to the Methodsof Managinga Devicesection of the DeviceSetupand
Maintenancechapter.
Throughout this guide, we refer to the T-Marc 300 Series device prompt as device-name.

Page 3

The CLI Modes
The CLI is built in heirarchial modes, each mode grouping relevant CLI commands. Below is the
list of the devices main CLI modes.
View Mode
This is the initial, user-level mode the CLI enters after successfully login on to the CLI. This modes
prompt is >:
device-name>
The View mode is password protected (the default password is batm)
Privileged (Enable) Mode
The Privileged (Enable) mode is primarily used for viewing the system status, controlling the CLI
environment, monitoring network connectivity, troubleshooting, and initiating the different
Configuration modes. This modes prompt is #.
To access this mode from View mode use the enable command:
device-name>enable
device-name#
The Privileged (Enable) mode is not password protected by default. However you can configure
password protection by using the enable password command (for more information, refer to the
DeviceSetupandMaintenancechapter of the user guide).
Configuration Modes
To change the device configuarion, users need to access the Configuration mode. This modes
prompt is (config)#.
To access this mode from the Privileged (Enable) mode, use the configure terminal command.
device-name#configure terminal
device-name(config)#
The Configuration mode has various sub-modes for configuring the different device features, as
shown in the below table.
Example
To access the Protocol Configuration mode, use the protocol command in Global Configuration
mode:
device-name(config)#protocol
device-name(cfg protocol)#

Page 4

Table 1: Configuration Sub-Modes Summary
Configuration
Mode
Role Prompt
VTY Controlling the Virtual Telnet Type
(VTY) connection to the device
device-name(config-VTY)#
The device physical-interfaces
configuration
device-name(config-config-if
UU/SS/PP)#
Interface range configuration
device-name(config-if-group)#
Link Aggregation Groups (LAG)
interface configuration
device-name(config-if AG0N)#
Interface
LAG interface range configuration
device-name(config-ag-group)#
Interface Access Control Groups
(ACG) configuration
device-name(config-if UU/SS/PP
acg ACL-NUMBER)#
Virtual LAN (VLAN) ACG
configuration
device-name(config-vlan VLAN-
NAME acg ACL-NUMBER)#
ACG
LAG interface ACG configuration
device-name(config-if AG0N acg
ACL-NUMBER)#
VLANs configuration
device-name(config vlan)#
VLAN
Specific VLAN configuration
device-name(config vlan VLAN-
NAME)#
Protocol Protocols settings such as STP,
RSTP, MSTP, EFM-OAM and, LAG
device-name(cfg protocol)#
Resilient Link Resilient links configuration
device-name(config-resil-link
N)#
Script-file
System
Script-file system management
device-name(config-config
script-file-system)#
Monitor Monitoring parameters settings
device-name(config monitor N)#
MSTP MSTP configuration
device-name(cfg protocol mstp)
CFM CFM-OAM protocol configuration
device-name(config-cfm)
SAA
Throughput
Test
SAA throughput test configuration
device-name(config-saa-
throughput)
SAA profile configuration
device-name(config-saa-profile-
Profile_ID)
SAA Test-
Head
SAA test configuration
device-name(config-saa-TESTNAME)
TLS TLS service configuration
device-name(config-tls SERVICE-
NAME)#
EPS EPS configuration
device-name(config-eps-SERVICE-
NAME)#
Event
Propagation
Event Propagation profile
configuration
device-name(config-ep-profile
ID)#

Page 5

Using the CLI
Command Keywords and Arguments
Each CLI command is build up of a series of keywords and arguments:
Keywords identify the commands action
Arguments specify the commands configuration parameters
The CLI commands are not case sensitive.
The general CLI syntax is represented by the following format:
device-name[(config ...)]#keyword(s) [argument(s)] ... [keyword(s)]
[argument(s)]
In this format:
device-name[(config ...)]# represents the prompt displayed by the device. This prompt
includes:
the user-defined device-name
the current CLI mode
the command keywords and arguments typed by the user
Example:
In the command below:
device-name(config vlan)#create NAME <vlan-id>
the CLI mode is Config VLAN
create is the command keyword
NAME <vlan-id> are command arguments

Page 6

Table 2: CLI Syntax Conventions in the User Guide
Symbol/Format Description
<Italic, small
letters>
A numerical argument:
<priority>
Italic, capital
letters
A string argument:
NAME
bold letters
A command keyword:
copy
A.B.C.D
An IP address:
10.4.0.4
UU/SS/PP
A physical port number in a unit/slot/port format:
1/2/6
HH:HH:HH:HH:HH:HH
A MAC address in a hexadecimal format:
00:a0:12:07:0f:78
[]
An optional argument or keyword:
[FILENAME]
{}
A mandatory argument or keyword:
{enable | disable}
|
An or between two arguments or keywords, the user should select from:
{true | false}
Minimum Abbreviation
The CLI accepts a minimum number of characters that uniquely identify a command. Therefore
you can abbreviate commands and parameters as long as they contain enough letters to differentiate
them from any other available commands or parameters on the specific CLI mode.
Example
You can type the config terminal command as config t.
device-name#config t

In case of an ambiguous entry (when the CLI mode includes more than once command matching
the characters typed), the system prompts for further input.
Example
device-name#con
[ %Er r or ] Command i ncompl et e

Page 7

Dynamic Completion of Commands
In addition to the Minimum Abbreviation functionality, the CLI can display the commands
possible completions.
To display possible command completions, type the partial command followed immediately by
<Tab> or <Space>.
In case the partial command uniquely identifies a command, the CLI displays the full
command.
Otherwise the CLI displays a list of possible completions.
device-name(config)#in
Possi bl e compl et i ons:
i nt er f ace
- - -
i nser t I nser t a par amet er
Regular Expressions
Regular expressions are a subset of EGREP and AWK programming-language regular expressions.
Table 3: Common Regular Expressions
Key Function
.
Matches any character
^
Matches the beginning of a string
$
Matches the end of a string
[abc...]
Character class that matches any of the characters: abc
To specify a character range, type a pair of characters separated by a -.
[^abc...]
Negated character class that matches any character except abc....
r1 | r2
Matches either r1 or r2
r1r2
Matches r1 and then r2
r+
Matches one or more r
r*
Matches zero or more r
r?
Matches zero or one r
(r)
Matches a pattern group


Page 8

Getting Help
To get specific help on a command mode, keyword, or argument, use one of the following
commands or characters:
Table 4: CLI Help Options
Command Purpose
help
Provides a brief description of the help system in any command
mode:

device-name(config)#help
Bi NOS CLI D VTY pr ovi des advanced hel p f eat ur e.
When you need hel p,
anyt i me at t he command l i ne pl ease pr ess ' ?' .

I f not hi ng mat ches, t he hel p l i st wi l l be empt y and
you must backup
unt i l ent er i ng a ' ?' shows t he avai l abl e opt i ons.
Two st yl es of hel p ar e pr ovi ded:
1. Ful l hel p i s avai l abl e when you ar e r eady t o
ent er a
command ar gument ( e. g. ' show ?' ) and descr i bes
each possi bl e
ar gument .
2. Par t i al hel p i s pr ovi ded when an abbr evi at ed
ar gument i s ent er ed
and you want t o know what ar gument s mat ch t he
i nput
( e. g. ' show me?' . )

abbreviated-
command<Tab> <Tab>
or
abbreviated-
command<Space> <Tab>
To display a commands possible completions, type the partial
command followed immediately by <Tab>or <Space>.
If the partially typed command uniquely identifies a command, the
full command name is displayed. Otherwise, the CLI displays a
list of possible completions:

device-name(config)#int
UU/ SS/ PP ag01 ag02 ag03 ag04
ag05 ag06 ag07 r ange sw0

command?
or
abbreviated-command?
(Leave no space between the command and ?) Provides a list of
commands that begin with a particular string and their description:

device-name#con?
conf i gur e Conf i gur at i on f r omvt y i nt er f ace


Page 9

Command Purpose
?
Lists all commands available in the particular command mode:

device-name(config)#?
aaa Aut hent i cat i on and account i ng
met hod
access- l i st Set access l i st def i ni t i on
al i as Enabl e cr eat i ng an al i as of a
command. An al i as i s a shor t f or mof a command
banner Set t he banner st r i ng
caps- l ock War n i f passwor ds cont ai ns onl y
CAPI TAL l et t er s
cf m Connect i vi t y Faul t Management
cpu CPU ut i l i zat i on moni t or i ng
- - Mor e

command ?
or
abbreviated-command ?
(Leave a space between command and ?) Lists the keywords or
arguments that the user can type next on the command line:

device-name#show ?
access- cl ass Access- cl ass vt y st at us
access- l i st s Di spl ay t he named access
l i st s
al ar m- i nher i t Show Al ar mPr opagat i on on
por t
cf m Connect i vi t y Faul t
Management
cl ock Show cur r ent syst emdat e and
t i me
conf i gur at i on- hi st or y Di spl ay st or ed conf i gur at i on
hi st or y
cpu Di spl ay CPU moni t or i ng
- - Mor e


Page 10

Command Purpose
!
The CLI ignores all the characters following ! and up to the next
new line.
Use this option when pasting a file that includes comments into
the CLI:

device-name#show running-config
Bui l di ng t he conf i gur at i on . . .

! T- Mar c 300 Ver si on 9. 4
!
passwor d:
3090372e3f 8bc00eeacc46219f 7557485983251a994551f 918e
04712f 86c5818
i p addr ess 10. 4. 4. 210 255. 255. 0. 0
i nt er f ace sw0
!
! Sour ce I p Conf i gur at i on:
!
! Log Conf i gur at i on:
- - Mor e- -

NOTE
To use ! as an argument, prefix it with \ or inside
double quotes ().

Page 11

Command Purpose
command | {include |
exclude} regular-
expression
Searches and filters the command output. Use this functionality to
sort through a large output or to exclude irrelevant output.
include: displays output lines that contain the regular
expression
exclude: displays output lines that do not contain the
regular expression
any regular-expression (text string) found in the show
command output

Example 1
The example below displays only interface output lines:
device-name#show running-config | include interface

i nt er f ace sw0
i nt er f ace 1/ 1/ 1
i nt er f ace ag01
i nt er f ace ag02
i nt er f ace ag03
i nt er f ace ag04
i nt er f ace ag05
i nt er f ace ag06
i nt er f ace ag07

Example 2
The example below displays only lines that contain 2:
device-name#show running-config | include 2
passwor d
3090372e3f 8bc00eeacc46219f 7557485983251a994551f 918e
04712f 86c5818
i p addr ess 10. 4. 4. 210 255. 255. 0. 0
i nt er f ace ag02

Page 12

CLI Keyboard Sequences
Users can use keyboard sequences to move around the command line and edit it. They can also use
keyboard sequences to scroll through a list of recently executed commands.
Table 5: CLI Keyboard Sequences
Key Function
Backspace Deletes the character preceding the cursor
Ctrl-A Moves to the beginning of the line
Ctrl-B Moves one character back
Ctrl-C Interrupts the current input and moves to the next line
Ctrl-D Moves one node back
Ctrl-E Moves to the end of the line
Ctrl-F Moves one character forward
Ctrl-H Deletes the character preceding the cursor
Ctrl-K Deletes all characters to the end of the line
Ctrl-N Moves down to the next line in the history buffer
Ctrl-P Moves up to the previous line in the history buffer
Ctrl-U Deletes the line
Ctrl-W Erases the last word
Ctrl-Z Returns to Enable mode
Esc+B Moves one word back
Esc+D Deletes the characters after the cursor
Esc+F Moves one word forward
Esc Stops ping from the device (for more information regarding the ping
command, refer to the Device Administration chapter).
Tab Fills in the rest of the command line
Using the Command History
The CLI maintains a history of commands (used in any CLI mode) that users can modify and
execute.
To scroll back through the commands history, press the arrow-up key.
For more information, refer to the ConfiguringSystemMessageLoggingchapter.

Page 13

General Commands
You can use the following commands in all CLI modes:
Table 6: General Commands
Command Description
no
Negates the command or resets the command to its default value.

To disable privilege-limited logging, type:
device-name#no log group users-limit

alias
Associates a contiguous character string as an alias to a command that
optionally includes specific arguments. The defined alias is fully
equivalent to the command it is associated to, in the CLI mode the alias
was defined.

To assign an alias to the command show interface 1/1/1
statistics, type:
device-name#alias sint1 show interface 1/1/1 statistics

Once the alias is assigned, you can execute the command by typing the
alias (sint1) in the relevant mode (Privileged (Enable) mode):
device-name#sint1
Oct et s 212 I n/ Out Pkt s 64 383
Col l i si ons 0 I n/ Out Pkt s 65- 127 0
Br oadcast 0 I n/ Out Pkt s 128- 255 0
Mul t i cast 0 I n/ Out Pkt s 256- 511 0
CRCAl i gnEr r or s 0 I n/ Out Pkt s 512- 1023 0
Under si ze 0 I n/ Out Pkt s 1024-
MaxFr ameSi ze 0
Over si ze 0 Tot al I nPkt s 383
Fr agment s 0 Tot al I n/ Out Pkt s 383
J abber s 0 Dr opCount 0
Dr opEvent s 0
Last 5secI nPkt s 50 Last 5secI nBps 409
Last 1mi nI nPkt s 353 Last 1mi nI nBps 408
Last 5secOut Pkt s 0 Last 5secOut Bps 0
Last 1mi nOut Pkt s 0 Last 1mi nOut Bps 0

exit
Escapes the current mode and enters the previous mode:

device-name(config-if 1/1/1)#exit
device-name(cfg protocol)#exit


Page 14

Command Description
quit
Logs out and disconnects from the device:

device-name(config-if 1/1/1)#quit
Connection to host lost

end
Escapes the current mode and enters the Privileged (Enable) mode:

device-name(cfg protocol)#end
device-name#

CLI Messages
The CLI displays relevant messages in response to executed commands:
Table 7: CLI Messages
CLI Message Description
% is not recognized
Displayed when the entry is not a command.
% command incomplete
Displayed when the user types a valid command but fails to type
the commands required arguments.
In this case, press <Tab>to display the commands possible
completions.
% Ambiguous token
Displayed when the user types too few characters. In these cases,
the CLI detects an ambiguity and displays the possible matches:

device-name(config)#w
%Ambi guous t oken : w
%I t mat ches t he f ol l owi ng t okens : who wr i t e

Page 1
Device Setup and Maintenance (Rev. 09)

Device Setup and Maintenance
Table of Contents
Table of Figures 3
Overview 4
Methods of Managing a Device 5
Connecting to the Console Port 5
The Terminal Screen Display 6
Connecting the Device via Telnet 7
Managing the Device via SNMP 7
Login and Password 8
Password Recovery 8
Default Passwords Recovery 8
Backdoor Password Recovery 8
Device Passwords Configuration Commands 9
Configuring the View Mode Password 9
Configuring the Privileged (Enabled) Mode Password10
Configuring the Loader Mode Password10
Enabling/ Disabling Caps Lock Notification11
The Device IP Commands12
Configuring the Devices Primary IP Address12
Configuring the Devices Secondary IP Address13
Configuring a Default Gateway14
Displaying the Device IP Address14
Displaying Routes15
Telnet Commands16
Telnet Session Configuration Commands16
Connecting a Remote Host via a Telnet Client17

Page 2

Enabling/ Disabling the Devices Telnet Server17
Displaying Current Telnet Connections18
Displaying the Current Telnet-Session Index18
Terminating a Telnet Connection19
Virtual Terminal (VTY)20
Switching Between VTY Sessions20
The VTY Step by Step Configuration21
VTY Configuration Commands22
Accessing the VTY Configuration Mode22
Configuring the Device Name23
Defining the VTY Connection Timeout23
Creating ACLs for Restricting Telnet and SSH Access to the Device24
Applying ACLs for Filtering Telnet/ SSH Connections25
Defining the Terminal Length25
Enabling the Advanced VTY Mode26
Displaying Applied ACLs26
Configuration Example27
Creating a Login Banner/ Message-of-the-Day (MOTD)28
MOTD Configuration Commands28
Enabling/ Disabling the Default-MOTD Display28
Configuring a Single-line MOTD29
Configuring a Multi-line MOTD30
Saving and Displaying the Device Configuration31
Saving, Erasing, and Displaying Configuration Commands31
Saving the Devices Running Configuration31
Restoring Factory Defaults Configuration32
Displaying the Devices Running Configuration32
Displaying the Devices Start-up Configuration33
Reloading the Device34
Supported Platforms35
Supported Standards, MIBs and RFCs35

Page 3

Table of Figures
Figure 1: Initial Device Configuration 4
Figure 2: Management Methods 5
Figure 3: A Telnet Server Example27


Page 4

Overview
This chapter provides the initial necessary information for accessing a T-Marc 300 Series device,
password configuration, saving new configuation parameters, and reload options.
To start a T-Marc 300 Series device, follow the installation guide instructions about installing, and
powering on the device.
Below are the first steps for initializing and configuring the T-Marc 300 Series device.

Figure 1: I nitial Device Configuration
Manage the device via CLI or/and SNMP
Log on to the device as a default user
Connect to the device console port
Configure the device IP address
Start
End

Page 5

Methods of Managing a Device
You can manage a device using one (or both) of the following methods:
Commandlineinterface(CLI)either directly, connecting the device console port to a PC or over
the network using Telnet and/ or SSH
SimpleNetwork Management Protocol (SNMP)

Figure 2: Management Methods
Connecting to the Console Port
The T-Marc 300 Series console port is a EIA232 VT-100 compatible, (optionaly) password-
protected port, through which you can define the device's basic operational parameters.
To connect your PC to the devices console port follow the steps below:
1. Use the console cable shipped with the device and connect the cables RJ-45 connector to the
device's console port (CON).
The cable has the following pinout:

Device Side PC Side
RJ -45 Pin # DB-9 Female
3 2
2 3
5 5

2. Connect the other side of the cable to your PCs serial port.
3. Set the PC port to 9600-N-8-1 or:
9600 bps
no parity
8 data bits
1 stop bit
no flow control


Page 6

The Terminal Screen Display
Once connected to the console port, turn on the device. A screen similar to the below example is
displayed after a few seconds:

BATM Telco Boot Loader

Device model : T-Marc 340
Loader version : 6.6 TMC 07 created Jan 15 2006 - 10:44:48
MAC Address : 00:A0:12:27:14:20

Press any key to stop auto-boot...
0
auto-booting...

Uncompressing 2131761 bytes...
Loading image... 8234000

Starting device application, please wait...
BUILT-IN SELF TEST
------------------
CPU Core Test : Passed
CPU Interface Test : Passed
Testing Device Core : Passed
Data Buffer Test : Passed

///////////////////////////////////////////////////////////////////////////
// //
// //
// B A T M A d v a n c e d C o m m u n i c a t i o n s //
// //
// T e l c o S y s t e m s //
// //
// Device model : T-Marc 380 //
// Product Category : AccessEthernet(TM) //
// SW version : 10.1 created Mar 17 2010 - 20:19:58 //
// //
// //
///////////////////////////////////////////////////////////////////////////


Password:

Page 7

Connecting the Device via Telnet
You can connect the device CLI using Telnet once the device has a configured IP address.
To connect the device using Telnet, follow the below steps:
1. Connect to the device console port (see above).
2. Power on the device. The device starts up, displaying the device terminal.
3. Type the device password at the prompt (the default password is batm).
Passwor d: batm
4. Enter the Privileged (Enable) mode:
device-name>enable
device-name#
5. Enter the Configure mode:
6. Configure the device IP address and subnet mask (the default IP address is 20.20.5.254/ 16):
device-name(config)#ip address <A.B.C.D/M>

A.B.C.D
The device IP address
/M
The subnet mask, in the range of <130>

7. Define the default gateway IP address (if the host is on a different subnet):
device-name(config)#ip route 0.0.0.0/0 <A.B.C.D>
8. Return to the Privileged (Enable) mode:
device-name(config)#end
9. Save these parameters (from the running configuration to NVRAM):
device-name#write
10. Connect your PC to a device port that is in VLAN 1 (by default all the device ports are
members of this VLAN. For more information on VLANs, refer to the ConfiguringVLANs
andSuper VLANschapter of this User Guide).
11. Open a Telnet session and type the device IP address to connect to the device.
Managing the Device via SNMP
You can manage a T-Marc 300 Series device via SNMP using an SNMP based management-
application. For more information, refer to the ConfiguringSNMP and SNMP ReferenceGuide
chapters of this User Guide.
To manage a device via SNMP, connect youre management PC to a device port that is in VLAN 1
(by default all the device ports are members of this VLAN. For more information on VLANs, refer
to the ConfiguringVLANsandSuper VLANschapter of this User Guide).

Page 8

Login and Password
The CLI is passowrd protected, enabling access only to authorised users.
To control the level of access to the device, the device has three privilege levels, each one with its
own configurable password:
View mode
Privileged (Enable) mode
Loader mode
All device passwords are encrypted.
For information about adding new usernames and defining user privileges, refer to the Device
Authenticationchapter of this User Guide.

Caution

To protect your device from unauthorized access, change all default passwords as
soon as possible.
Password Recovery
Password recovery techniques enable users to recover lost and forgotten passwords. There are two
available password-recovery methods:
Default Passwords Recovery
You can reset the device to factory defaults, including the default passwords, by using the clean
startup-config command (for more information, refer to the DeviceAdministrationchapter of this
User Guide).
Backdoor Password Recovery
You can access the device using the Backdoor password. BATM Technical Support can provide you
the devices Backdoor password, based on the devices MAC address.
You can find the device MAC address on the label found on the device rear panel or at the bottom
of the device. You can also obtain the devices MAC address from the devices boot loader, during
the device start up.
Once you regain access to the device, you can change the device passwords.

Page 9

Device Passwords Configuration Commands
Table 1: Password Commands
Command Description
password
Configures the View mode password (see Configuring the View
Mode Password)
enable password
Configures the Privileged (Enabled) mode password (see
Configuring the Privileged (Enabled) Mode Password)
password loader
Configures the boot loader password (see Configuring the
Loader Mode Password)
caps-lock passwords
warning
Notifies the user when <Caps Lock>is activated, while changing
or typing a password (see Enabling/Disabling Caps Lock
Notification)
Configuring the View Mode Password
The password command configures the View mode password.
CLI Mode: Global Configuration
Command Syntax
device-name(config)#password PASSWORD CONFIRM-PASSWORD
Argument Description
PASSWORD
An alphanumeric, case sensitive field of up to 64 characters (blank
spaces are not allowed)
batm
CONFIRM-PASSWORD
Retype the password for confirmation
Example
The following example sets the View mode password to device12:
device-name(config)#password device12 device12
After setting the new password, use this password upon entering the device console:
Password:device12
device-name>

Page 10

Configuring the Privileged (Enabled) Mode Password
The enable password command configures the Privileged (Enabled) mode password.
Command Syntax
device-name(config)#enable password PASSWORD CONFIRM-PASSWORD
device-name(config)#no enable password
PASSWORD
The Privileged (Enabled) mode does not require a password. However,
once you define this password, users are required to type the password
to enter this mode.
CONFIRM-PASSWORD
no
Removes the modes password
Example
The following example sets the Privileged (Enabled) password to device12:
device-name(config)#enable password device12 device12
After setting the new password, use this password upon entering the Privileged (Enable) mode:
device-name>enable
Password:device12

device-name#
Configuring the Loader Mode Password
The password loader command configures the (boot) Loader mode password.
Command Syntax
device-name(config)#password loader PASSWORD CONFIRM-PASSWORD
PASSWORD
batm
CONFIRM-PASSWORD

Page 11

Example
The following command sets the Loader mode password to loaderp:
device-name(config)#password loader loaderp loaderp
After setting the new password, use this password upon entering the Loader mode:

Password:

loaderp
Loader>
Enabling/Disabling Caps Lock Notification
The caps-lock passwords warning command generates a notification in case the <Caps Lock>
is activated, while changing or typing a password.
Command Syntax
device-name(config)#caps-lock passwords warning {on | off}
on
Enables caps lock notification
Caps lock notification is enabled
off
Disables caps lock notification
Example
device-name(config)#caps-lock passwords warning on
device-name(config)#password batm batm
device-name(config)#password BATM BATM
%War ni ng! The passwor d t yped i s al l i n upper case char act er s. Pl ease check i f
your CapsLock key i s not pr essed by mi st ake.

Page 12

The Device IP Commands
Table 2: Device IP Commands
Commands Description
ip address
Configures the devices primary IP address (see Configuring the
Devices Primary IP Address)
ip address secondary
Configures the devices secondary IP address (see Configuring
the Devices Secondary IP Address)
ip route
Configures the devices default-gateway IP address (see
Configuring a Default Gateway)
show ip
Displays the device IP address (see Displaying the Device IP
Address)
show ip route
Displays the static and directly connected (via configured IP
interfaces) routes (see Displaying Routes)
Configuring the Devices Primary IP Address
The ip address command configures the devices primary (inband, sw0 interface) IP address. You
must configure the devices primary IP address to be able to connect the device via the inband
(using Telnet, SSH, NTP, or SNMP).
Command Syntax
device-name(config)#ip address A.B.C.D [/M | A2.B2.C2.D2]
A.B.C.D
The devices primary IP address
20.20.5.254/16
/M
(Optional) the IP address subnet-mask, in the range of <130>
A2.B2.C2.D2
(Optional) the IP address subnet-mask, in an IP format
Example
device-name(config)#ip address 100.1.2.3/16

Page 13

Configuring the Devices Secondary IP Address
The ip address secondary command configures sw0 interfaces secondary IP address.
CLI Mode: IP Interface Configuration

NOTE
You have to configure the devices primary IP address prior to configuring the
secondary one, otherwise the following prompt is displayed on the terminal:
%Ther e i s no pr i mar y addr ess.

Command Syntax
device-name(config-if sw0)#ip address A.B.C.D [/M | A2.B2.C2.D2] secondary
device-name(config-if sw0)#no ip address A.B.C.D [/M | A2.B2.C2.D2] secondary
A.B.C.D
The devices secondary IP address
/M
(Optional) the IP address subnet-mask, in the range of <130>
A2.B2.C2.D2
(Optional) the IP address subnet-mask, in an IP format
secondary
Specifies that this is a secondary IP address
no
Removes the secondary address (you cannot remove the primary IP
address)
Example
device-name(config)#interface sw0
device-name(config-if sw0)#ip address 100.1.2.3/16 secondary

Page 14

Configuring a Default Gateway
The ip route command configures the devices default-gateway IP address.
Command Syntax
device-name(config)#[no] ip route A.B.C.D {/0 | 0.0.0.0} A2.B2.C2.D2
A.B.C.D
The destination network IP-address
/0
The destination network subnet-mask (the only permitted destination
subnet-mask is 0)
0.0.0.0
The destination network mask, in an IP format
A2.B2.C2.D2
The gateway IP address
no
Removes the specified destination network
Displaying the Device IP Address
The show ip command displays the device IP address.
CLI Mode: Privileged (Enable)
Command Syntax
device-name#show ip
Example
device-name#show ip
I P- ADDR : 100. 1. 2. 3 NET- MASK : 255. 255. 0. 0

Page 15

Displaying Routes
The show ip route command displays the static and directly connected (via configured IP
interfaces) routes.
Command Syntax
device-name#show ip route
Example
device-name#show ip route
Codes: K - ker nel r out e, C - connect ed, S - st at i c, R - RI P,
O - OSPF, > - sel ect ed r out e, * - FI B r out e

S>* 0. 0. 0. 0/ 0 [ 1/ 0] vi a 10. 4. 10. 1, out Band0
K>* 10. 4. 0. 0/ 16 i s di r ect l y connect ed, out Band0
K>* 10. 4. 4. 225/ 32 i s di r ect l y connect ed, out Band0
C>* 10. 5. 0. 0/ 16 i s di r ect l y connect ed, sw0
C>* 10. 5. 4. 225/ 32 i s di r ect l y connect ed, sw0
C>* 127. 0. 0. 0/ 8 i s di r ect l y connect ed, l o0
C>* 127. 0. 0. 1/ 32 i s di r ect l y connect ed, l o0

Page 16

Telnet Commands
T-Marc 300 Series devices have an internal Telnet server and client:
You can connec to the device with a Telnet client (up to five concurrent sessions)
You can connect to a remote host using the devices internal Telnet client
Telnet Session Configuration Commands
Table 3: Telnet Configuration Commands
Command Description
telnet
(In Privileged mode) initiates a Telnet connection to a remote host
(see Connecting a Remote Host via a Telnet Client)
telnet
(In Global Configuration mode) enables/disables the local devices
Telnet server (see Enabling/Disabling the Devices Telnet Server)
who
Displays information about currently logged on users. (see
Displaying Current Telnet Connections)
session
Displays your current Telnet session-index to the device (see
Displaying the Current Telnet-Session Index)
session kill
Terminates a specified Telnet/SSH session to the device (see
Terminating a Telnet Connection)

Page 17

Connecting a Remote Host via a Telnet Client
The telnet command initiates a Telnet connection to a specified remote host.
For more information about the Telnet log output, refer to the ConfiguringSystemLoggingchapter of
this User Guide.
Command Syntax
device-name#telnet A.B.C.D [<port-num>]
A.B.C.D
The remote hosts IP address
port-num
(Optional) specifies a port number for the service, in the range of
<165535>
port 23
Enabling/Disabling the Devices Telnet Server
The telnet command enables or disables the devices internal Telnet server, allowing/ disallowing
remote PCs to access the device.
Command Syntax
device-name(config)#telnet {start | stop}
start
Enables the Telnet server, allowing remote hosts to connect the device via
Telnet
Telnet server is enabled
stop
Disables the Telnet server. Executing this command terminates any open
Telnet connections immediately.


Page 18

Displaying Current Telnet Connections
The who command displays information about Telnet clients that are currently logged on to the
device.
CLI Modes: View and Privileged (Enable)
Command Syntax
device-name>who
device-name#who
Example
device-name#who
Codes: > - cur r ent sessi on, * - conf i gur i ng
vt y on consol e connect ed on consol e.
>vt y on t el net [ 1] connect ed f r om10. 2. 71. 137.
Displaying the Current Telnet-Session Index
The session command displays your current Telnet session-index to the device.
Command Syntax
device-name#session
Example
device-name#session
your cur r ent sessi on i s: 2

Page 19

Terminating a Telnet Connection
The session kill command terminates a specified Telent/ SSH session to the device. Before
executing the command, BiNOS checks if the session number is not the master sessions number
(the VTY from which other sessions originate). If the result is negative, the command closes the
specified session to the remote host.
The CLI displays a notification in case the session terminates.
Command Syntax
device-name#session kill <session-number>
session-number
The Telnet session number, in the range of <1101>

Page 20

Virtual Terminal (VTY)
VTY is a logical conneciton used for controlling inbound Telnet/ SSH/ console connections.
BiNOS supports up to five concurrent VTY sessions (numbered VTY 15).
Switching Between VTY Sessions
To switch between sessions initiated from the same VTY terminal type:
<Ctrl+Shift+6>
or
<Ctrl+]>
Example
device-name#telnet 192.0.103.13

connect i ng t o 192. 0. 103. 13. . .

cur r ent sessi on i s 4.
. . .
device-name(config)#<ctrl+shift+6>
choose sessi on t o devi ce t o:
t he cur r ent sessi on i s 4
your sessi ons ar e 0 4 > 0

cur r ent sessi on i s 0.

Page 21

The VTY Step by Step Configuration
To configure VTY, follow the below steps:
12. Enter the VTY Configuration mode (see AccessingtheVTY ConfigurationMode).
13. Optional configurations:
Configure the device name (see ConfiguringtheDeviceName)
Configure the VTY connection timeout (see DefiningtheVTY ConnectionTimeout)
Create access control lists (ACL) to restrict/ filter Telnet and SSH connections to the
device and apply them to VTY (see CreatingACLsfor RestrictingTelnet andSSH Accesstothe
Deviceand ApplyingACLsfor FilteringTelnet/ SSH Connections)
Define the number of command lines displayed on the terminal screen (see Definingthe
Terminal Length)
Enable advanced mode VTY (see EnablingtheAdvancedVTY Mode)

Page 22

VTY Configuration Commands
Table 4: VTY Configuration Commands
Command Description
line vty
Enters the VTY Configuration mode (see Accessing the VTY
Configuration Mode)
hostname
Configures the devices hostname (see Configuring the Device
Name)
exec-timeout
Defines the VTY connection timeout (see Defining the VTY
Connection Timeout)
access-list
Creates ACLs to restrict device management for specific IP
addresses (see Creating ACLs for Restricting Telnet and SSH
Access to the Device)
access-class
Filters Telnet and SSH connections to the device (see
Applying ACLs for Filtering Telnet/SSH Connections)
terminal length
service terminal-length
Defines the number of commands lines displayed on the
terminal screen (see Defining the Terminal Length)
service advanced-vty
Enables the advanced VTY mode (see Enabling the Advanced
VTY Mode)
show access-lists
Displays the applied VTY ACLs (see Displaying Applied ACLs)
Accessing the VTY Configuration Mode
The line vty command enters the VTY Configuration mode.
Command Syntax
device-name(config)#line vty
device-name(config-vty)#

Page 23

Configuring the Device Name
The hostname command specifies the name of the device (the name displayed at the prompt line).
Command Syntax
device-name(config)#hostname HOSTNAME
device-name(config)#no hostname
HOSTNAME
An alphanumeric, case sensitive string of up to 30 characters (the string
must follow ARPANET rules for host names)
T-Marc
no
Restores the default device name
Example
device-name(config)#hostname Demarc1
Demarc1(config)#
Defining the VTY Connection Timeout
The exec-timeout command defines the VTY connection timeout value. The VTY connection to
the device is terminated, if the session is not active for this period of time.
Executing this command without any arguments, displays the defined VTY connection-timeout.
CLI Mode: VTY Configuration
Command Syntax
device-name(config-vty)#exec-timeout [<minutes> [<seconds>] | unlimited]
device-name(config-vty)#no exec-timeout
minutes
(Optional) the timeout, in the range of <035791>minutes (setting a
zero timeout means no timeout)
10 minutes
seconds
(Optional) the timeout value in the range of <059>seconds
unlimited
(Optional) unlimited timeout value
no
Sets an unlimited timeout value


Page 24

Example
device-name(config-vty)#exec-timeout 3
device-name(config-vty)#exec-timeout
exec- t i meout 3 mi n 0 sec
Creating ACLs for Restricting Telnet and SSH Access to the
Device
The access-list command creates ACLs to restrict the device management to specific IP
addresses. For more information about ACLs, refer to the ConfiguringAccessControl List (ACL)
chapter of this User Guide.
Command Syntax
device-name(config)#access-list <ACL-NAME> {deny | permit} {any | SOURCE-MASK
[exact-match]}
device-name(config)#no access-list <ACL-NAME> [deny | permit] [any | SOURCE-
MASK [exact-match]]
ACL-NAME
The ACL name
deny
Denies access if conditions are matched
permit
Permits access if conditions are matched
any
The ACL is relevant to any source address
SOURCE-MASK
The management source mask-bits. You can specify the source mask in one
of the below options:
An IP address format, place ones (1) in the bit positions that should be
ignored
/M (the IP mask in the range of <130>)
exact-match
(Optional) prefixes exact matching
no
Clears the specified ACL
Example
device-name(config)#access-list batm1 deny 192.98.0.0/16
device-name(config)#access-list batm2 permit 192.0.0.0/8

Page 25

Applying ACLs for Filtering Telnet/SSH Connections
The access-class command applies the defined ACLs (see above) to filter Telnet and SSH
connections to the device.
CLI Mode: VTY Configuration
Command Syntax
device-name(config-vty)#access-class ACL-NAME
device-name(config-vty)#no access-class [ACL-NAME]
ACL-NAME
Restricts the Telnet connections to the addresses specified in the ACL
no
Removes access restrictions. If you do not specify an ACL-NAME, this
command removes all access classes
Defining the Terminal Length
The terminal length command defines the number of command lines displayed on the terminal
screen (applied to all VTY interfaces).
CLI Mode: View and Privileged (Enable)
You can also use the service terminal-length command to define the number of command
lines.
Command Syntax
device-name>terminal length <number-of-lines>
device-name>no terminal length

device-name#terminal length <number-of-lines>
device-name#no terminal length

device-name(config)#service terminal-length <number-of-lines>
device-name(config)#no service terminal-length
number-of-lines
The number of lines displayed, in the range of <0512>
A value of zero removes the limit.
25 lines
no
Restores to default

Page 26

Enabling the Advanced VTY Mode
The advanced VTY mode skips the CLI View mode when connecting to the device and moves
directly to the Privileged mode
The service advanced-vty command enables advanced VTY mode.
To access the device View mode, type the disable command in Privileged mode.
Command Syntax
device-name(config)#service advanced-vty
device-name(config)#no service advanced-vty
no
Disables the advanced VTY mode
VTY mode is disabled
Example
device-name(config)#service advanced-vty
...
Password:
device-name#
Displaying Applied ACLs
The show access-lists command displays the applied filtering ACLs.
Command Syntax
device-name#show access-lists
Example
device-name(config)#access-list batm1 deny 192.98.0.0/16
device-name(config)#access-list batm2 permit 192.0.0.0/8

device-name#show ip access-lists
access- l i st batm1 deny 192. 98. 0. 0/ 16
access- l i st batm2 per mi t 192. 0. 0. 0/ 8

Page 27

Configuration Example
The following example shows how to restrict Telnet connections to one IP address:

Figure 3: A Telnet Server Example
1. Create an access list named Management to allow a Telnet connection only to management
station 212.192.50.2:
device-name(config)#access-list Management permit 212.192.50.2/32
2. Enter the VTY Configuration mode:
device-name(config)#line vty
3. Apply access list Management to the VTY:
device-name(config-vty)#access-class Management
4. Set the VTY timeout to one hour:
device-name(config-vty)#exec-timeout 60
device-name(config-vty)#end
5. Display the current open sessions to the device:
device-name#who
Codes: > - cur r ent sessi on, * - conf i gur i ng
vt y on consol e connect ed on consol e.
>vt y on t el net [ 1] connect ed f r om212. 192. 50. 2.

Page 28

Creating a Login Banner/Message-of-the-Day
(MOTD)
The MOTD (or login banner) is the text appearing on the terminal when initiating a Telnet session
or console connection to the device.
The MOTD is displayed before the User Access Verification and is useful for displaying messages
that affect all network users (such as impending a system shutdown).
MOTD Configuration Commands
NOTE
These commands take effect only after reloading the device.
Table 5: MOTD Commands
Command Description
banner motd default
Enables the default MOTD string display (see Enabling/Disabling
the Default-MOTD)
banner set
Enters a specified string to a single-line MOTD (see Configuring a
Single-line MOTD)
banner set multiline
Enters a specified string to multi-line MOTD (see Configuring a
Multi-line MOTD)
Enabling/Disabling the Default-MOTD Display
The banner motd default command enables the default MOTD Hello, thisisOS CLI..
Command Syntax
device-name(config)#banner motd default
device-name(config)#no banner
no
Disables the default banner
MOTD is disabled


Page 29

Example
device-name(config)#banner motd default
device-name#write
Bui l di ng t he conf i gur at i on
Conf i gur at i on i s successf ul l y wr i t t en t o NVRAM
device-name#reload no-save

. . .
Hel l o, t hi s i s OS CLI

User Access Ver i f i cat i on

Passwor d:
Configuring a Single-line MOTD
The banner set command configures a user-defined single-line MOTD.
Command Syntax
device-name(config)#banner set MOTD-STRING
MOTD-STRING
An alphanumeric string of up to 1024 characters, including blank
spaces and other characters except for a question mark (?)
no
Removes the configured MOTD
Example
device-name(config)#banner set DO NOT CHANGE CONFIGURATION WITHOUT NOTICING THE
SYSADMIN!
device-name#write


. . .

DO NOT CHANGE CONFI GURATI ON WI THOUT NOTI CI NG THE SYSADMI N!

Passwor d:

Page 30

Configuring a Multi-line MOTD
The banner set multiline command configures a user-defined multi-line MOTD. End the
multi-line MOTD with the caret (^) character.
Command Syntax
device-name(config)#banner set multiline
> MOTD-STRING
> MOTD-STRING
An alphanumeric string of up to 1024 characters, including blank
spaces and other characters except for a question mark (?).
Type the caret (^) character on the last line to end the multi-line MOTD.
no
Removes the banner
Example
device-name(config)#banner set multiline
%Ent er a mul t i l i ne t ext . Fi ni sh wi t h ' ^' st r i ng at t he begi nni ng of a r ow
>t hi s i s
>mul t i - l i ne
>t ext
^

device-name#write

. . .

t hi s i s
mul t i - l i ne
t ext

Page 31

Saving and Displaying the Device Configuration
The device configuration is stored in the start-up configuration in NVRAM.
Any configuration changes are stored first on the running configuraiton, in RAM. These changes
are erased when the device shuts down. To save these configuration changes, you have to save
these changes in the startup configuration.
Saving, Erasing, and Displaying Configuration
Commands
Table 6: Saving, Erasing, and Displaying the Device Configuration Commands
Command Description
write memory
Saves the running configuration to the NVRAM (see Saving the Devices
Running Configuration)
write erase
Restoring the device configuration to factory defaults, erasing the
configuration stored on the NVRAM (see Restoring Factory Defaults
Configuration)
write terminal
show running-
config
Displays the current running configuration information (see Displaying
the Devices Running Configuration)
show startup-
config
Displays the startup configuration (see Displaying the Devices Start-up
Configuration)
Saving the Devices Running Configuration
The write and write memory commands save the running configuration to the startup
configuration (NVRAM).
These commands are equivalent to the copy running-config startup-config command (see
the DeviceAdministrationchapter of this User Guide).
Command Syntax
device-name#write [memory]

Page 32

Restoring Factory Defaults Configuration
The write erase command erases the device startup configuration and restores the device to
factory defaults.
This command is like the reload-to-default command (see ReloadingtheDevice), however it does
not reset the device.
Command Syntax
device-name#write erase
Displaying the Devices Running Configuration
The write terminal and the show running-config commands display the delta between the
deivces running configuration and factory default-values.
Use the relevant command argument to view the Running Configuration for a specific feature.
Command Syntax
device-name#write terminal
device-name#show running-config [acl | cfm | dns | fpga | igmp | lag | log |
monitor-session | oam | port | protocol | ptp | qos | rmon | rtr | saa | snmp |
super-vlan | sw-watchdog | switch-monitoring | time-server | vlan]
Example 1
device-name#write terminal
! Cur r ent Conf i gur at i on:
!
! T- Mar c 380
!
passwor d 3090372e3f 8bc00eeacc46219f 7557485983251a994551f 918e04712f 86c5818
i p addr ess 3. 0. 0. 1 255. 0. 0. 0 .
Example 3
device-name#show running-config port
! Por t Conf i gur at i on:
!
!
!

Page 33

!
!
!
!
!
!
!

. . .
Displaying the Devices Start-up Configuration
The show startup-config command displays the devices startup configuration.
Command Syntax
device-name#show startup-config

Page 34

Reloading the Device
When reloading (restarting/ rebooting) the device, you can select one of the below options:
Reload the device, with or without saving the running configuration
Reload the device with factory-default configuration
The reload command ceases the devices operation and reloads it.

NOTE
The devices running configuration stored on the device RAM is erased upon the
device reload, unless you save it to the devices startup configuration.
To save the running configuration, refer to Saving the Devices Running
Configuration.

Command Syntax
device-name#reload [save | no-save | to-defaults]
save
(Optional) saves the running configuration to NVRAM and reloads the
device
save
no-save
(Optional) does not save the running configuration to NVRAM and reloads
the device
to-defaults
(Optional) reloads the device and resets the device configuration to its
factory defaults
Example 1
Saving the running configuration and reloading the device (the save keyword is optional):
device-name#reload save
save cur r ent conf i gur at i on and r eboot t he swi t ch ? [ y/ n] : y
Reboot i ng . . .
Example 2
Reloading the device without saving the running configuration:
Pr oceed wi t h r el oad ? [ y/ n] : y
Reboot i ng . . .

Page 35

Supported Platforms
Features T-Marc 340 T-Marc 380
Accessing the Device using Telnet + +
VTY (Virtual Telnet Type) Commands + +
Configuring ACLs + +
Creating a Banner + +
Saving and Displaying the Device Configuration + +
How to Reload the Device + +
Supported Standards, MIBs and RFCs
Features Standards MIBs RFCs
Accessing the Device
using Telnet
No standards are
supported by this
feature.
No MIBs are
supported by this
feature.
RFC 854, Telnet
Protocol Specification
VTY (Virtual Telnet
Type) Commands
No standards are
supported by this
feature.
No MIBs are
supported by this
feature.
RFC 791, Internet
Protocol DARPA
Internet Program
Protocol
Specifications
Configuring ACLs No standards are
supported by this
feature.
Private MIB,
prvt_switch_access_li
st.mib
No RFCs are
supported by this
feature.
Creating a Banner No standards are
supported by this
feature.
No MIBs are
supported by this
feature.
RFC 791, Internet
Protocol DARPA
Internet Program
Protocol
Specifications
Saving and Displaying
the Device
Configuration
No standards are
supported by this
feature.
No MIBs are
supported by this
feature.
RFC 1350, The TFTP
Protocol (Revision 2)
How to Reload the
Device
No standards are
supported by this
feature.
No MIBs are
supported by this
feature.
RFC 1350, The TFTP
Protocol (Revision 2)

Page 1
Device Administration (Rev. 11)

Device Administration
Table of Figures 3
Features Included in this Chapter 4
MAC Address Table (FDB) 5
Overview 5
The MAC Address Table Default Configuration 7
The MAC Address Table Step by Step Configuration 7
The MAC Address Table Configuration Commands 8
ARP Table21
Overview21
Configuring the ARP Table21
Script Files System23
Overview23
The Script Files System Default Configuration23
The Script Files System Configuration Commands24
File System33
Overview33
The File System Default Folders33
The File System Commands34
Modifying the Default Configuration41
Default Configuration Commands41
Zero-Touch Configuration44
Overview44
Zero-touch Configuration Default Configuration44
Zero-touch Configuration Commands45
Software Upgrade and Boot Options50
Preparing to Download a BiNOS Software Image Using TFTP/ FTP Connection50
Downloading the BiNOS Software Image51
Commands for Upgrading Software Images52

Page 2

Downloading and Uploading Configuration Files60
Boot Loader66
Overview66
The Device Loader's Default Configuration67
The Loader Commands67
System Time and Date82
Daytime Protocol82
Time Protocol82
Summer Time (Daylight saving time)82
Network Time Protocol83
1588v2 Precision Time Protocol (PTP) 83
System Time and Date Default Configuration83
1588v2 PTP Default Configuration83
System Time and Date Configuration Flow85
System Time and Date Configuration Commands86
1588v2 PTP Configuration Flow96
1588v2 PTP Configuration Commands97
Configuration Example 104
DHCP Client 105
Overview 105
When Should Clients Use DHCP 106
The DHCP Client Default Configuration 107
The DHCP Client Configuration Flow 107
DHCP Client Configuration Commands 108
Controlling the Packet Rate112
Overview 112
Packet-Rate Thresholds' Default Configuration 113
The Packet-Rate Thresholds' Commands 113
Control Plane Priority per Protocol116


Page 3

Table of Figures
Figure 1: Obtaining an IP Address from a DHCP Server 106
Figure 2: Rate Limit Mechanism 112


Page 4

Features Included in this Chapter
This chapter describes how to perform operations to administer your T-Marc 300 Series devices.
This chapter consists of these sections:
MAC AddressTable(FDB)
The MAC address table contains address information that the device uses to forward
traffic between ports. The T-Marc 300 Series devices maintain a database of MAC
addresses; both manually configured (static) and dynamically learned entries. During
troubleshooting, it may be helpful to investigate the entries in the MAC address table.
ARP Table
ARP table is another table that is supported on your device. It provides IP
communication within a Layer 2 broadcast domain by mapping an IP address to a MAC
address.
Zero-TouchConfiguration
Zero configuration networking allows inexpert users to connect network devices and
expect a functioning network to be established automatically.
Script FilesSystem, FileSystem, SoftwareUpgradeandBoot Options, Boot Loader, and Modifyingthe
Default Configuration
These sections describe some fundamental tasks you perform to maintain the
configuration files and system images used by your T-Marc 300 Series devices.
SystemTimeandDate
You can manage the system time and date on your device using automatic configuration,
such as the Network Time Protocol (NTP), or manual configuration methods. NTP
allows the synchronization of device clocks over TCP/ IP networks. Having a common
view of time on the network makes many things easier, from correlating log files from
different devices to keeping file timestamps consistent.
DHCP Client
The main advantage of dynamically assigning IP addresses using Dynamic Host
Configuration Protocol (DHCP) is that it allows such addresses to be reused, thereby
greatly increasing the total number of devices that can use the Internet.
ControllingthePacket Rate
The ability to control the CPU resource allows you to protect the device from denial-of-
service attacks and to prevent excessive traffic to the CPU.


Page 5

MAC Address Table (FDB)
Overview
The MAC (Media Access Control) address is the unique hardware number that identifies the
computer on a local area network (LAN) or other network.
MAC addresses are 12-digit hexadecimal numbers (48 bits in length) in the following format:
MM:MM:MM:SS:SS:SS
Whereas MAC addressing works at the data link layer (layer 2), IP addressing functions at the
network layer (layer 3). MAC addresses are also known as hardwareor physical addresses.
The MAC Address table holds the source MAC address, VLAN ID, MAC address priority and
port number.
MAC Address Table Entry Types
The following entry types can exist in the MAC address table:
Dynamic entriesto learn a dynamic entry, the device examines packets to determine the
source MAC address, VLAN, and port information. Initially, all entries in the database are
dynamic, except for certain entries created by the device.
Dynamic entries are flushed and updated when any of the following occurs:
A VLAN is removed
A VLAN ID is changed
A port mode is changed (tagged/ untagged)
A port is removed from a VLAN
A port is disabled
A port QoS setting is changed
A port goes down
A new dynamic entry is created when the device identifies a source MAC address that
does not yet have an entry in the MAC address table. Dynamic entries are deleted from
the database if the device is reset or a power off/ on occurs.
Static entriespermanent entries are retained in the database if the device is reset or a power
off/ on cycle occurs. A permanent entry can either be a unicast or multicast MAC address.
These entries are created through the CLI.
Secure entriesa secure entry is configured to a secured port to allow only secured MAC
address to be learned by this port.
Self entriesa self entry is automatically created by the device software for various reasons.
Filtered entriesa filtered entry can be created in two ways. One way is to configure filter
entry statically for blocking the traffic from and to specific MAC address on the device. The
second way is to use the Port/ VLAN Security or the Port Limit feature. The MAC addresses
in the filtered entries are the MAC addresses that caused security violation.

Page 6

Multicast entriesMulticast entries are multicast MAC addresses that were created dynamically
by multicast protocol. The multicast entry is removed via the mac-address-table command,
multicast entries are added via the ip igmp snooping dynamic/static command.
For more information refer to the ConfiguringMulticast Layer 2 chapter of this User Guide.

NOTE
Only the dynamic MAC addresses age out.
You can remove MAC addresses (except Self) from the MAC Address table by using
one of the cl ear macaddr ess- t abl e commands.
Adding Entries to a MAC Address Table
Entries can be added to the MAC address table in the following two ways:
The device can learn entries by examining packets it receives. The system updates its MAC
Address table with the source MAC address from a packet, the VLAN, and the port identifier
on which the source packet is received. You can also limit the number of addresses that can be
learned on a port, or you can shut down the current port and prevent additional MAC address
learning.
You can enter and update entries using the command-line interface (CLI).

Page 7

The MAC Address Table Default Configuration
Table 1: MAC Address Table Default Configuration
Feature Default Value
MAC address aging time 300 seconds
New MAC address learning Enabled
Displaying the learned MAC addresses Enabled
The MAC Address Table Step by Step Configuration
1. Add a static, dynamic or secure entry to the MAC address table (see Addinga NewEntry)
or
2. Add a filtered entry to the MAC address table (see Addinga FilteredEntry)
Configure the MAC address table aging time (see ConfiguringtheMAC AddressTableAging
Time)
Configure learning of new MAC addresses globally (see ConfiguringMAC AddressesLearning
Globally)
Configure learning of new MAC addresses on a port (see ConfiguringMAC Addresses
Learningper Port)
4. Delete a specific entry from the MAC address table (see Clearinga MAC AddressTable)
5. Display entries from the MAC address table (see DisplayingMAC AddressTableEntries)

Page 8

The MAC Address Table Configuration Commands
Table 2: MAC Address Table Commands
Command Description
mac-address-table
Adds a static, dynamic or secure entry to the MAC
address table (see Adding a New Entry)
mac-address-table filtered
Adds a filtered entry to the MAC address table
(see Adding a Filtered Entry)

Table 3: MAC Address Table Optional Commands
Command Description
mac-address-table aging-
time
Configures the MAC address table aging time
(see Configuring the MAC Address Table Aging Time)
learning new-address
Configures learning of new MAC addresses globally (see
Configuring MAC Addresses Learning Globally)
port learning new-address
Enables/disables learning of new MAC addresses on a
port (see Configuring MAC Addresses Learning per Port)

Table 4: Clear MAC Address Table Commands
Command Description
clear mac-address-table
no mac-address-table
Clears a specific entry from the MAC address table
(see Clearing a MAC Address Table)

Table 5: MAC Address Table Display Commands
Command Description
show mac-address-table
Displays the MAC address table contents
(see Displaying MAC Address Table Entries)
mac-address-table learning-
display
Enables/disables displaying the MAC addresses, learned
on a specific list of interfaces or on a list of VLANs (see
Displaying/Hiding MAC Addresses)
aging-time
Displays the MAC address table aging time
(see Displaying the MAC Address Table Aging Time)
hash-depth
Displays the length of the MAC address table hash chain
(see Displaying the Length of the MAC Address Hash
Chain)


Page 9

Adding a New Entry
The mac-address-table command adds a static, dynamic or secure entry to the MAC address
table.
Command Syntax
device-name(config)#mac-address-table {static | dynamic | secure}
HH:HH:HH:HH:HH:HH interface {UU/SS/PP | ag0N} vlan <vlan-id>

device-name(config)#no mac-address-table {static | dynamic | secure}
HH:HH:HH:HH:HH:HH [interface {UU/SS/PP | ag0N} | vlan <vlan-id>]

device-name(config)#mac-address-table {static | dynamic | secure}
HH:HH:HH:HH:HH:HH {service <service ID> [sap SAPSTRING | sdp SDPSTRING]
[interface UU/SS/PP vlan <vlan-id> [priority <0-7>]}

device-name(config)#no mac-address-table {static | dynamic | secure}
HH:HH:HH:HH:HH:HH [service <service ID> [sap SAPSTRING | sdp SDPSTRING]]
[vlan <vlan-id>] [interface UU/SS/PP]
static
Adds a static entry.
dynamic
Adds a dynamic entry.
secure
Adds a secure entry for the secured port feature.
HH:HH:HH:HH:HH:HH
Destination MAC address to be added to the MAC Address table.
Packets with this destination address received on a specific VLAN
are forwarded to the specified interface.
UU/SS/PP
Port to which the received packets are forwarded.
ag0N
The link aggregation ID (ag01, ag04ag07). The allowed ID is in
the range of <17>.
vlan <vlan-id>
Specifies a VLAN for which the packet with the desired MAC
address is received. The VLAN ID is in the range <24094>.
service <service ID>
The service unique service identifier, in the range <1
4294967295>.
sap SAPSTRING
The SAPSTRING has the forms:
UU/SS/PP:CVLANID:use it if you configure the SAP on a
port
AG0N:CVLANID:use it if you configure the SAP on a link
aggregation
The C-VLAN ID is in the range of <14094>

Page 10

sdp SDPSTRING
The SDPSTRING has the forms:
UU/SS/PP:SVLANID:use it if you configure the SDP on a
port
AG0N:SVLANID:use it if you configure the SDP on a link
aggregation
The S-VLAN ID is in the range of <14094>
priority <0-7>
(Optional) specifies the priority range
no
Removes entries from the MAC address table.
Adding a Filtered Entry
The mac-address-table filtered command adds a filtered entry to the MAC address table.
The filtered entry in the MAC address table is known as dangerous. This entry is denied as source and
as destination for each incoming and outgoing packet on the specified VLAN.
Command Syntax
device-name(config)#mac-address-table filtered HH:HH:HH:HH:HH:HH vlan <vlan-
id>
device-name(config)#no mac-address-table filtered HH:HH:HH:HH:HH:HH [interface
UU/SS/PP | vlan <vlan-id>]
HH:HH:HH:HH:HH:HH
Destination MAC address to be filtered. Packets with this destination
address received on the specified VLAN are filtered.
vlan <vlan-id>
Specifies the VLAN for which the packet with the specified MAC
address is filtered. The valid range is <24094>.
UU/SS/PP
The interface's unit/slot/port.
no
Removes entries from the MAC address table.
Example
device-name(config)#mac-address-table filtered 00:A0:12:02:03:04 vlan 2496

Page 11

Configuring the MAC Address Table Aging Time
The mac-address-table aging-time command configures the length of time that a dynamic
entry can remain in the MAC address table from the time the entry was used or last updated.

NOTE
The actual aging time period of the MAC address table may be any time period
between the specified value and twice the specified value.
By default, the aging-time value is 300 seconds.
Command Syntax
device-name(config)#mac-address-table aging-time <time>
device-name(config)#no mac-address-table aging-time
time
Specifies how many seconds the address of a learned device remains on the
list of stations connected to your device. The address is removed from the list of
stations if no frame is received from that device during the aging time interval.
If the value assigned to the aging time is too short, this may increase the
amount of packets received by the device with unknown destinations and cause
the device to flood such packets to all ports in the VLAN. If the value assigned
to the aging time is too long, the MAC Address table may be loaded with
addresses that are no longer in use.
MAC address table aging time is in the range <101000000>seconds.
no
Restores to default
Example
The following example sets the MAC Address aging time to 1500 seconds (25 minutes):
device-name(config)#mac-address-table aging-time 1500

Page 12

Configuring MAC Addresses Learning Globally
The learning new-address command configures learning of new MAC addresses globally.
By default, the learning is enabled.
NOTE
When learning new-address is disabled per port or globally, the following features
will not work correctly:
Port limit
Port security
Command Syntax
device-name(config)#learning new-address {enable | disable}
enable
Enables new MAC address learning.
disable
Disables new MAC address learning. When learning is disabled, no new MAC
addresses will be learned in the MAC address table and the unicast traffic will
be flooded to all the relevant ports (depending on the VLAN configuration).
Configuring MAC Addresses Learning per Port
The port learning new-address command enables/ disables learning new MAC addresses on a
port.
CLI Mode: Interface Configuration, Range Interface Configuration, LAG Range Interface
Configuration, and LAG Interface Configuration
When MAC address learning is disabled, no new MAC addresses are learned in the MAC address
table on the selected port.
The unicast traffic that is destined to devices connected to this port is flooded to the relevant ports.
By default, the learning is enabled.

NOTE
For the port limit feature to function correctly, enable first learning new-address per
port or globally.


Page 13

Command Syntax
device-name(config-if UU/SS/PP)#port learning new-address {enable | disable}

device-name(config-if-group)#port learning new-address {enable | disable}

device-name(config-ag-group)#port learning new-address {enable | disable}

device-name(config-if AG0N)#port learning new-address {enable | disable}
enable
Enables the MAC address learning.
disable
Disables the MAC address learning.
Example 1
device-name(config)#interface range 1/1/1
device-name(config-if-group)#port learning new-address enable
Example 2
device-name(config)#interface range ag01
device-name(config-ag-group)#port learning new-address disable
Clearing a MAC Address Table Entry
Clear a specific MAC address entry on a particular port, or on a particular VLAN from the MAC
address table with:
clear mac-address-table command
no mac-address-table command
Command Syntax
device-name#clear mac-address-table [dynamic | filtered | secure | static]
service <service ID> [sap SAPSTRING | sdp SDPSTRING]

device-name#clear mac-address-table [[dynamic | filtered | secure | static]
[address HH:HH:HH:HH:HH:HH] [vlan <vlan-id>] [interface UU/SS/PP]]

device-name#clear mac-address-table multicast [address HH:HH:HH:HH:HH:HH]
[vlan <vlan-id>]

device-name(config)#no mac-address-table {dynamic | filtered | secure | static
| multicast} address HH:HH:HH:HH:HH:HH [service <service ID> [sap SAPSTRING |
sdp SDPSTRING]] [vlan <vlan-id>][interface UU/SS/PP]

Page 14

dynamic
(Optional). Only dynamic MAC address(es) are cleared.
filtered
(Optional). Only filtered MAC address(es) are cleared.
secure
(Optional). Only secure MAC address(es) are cleared.
static
(Optional). Only static MAC address(es) are cleared.
multicast
Only multicast MAC address(es) are cleared.
address
HH:HH:HH:HH:HH:HH
(Optional in the clear mac-address-table command). MAC address
to be cleared, if it complies with all other specified arguments.
interface UU/SS/PP
(Optional). Removes the MAC address(es) on the specified
interface.
vlan <vlan-id>
(Optional). Removes the MAC address(es) on the specified VLAN.
The VLAN ID is in the range <24094>.
The service unique service identifier, in the range <14294967295>.
sap SAPSTRING
UU/SS/PP:CVLANID: use it if you configured the SAP on a
port
ag0N:CVLANID:use it if you configured the SAP on a link
aggregation
The C-VLAN ID is in the range of <14094>.
sdp SDPSTRING
UU/SS/PP:SVLANID:use it if you configured the SDP on a
port
ag0N:SVLANID:use it if you configured the SDP on a link
aggregation
The S-VLAN ID is in the range of <14094>.

NOTE
If you do not specify an argument, all MAC addresses are removed (except for the
self entries).

Page 15

Displaying MAC Address Table Entries
The show mac-address-table command displays the MAC address table contents.
Command Syntax
device-name#show mac-address-table [dynamic | filtered | multicast | secure |
static | self] [address HH:HH:HH:HH:HH:HH] [vlan <vlan-id>] [interface
UU/SS/PP]

device-name#show mac-address-table service <service ID> [sap SAPSTRING | sdp
SDPSTRING]

device-name#show mac-address-table count [vlan <vlan-id> interface UU/SS/PP |
interface UU/SS/PP]

device-name#show mac-address-table count [address HH:HH:HH:HH:HH:HH] [service
<service ID> [sap SAPSTRING | sdp SDPSTRING]] [interface UU/SS/PP] [vlan
<vlan-id>]
dynamic
(Optional) information is displayed only about the dynamic MAC
address(es).
filtered
(Optional) information is displayed only about the filtered MAC
address(es).
multicast
(Optional) information is displayed only about the multicast MAC
address(es).
secure
(Optional) information is displayed only about the secure MAC
address(es).
static
(Optional) information is displayed only about the static MAC
address(es).
self
(Optional) information is displayed only about the device MAC
address.
count
Displays the number of MAC addresses in the MAC address table.
The service unique service identifier, in the range <14294967295>.
sap SAPSTRING
UU/SS/PP:CVLANID: use it if you configured the SAP on a
port
ag0N:CVLANID:use it if you configured the SAP on a link
aggregation

Page 16

sdp SDPSTRING
UU/SS/PP:SVLANID:use it if you configured the SDP on a
port
aggregation
The S-VLAN ID is in the range of <14094>.
address
HH:HH:HH:HH:HH:HH
(Optional in the show mac-address-table command) information
is displayed about the specified MAC address, if it complies with all
other specified arguments.
vlan <vlan-id>
(Optional) displays the MAC address(es) on the specified VLAN.
The VLAN ID is in the range <24094>. You can create a maximum
of 255 VLANs in this range.
interface UU/SS/PP
(Optional) displays the MAC address(es) on the specified interface.

NOTE
If you do not specify any argument, the show macaddr ess- t abl e command
displays the entire MAC address table.
Example
Display the entire MAC address table:
device-name#show mac-address-table
===+=======+===================+========+================+==========|
# | VI D | Mac | PORT | STATUS | PRI ORI TY |
- - - +- - - - - - - +- - - - - - - - - - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - - - - +- - - - - - - - - - +
1 | 0001 | 00: 00: 00: 00: 11: 22 | 1/ 1/ 1 | st at i c | 0 |
2 | 0001 | 00: 40: 95: 30: 0e: 8f | 1/ 1/ 2 | dynami c | 0 |
3 | 0001 | 00: A0: 12: 05: 36: 80 | | sel f | 0 |
4 | 0001 | 01: 00: 5e: 11: 22: 33 | | mul t i cast | 0 |
5 | 0001 | 01: 00: 5e: 11: 22: 44 | | mul t i cast | 0 |
6 | 0001 | 01: 00: 5e: 11: 22: 55 | | mul t i cast | 0 |
Displaying/Hiding MAC Addresses
The mac-address-table learning-display command enables/ disables displaying the MAC
addresses, learned on a specific list of interfaces or on a list of VLANs.
By default, displaying the learned MAC addresses is enabled.
Command Syntax
device-name(config)#mac-address-table learning-display interfaces PORT LIST
device-name(config)#no mac-address-table learning-display interfaces PORT LIST

device-name(config)#mac-address-table learning-display vlan VLAN LIST
device-name(config)#no mac-address-table learning-display vlan VLAN LIST

device-name(config)#mac-address-table learning-display interface UU/SS/PP vlan
<vlan-id>

Page 17

device-name(config)#no mac-address-table learning-display interface UU/SS/PP
vlan <vlan-id>
vlan VLAN LIST
List of source VLAN IDs. Use commas as separators and hyphens
to indicate sub-ranges (e.g. 24,8). The VLAN IDs are in the range
<24094>.
interface PORT LIST
Port list, in the form u[[/s[/p]]][-u[[/s[/p]]][,u[[/s[/p]]]]], etc.
Use commas as separators and hyphens to indicate sub-ranges
(for example, 1/1/1,1/2/11/2/3). Blank spaces are not allowed.
vlan <vlan-id>
Specifies the VLAN for which enables or disables displaying the
learned MAC addresses. The VLAN ID is in the range <24094>.
interface UU/SS/PP
Specifies the interface for which enables or disables displaying the
learned MAC addresses.
no
Hides the MAC addresses that are learned on the selected
interfaces or VLAN.
Example 1
The following example shows the command that hides the MAC addresses that are learned on
interface 1/ 1/ 1:
===+========+====================+==========+===========+==========
# | VI D | Mac | PORT | STATUS | PRI ORI TY|
- - - +- - - - - - - - +- - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - +
1 | 0001 | 00: 80: 00: 00: 03: 01 | 1/ 1/ 1 | dynami c | 0 |
2 | 0001 | 00: 80: 1e: 15: 60: 76 | 1/ 1/ 1 | dynami c | 0 |
3 | 0001 | 00: A0: 12: 00: 00: 02 | | sel f | 0 |
4 | 0010 | 00: A0: 12: 00: 00: 02 | | sel f | 0 |

device-name(config)#no mac-address-table learning-display interface 1/1/1
device-name(config)#exit
===+========+======================+========+=========+===========
- - - +- - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - +- - - - - - - - +- - - - - - - - - +- - - - - - - - - - +
1 | 0001 | 00: A0: 12: 00: 00: 02 | | sel f | 0 |
2 | 0010 | 00: A0: 12: 00: 00: 02 | | sel f | 0 |

Page 18

Example 2
The following example shows the command that hides the MAC addresses that are learned on
VLANs 1 to 9:
===+========+======================+========+===========+===========
- - - +- - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +
1 | 0001 | 00: 80: 00: 00: 03: 01 | 1/ 1/ 1 | dynami c | 0 |
2 | 0001 | 00: 80: 1e: 15: 60: 76 | 1/ 1/ 1 | dynami c | 0 |
3 | 0001 | 00: A0: 12: 00: 00: 02 | | sel f | 0 |
4 | 0010 | 00: A0: 12: 00: 00: 02 | | sel f | 0 |

device-name(config)#no mac-address-table learning-display vlan 1-9
===+========+=====================+=========+===========+===========
- - - +- - - - - - - - +- - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +
1 | 0001 | 00: A0: 12: 00: 00: 02 | | sel f | 0 |
2 | 0010 | 00: A0: 12: 00: 00: 02 | | sel f | 0 |
Example 3
The following example enables displaying the MAC addresses that are learned on VLANs 1 to 9:
device-name(config)#mac-address-table learning-display vlan 1-9
===+========+======================+=========+==========+===========
- - - +- - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
1 | 0001 | 00: 80: 00: 00: 03: 01 | 1/ 1/ 1 | dynami c | 0 |
2 | 0001 | 00: 80: 1e: 15: 60: 76 | 1/ 1/ 1 | dynami c | 0 |
3 | 0001 | 00: A0: 12: 00: 00: 02 | | sel f | 0 |
4 | 0010 | 00: A0: 12: 00: 00: 02 | | sel f | 0 |

Page 19

Displaying the Length of the MAC Address Hash Chain
The show mac-address-table hash-depth command displays the length of the MAC address
table hash chain.
The length of the MAC address table hash database should be set according to the MAC addresses
available in the network. If the MAC address numbers are randomly distributed, it is recommended
to use the default value.
CLI Mode: Privileged (Enable) and Global Configuration
Command Syntax
device-name#show mac-address-table hash-depth
device-name(config)#mac-address-table hash-depth <value>
device-name(config)#no mac-address-table hash-depth
value
The maximum lookup hash chain length in the range <216>. Only even values
are allowed.
no
Sets default value of the MAC address table hash chain.
Example
device-name#show mac-address-table hash-depth
Max hash chai n l engt h i s 14
Displaying the MAC Address Table Aging Time
The show mac-address-table aging-time command displays the MAC address table aging
time.

Command Syntax
device-name#show mac-address-table aging-time
Example 1
The following example shows how to display the currently configured aging time:
agi ng t i me i s 1500 seconds
Example 2
The following example shows how to display the currently configured noagingtime:

Page 20

agi ng i s of f

Page 21

ARP Table
Overview
ARP table provides mapping between the IP address and the MAC address of the device. It is built
dynamically.
===+==================+=================+========+========+=========+
# | I P Addr ess | MAC | Age( mi n) | i f | Type |
- - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - +- - - - - - - - +- - - - - - - - - +
0 | 10. 0. 0. 10 | 00: 00: 00: 00: 00: 10| 1 | sw0 | St at i c |
When you want to send a packet to a local host, the software looks the IP in the ARP cache. After
finding the IP address, the software gets the MAC address, constructs an Ethernet header with the
correct source/ destination MAC addresses, and sends it.
If the MAC address is not found for a specific IP, the device broadcasts an ARP request to every
host on Ethernet in order to learn it.
Configuring the ARP Table
Table 6: ARP Table Commands
Command Description
clear ip arp
Clears dynamic and static entries learned in the ARP table
(see Clearing the ARP Table)
show ip arp
Displays IP addresses learned by ARP packets
(see Displaying the ARP Table)
Clearing the ARP Table
The clear ip arp command clears entries from the ARP cache.
Command Syntax
device-name#clear ip arp [dynamic | static]
dynamic
(Optional) clears only dynamic learned entries in the ARP table.
static
(Optional) clears only the static learned entries in the ARP table.


Page 22

Displaying the ARP Table
The show ip arp command displays the ARP cache.

NOTE
You can store static MAC entries if implementing a static CPU cache when using
the i p ar p command. BiNOS first looks up in this static CPU cache before looking
up in the cache containing dynamic MAC entries.
Command Syntax
device-name#show ip arp
Example
device-name#show ip arp
===+==================+=================+========+========+=========+
# | I P Addr ess | MAC | Age( mi n) | i f | Type |
- - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - +- - - - - - - - +- - - - - - - - - +
0 | 10. 0. 0. 10 | 00: 00: 00: 00: 00: 10| 2 | sw0 | Dynami c|

Page 23

Script Files System
Overview
A script file is a text file that includes a sequence of configuration CLI commands.
The script files can be downloaded from the TFTP server, uploaded to the TFTP server, deleted,
renamed or executed. The contents of the script file can also be viewed. There also is the capability
to store running and startup configurations of the device into the file system.
When you run a script file, the current running configuration of the device is merged with the new
settings that are configured by the script file.
Every file in the script-file system has a unique name of maximum 32 characters without blank
spaces.
You can perform the following actions with script files:
Download script files from the TFTP server
Upload script files to the TFTP server
Remove script files from the file system
Rename script files
Run script files
View the contents of script files
The Script Files System Default Configuration
Table 7: Script File System Default Configuration
Startup configuration name startup_config
Running configuration name running_config

Page 24

The Script Files System Configuration Commands
Table 8: Script File System Commands
Command Description
script-file-system
Accesses the Script-file-system Configuration mode
(see Script-file-system Configuration Mode)
copy running-config
Copies the running configuration into the script-file system
(see Copying the Running Configuration)
copy startup-config
Copies the startup configuration into the script-file system
(see Copying the Startup Configuration)
copy
Copies a file (see Copying a File)
run
Executes CLI commands contained in the specified script file (as
a batch file) (see Executing a Script File)
attrib
Specifies file attributes (see Configuring File Attributes)
rename
Renames a specific script file (see Renaming a Script File)
move
Removes a file from its current location and places it at a new
location (see Moving a File)

Table 9: Commands for Removing Script-File System Files
Command Description
del
Removes a specific file from the file system
(see Deleting a Specific File from the Script-file System)

Table 10: Script File System Display Commands
Command Description
display
Displays the textual contents of the specified script file
(see Displaying Script File Textual Contents)
dir
Displays the names and lengths of all script files stored in the file
system (see Displaying the Script-file Name and Length)
show script-file-
system
Displays the names and lengths of all script files stored in the file
system (see Displaying the Script-file Name and Length)
ls
lists the files in Flash memory file system (see Listing Files)
help
Provides description of the interactive help system
(see Describing the Interactive Help System)


Page 25

Script-file-system Configuration Mode
The script-file-system command accesses Script-file-system Configuration mode.
Command Syntax
device-name(config)#script-file-system
device-name(config script-file-system)#
Copying the Running Configuration
The copy running-config command saves a copy of the running configuration into the script-file
system.
CLI Mode: Script-file-system Configuration
Command Syntax
device-name(config script-file-system)#copy running-config [FILE-NAME]
FILE-NAME
(Optional) the name of the destination file, in the script-file system. If no file
name is specified, a default name (running_config.cfg.) is assigned.
Example
device-name(config script-file-system)#copy running-config
bui l di ng t he conf i gur at i on . . .
Savi ng scr i pt f i l e " f l ash: / Usr / r unni ng_conf i g. cf g" t o f i l e syst em. . .
Done
Copying the Startup Configuration
The copy startup-config command saves a copy of the start-up configuration into the script-file
system.

NOTE
To execute this command, the startup configuration should be stored on the device.
Command Syntax
device-name(config script-file-system)#copy startup-config [FILE-NAME]

Page 26

FILE-NAME
(Optional). The name of the destination file, in the script-file system. If no file
name is specified, a default name (startup_config.cfg.) is assigned.
Example
device-name(config script-file-system)#copy startup-config
Savi ng scr i pt f i l e " f l ash: / Usr / st ar t up_conf i g. cf g" t o f i l e syst em. . .
Done
Copying a File
The copy command saves a copy of a file into the script file system.
This command is equivalent to the cp command in all modes.
Command Syntax (for Local Flash system)
device-name(config script-file-system)#copy [[device/]path/]file-name
[[device1/]path1/]file-name1
Command Syntax (for TFTP/FTP Server)
device-name(config script-file-system)#copy
protocol://[user[:pass]@]host[:port]/file-name
protocol1://[user1[:pass1]@]host1[:port1]/file-name1
Command Syntax (for SFTP server)
device-name(config script-file-system)#copy
device/user:pass@host/[path/]file-name
device1/user1:pass1@host1/[path1/]file-name1
device/
(Optional) the device from which the file is copied. It can be a TFTP server
(in format tftp://A.B.C.D ), the local Flash system (in format flash:/), or a
SFTP/FTP server (in format sftp://user:pass@A.B.C.D)
path
(Optional) the path to the location where the file is copied.
protocol,
protocol1
Specifies the protocol type.
user, user1
Optional) specifies the name of the user performing the operation.
pass, pass1

(Optional) specifies the password that authenticates the specified
username. Symbol (@) following the password is required.
For the TFTP server, not need to specify the user, password and port
For the FTP server, no need to specify the port number
host
Specifies the server IP address in A.B.C.D format.

Page 27

port, port1
(Optional) specifies the port number.
file-name
The source file name.
device1/
(Optional) the device to which the file is copied. It can be a TFTP server (in
format tftp://A.B.C.D ), the local Flash system (in format flash:/), or a
path1
file-name1
The destination file name.
Example
The following command copies a file from a TFTP server to the local / Usr directory:
device-name(config script-file-system)#copy tftp://10.0.0.60/test usr/test1
The following command copies a file from the local Flash root directory to a remote TFTP server:
device-name(config script-file-system)#copy flash:/profile.cfg
tftp://10.0.0.60/profile.cfg
Executing a Script File
The run command executes CLI commands contained in the specified script file.
Command Syntax
device-name(config script-file-system)#run FILE-NAME
FILE-NAME
The name of the script file, in the script-file system.
Example
device-name(config script-file-system)#run test1
Execut i ng conf i gur at i on scr i pt
Conf i gur at i on f r omf i l e compl et e
Configuring File Attributes
The attrib command configures file attributes (read-only, archive, system and hidden).
Command Syntax
device-name(config script-file-system)#attrib FILE-NAME

Page 28

FILE-NAME
The name of the file, which attributes must be configured, in the script-file
system.
Example
device-name(config script-file-system)#attrib run1
Read- onl y : -
Hydden : -
Syst em : -
Ar chi ve : -
Renaming a Script File
The rename command renames the specified script file.
This command is equivalent to the rm command in all modes.
Command Syntax
device-name(config script-file-system)#rename [[device/]path/]file-name new-
file-name
device/
(Optional) The device on which the file to be renamed is stored. Can
only be flash:/ (the local Flash system).
path
(Optional) The device and the path to the file to be renamed. The
path should end with the name of the file.
file-name
The original name of the file to be renamed.
new-file-name
The new name assigned to the file.
Moving a File
The move command removes a file from its current location and places it at a new location. The
name of the file can be optionally changed.
This command is equivalent to the mv command in all modes.
Command Syntax (for local Flash system)
device-name(config script-file-system)#move [[device/]path/]file-name
[[device1/]path1/]file-name1

Page 29

device-name(config script-file-system)#move
protocol://[user[:pass]@]host[:port]/file-name
device/
(Optional) the device from which the file is moved. It can be a TFTP/FTP
server (in format tftp://A.B.C.D, or ftp://user:pass@A.B.C.D),, or the local
Flash system (in format flash:/)
path
(Optional) the path to the location where the file is moved.
protocol,
protocol1
user, user1
pass, pass1
host
port, port1
file-name
device1/
(Optional) the device to which the file is moved. It can be a TFTP/FTP
server (in format tftp://A.B.C.D, or ftp://user:pass@A.B.C.D),, or the local
path1
file-name1
Deleting a Specific File from the Script-file System
The del command removes a specific file from the script-file system.

NOTE
The specified file is removed without requesting your confirmation.
Command Syntax for Local Flash System)
device-name(config script-file-system)#del [[device/]path/]file-name
Command Syntax (for SFTP Server)
device-name(config script-file-system)#del device/user:pass@host/[path/]file-
name

Page 30

device/
(Optional) the device from which the file is removed. It can be a SFTP
server (in format sftp://user:pass@A.B.C.D), or the local Flash system (in
format flash:/)
path
(Optional) the path to the location where the file is removed.
user
pass
host
file-name
The name of the file to be removed.
Displaying Script File Textual Contents
The display command displays textual contents of a specified script file.
This command is equivalent to the pwd command.
Command Syntax for Local Flash System)
device-name(config script-file-system)#display [[device/]path/]file-name
[dump] [START]
device/
(Optional) the device from which the file content is displayed. It can be the
Flash local system (in format flash:/)
path
(Optional) the path to the location where the file content is displayed.
file-name
The name of the file which content is displayed.
dump
(Optional) hex format.
START
(Optional) start offset.
Example
device-name(config script-file-system)#display test1
*********** FI LE START *********
! T- Mar c- 380 Ver si on 10. 1. TMC3
!
i p addr ess 1. 0. 0. 1 255. 0. 0. 0
i nt er f ace sw0
!
!
! Techni cal Suppor t I nf or mat i on Conf i gur at i on:
!

Page 31

************ FI LE END **********
Displaying the Script-file Name and Length
Display the names and lengths of all script files stored in the script-file system with:
dir and show script-file-system commands
show script-file-system command
Command Syntax
device-name(config script-file-system)#dir

device-name(config script-file-system)#show script-file-system

device-name>show script-file-system

device-name#show script-file-system
Example 1
device-name(config script-file-system)#dir

Li st i ng Di r ect or y f l ash: / Usr / :
d S 2048 J an 1 1993 01: 04 . /
d 2048 J an 1 1993 00: 00 . . /
- 9017 J an 1 1993 00: 21 t est 1. cf g
- 4220 J an 1 1993 01: 04 r unni ng_conf i g. cf g

Fr ee di sk space 1929216
Example 2
device-name(config script-file-system)#show script-file-system
f l ash: / Usr / .
f l ash: / Usr / . .
f l ash: / Usr / t est 1. cf g
f l ash: / Usr / r unni ng_conf i g. cf g
Listing Files
The ls command lists files in Flash memory file system.
Command Syntax
device-name(config script-file-system)#ls

Page 32

Example
device-name(config script-file-system)#ls
Li st i ng Di r ect or y f l ash: / Usr :
d S 2048 J an 1 1993 00: 59 . /
d 2048 J an 1 1993 00: 00 . . /
- 176 J an 1 1993 03: 18 pr of i l e. cf g
- 5804 J an 1 1993 00: 12 acl . cf g
- 7069 J an 1 1993 00: 29 snmp. cf g

Describing the Interactive Help System
The help command provides description of the interactive help system.
Command Syntax
device-name(config script-file-system)#help

Page 33

File System
Overview
The Flash file system (also called Flash:) provides commands for defining, downloading, and
deleting software images and configuration files stored in a Flash memory. In addition, users can
define the different Loader parameters using the Flash file system.
The File System Default Folders
Table 11: System Directories Default Configuration
Directory Description
\Boot\ Contains all executable applications and firmware
images
\Log\ Stores all logs of the system operation
\Usr\ Contains all configuration scripts of the system
\Etc\ Contains default startup configuration
\Hidden\ Internal settings storage
\J ava\ Not supported

NOTE
The system directories are locked for editing.
Table 12: Default System File Names and Settings
Parameter Default Value
Startup configuration name dflt_startup.cfg
Image name Image.Z
Auto-boot timeout 5 seconds
BiNOS System Loader password batm

Page 34

The File System Commands
Table 13: File System Directories Commands
Command Description
format
Formats the file system and removes its contents
(see Formatting the File System)
mkdir
Creates a new directory (see Creating a New Directory)
rmdir
Deletes a directory (see Deleting a Directory)
dir
Displays the contents of the current directory
(see Displaying the File System Contents)
pwd
Displays the working directory (see Displaying the Working Directory)

Table 14: File Content Management Commands
Command Description
copy
Copies a file from a TFTP server or from the local Flash system to the
specified path (see Copying a File)
rename
Renames a file (see Renaming a File)
move
Removes a file from its current location and places it at a new location
(see Moving a File)
del
Deletes a specified file (see Deleting a File)
display
Displays the contents of a text file (see Displaying the File Contents)

Page 35

Formatting the File System
The format command formats the file system and removes its contents.
CLI Mode: Loader and Privileged (Enable)
After the next start of the loader (or start-up of downloaded application), the default set of system
directories will be restored automatically. The command deletes all saved configuration files
(starting configuration).
Command Syntax
Loader>format [DEVICE-NAME]
device-name#format [DEVICE-NAME]
DEVICE-NAME
The device name, valid device can be flash:/
Creating a New Directory
The mkdir command creates a new directory.
Command Syntax
Loader>mkdir PATH
device-name#mkdir PATH
PATH
The destination path (directory) ends with the new directory that is created. The
directory name is a case insensitive string.
Deleting a Directory
The rmdir command deletes a directory.
Command Syntax
Loader>rmdir [PATH]
device-name#rmdir [PATH]
PATH
The path ends with the directory to be deleted. The directory name is a case
insensitive string.


Page 36

NOTE
Non-empty and system directories cannot be removed.

Displaying the File System Contents
The dir command displays a list of files in the file system.
CLI Mode: Loader, View and Privileged (Enable)
This command is equivalent to the ls command in all modes.
Command Syntax
Loader>dir [PATH]
device-name>dir [PATH]
device-name#dir [PATH]
PATH
(Optional) the name of a selected directory, which contents is displayed. The
directory name is a case insensitive string.
Displaying the Working Directory
The pwd command displays the working directory.
Command Syntax
Loader>pwd
device-name#pwd
Copying a File
The copy command copies a file from a TFTP/ FTP/ SFTP server or from the local Flash system
to another location. The name of the file can be optionally changed.
This command is equivalent to the cp command in all modes.
Command Syntax (for Local Flash System)
Loader>copy [[device://]path/]file-name [[device1://]path1/]file-name1
device-name#copy [[device://]path/]file-name [[device1://]path1/]file-name1
Loader>copy protocol://[user[:pass]@]host[:port]/file-name

Page 37

device-name#copy protocol://[user[:pass]@]host[:port]/file-name
Loader>copy device://user:pass@host/[path/]file-name
device-name#copy device://user:pass@host/[path/]file-name
device
dath
protocol,
protocol1
user, user1
pass, pass1
host
port, port1
file-name
device1/
format tftp://A.B.C.D ), the local Flash system (in format flash:/), or a
path1
file-name1
Examples
The following command copies a file from a TFTP server to the local / Usr directory:
device-name#copy tftp://10.0.0.60/test usr/test1
The following command copies a file from the local Flash root directory to a remote TFTP
server:
device-name#copy flash://profile.cfg tftp://10.0.0.60/profile.cfg

Page 38

Renaming a File
The rename command renames a file.
Loader>rename [path/]file-name NEW-FILE-NAME
device-name#rename [path/]file-name NEW-FILE-NAME
Loader>rename device://user:pass@host/[path/]file-name NEW-FILE-NAME
device-name#rename device://user:pass@host/[path/]file-name NEW-FILE-NAME
device
(Optional) the device on which the file to be renamed is stored. It can be a
SFTP server (in format sftp://user:pass@A.B.C.D), or the local Flash
system (in format flash:/)
path
(Optional) the path to the file to be renamed.
user
pass
host
file-name
The original name of the file to be renamed.
NEW-FILE-NAME
The new name assigned to the file.
Moving a File
The move command removes a file from its current location and places it at a new location. The
name of the file can be optionally changed.
This command is equivalent to the mv command in all modes.
Loader>move [[device://]path/]file-name [[device1://]path1/]file-name1
device-name#move [[device://]path/]file-name [[device1://]path1/]file-name1
Loader>move protocol://[user[:pass]@]host[:port]/file-name
device-name#move protocol://[user[:pass]@]host[:port]/file-name

Page 39

device/
(Optional) the device from which the file is moved. It can be a TFTP/FTP
server (in format tftp://A.B.C.D, or ftp://user:pass@A.B.C.D), or the local
path
protocol,
protocol1
user, user1
pass, pass1
host
port, port1
file-name
device1/
(Optional) the device to which the file is moved. It can be a TFTP server
(in format tftp://A.B.C.D, or ftp://user:pass@A.B.C.D), or the local Flash
system (in format flash:/)
path1
file-name1
Deleting a File
The del command deletes the specified file.
This command is equivalent to the rm command.
Loader>del [path/]file-name
device-name#del [path/]file-name
Loader>del device://user:pass@host/[path/]file-name
device-name#del device://user:pass@host/[path/]file-name
device/
(Optional) the device from which the file is removed. It can be a SFTP
server (in format sftp://user:pass@A.B.C.D), or the local Flash system (in
format flash:/)
path
(Optional) the path to the location where the file is removed.
user
pass

Page 40

host
file-name
The name of the file to be removed.
Displaying the File Contents
The display command displays the contents of a text file.
CLI Mode: Loader, View and Privileged (Enable)
The command must not be applied to binary files.
Command Syntax
Loader>display {[path/] | [device://[path/]]}file-name [dump][START]
device-name>display {[path/] | [device://[path/]]}file-name [dump]
device-name#display {[path/] | [device://[path/]]}file-name [dump]
path
(Optional). The path to the file to be displayed. The path should end with
the name of the file.
device:
(Optional). The device on which the file to be displayed is stored. Can only
be flash:/ meaning the local Flash system.
device:path
(Optional). The device and the path to the file to be displayed. The path
should end with the name of the file.
file-name
The name of the file.
dump
(Optional). HEX format.
START
(Optional). Start offset.

NOTE
The dump option is mandatory to display binary files.

Page 41

Modifying the Default Configuration
The default settings feature allows you to modify the running configuration according your
preferences and saves it as a default configuration.
Default Configuration Commands
Table 15: Default Configuration Commands
Command Description
copy running-config
default-config
Saves the running configuration as a default configuration
(see Modifying the Default Configuration)
copy default-config
Copies the default configuration to a TFTP/FTP server or to the
local Flash system
(see Copying the Default Configuration to a Specific Location)
copy
Copies the default configuration from a TFTP/FTP server or from
the local Flash system
(see Copying the Default Configuration from a Specific Location)
write erase default
Clears the default configuration
(see Clearing the Default Configuration)
show default-config
Displays the default configuration ( see Displaying the Default
Configuration)

Page 42

Modifying the Default Configuration
The copy running-config default-config command saves the running configuration as a
default configuration.
Command Syntax
device-name#copy running-config default-config
Copying the Default Configuration to a Specific Location
The copy default-config command copies the default configuration to a TFTP/ FTP server or
to the local Flash system.
Command Syntax
device-name#copy default-config [<device>:[<server IP>/]][<path>]<file name>
device/
format tftp://A.B.C.D), a FTP server (in format ftp://user:pass@A.B.C.D), or the
local Flash system (in format flash:/):
userspecifies the name of the user performing the operation
passspecifies the password that authenticates the specified username.
Symbol (@) following the password is required.
For the TFTP server, no need to specify the user, password and port
path
(Optional) the exact location path to which the file is copied. The path should
end with the name of the file.
server IP
Specifies the TFTP/FTP server IP Address, in A.B.C.D format.
file-name
The original file name.
Copying the Default Configuration from a Specific Location
The copy command copies the default configuration from a TFTP/ FTP server or from the local
Flash system.
Command Syntax
device-name#copy [[<device>:[<server IP>/]][<path>]<file name> default-config

Page 43

device/
(Optional) the device from which the file is copied. It can be a TFTP server (in
format tftp://A.B.C.D), a FTP server (in format ftp://user:pass@A.B.C.D), or
the local Flash system (in format flash:/):
userspecifies the name of the user performing the operation
passspecifies the password that authenticates the specified username.
Symbol (@) following the password is required
For the TFTP server, no need to specify the user, password and port
path
(Optional) the exact location path from which the file is copied. The path should
end with the name of the file.
server IP
Specifies the TFTP/FTP server IP Address, in A.B.C.D format.
file-name
Clearing the Default Configuration
The write erase default command clears the default configuration.
Command Syntax
device-name#write erase default
Displaying the Default Configuration
The show default-config command displays the default configuration.
Command Syntax
device-name#show default-config
Example
device-name#show default-config
! Def aul t Conf i gur at i on:
!

. . .

! Et her net i n t he Fi r st Mi l e OAM
!
! ef m- oamdi sabl e
!
. . .

Page 44

Zero-Touch Configuration
Overview
Zero-touch configuration is a set of operations that provides two options for automatically
configuring the device:
Via IP address that is assigned manually (static IP address).
Via IP address that is obtained from a DHCP server (dynamic IP address).
The BiNOS configuration file is downloaded from a TFTP server after the device reloads to
defaults. The configuration details are stored in NVRAM.
In case of a zero-touch configuration failure, the factory default configuration is executed.

NOTE
When using a DHCP client, the system administrator has to configure a TFTP
server IP address (the siaddr field as specified in RFC 2131) and a Boot filename (the
filename field as specified in RFC 2131) on the DHCP server.
The example displays part of the DHCP server configuration file:
next-server X.X.X.X;
filename configfile.cfg
Zero-touch Configuration Default Configuration
Table 16: Zero-touch Configuration Default Configuration
Zero Touch Configuration Disabled
TFTP IP address 0.0.0.0
Configuration file Not saved to NVRAM
Number of retries 3 times
The time interval between each retry 64 seconds

Page 45

Zero-touch Configuration Commands
Table 17: Zero-touch Configuration Commands
Command Description
configure zero-touch
Enters the Zero-touch Configuration mode
(see Accessing the Zero-touch Configuration Mode)
zero-touch
Enables/disables the zero-touch configuration feature
(see Enabling/disabling the Zero-touch Configuration)
ip-address
Specifies the device IP address
(see Specifying the Device IP Address)
tftp-server
Specifies the TFTP IP address
(see Specifying the TFTP IP Address)
config-file
Specifies the path to the configuration file
(see Specifying the Location of the Configuration File)
save-configuration
Saves the downloaded configuration file to NVRAM
(see Saving the Configuration File to NVRAM)
retry-max
Specifies the maximum number of retries for downloading
the configuration file
(see Specifying the Number of Retries for Downloading the
Configuration File)
execute
Forces the device to reach the TFTP server and to obtain
the required configuration file
(see Forcing the Device to Reach the TFTP Server)
show zero-touch
show
Display the zero-touch configuration details
(see Displaying the Zero-touch Configuration)

Page 46

Accessing the Zero-touch Configuration Mode
The configure zero-touch command enters the Zero-touch Configuration mode.
Command Syntax
device-name#configure zero-touch
device-name(zero-touch)#
Enabling/disabling the Zero-touch Configuration
The zero-touch command enables/ disables the zero-touch configuration feature.
CLI Mode: Zero-touch Configuration
By default, zero-touch configuration feature is disabled.
Command Syntax
device-name(zero-touch)#zero-touch
device-name(zero-touch)#no zero-touch
no
Restores to default
Specifying the Device IP Address
The ip-address command specifies the device IP address.
Command Syntax
device-name(zero-touch)#ip-address A.B.C.D/M
device-name(zero-touch)#no ip-address
A.B.C.D/M
Specifies the device IP address and mask manually
no
Obtains the device IP address via DHCP

Page 47

Specifying the TFTP IP Address
The tftp-address command specifies the TFTP IP address.
By default, the TFTP IP address is 0.0.0.0.
Command Syntax
device-name(zero-touch)#tftp-server A.B.C.D
device-name(zero-touch)#no tftp-server
A.B.C.D
Specifies the TFTP IP address
no
Restores to default
Specifying the Location of the Configuration File
The config-file command specifies the path to the configuration file.
Command Syntax
device-name(zero-touch)#config-file [<path>]<file name>
device-name(zero-touch)#no config-file
[<path>]<file name>
Specifies the original path to the configuration file. The path
should end with the name of the file. The maximum length of the
path is 20 symbols.
no
Removes the necessity of obtaining the configuration file from
the TFTP server
Saving the Configuration File to NVRAM
The save-configuration command saves the downloaded configuration file to NVRAM.
By default, the configuration file is not saved to NVRAM.
Command Syntax
device-name(zero-touch)#save-configuration
device-name(zero-touch)#no save-configuration

Page 48

no
Restores to default
Specifying the Number of Retries for Downloading the
Configuration File
The retry-max command specifies the maximum number of retries for downloading the
configuration file.
By default:
the number of retries is 3 times
the time interval between each retry is 64 seconds
Command Syntax
device-name(zero-touch)#retry-max <1-10>
1-10
Specifies the number of retries.
Forcing the Device to Reach the TFTP Server
The execute command forces the device to reach the TFTP server and to obtain the required
configuration file. If the downloading is completed successfully, the configuration file is saved as a
start-up configuration, and it is not executed.
Command Syntax
device-name(zero-touch)#execute
Displaying the Zero-touch Configuration
The show command and the show zero-touch command display the zero-touch configuration
details.
CLI Mode: Privileged (Enable) and Zero-touch Configuration
Command Syntax
device-name#show zero-touch
device-name(zero-touch)#show

Page 49

Example 1
device-name(zero-touch)#show

St at e = di sabl ed
I P addr ess = 9. 0. 0. 1/ 8
TFTP ser ver = 9. 0. 0. 34
Conf i gur at i on f i l e = di r name/ devi ce. cf g
Save f i l e t o NVRAM = Di sabl ed
Number of r et r i es = 3
St at us =
Example 2
device-name#show zero-touch

St at e = di sabl ed
I p addr ess = 0. 0. 0. 0/ 0
TFTP ser ver = 0. 0. 0. 0
Conf i gur at i on f i l e =
Save f i l e t o NVRAM = Di sabl ed
Number of r et r i es = 3
St at us =

Page 50

Software Upgrade and Boot Options
Preparing to Download a BiNOS Software Image
Using TFTP/FTP Connection
Before you begin to download a file from a TFTP/ FTP server, take the following precautions:
1. Make sure that the device has a route to the TFTP/ FTP server. The device and the
TFTP/ FTP server must be in the same subnet, if you do not have a router to route traffic
between subnets. Check the connection to the TFTP/ FTP server using the ping command
(refer to the TroubleshootingandMonitoringchapter of this User Guide).
2. Make sure that the software image file is in the download directory on the TFTP/ FTP server.
3. Make sure that you have at least Readpermissions for the software image for your username.
4. A power outage (or other problem) during the download procedure can corrupt the Flash
code. If the Flash code is corrupted, connect to the device through the console port, format
the Flash memory and download the application (see the Boot Loader section of the current
chapter).
Make sure that there is enough free space in the bootflash (at least 9.5 MB). To verify
this, use the dir command, as illustrated in the example below:

device-name#dir
Li st i ng Di r ect or y f l ash: / :
d S 2048 J an 1 1993 01: 37 Boot /
d S 2048 J an 1 1980 00: 00 Et c/
d S 2048 J an 1 1980 00: 00 J ava/
d S 2048 J an 1 1980 00: 00 Log/
d S 2048 J an 1 1993 00: 59 Usr /
d SH 2048 J an 1 1993 00: 00 Hi dden/
- 43796 J an 1 1993 00: 00 df l t _st ar t up_bi n. cf g
- 217 J an 1 1993 03: 12 pr of i l e. cf g
- 2483 J an 1 1993 03: 37 st ar t . cf g-
If necessary, delete unnecessary files to free some space:
device-name#del <foldername>/<file_name>

Example:
device-name#del boot/T-Marc 380_bm_fisw_7_1_TMC3.Z


Page 51

Downloading the BiNOS Software Image
To download a BiNOS software image from the TFTP/ FTP server, proceed as follows:
1. Log on to the device through the console port or through a Telnet session and type your
password.
2. Enter the Privileged (Enable) mode.
3. Use the upgrade boot-profile command to upgrade the software image:
device-name#upgrade boot-profile tftp://<TFTP_server_IP_adress>/
<software_image filename> <local_software_image filename>

Example 1:
device-name#upgrade boot-profile tftp://9.0.0.7/BiNOS-v9.4.Z BiNOS-
v9.4.Z
TFTP r ecei vi ng appl i cat i on. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Appl i cat i on upgr ade compl et ed

An alternative method to upgrade the software image in two steps is by using the copy
application command and then the application command:
device-name#copy application tftp://<TFTP_server_IP_adress>/
<software_image filename>
device-name#configure boot-param
device-name(boot param)#application <local_software_image filename>

Example 2:
device-name#copy application t f t p: / / 9.0.0.7/BiNOS-v9.4.Z
TFTP r ecei vi ng f i l e . . . 5300324

I mage Si ze = 0x50E036 CRC Val ue = 0xD66707AE

device-name#configure boot-param
device-name(boot param)#application BiNOS-v9.4.Z
4. If the upgrade fails, verify that precautions above are taken.
5. To run the new software image, reload the device using the reload save command.
6. After the device reloads, type the show version command to verify the current device version
and the show running-config command to check the configuration of the device (refer to
the DeviceSetupandMaintenancechapter of this User Guide) .

Page 52

Commands for Upgrading Software Images
Table 18: Commands for Upgrading Software Images
Command Description
upgrade boot-profile
Downloads a new software image and sets boot statements to
load the new image on startup.
(see Upgrading the BiNOS Software Image)
copy application
Downloads a new software image to the device
(see Downloading a New BiNOS Software Image)
application
Boots the device with the new image
(see Applying the New Boot Statement)

Table 19: Boot Commands for Upgrading Software Images
Command Description
device
Displays the current software image location (see Displaying and
Specifying the Software Image Location)
ftp-password
Displays the FTP connection password (see Displaying and
Specifying the FTP Password)
ftp-server
Displays the FTP server IP-address (see Displaying and
Specifying the FTP Server IP-Address)
ftp-user
Displays the FTP username (see Displaying and Specifying the
FTP Username)
startup-config
Specifies which startup configuration file is loaded on startup (see
Specifying the Startup Configuration File)
show
Displays the current boot statement (see Displaying Boot
Statements)

Table 20: Display Commands
Command Description
show version
Displays the inventory information regarding the software versions
of the device
(see Displaying the Information Regarding the Software Versions)
show manufacturing-
details
Displays detailed hardware information
(see Displaying Hardware Information)
show uptime
Displays how long the selected device has been operational
(see Displaying the Device Uptime)

Page 53

Upgrading the BiNOS Software Image
The upgrade boot-profile command downloads a new software image and sets boot statements
to load the new image on startup.
device-name#upgrade boot-profile {[[device://]path/]file-name DESTINATION
FILE-NAME | apply [device/]path/]file-name}
device-name#upgrade boot-profile {protocol://[user[:pass]@]host[:port]/file-
name DESTINATION FILE-NAME | apply
protocol://[user[:pass]@]host[:port]/file-name}
device
(Optional) the device from which the file is copied. It can be a TFTP/FTP
server (in format tftp://A.B.C.D, ftp://user:pass@A.B.C.D) or as the local
Flash system (in format flash:/).
path
(Optional) the path where the file is located
protocol
user
pass
host
port
file-name
The original name of the file.
DESTINATION-
FILE-NAME
The destination file name as it appears on the local Flash system.
apply
Applies directly the new boot statement.
PARAMS
Specifies the parameters to be applied in the following format:
[[device/]path/]file-name, when flash:/ system is used.
protocol//[user[:pass]@]host[:port]/file-name, when TFTP or FTP
server is used.


Page 54

Example
The example specifies that the new application image is downloaded via TFTP from server with IP
10.3.71.101. It is searched in a directory called / MyApps/ under the TFTP server root directory.
The application filename on the TFTP server is Imagev1.5.Z; it is stored under the / Boot
directory on the local file system as BootAppv1.5.Z after it is validated; the boot parameters device
and Application are set to local and BootAppv1.5.Z.
device-name#upgrade boot-profile tftp://10.3.71.101/MyApps/Imagev1.5.Z
flash://Boot/BootAppv1.5.Z
Downloading a New BiNOS Software Image
The copy application command downloads a new software image to the device.
Command Syntax (for local Flash System)
device-name#copy appl i cat i on [ [ device://] path] file-name [ DESTINATION-FILE-
NAME] [ no- val i dat i on]
device-name#copy appl i cat i on protocol:/ / [ user[ :pass] @] host[ :port] / file-name
[ DESTINATION-FILE-NAME] [ no- val i dat i on]
device
(Optional) the device from which the file is copied. It can be a
TFTP/FTP server (in format tftp://A.B.C.D, ftp://user:pass@A.B.C.D)
or as the local Flash system (in format flash:/).
path
(Optional) the path where the file is located
protocol
user
pass
For the TFTP server, not need to specify the user, password and
port
host
file-name
The original name of the file.
DESTINATION-FILE-
NAME
The destination file name as it will appear on the local Flash system.
no-validation
(Optional) skips the image validation check.
Example
device-name#copy application tftp://192.168.0.2/image.Z

Page 55

Applying the New Boot Statement
The application FILE NAME command boots the device with the new image.
CLI Mode: Boot Param Configuration
Command Syntax
device-name(boot param)#application FILE-NAME
FILE-NAME
The name of the image file, a case-sensitive string.
Displaying and Specifying the Software Image Location
The device command displays the current software image location. Use one of the below
command arguments to specify the software image location.
Command Syntax
device-name(boot param)#device [local | network]
local
(Optional). The device boots from the local software image
Local Flash file system
network
(Optional). The device boots from a remote software image, using an FTP
server. Currently this option is not supported because an OutBound interface is
not available.
Displaying and Specifying the FTP Password
The ftp-password command displays the FTP connection password. Use the command argument
to specify the FTP password.
Command Syntax
device-name(boot param)#ftp-password [PASSWORD]
PASSWORD
(Optional) specifies the password used for the FTP connection

Page 56

Displaying and Specifying the FTP Server IP-Address
The ftp-server command displays the FTP server IP-address. Use the command argument to
specify the FTP server IP-address.
Command Syntax
device-name(boot param)#ftp-server [A.B.C.D]
A.B.C.D
(Optional) specifies the FTP server IP-address
Displaying and Specifying the FTP Username
The ftp-user command displays the FTP username. Use the command argument to specify the
FTP username.
Command Syntax
device-name(boot param)#ftp-user [NAME]
NAME
(Optional) specifies the FTP username
Specifying the Startup Configuration File
The startup-config command specifies which startup configuration file is loaded on startup.
Command Syntax
device-name(boot param)#startup-config {FILE | binary {FILE | default} |
default}
FILE
The startup configuration filename
binary
Loads the startup configuration file in a binary format
default
Loads the default startup configuration file

Page 57

Displaying Boot Statements
The show command displays the current boot statement.
Command Syntax
device-name(boot param)#show
device-name(boot param)#application
Example 1
device-name(boot param)#show
I P addr ess = 2. 2. 2. 2: f f f f f f 00
Devi ce = l ocal
Appl i cat i on = Bi NOS- TMar c_3X0- 9. 4. 3. TMC3- pr e3. Z
St ar t up conf i gur at i on =
St at up bi nar y conf i g =
FTP ser ver = 2. 2. 2. 1
FTP user = mar k3
FTP passwor d = mar k3
Boot f l ags =
Example 2
device-name(boot param)#application
Bi NOS- TMar c_3X0- 9. 4. 3. TMC3- pr e3. Z
Displaying the Information Regarding the Software Versions
The show version command displays the inventory information regarding the software versions
of the device.
The command displays the following information:
Device modelthe platform name
SW versiondisplays the installed application image
Java versionnot loaded
Loader versiondisplays the installed Loader image
Up timedisplays the time elapsed since the device is turned on
Command Syntax
device-name>show version
device-name#show version

Page 58

Example
device-name#show version
BATM Advanced Communi cat i ons

Devi ce model : T- Mar c 380
Pr oduct Cat egor y : AccessEt her net ( TM)

Devi ce r unni ng SWver si on : 10. 1- pr e8 cr eat ed Mar 17 2010 - 20: 19: 58

Devi ce Def aul t SWf i l e : Bi NOS- TMar c_3X0- 10. 1. BETA- dev26. Z
Devi ce Def aul t SWver si on : 10. 1- pr e8

Bi NOSVi ew f i l e : j ava. i mg - NOT FOUND
Bi NOSVi ew ver si on : -
FPGA ver si on : 1. 2 ( mai nt / bui l d 9/ 1)

Loader ver si on : 8. 2. 0 cr eat ed J an 31 2008 - 16: 29: 48

Up t i me : 0 days, 0 hour s, 45 mi n, 16 sec.
Displaying Hardware Information
The show manufacturing-details command displays detailed hardware information.
Command Syntax
device-name#show manufacturing-details
Example
device-name#show manufacturing-details
Ser i al number : 8807340077
Assembl y No : AL001350
HWr evi si on : 05
HWsubr evi si on : 02
Displaying the Device Uptime
The show uptime command displays how long the selected device has been operational.
Command Syntax
device-name#show uptime
Example:

Page 59

device-name#show uptime
Up t i me : 0 days, 4 hour s, 1 mi n, 52 sec.

Page 60

Downloading and Uploading Configuration Files
You can perform the following operations:
Download new embedded software versions to the Flash memory component of the device
Save the startup configuration on a remote server
Load a startup configuration from a remote server
Save the startup configuration as the running configuration

Table 21: Commands for Downloading and Uploading Configuration Files
Command Description
copy FILE-NAME
startup-config
Loads a start-up configuration with a specified file name from a
remote server (see Downloading the Startup Configuration)
copy FILE-NAME
running-config
Loads a running-configuration with a specified file name, from a
remote server (see Downloading the Running Configuration)
copy startup-config
Saves a copy of the start-up configuration on a remote server
(see Copying the Start-up Configuration)
copy running-config
Saves a copy of the running configuration on a remote server
(see Copying the Running Configuration)
copy running-config
startup-config
Saves the current running-configuration to the start-up configuration
file in NVRAM (see Saving the Device Configuration)
reload
Reloads the device (see Reloading the Operating System)

Downloading the Startup Configuration
The copy FILE-NAME startup-config command loads a start-up configuration with a specified
file name from a remote server.
After the configuration is downloaded, you need to reload the device. When the device completes
booting, it treats the downloaded configuration file as a script of CLI commands, and automatically
executes them. If your CLI connection is through Telnet, the connection is terminated when the
device reloads, but the commands execute normally.

NOTE
After using this command, use the r el oad no- save command. Otherwise, the
downloaded configuration is removed.

Page 61

device-name#copy [[device/]path]file-name startup-config
device-name#copy protocol://[user[:pass]@]host[:port]/file-name startup-
config
device-name#copy device/user:pass@host/[path/]file-name startup-config
device
user
(Optional) specifies the name of the user performing the operation.
pass
(Optional) specifies the password that authenticates the specified username.
path
(Optional) the exact location path from which the file is copied. The path
ends with the name of the file.
file-name
Example
The following command downloads the start-up configuration file named START001located on
the TFTP server at IP address 192.192.54.1:
device-name#copy tftp://192.192.54.1/START001 startup-config
Downloading the Running Configuration
The copy FILE-NAME running-config command loads the running-configuration with the
specified file name from a remote server.
device-name#copy [[device/]path]file-name runni ng- conf i g
device-name#copy protocol://[user[:pass]@]host[:port]/file-name runni ng-
conf i g

Page 62

device-name#copy device/user:pass@host/[path/]file-name runni ng- conf i g
device/
(in format tftp://A.B.C.D),as the local Flash system (in format flash:/), or a
SFTP/FTP server (in format sftp://user:pass@A.B.C.D).
protocol
user
pass
host
path
(Optional) the exact location path from which the file is copied. The path
should end with the name of the file.
file-name
Example
The following command downloads the running-configuration file named RUN001located on the
TFTP server at IP address 192.192.54.1:
device-name#copy tftp://192.192.54.1/RUN001 running-config
Copying the Start-up Configuration
The copy startup-config command saves a copy of the start-up configuration on a remote
server to a specific folder under a specified file name.
When you upload the current configuration, you can modify the configuration using a text editor.
Command Syntax (for Local Flash System and TFTP/FTP Server)
device-name#copy startup-config [<device>:[<server IP>/]][<path>]<file name>
device-name#copy startup-config device/user:pass@host/[path/]file-name
device/
format tftp://:A.B.C.D), the local Flash system (in format flash:/), or a
SFTP/FTP server (in format sftp://user:pass@A.B.C.D).
server IP
Server IP address.

Page 63

user
pass
path
(Optional) the exact location path where the file is copied.
file-name
Example
The following command uploads the start-up configuration under a file named START002 located
on the TFTP server at IP address 192.192.54.1:
device-name#copy startup-config tftp://192.192.54.1/START002
Copying the Running Configuration
The copy running-config command saves a copy of the running configuration on a remote
server to a specific folder under a specified file name.
When you upload the current configuration, you can modify the configuration using a text editor.
Command Syntax (for Local Flash System and TFTP/FTP Server)
device-name#copy running-config [<device>:[<server IP>/]][<path>]<file name>
device-name#copy running-config device/user:pass@host/[path/]file-name
device/
(Optional). The device to which the file is to be copied. It can be a TFTP
server (in format tftp://:A.B.C.D), the local flash system (in format flash:/), or
a SFTP server (in format sftp://A.B.C.D).
server IP
(Optional). Server IP address.
path
(Optional). The exact location path where the file is to be copied.
file-name
Example
The following command uploads the running-configuration under a new file named RUN002 on
device-name#copy running-config tftp://192.192.54.1/RUN002

Page 64

Saving the Device Configuration
The copy running-config startup-config command saves the current running configuration
to the start-up configuration file in NVRAM.
This command is equivalent to the write memory command in Privileged (Enable) mode (refer to
the DeviceSetupandMaintenancechapter of the BiNOS User Guide).
Command Syntax
device-name#copy running-config startup-config
Reloading the Operating System
The reload command reloads the device.

NOTE
Use the r el oad command after configuration information is entered into a file and
saved to the startup configuration.
The r el oad command requires confirmation before reloading!

NOTE
The r el oad t o- def aul t s command does not affect the contents of the file system.
Command Syntax
device-name#reload [save | no-save | to-defaults]
save
(Optional). Saves the running configuration to NVRAM and restart the
device. This is the default status.
no-save
(Optional). Does not save the current running configuration and restart the
device.
to-defaults
(Optional). Sets the device configuration to its factory defaults and restart.
Example 1
Saving the current configuration and reloading the device:
Save cur r ent conf i gur at i on and r eboot t he devi ce ? [ y/ n] : y
Reboot i ng . . .

Page 65

Example 2
Reloading the device without saving the current configuration:
Reboot i ng . . .

Page 66

Boot Loader
Overview
The boot process performs low-level CPU initialization, and loads a default operating system
software image into memory and boots the device.
When starting, the loader counts down a few seconds, allowing you an entry point into the loader
CLI. The loader then passes to interactive mode, requests a login password, and starts a CLI
session. If no key is pressed, the device initiates the auto-startup application is started.
Initially the device expects the default password batm. This password may be changed by using the
password loader command (refer to the DeviceSetupandMaintenancechapter of the BiNOS User
Guide).
While the device reboots, numbers appear on the console terminal following the line Pressanykeyto
stopauto-boot.... To enter the Loader mode, press <Enter> while the numbers are running.
Reboot i ng . . .

BATM Tel co Boot Loader

Loader ver si on : 8. 0. 0 cr eat ed Oct 29 2007 - 21: 59: 11
MAC Addr ess : 00: A0: 12: 27: 0E: E0

usr Boot Li neI ni t f i ni sh OK

At t achi ng net wor k i nt er f ace l o0. . . done.

Pr ess any key t o st op aut o- boot . . .
2
st ar t CLI


Passwor d: bat m
Loader>

Page 67

The Device Loader's Default Configuration
Table 22: Default Loader Configuration
Password batm
Block start address 0
Block length 256
Simulation of CPM redundancy Disabled

The Loader Commands
Table 23: Loader Application Commands
Command Description
start application
Exits the loader and starts using the BiNOS software image
(see Starting the BiNOS Software Image)
copy application
Downloads the software image to the device by using TFTP
server
(see Downloading the Application Software by using TFTP)
download application
Downloads the BiNOS application using X-modem (see
Downloading the BiNOS Application by Using X-modem)
ip-address
Displays the OutBand port IP address
(see Displaying the Device IP Address and Mask)
version
Displays the device model type and the loader version
(see Displaying the Loader Version)
manufacturing-details
Displays detailed hardware information of the board
(see Displaying Hardware Details)
Table 24: Loader Configuration Commands
Command Description
config
Enters the loader configuration mode (see Loader
Configuration Mode)
ip-address
Displays the OutBand port IP address and subnet mask
(see Displaying and Specifying the OutBand Port IP Address)
mac-address
Displays the device MAC address
(see Displaying and Specifying the MAC Address)
clean startup-config
Sets the startup configuration file to the factory default values
(see Resetting the Startup Configuration File)
clean boot-config
Clears the Loader EEPROM
(see Deleting the Boot Configuration)
clean log-history
Cleans all history records (see Erasing Log History Records)
clean flash all
Cleans the Flash memory (see Cleaning the Flash Memory)
backup
Makes a backup copy of the Flash or EEPROM memory

Page 68

Command Description
contents (see Making a Backup Copy)
refresh flash
Rewrites the Flash memory (see Rewriting the Flash Memory)
restore flash
Restores the Flash memory
(see Restoring the Flash Memory)

Table 25: The Boot Parameters Commands

NOTE
Currently these commands are not supported because the OutBound interface is not
available.

Command Description
boot-param device
Displays the current software image location
(see Displaying and Specifying the Software Image Location)
boot-param application
Displays the current boot statement (see Displaying and
Applying the Boot Statement)
boot-param ftp-server
Displays the FTP server IP-address (see Displaying and
Specifying the FTP Server IP-Address)
boot-param ftp-user
Displays the FTP username (see Displaying and Specifying
the FTP Username)
boot-param ftp-password
Displays the FTP connection password (see Specifying the
FTP Access Password)
boot-param startup-config
Specifies which startup configuration file is loaded on startup
(see Specifying the Startup Configuration Name)
boot-param
Displays the current boot statement
(see Displaying Boot Statements)

Table 26: Memory Debug Commands

CAUTION

The commands in the following table can be used only by Telco Systems Technical
Support.

Command Description
memory
Accesses the Loader memory mode
(see Loader Memory Mode)
copy
Copies a block of memory (see Copying a Block of Memory)
check-device
Checks the integrity of the file system and repairs lost clusters
and file structure
(see Checking and Repairing File-system Integrity)
display
Displays a block of memory
(see Displaying a Block of Memory)
fill
Fills a block of memory (see Filling a Block of Memory)

Page 69

Command Description
list
Prints a command list (see Printing a Command List)

Page 70

Starting the BiNOS Software Image
The start application command exits the loader and starts using the BiNOS software image.
CLI Mode: Loader
Command Syntax
Loader>start application
Example
Loader>start application
aut o- boot i ng. . .

Uncompr essi ng 3994461 byt es. . .
Loadi ng i mage. . . 14284304

BUI LT- I N SELF TEST
- - - - - - - - - - - - - - - - - -
CPU Cor e Test : Passed
Power Suppl y Test : Passed
Fan Test : Passed

/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
/ / / /
/ / / /
/ / B A T M A d v a n c e d C o mmu n i c a t i o n s / /
/ / / /
/ / T e l c o S y s t e ms / /
/ / / /
/ / Devi ce model : T- Mar c 380 / /
/ / Pr oduct Cat egor y : AccessEt her net ( TM) / /
/ / SWver si on : 10. 1 cr eat ed Mar 17 2010 - 20: 19: 58 / /
/ / / /
/ / / /
/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /


Passwor d:

Page 71

Downloading the Application Software by using TFTP
The copy application command downloads the software image to the device by using TFTP
server.
Command Syntax
Loader>copy application [[ [ device/] path] file-name [ DESTINATION FILE-NAME]
[ no- val i dat i on]
device/
(Optional) the device to which the file is copied (in format tftp://A.B.C.D)
path
(Optional) the path to the location where the file is copied
file-name
The original name of the file
DESTINATION-FILE-
NAME
The destination file name as it will appear on the local flash system
no-validation
(Optional) skips the image validation check
Example
The following command downloads the new software-version file named VERxxx that is located
in the Root directory on the TFTP server at IP address 192.192.54.1:
Loader>copy application tftp://192.192.54.1/VERxxx.Z
Downloading the BiNOS Application by Using X-modem
The download application command copies the BiNOS application from a source computer to
the device permanent storage memory, through a console connection by X-modem transfer.
CLI Mode: Loader
The role of this command is to provide a rescue solution when the device becomes inoperable and
a new application image cannot be received by the TFTP transfer!
Command Syntax
Loader>download application
Example
Loader>download application
XMODEM appl i cat i on downl oad t o f l ash 0
XMODEM Recei ve: Wai t i ng f or Sender
I mage Si ze = 0xBD552 CRC Val ue = 0x691181F3
Savi ng appl i cat i on code t o FLASH bank 0. . . . Success.
Loader>

Page 72

Displaying the Device IP Address and Mask
The ip-address command displays the OutBand port IP interface address and subnet mask.
CLI Mode: Loader
Command Syntax
Loader>ip-address
Example
Loader>ip-address
Loader I P addr ess = 10. 2. 111. 111, subnet mask = f f f f 0000
Displaying the Loader Version
The version command displays the device model type and the loader version.
CLI Mode: Loader
Command Syntax
Loader>version
Example
Loader>version
BATM Tel co Boot Loader
Loader ver si on : 8. 0. 0 cr eat ed Oct 29 2007 - 21: 59: 11
Displaying Hardware Details
The manufacturing-details command displays detailed hardware information.
CLI Mode: Loader
Command Syntax
Loader>manufacturing-details
Example
Loader>manufacturing-details
Ser i al number : 8807340077
Assembl y No : AL001350
Par t number : Not Avai l abl e
CLEI : Not Avai l abl e
HWr evi si on : 05
HWsubr evi si on : 02

Page 73

Manuf act ur i ng Dat e : Not Avai l abl e
Loader Configuration Mode
The config command enters the Loader Configuration mode.
CLI Mode: Loader
Command Syntax
Loader>config
Loader(config)#
Displaying and Specifying the OutBand Port IP Address
The ip-address command displays the OutBand port IP address and subnet mask. Use one of
the command arguments below to specify a new IP address and subnet mask.
CLI Mode: Loader Configuration
Command Syntax
Loader(config)#ip-address [A.B.C.D/M | A1.B1.C1.D1 M1.M2.M3.M4]
A.B.C.D/M
(Optional). Specifies the new IP address with mask by number of bits.
A1.B1.C1.D1
M1.M2.M3.M4
(Optional). Specifies the new IP address with mask in dotted decimal
notation.
Example
The following example displays the Loader current IP address:
Loader(config)#ip-address
Loader I P addr ess = 10. 2. 111. 111, subnet mask = f f f f 0000
Displaying and Specifying the MAC Address
The mac-address command displays the device MAC address. Use the command argument to
specify a new device MAC address.
All LAN devices must have different MAC addresses.
Command Syntax
Loader(config)#mac-address [HH:HH:HH:HH:HH:HH]

Page 74

HH:HH:HH:HH:HH:HH
(Optional). Specifies the new MAC address
Example 1
The following example displays the device current MAC address:
Loader(config)#mac-address
Cur r ent base MAC Addr ess of devi ce = 00:A0:12: CE: 10: 61
Out Band MAC Addr ess ( base + 1) = 00:A0:12: CE: 10: 62
Example 2
The following example assigns a new MAC address to the device. The response indicates that the
new MAC address is accepted and stored in the device memory.
Loader(config)#mac-address 00:A0:12:07:0f:78
New MAC Addr ess of devi ce = 00:A0:12: 07: 0F: 78
Resetting the Startup Configuration File
The clean startup-config command cleans the startup configuration database in the permanent
storage memory of the device, and sets it to its default values.
Command Syntax
Loader(config)#clean startup-config [all]
all
(Optional). Cleans the startup configuration and all system settings like
authentication data and configuration profiles.
Example
Loader(config)#clean startup-configuration all
War ni ng: I P addr ess wi l l be l ost .
Deleting the Boot Configuration
The clean boot-config command clears the Loader EPROM.

CAUTION

This command should be used only by Telco Systems Technical Support.
Command Syntax
Loader(config)#clean boot-config {remove-board-data | remove-all}

Page 75

remove-board-
data
Clears the NVRAM board configuration, keeping the management IP
address, boot profile and manufacturing details.
remove-all
Clears all settings in non-volatile memory, including all above.
Erasing Log History Records
The clean log-history command erases all log history records.
Command Syntax
Loader(config)#clean log-history
Cleaning the Flash Memory
The clean flash all command erases all Flash memory records.
Command Syntax
Loader(config)#clean flash all
Making a Backup Copy
The backup command makes a backup copy of the Flash or EEPROM memory contents.
Command Syntax
Loader(config)#backup eeprom A.B.C.D FILE-NAME
Loader(config)#backup flash {1 | 2 | boot} A.B.C.D FILE-NAME
eeprom
Specifies that a backup copy of the EEPROM memory contents is made.
flash
Specifies that a backup copy of the Flash memory contents is made.
A.B.C.D
Specifies the IP address of the TFTP server where the backup copy is
written.
FILE-NAME
Specifies the name of the backup file to be copied.
1
Makes a backup of the primary Flash.
2
Makes a backup of the secondary Flash.
boot
Makes a backup of the boot Flash.

Page 76

Rewriting the Flash Memory
The refresh flash command rewrites the Flash memory.
Command Syntax
Loader(config)#refresh flash {1 | 2 | all}
1
Rewrites the primary Flash memory.
2
Rewrites the secondary Flash memory.
all
Rewrites all Flash memory.
Restoring the Flash Memory
The restore flash command restores the Flash memory.
Command Syntax
Loader(config)#restore flash {1 | 2} A.B.C.D FILE-NAME
1
Restores the primary Flash.
2
Restores the secondary Flash.
A.B.C.D
Specifies the IP address of the TFTP server where the Flash memory will
be restored.
FILE-NAME
The name of the backup file.
Displaying and Specifying the Software Image Location
The boot-param device command displays the current software image location. Use one of the
below command arguments to specify the software image location.
CLI Mode: Loader and Loader Configuration
Command Syntax
Loader(config)#boot-param device
Loader(config)#boot-param device [local | network]

Page 77

local
(Optional). The device boots from the local software image
network
(Optional). The device boots from a remote software image, using an FTP
server
Displaying and Applying the Boot Statement
The boot-param application command displays the current boot statement.
Command Syntax
Loader#boot-param application
Loader(config)#boot-param application [FILE-NAME]
FILE-NAME
The name of the image file, a case-sensitive string.
Displaying and Specifying the FTP Server IP-Address
The boot-param ftp-server command displays the FTP server IP-address. Use the command
argument to specify the FTP server IP-address.
Command Syntax
Loader#boot-param ftp-server
Loader(config)#boot-param ftp-server [A.B.C.D]
A.B.C.D
(Optional) specifies the FTP server IP-address
Displaying and Specifying the FTP Username
The boot-param ftp-user command displays the FTP username. Use the command argument to
specify the FTP username.
Command Syntax
Loader#boot-param ftp-user
Loader(config)#boot-param ftp-user [NAME]

Page 78

NAME
(Optional). The FTP access user name.
Specifying the FTP Access Password
The boot-param ftp-password command specifies the password for FTP server access.
Command Syntax
Loader#boot-param ftp-password
Loader(config)#boot-param ftp-password [PASSWORD]
PASSWORD
(Optional). The FTP authentication password for the configured FTP user name.
Specifying the Startup Configuration Name
The boot-param startup-config command specifies the name of the startup configuration.
Command Syntax
Loader#boot-param startup-config [binary]
Loader(config)#boot-param startup-config [FILE-NAME | binary [FILE-NAME |
default] | default]
FILE-NAME
(Optional). The name of the startup-configuration
default
(Optional). Sets the default name of the startup configuration
binary
(Optional). Sets the binary startup configuration.
Displaying Boot Statements
The boot-param command displays the current boot statement.
Command Syntax
Loader>boot-param
Loader(config)#boot-param

Page 79

Example
Loader>boot-param
I P addr ess = 10. 0. 0. 1: f f f f f f 00
Devi ce = l ocal
Appl i cat i on = Bi NOS- TMar c_3X0- 9. 4. 3. TMC3- pr e3. Z
St ar t up conf i gur at i on =
St at up bi nar y conf i g =
FTP ser ver =
FTP user =
FTP passwor d =
Boot f l ags =
Loader Memory Mode
The memory command enters the Loader memory mode.
CLI Mode: Loader
Command Syntax
Loader>memory
Loader(memory)#
Copying a Block of Memory
The copy command copies a block of memory that is specified by block-lengthfrom the specified
source address to the specified destination address.
CLI Mode: Loader Memory
Command Syntax
Loader(memory)#copy <src-addr> <dst-addr> <blk-len>
src-addr
Hexadecimal source address (optionally prefixed with 0x).
dst-addr
Hexadecimal destination address (optionally prefixed with 0x).
blk-len
Hexadecimal or decimal block length (use 0x prefix for hexadecimal
number).

Page 80

Checking and Repairing File-system Integrity
The check-device command checks the integrity of the file system and repairs lost clusters and file
structure.
Command Syntax
Loader(config)#check-device flash:
Example
Loader(config)#check-device flash:
f l ash: / - di sk check i n pr ogr ess . . .
dosChkLi b : CLOCK_REALTI ME i s bei ng r eset t o THU DEC 27 00: 00: 00 1990
Val ue obt ai ned f r omf i l e syst emvol ume descr i pt or poi nt er : 0xf f f dd38
The ol d set t i ng was THU J AN 01 00: 16: 22 1970
Accept ed syst emdat es ar e gr eat er t han THU DEC 27 00: 00: 00 1990
f l ash: / - Vol ume i s OK
Change vol ume I d f r om0x0 t o 0xe696
t ot al # of cl ust er s: 15, 237
# of f r ee cl ust er s: 12, 042
# of bad cl ust er s: 0
t ot al f r ee space: 24, 084 Kb
max cont i guous f r ee space: 24, 659, 968 byt es
# of f i l es: 8
# of f ol der s: 9
t ot al byt es i n f i l es: 6, 360 Kb
# of l ost chai ns: 0
t ot al byt es i n l ost chai ns: 0

Displaying a Block of Memory
The display command displays a block of memory.
Command Syntax
Loader(memory)#display [<st-addr> [<blk-len>]]
st-addr
(Optional). Hexadecimal start address (optionally prefixed with 0x). If only
the start address is specified, the previous or default block length is
repeated.
blk-len
(Optional). Hexadecimal or decimal block length (use 0x prefix for
hexadecimal number).

Page 81

Filling a Block of Memory
The fill command fills a block of memory.
Command Syntax
Loader(memory)#fill <st-addr> <blk-len> <value>
st-addr
Hexadecimal start address (optionally prefixed with 0x).
blk-len
Hexadecimal or decimal block length (use 0x prefix for hexadecimal
number).
value
Hexadecimal byte value to fill (optionally prefixed with 0x).
Printing a Command List
The list command prints the executed commands in a list format.
CLI Mode: Loader
Command Syntax
Loader(memory)#list

Updating the Application Software from Loader:
1. Configure boot parameters in profile (to configure any application file as a default one, the file
must be downloaded first):
Loader>config
Loader(config)#boot-param device local
2. Download the application by TFTP (it is stored with the source name. To change the target
name, specify the name as an additional command argument). If an application file with the
specified target name exists, it is overwritten.
Loader(config)#exit
Loader>copy application tftp:10.4.0.4/BiNOS-sfm880.Z
TFTP r ecei vi ng f i l e . . . 3385202
3. Set the default application (when the file is already stored in FS):
Loader>config
Loader(config)#boot-param application BiNOS-sfm880.Z

Page 82

System Time and Date
The device internal clock runs from the moment the system starts up and keeps track of the date
and time. It is set from the following sources:
Manual configuration
Daytime Protocol
Time Protocol
Summer Time (Daylight Saving Time)
Network Time Protocol
1588v2 Precision Time Protocol
Daytime Protocol
The Daytime protocol is defined in RFC 867. A host connects to a server that supports the
Daytime protocol, on either TCP or UDP port 13. The server then returns the current date and
time as an ASCII string with an unspecified format.
Time Protocol
The Time protocol is defined in RFC 868. This protocol provides a site-independent, machine
readable date and time.
The Time protocol operates over either TCP or UDP. A host connects to a server that supports
the Time protocol, on port 37. The server then sends the time as a 32-bit unsigned binary number
in network byte order representing a number of seconds since 00:00 (midnight) 1 January, 1900
GMT and closes the connection. The host receives the time and closes the connection.

NOTE
In BiNOS, the Daytime protocol and the Time protocol use TCP.
Summer Time (Daylight saving time)
Daylight saving time (DST) is the practice of temporarily advancing clocks. Computer-based
systems adjust automatically when DST starts and finishes, based on their time zone settings
You can have the device advance the clock one hour at 2:00 a.m. on the first Sunday in April and
move back the clock one hour at 2:00 a.m. on the last Sunday in October. You can explicitly specify
the start and end dates and times and whether or not the time adjustment recurs every year.


Page 83

Network Time Protocol
Network Time Protocol (NTP) provides a reliable way of transmitting and receiving the time over
IP networks. NTP is organized as a client-server model. An NTP network usually gets its time from
an authoritative time source, such as a radio clock or an atomic clock connected to a Time server.
NTP then distributes this time across the network.
1588v2 Precision Time Protocol (PTP)
IEEE-1588v2, also known as PTP, provides an Ethernet-based, scalable clock-synchronization
mechanism with various master-clock and quality options.
Precise time synchronization is essential for monitoring performance measurements in order to
ensure a high quality of service.
Enable this protocol for synchronizing the T-Marc 300 Series devices, in order to measure
extremely accurate Service Assurance Application (SAA) one-way delay (for more information,
refer to the ServiceAssuranceApplicationsection of the Operation, Administration, andMaintenance
chapter of this user guide).
The PTP mechanism functions as follows:
One clock in a defined domain within the network serves as the master clock (either a grand-
master clock or one T-Marc 300 Series device configured as a master clock)
The master clock periodically announces itself as the master clock to the slave clocks within
the defined domain
The master clock sends periodical synchronization messages to the slave clocks within the
domain
In case more than one master announces itself within the domain, the master clock with the
highest defined 1588v2 priority and quality remains the master clock while the other master
clock/ s' mode is automatically switched to slave
To configure the PTP feature, refer to 1588v2 PTP ConfigurationFlow.
System Time and Date Default Configuration
Table 27: System Time and Date Default Configuration
NTP authentication Disabled
Summer time (Daylight Saving Time) Disabled
1588v2 PTP Default Configuration
Table 28: 1588v2 PTP Default Configuration
PTP Disabled

Page 84

PTP mode Slave
PTP primary priority (priority1) 255
PTP secondary priority (priority2) 255
Domain number 0
Announce interval 16 seconds
Synchronization interval 4 seconds
Static master address (none)
PTP per interface Disabled
Announce-receipt timeout intervals 3
Synchronization-receipt timeout intervals 3

Page 85

System Time and Date Configuration Flow
1. Manually configure the system time and date (see ConfiguringSystemTimeandDate)
or
2. Configure the device to synchronize the system time with a specific remote daytime or time
server (see Configuringa Daytimeor TimeServer)
or
3. Configure an NTP server (see ConfiguringanNTP Server)
4. Start the NTP server polling (see ConfiguringtheNTP Server Polling)
Define an MD5 authentication key (see ConfiguringtheMD5 AuthenticationKey)
Adjust the system time to DST and then back to standard time on pre-set dates (see
Specifyinga One-timeSummer Time(DST) Period)
Adjust the system time and date to an annually-recurring summer time (DST) period (see
Specifyinga Recurrent Summer Time(DST) Period)
6. Remove the NTP server (see RemovinganNTP Server)
7. Display the NTP server configuration (see RemovinganNTP Server)
8. Display the current time server configuration (see DisplayingtheTimeServer Configuration)
9. Display the current time and date (see DisplayingtheCurrent SystemTime)

Page 86

System Time and Date Configuration Commands
Table 29: Time and Date Configuration Commands
Command Description
date
Manually configures the system time and date
(see Configuring System Time and Date)
time-server
Configures the device to synchronize the system time with
a specific remote daytime or time server
(see Configuring a Daytime or Time Server)
time-server ntp add
Configures an NTP server
(see Configuring an NTP Server)
time-server ntp start
Configures the NTP server polling
(see Configuring the NTP Server Polling)

Table 30: Time Server Optional Commands
Command Description
time-server ntp key
Configures the MD5 authentication key
(see Configuring the MD5 Authentication Key)
time-server summer-time
date
Adjusts the system time to DST and then back to standard
time on pre-set dates
(see Specifying a One-time Summer Time (DST) Period)
time-server summer-time
recurring
Adjusts the system time and date to an annually-recurring
summer time (DST) period
(see Specifying a Recurrent Summer Time (DST) Period)

Table 31: Commands for Removing the NTP Server
Command Description
time-server ntp delete
Deletes the existing NTP server
(see Removing an NTP Server)

Table 32: Time Servers Display Commands
Command Description
time-server ntp show
Displays defined NTP servers
(see Displaying NTP Servers)
time-server ntp key show
Displays existing NTP keys
(see Displaying the MD5 Authentication Key)
show time-server
Displays the current Time server configuration
(see Displaying the Time Server Configuration)
show date
show clock
Display the current time and date
(see Displaying the Current System Time)

Page 87

Configuring System Time and Date
The date command manually configures the system time and date.
Command Syntax
device-name(config)#date hh:mm:ss <day> MONTH <year>
hh:mm:ss
Specifies the time (24-hour format) in hours and minutes.
day
Day in month, in the range <131>.
MONTH
Specifies the month: January, February, March, April, May, June, July,
August, September, October, November, and December.
year
Year in four digits, in the range <19932035>.
Example
The following example sets system time to 12:30:00 and date 1 April 2008:
device-name(config)#date 12:30:00 1 april 2008
Configuring a Daytime or Time Server
The time-server command configures the device to synchronize the system time with a specific
remote server.
To use this feature, select the remote time synchronization protocol:
The DaytimeProtocol (RFC 867) specifies the date and time as a character string
The TimeProtocol (RFC 868) specifies the time in seconds since midnight, January 01, 1900
The server for remote synchronization can be any PC running Windows NT/ 2000 or the UNIX
operating system.
Command Syntax
device-name(config)#time-server daytime swap
device-name(config)#time-server {daytime | time} A.B.C.D <refresh-time>
[<zone> [timeout <timeout>]] [timeout <timeout>]
device-name(config)#time-server {daytime | time} A.B.C.D <refresh-time>
timezone <zone> {<1-59> timeout <timeout> | timeout <timeout>}
device-name(config)#no time-server [daytime swap]


Page 88

NOTE
The old style of this command, wherein the IP address argument precedes the
daytime protocol, is supported for backward compatibility. However, Telco Systems
strongly recommends using only the new style of the command for setting up time
synchronization clients.
time
Specifies Time Protocol (RFC868).
daytime
Specifies Daytime Protocol (RFC867).
swap
Swaps day and month (for daytime format). This would be required if the
positions of day and month are interchanged in the daytime servers
format, to prevent the device from interpreting the day value as the
month and the month value as the day.
A.B.C.D
IP address of the time-server.
refresh-time
Synchronization polling interval, in the range of <1044640>minutes.
timezone
Specifies the time zone.
zone
Shifts of local hour relative to the server (positive East, negative West of
servers time zone). The range is <-1212>.
timeout <timeout>
Specifies the Time server session timeout in seconds. The range is <2
20>seconds.
1-59
Specifies a number of minutes to synchronize accurately the system time
to the time server.
no
Removes the Time server definitions.
Example 1
The following command synchronizes the system time with host 192.168.0.1, using the Time
Protocol. Synchronization is performed every 10 minutes. Local time is two hours behind the GMT
.
device-name(config)#time-server time 192.168.0.1 10 -2
Example 2
The following command synchronizes the system time with host 192.168.0.1, using the Daytime
Protocol. Synchronization is performed every 10 minutes. Local time is two hours ahead of the
GMT.
device-name(config)#time-server daytime 192.168.0.1 10 2

Page 89

Configuring an NTP Server
The time-server ntp add command configures an NTP server.
You can define up to five NTP servers.
Command Syntax
device-name(config)#time-server ntp add A.B.C.D
A.B.C.D
Specifies the IP address of the Time server to be added.
Example
The following example adds the NTP server with IP address 186.102.20.11:
device-name(config)#time-server ntp add 186.102.20.11
Configuring the NTP Server Polling
The time-server ntp start command configures the NTP server polling interval. The polling
interval is the period of time between polling cycles.

NOTE
To end the NTP server polling use the no t i me- ser ver command.
Command Syntax
device-name(config)#time-server ntp start <polling-interval> {<zone> |
timezone <zone> <1-59>}
polling-interval
The synchronization refresh period in minutes, in the range <10
44640>(the upper limit is equivalent to 31 days).
zone
Shift of local hour relative to GMT (positive East, negative West of
Greenwich). The range is <-1212>.
timezone
Specifies the time zone.
1-59
Specifies a number of minutes to synchronize accurately the system
time to the time server.

Page 90

Configuring the MD5 Authentication Key
The time-server ntp key command configures the MD5 authentication key.
Time synchronization can be authenticated to make sure that the local device obtains its time
services only from known sources.
By default, network time synchronization is unauthenticated.
Command Syntax
device-name(config)#time-server ntp key {add | delete} <key-id> KEY [A.B.C.D]
add
Defines the MD5 authentication key.
delete
Removes the existing MD5 authentication key.
key-id
The key number in the range <165535>.
KEY
String up to 20 non-blank characters. The string is case-sensitive. Some special
characters, such as question marks, are not allowed.
A.B.C.D
(Optional). NTP server address.
Example
The following example adds an MD5 authentication key with key ID of 27 and plain-text key qwerty:
device-name(config)#time-server ntp key add 27 qwerty
Conf i gur at i on changes wi l l t ake ef f ect af t er nt p cl i ent i s r est ar t ed
Specifying a One-time Summer Time (DST) Period
The time-server summer-time date command adjusts the system time to DST and then back to
standard time on pre-set dates.
Adjusts the system time to DST and then back to standard time on pre-set dates
By default, the summer time definition is disabled.
Command Syntax
device-name(config)#time-server summer-time date <day> MONTH <year> HH:MM:SS
<day> MONTH <year> HH:MM:SS <shift>
device-name(config)#no time-server summer-time

Page 91

day
The start day of the month, in range <131>.
MONTH
The start summer-time month: January, February, March, April, May, June,
July, August, September, October, November and December.
year
The start summer-time year, in range <19932035>.
HH:MM:SS
Specify the start summer-time time.
day
The end day of the month, in range <131>.
MONTH
The end summer-time month: January, February, March, April, May, June,
July, August, September, October, November and December.
year
The end summer-time year, in range <19932035>.
HH:MM:SS
Specify the end summer-time time.
shift
The number of minutes to add during summer time, in range <11440>.
no
Remove the summer time settings.
Example
The following example demonstrates advancing the system time 1 hour on May 1st, 2004, at
02:00:00 and shifting it back on December 3rd, 2004, at 02:00:00:
device-name(config)#time-server summer-time date 1 May 2004 02:00:00 3 Dec
2004 02:00:00 60
Specifying a Recurrent Summer Time (DST) Period
The time-server summer-time recurring command adjusts the system time and date to an
annually-recurring summer time (DST) period.
By default, the summer time definition is disabled.
Command Syntax
device-name(config)#time-server summer-time recurring {first | <week> | last}
<day> MONTH HH:MM:SS {first | <week> | last) <day> MONTH HH:MM:SS <shift>
device-name(config)#no time-server summer-time
first
The first week of the month to start.
week
Specify the week of the month to start in, the range <14>.
last
The last week of the month to start.
day
The start summer-time day in the week: Sunday, Monday, Tuesday,
Wednesday, Thursday, Friday and Saturday.
MONTH
The start summer-time month: January, February, March, April, May,
June, July, August, September, October, November, and December.

Page 92

HH:MM:SS
Specify the start summer-time time.
first
The first week of the month to end.
week
Specify the week of the month to end, in the range <14>.
last
The last week of the month to end.
day
The end summer-time day in the week: Sunday, Monday, Tuesday,
Wednesday, Thursday, Friday and Saturday.
MONTH
The end summer-time month: January, February, March, April, May,
June, July, August, September, October, November, and December.
HH:MM:SS
Specify the end summer-time time.
shift
The number of minutes to add during summer time, in the range <1
1440>.
no
Remove the summer-time settings.
Example
The following example shows how to advance the system time automatically by one hour every
year, starting on the second Monday of April at 01:00:00 this year and move the system time back
on the second Tuesday of October at 01:00:00:
device-name(config)#time-server summer-time recurring 2 mon apr 01:00:00 2
tue oct 01:00:00 60
Removing an NTP Server
The time-server ntp delete command deletes the existing NTP server.
Command Syntax
device-name(config)#time-server ntp delete A.B.C.D
A.B.C.D
Specify the IP address of the Time server to be deleted.
Example
The following example removes the NTP server with IP address 186.102.20.11:
device-name(config)#time-server ntp delete 186.102.20.11

Page 93

Displaying NTP Servers
The time-server ntp show command displays defined NTP servers.
Command Syntax
device-name(config)#time-server ntp show
Example
The following example displays the three existing NTP servers:
device-name(config)#time-server ntp show
186. 102. 20. 11
182. 21. 2. 31
128. 11. 24. 6
Displaying the MD5 Authentication Key
The time-server ntp key show command displays the existing MD5 authentication key ID and
string.
Command Syntax
device-name(config)#time-server ntp key show
Example
device-name(config)#time-server ntp key show
192. 168. 0. 40:
1 key1
2 key2
192. 168. 0. 32:
1 key1
Displaying the Time Server Configuration
The show time-server command displays the current Time server configuration.
Command Syntax
device-name#show time-server

Page 94

Example
device-name#show time-server
Cur r ent syst emt i me MON OCT 13 19: 00: 25 2003
Ti me ser ver pr ot ocol : NTP
Ref r esh : 23 mi n
Ti me zone : 2h: 10m
Displaying the Current System Time
The show date and show clock commands display the current system time and date.
Command Syntax
device-name#show date
device-name#show clock [detail]
detail
(Optional). The command also displays the type of the currently used
synchronization client and the time zone indication. If detail is not specified, the
command displays the current system time.
Example 1
device-name#show date
Cur r ent syst emt i me TUE APR 10 13: 45: 04 2001
Example 2
The following example displays the date and time:
device-name#show clock
Cur r ent syst emt i me TUE APR 10 13: 45: 04 2008
Example 3
The following example displays the date and time, and the currently used synchronization client (if
available):
device-name#show clock detail
Cur r ent syst emt i me THU J AN 01 00: 01: 02 1998
Ti me cl i ent i s r unni ng wi t h f ol l owi ng peer s:
Ti me ser ver : 192. 168. 0. 4
Ref r esh t i me: 10 mi nut es
Ti me zone shi f t : 2 hour ( s)

Page 95

The following example demonstrates how the device uses an NTP server.
1. Add the NTP server located in IP address 212.90.11.2:
device-name(config)#time-server ntp add 212.90.11.2
2. Add an MD5 authentication key with key ID of 27 and plain-text key qwerty:
device-name(config)#time-server ntp key add 27 qwerty
3. Start the NTP server polling with refresh period of 10 minutes and time zone 2:
device-name(config)#time-server ntp start 10 2

Page 96

1588v2 PTP Configuration Flow
To configure the 1588v2 PTP, proceed as follows:
1. Enable 1588v2 PTP on the device (see ConfiguringPTP).
2. Define the device's PTP mode (master or slave, see DefiningtheDevice's PTP Mode).
3. (For master devices only) define the clock's primary 1588v2 priority (see Defininga Master
Clock's 1588v2 Primary Priority).
4. (For master devices only) define the clock's secondary 1588v2 priority (see Defininga Master
Clock's 1588v2 Secondary Priority).
5. Specify the PTP domain (logical grouping) the device belongs to (see AssigningtheDevicetoa
PTP Domain).
6. (For master devices only) define the interval for sending announce messages (see Definingthe
Interval for SendingAnnounceMessages).
7. (For master devices only) define the interval for sending synchronization messages (see
DefiningtheInterval for SendingSynchronization Messages).
8. (Optional, for slaves only) define a static master for the device (see Selectinga StaticMaster
Clock).
9. Enable PTP on the interface/ s (see EnablingPTP ona Port).
10. (For slave devices only) define the announce-receipt timeout from a master clock (see Defining
theAnnounce-Receipt Timeout).
11. (For slave devices only) define the synchronization-receipt timeout from a master clock (see
DefiningtheSynchronization-Receipt Timeout).
12. Display the PTP status (see DisplayingthePTP Status).

Page 97

1588v2 PTP Configuration Commands
Table 33: 1588v2 PTP Configuration Commands
Command Description
ptp
Configures PTP on the local device and enters the PTP
Configuration mode (see Configuring PTP)
encapsulation all-ports
Defines the network technology used to transport PTP
messages (see Defining the Packet Encapsulation
Type)
priority1
Defines the 1588v2 primary priority of the master clock
(see Defining a Master Clock's 1588v2 Primary Priority)
priority2
Defines the 1588v2 secondary priority of the master
clock (see Defining a Master Clock's 1588v2 Secondary
Priority)
domain-number
Defines the PTP domain the device belongs to (see
Assigning the Device to a PTP Domain)
ptp-mode
Defines whether the device is a slave or a master (see
Defining the PTP Mode)
master-address
Defines a static master's MAC address for a slave
device (see Selecting a Static Master Clock)
announce-interval
Defines the interval the master sends announce
messages (see Defining the Interval for Sending
Announce Messages)
sync-interval
Defines the interval the master sends announce
messages (see Defining the Interval for Sending
Synchronization Messages)
master-vlan
Defines a VLAN used for sending master clock
messages or sync messages (Defining the Master
VLAN)
ptp enable
Enables PTP on port/s (see Enabling PTP on a Port)
ptp-announce-receipt-timeout
Defines the number of announce intervals to pass
without receiving an announce message before
dropping the current master and selecting a different
one (see Defining the Announce-Receipt Timeout)
ptp-sync-receipt-timeout
Defines the number of synchronization intervals to pass
without receiving a synchronization message before the
slave becomes unsynchronized with the master (see
Defining the Synchronization-Receipt Timeout)
show ptp
Displays the PTP state (see Displaying the PTP Status)


Page 98

Configuring PTP
The ptp command configures PTP on the local device and enters the PTP Configuration mode.
Enable this protocol for accurate SAA one-way delay measurement (refer to the ServiceAssurance
Applicationsection of the Operation, Administration, andMaintenancechapter of BiNOS User Guide).
PTP is disabled by default.
Command Syntax
device-name(config)#ptp [enable]
device-name(config-ptp)#

device-name(config)#no ptp
enable
Enters the PTP Configuration mode
no
Disables PTP
Defining the Packet Encapsulation Type
The encapsulation all-ports command defines the network technology used to transport PTP
messages.

CLI Mode: PTP Configuration
By default, the encapsulation type is ieee8023.
Command Syntax
device-name(config-ptp)#encapsulation all-ports {ipv4 | ieee8023}
device-name(config-ptp)#no encapsulation all-ports
ipv4
PTP over UDP/IPv4. When carried over UDP, the first byte of the PTP
message immediately follows the final byte of the UDP header.
ieee8023
PTP over IEEE 802.3/ Ethernet. When carried over Ethernet, the first byte
of the PTP message occupies the first byte of the data field of the Ethernet
frame.
Defining the 1588v2 Primary Priority of the Master Clock
The priority1 command defines the 1588v2 primary priority of the master clock.
If there is more than one master device in a PTP domain, the device with the highest priority
(lowest number) remains the master while the other device/ s switch to slave.

Page 99

The default priority1 is 255.
Command Syntax
device-name(config-ptp)#priority1 <priority1>
device-name(config-ptp)#no priority1
priority1
The priority1 value, in the range of <0255>
no
Restores to default
Defining the 1588v2 Secondary Priority of the Master Clock
The priority2 command defines a finer grained ordering among otherwise equivalent master
clocks (see above).
The default priority2 is 255.
Command Syntax
device-name(config-ptp)#priority2 <priority2>
device-name(config-ptp)#no priority2
priority2
The priority2 value, in the range of <0255>
no
Restores to default

Assigning the Device to a PTP Domain
The domain-number command specifies the PTP domain the device belongs to.
The PTP domain is the logical grouping of PTP clocks that synchronize to each other.
The default domain number is 0.
Command Syntax
device-name(config-ptp)#domain-number <domain_number>
device-name(config-ptp)#no domain-number
domain-number
The PTP domain number, in the range of <0255>

Page 100

no
Restores to default
Defining the PTP Mode
The ptp-mode command switches between slave and master modes.

NOTE
If the master device receives announce messages from a different PTP master device
with a higher 1588v2 priority and quality, it automatically switches to a slave mode
without any warnings.

The default mode is slave.
Command Syntax
device-name(config-ptp)#ptp-mode {master | slave}
master
Defines the device as a master clock
slave
Defines the device as a slave clock
Selecting a Static Master Clock
The master-address command allows you to select a static master manually. In this case the slave
device skips the master election algorithm and ignores announce messages from other maters.
By default, the device has no static master.
Command Syntax
device-name(config-ptp)#master-address <XX:XX:XX:XX:XX:XX>
device-name(config-ptp)#no master-address
XX:XX:XX:XX:XX:XX
The static master's MAC address
no
Restores to default
Defining the Interval for Sending Announce Messages
The announce-interval command defines the interval for a master device to announce itself as
master clock, in seconds.
The default interval is 16 seconds.

Page 101

Command Syntax
device-name(config-ptp)#announce-interval <announce interval>
device-name(config-ptp)#no announce-interval
announce interval
The interval between two consecutive announce messages, in
the range of {1 | 2 | 4 | 8 | 16 | 32 | 64 | 128}seconds.
no
Restores to default
Defining the Interval for Sending Synchronization Messages
The sync-interval command defines the interval for a master device to send synchronization
messages, in seconds.
The default interval is 4 seconds.
Command Syntax
device-name(config-ptp)#sync-interval <synch interval>
device-name(config-ptp)#no sync-interval
synch interval
Specifies the interval between two consecutive synchronization
messages, in the range of {1 | 2 | 4 | 8 | 16 | 32 | 64 | 128}
seconds.
no
Restores to default
Defining the Master VLAN
The master-vlan command defines a VLAN used for sending master clock messages or sync
messages.
Command Syntax
device-name(config-ptp)#master-vlan <master-vlan-id>
device-name(config-ptp)#no master-vlan
master-vlan-id
The master VLAN ID, in the range of <14094>.The VLAN must
be already configured (see the Configuring VLANs and Super
VLANs chapter of the current User Guide).
no
Removes the VLAN from being a master VLAN.

Page 102

Enabling PTP on a Port
The ptp enable command enables PTP for on a specific port. When you enable PTP on a port,
this port is able to receive and send PTP packets.
CLI Mode: Interface Configuration
By default, PTP is disabled on ports.
Command Syntax
device-name(config-if UU/SS/PP)#ptp {enable | disable}
enable
Enables PTP
disable
Disables PTP
Defining the Announce-Receipt Timeout
The ptp-announce-receipt-timeout command defines the announce-receipt timeout.
This value defines the number of announce-receipt intervals that pass before the slave interface
drops the selected master and initiates an ANNOUNCE_RECEIPT_TIMEOUT_EXPIRES
event.
Command Syntax
device-name(config-if UU/SS/PP)#ptp-announce-receipt-timeout
<announce_receipt_timeout>
device-name(config-if UU/SS/PP)#no ptp-announce-receipt-timeout
The default number of announce-receipt intervals is 3.
announce_receipt
_timeout
The number of announce-receipt intervals, in the range of <2
255>
no
Restores to default

Defining the Synchronization-Receipt Timeout
The ptp-sync-receipt-timeout command defines the synchronization-receipt timeout.
This value defines the number of synchronization-receipt intervals that pass before the slave is no
longer synchronized with the master.

The default number of the synchronization-receipt intervals is 3.

Page 103

Command Syntax
device-name(config-if UU/SS/PP)#ptp-sync-receipt-timeout
<sync_receipt_timeout>
device-name(config-if UU/SS/PP)#no ptp-sync-receipt-timeout
synch_receipt
_timeout
The number of the synchronization-receipt intervals, in the range
of <2255>
no
Restores to default
Displaying the PTP Status
The show ptp command displays the PTP configuration details as specified below.
If you do not use the interface argument, the command displays the common device's PTP
settings without interfaces information.
If you use the interface argument without specifying an interface number, the command
displays the enabled PTP interfaces on the device.
If you use the interface argument and specify an interface number, the command displays
the specified interface's PTP state.
Refer to Table 34 for the parameters displayed by this command.

Command Syntax
device-name#show ptp [interface [UU/SS/PP | AG0N]
UU/SS/PP
The interface displayed
AG0N
The aggregated interface displayed
Example 1
device-name#show ptp
PTP Conf i gur at i on ( sl ave) :
Number of PTP enabl ed por t s: 1
Domai n Number : 0
Mast er Addr ess: 00: A0: 12: 27: 0E: 40
Mean pat h del ay : 5 usec
Of f set f r ommast er : 1 usec
Example 2
device-name#show ptp interface 1/1/1
Thi s por t i s PTP Enabl ed
Por t St at e: Mast er

Page 104

Announce r ecei pt t i meout : 16
Sync r ecei pt t i meout : 4
Table 34: Parameters displayed by the show pt p command
Parameters Description
Mean Path Delay The average between the delay from the master to slave and the
delay from the slave to master
Offset from Master The offset between the slave and the master calculated by the slave

Below is an example of configuring a master device.
1. Enable PTP on the device:
device-name(config)#ptp enable
2. Define a device to PTP master mode:
device-name(config-ptp)#ptp-mode master
device-name(config-ptp)#exit
3. Enter the configuration mode for interface 1/ 1/ 1:
device-name(config)#interface 1/1/1
4. Enable PTP on interface 1/ 1/ 1:
device-name(config-if 1/1/1)#ptp enable
device-name(config-if 1/1/1)#end
5. Display the PTP configuration:
device-name#show ptp
PTP Conf i gur at i on ( mast er ) :
Number of PTP enabl ed por t s: 1
Domai n Number : 0
Pr i or i t y 1: 255
Pr i or i t y 2: 255
Announce I nt er val : 16
Sync I nt er val : 4

Page 105

DHCP Client
Overview
DHCP (Dynamic Host Configuration Protocol) is a TCP/ IP protocol for dynamicallyassigning IP
addresses to devices on a network. DHCP is built on a client-server model, in which designated
DHCP servers allocate network addresses and deliver configuration parameters to dynamically
configured devices (DHCP clients).
The DHCP client use DHCP to reacquire or verify its IP address and network parameters
whenever the local network parameters may have changed (e.g. at the device boot time or after a
disconnection from the local network), as the local network configuration may change without the
clients or users knowledge.
If a DHCP client has knowledge of a previous network address and is unable to contact a local
DHCP server, the DHCP client may continue to use the previous network address until the lease
for that address expires. If the lease expires before the client can contact a DHCP server, the
DHCP client must immediately discontinue use of the previous network address and may inform
local users of the problem.
DHCP consists of two components:
mechanism for delivering configuration parameters from a DHCP server to a device
mechanism for allocating network addresses to devices
DHCP supports three mechanisms for IP address allocation:
AutomaticallocationDHCP assigns a permanent IP address to the user
DynamicallocationDHCP assigns an IP address to the user for a limited period of time.
Dynamic allocation allows automatic reuse of an address that is no longer needed by the user
to which it is assigned. Thus, dynamic allocation is particularly useful for assigning an address
to the user that connected to the network only temporarily or for sharing a limited pool of IP
addresses among a group of users that do not need permanent IP addresses.
Manual allocationthe system administrator assigns to the user an IP address, and DHCP is
used simply to convey the assigned address. A particular network uses one or more of these
mechanisms, depending on the policies of the network administrator. Manual allocation allows
DHCP to be used to eliminate the error-prone process of manually configuring hosts with IP
addresses in environments where it is desirable to manage IP address assignment outside of
the DHCP mechanisms.

Page 106

The DHCP Negotiation Process
As shown in below figure, the parameter negotiation starts with a DHCPDISCOVER broadcast
message from the client seeking a DHCP server. The DHCP Server responds with a
DHCPOFFER unicast message offering configuration parameters (such as an IP address, a MAC
address, a domain name, and a lease for the IP address) to the client. The client returns a
DHCPREQUEST broadcast message requesting the offered IP address from the DHCP Server.
The DHCP Server responds with a DHCPACK unicast message confirming that the IP address
has been allocated to the client.

Figure 1: Obtaining an I P Address from a DHCP Server
The client may suggest values for the IP address and lease time in the DHCPDISCOVER message.
The client may include the requestedIP addressoption to suggest that a particular IP address can be
assigned, and may include the IP addressleasetimeoption to suggest the lease time it would like to
have it. The requestedIP addressoption is filled in a DHCPREQUEST message only when the client
is verifying network parameters obtained previously.
If a server receives a DHCPREQUEST message with an invalid requestedIP address, the server
should respond to the client with a DHCPNAK message and may choose to report the problem to
the system administrator. The server may include an error message in the messageoption.
When Should Clients Use DHCP
A client should use DHCP to reacquire or verify its IP address and network parameters whenever
the local network parameters may have changed (e.g. at the switch boot time or after a
disconnection from the local network), as the local network configuration may change without the
client or user knowledge.
If a client has knowledge of a previous network address and is unable to contact a local DHCP
Server, the client may continue to use the previous network address until the lease for that address
expires. If the lease expires before the client can contact a DHCP Server, the client must
immediately discontinue use of the previous network address and may inform local users of the
problem.

Page 107

The DHCP Client Default Configuration
Table 35: DHCP Client Default Configuration
DHCP Client Disabled
The DHCPDISCOVER message
retransmission timeout
8 minutes
The DHCP Client Configuration Flow
1. Optional configuration:
Enable the DHCP client security feature
(see EnablingtheDHCP Client Security(AuthenticationOption90))
Permit the DHCP client to receive unauthenticated packets
(see ControllingtheUnauthenticatedPacketsFlow)
Specify DHCP server discover attempts (see SpecifyingDHCP Server Discover Attempts)
Configure the maximum time that the DHCP Client is allowed to be active
(see ChangingtheDHCPDISCOVER MessagesRetransmissionTimeout)
2. Provide the device its IP configuration information dynamically and configures the DHCP
lease period (see ConfiguringtheDHCP Client)
3. Display the DHCP Client status and the DISCOVER message timeout
(see DisplayingtheDHCP Client Configuration)

Page 108

DHCP Client Configuration Commands
NOTE
The commands in the following table are applied on demarcation devices in a
topology with proxy management feature started.

Table 36: DHCP Client Security Commands
Command Description
dhcp-client security enable
Enables the DHCP client security feature (see Enabling
the DHCP Client Security (Authentication Option 90))
dhcp-client security accept
Permits the DHCP client to receive unauthenticated
packets
(see Controlling the Unauthenticated Packets Flow)
dhcp-client security attempts
Specifying DHCP server discover attempts (see
Specifying DHCP Server Discover Attempts)

Table 37: DHCP Client Commands
Command Description
dhcp-client discover-rto
Configures the maximum time that the DHCP Client is
allowed to be active (see Changing the
DHCPDISCOVER Messages Retransmission Timeout)
ip address dhcp
Provides the device its IP configuration information
dynamically and configures the DHCP lease period
(see Configuring the DHCP Client)
Table 38: DHCP Client Display Command
Command Description
show dhcp-client
Displays the DHCP Client status and the DISCOVER
message timeout
(see Displaying the DHCP Client Configuration)


Page 109

Enabling the DHCP Client Security (Authentication Option 90)
The dhcp-client security enable command enables the DHCP client security feature.
By default, the DHCP client security is disabled.
Command Syntax
device-name(config)#dhcp-client security enable
device-name(config)#no dhcp-client security
no
Disables the DHCP client security feature.
Controlling the Unauthenticated Packets Flow
The dhcp-client security accept command permits the DHCP client to receive
unauthenticated packets.
By default, the all unauthenticated packets are received.
Command Syntax
device-name(config)#dhcp-client security accept {all | authenticated-only}
all
Permits all unauthenticated packets.
authenticated-only
Permits only authenticated packets.
Specifying DHCP Server Discover Attempts
The dhcp-client security attempts command specifies the number of attempts, which the
DHCP client makes to locate a DHCP server and obtain a configuration from it.
By default, the number of attempts is infinitely.
Command Syntax
device-name(config)#dhcp-client security attempts (<1-512> | infinitely)

Page 110

1-512
Specifies the number of attempts.
infinitely
Sets the number of attempts to infinitely.
Changing the DHCPDISCOVER Messages Retransmission
Timeout
The dhcp-client discover-rto command configures the maximum time that the DHCP Client
is allowed to be active and to send DHCPDISCOVER frames.
The client resends a DHCPDISCOVER frame after 4, 8, 16, 32 and 64 seconds.
By default, the DHCPDISCOVER timeout is 8 minutes.
Command Syntax
device-name(config)#dhcp-client discover-rto <time>
device-name(config)#no dhcp-client discover-rto
time
The DHCPDISCOVER message retransmission timeout, in the range <132>
minutes.
no
Disables the retransmission timeout, i.e. the DHCP client keeps sending requests
until it negotiates an IP address.
Configuring the DHCP Client
The ip address dhcp command provides the device its IP configuration information dynamically
and configures the requested lease period.
By default, the dynamic address allocation is disabled.
Command Syntax
device-name(config)#ip address dhcp [A.B.C.D | renew]
device-name(config)#ip address dhcp lease {<1-10080> | infinite} [A.B.C.D |
renew]
device-name(config)#no ip address dhcp
1-10080
Specifies a value for the lease period, in minutes.
infinite
Sets the lease period to be an infinite period. This is the default value.

Page 111

A.B.C.D
(Optional). The requested IP address. The DHCP Client is initiated with
DHCP negotiation. If the IP address is specified, the DHCP Client sends a
request for this address, and if the requested IP address is not available the
server returns another IP address. To see the IP address provided by the
DHCP server, use the show ip command in Privileged (Enable) mode (refer
to the Device Setup and Maintenance chapter of the BiNOS User Guide).
renew
(Optional). Restarts the DHCP client, freeing the IP address previously
allocated.
no
Stops the DHCP Client and restores the IP address, subnet mask and IP
gateway to their default values.
Displaying the DHCP Client Configuration
The show dhcp-client command displays the DHCP client status and the DISCOVER message
timeout.
Command Syntax
device-name#show dhcp-client
Example
device-name(config)#ip address dhcp lease infinite
device-name#show dhcp-client
DHCP cl i ent i s act i ve
I P addr ess i s acqui r ed by DHCP
DI SCOVER messages r et r ansmi ssi on t i meout - 8 mi nut e( s)
Lease t i me l ef t : 86394

Page 112

Controlling the Packet Rate
Overview
To break the correlation between the management device (the CPU), the remaining switching and
routing devices, the device implements four queues for outgoing packets to the CPU, and a
standalone NewAddressmessage queue destined to the CPU. Each queue has a fixed depth. Packet
dropping is enabled when the queues reach their limit.
Two mechanisms are set:
ProtectingAgainst NewAddressAttacks The rate limit mechanism for learning new addresses is
hardware based. It is designed to prevent overloading the CPU when new MAC address
requests arrive at a high pace.
ProtectingAgainst CPU Attacks The rate limiting hardware mechanism is designed to reduce
CPU usage. You can define a rate limit for traffic to the CPU to prevent overloading the CPU
when the pace at which packets are forwarded to it is too high.
Figure2 shows the packet flow through the device when the rate limit mechanism is enabled.

Figure 2: Rate Limit Mechanism

Page 113

Packet-Rate Thresholds' Default Configuration
Table 39: Packet-Rate Threshold Default Configuration
Rate limit for learning new addresses for
the entire device
1500 packets per second
Rate limit to the CPU for the entire device 1500 packets per second
Low packet-rate threshold 200 packets per second
High packet-rate threshold 5000 packets per second
The Packet-Rate Thresholds' Commands
Table 40: Packet-Rate Threshold Commands
Command Description
set packets_threshold
Configures packet-rate threshold levels
(see Configuring Packet-Rate Thresholds)
reset packets_threshold
statistics
Clears the CPU packet-rate statistics
(see Clearing the CPU Packet Threshold)
show packets_threshold
Displays the current packet-rate threshold levels
(see Displaying Packet-Rate Thresholds)
Configuring Packet-Rate Thresholds
The set packets_threshold command configures rate threshold levels for packets that load the
CPU.
CLI Mode: Global Configuration mode
Default packet-rate threshold levels are described in Table 39.
Command Syntax
device-name(config)#set packets_threshold <low> <high>
low
Low packet rate threshold in packets per second. The range is <5010000>.
high
High packet rate threshold in packets per second. The range is <100
10000>.

Page 114

Example
The following example sets the threshold levels to:
Accept all packets if the rate is less or equal to 300 packets per second
Accept only high-priority packets if the rate is higher than 300 packets per second, but not
more than 4000 packets per second
Reject all packets if the rate exceeds 4000 packets per second
device-name(config)#set packets_threshold 300 4000
Clearing the CPU Packet Threshold
The reset packets_threshold statistics command clears the CPU packet-rate statistics.
Command Syntax
device-name#reset packets_threshold statistics
Displaying Packet-Rate Thresholds
The show packets_threshold command displays the current packet-rate threshold levels.
Table 41 describes the parameters displayed by the show packets_threshold command.
Command Syntax
device-name#show packets_threshold
Example
device-name#show packets_threshold
Low packet r at e t hr eshol d i s 200 pps
Hi gh packet r at e t hr eshol d i s 5000 pps
Packet s r at e per sec: 6 I n packet s: 1425 Dr op packet s: 0
Table 41: Parameters Displayed by the show packet s_t hr eshol d Command
Parameter Description
Low packet rate threshold Low packet rate threshold in packets per second.
High packet rate threshold High packet rate threshold in packets per second.
In packets The number of packets accepted (within the threshold limits)
in the current session.
Drop packets The number of packets rejected (beyond the threshold
limits) in the current session.

Page 115

Packets rate per sec The current rate of information flows to the CPU, in terms of
packets-per-second.

Page 116

Control Plane Priority per Protocol
Table 42: Control Plane Priority per Protocol
Protocol Control Packets Priority
LACP LACPDU 7
MEF8 Ethernet 07
CFM BPDU 6
EFM OAM BPDU 6
DHCP IP 6
ICMP IP 6
ARP Ethernet 6
SNMP UDP 6
Telnet TCP 6
SSH TCP 6
TFTP UDP 6
DHCP Client UDP 6
RADIUS UDP 6
TACAS + TCP 6
SYSLOG messages UDP 6

Page 117

Supported Platforms
Managing the MAC Address Table + +
Managing the ARP Table + +
Script Files System + +
Configuring Default Settings + +
Zero Configuration Networking + +
Software Upgrade and Boot Options + +
Boot Loader + +
Managing the System Time and Date + +
DHCP Client + +
CPU Resource Control + +
Managing the MAC
Address Table
No Standards are
supported by this
feature.
Standard MIB,
8021Q_d6.mib
No RFCs are
supported by this
feature.
Managing the ARP
Table
No standards are
supported by this
feature.
Private MIB,
prvt_switch_ipvaln.mib
RFC 791, Internet
Protocol DARPA
Internet Program
Protocol Specifications
RFC 919,
Broadcasting Internet
Datagrams
RFC 922,
Broadcasting Internet
Datagrams in the
Presence of Subnets
RFC 1042, A Standard
for the Transmission
of IP Datagrams over
IEEE 802 Networks
RFC 1122,
Requirements for
Internet Hosts --
Communication
Layers
RFC 1812,
Requirements for IP
Version 4 Routers

Page 118

Script Files System No standards are
supported by this
feature.
No MIBs are supported
by this feature.
No RFCs are
supported by this
feature
Configuring Default
Settings
No standards are
supported by this
feature.
by this feature.
No RFCs are
supported by this
feature
Zero Configuration
Networking
No standards are
supported by this
feature.
by this feature.
RFC 2131, Dynamic
Host Configuration
Protocol
RFC 2132, DHCP
Options and BOOTP
Vendor Extensions
Software Upgrade and
Boot Options
No standards are
supported by this
feature.
by this feature.
No RFCs are
supported by this
feature.
Boot Loader No Standards are
supported by this
feature.
by this feature.
No RFCs are
supported by this
feature.
Managing the System
Time and Date
No standards are
supported by this
feature.
by this feature.
RFC 867, Daytime
Protocol
RFC 868, Time
Protocol
DHCP Client No standards are
supported by this
feature.
by this feature.
RFC 951, Bootstrap
Protocol (BOOTP)
RFC 1542,
Clarifications and
Extensions for the
Bootstrap Protocol
RFC 2131, Dynamic
Host Configuration
Protocol
RFC 2132, DHCP
Options and BOOTP
Vendor Extensions
CPU Resource
Control
No standards are
supported by this
feature.
Private MIB,
prvt_bist.mib
No RFCs are
supported by this
feature.

Page 1
Configuring Interfaces (Rev. 08)

Configuring Interfaces
Table of Figures 3
Fast Ethernet and Giga Ethernet Ports 5
Overview 5
Fast and Giga Ethernet Ports Default Configuration 6
Fast and Giga Ethernet Ports Configuration Commands 7
Link Aggregation Control Protocol (LACP)23
LACP Modes23
LACP Parameters23
Link Aggregation Groups (LAGs) 24
LAG Default Configuration26
LAG Configuration Flow26
LAG Configuration Commands27
Configuration Examples34
Resilient Links43
Overview43
Resilient Links Default Configuration43
Resilient Links Configuration Flow44
Resilient Links Configuration Commands 45
Port Security Techniques51
Overview51
The Port Security Default Configuration52
The Port Security Configuration Commands52
The Port Limit Feature61
Overview61
Port Limit Default Configuration61
Port Limit Commands 61


Page 2

Interfaces Management65
Overview65
Interfaces Management Commands65
Alarm Propagation Feature67
Overview67
Alarm Propagation Commands 67


Page 3

Table of Figures
Figure 1: Four Ports Combined into a Link Aggregation Group24
Figure 2: Example of LAG Containing Two Ports34
Figure 3: Example of Two LAGs Configured on the Same Device35
Figure 4: Example of Two Static LAGs with RSTP40
Figure 5: Example of a Resilient Link Topology50
Figure 6: Alarm Propagation Configuration Example69


Page 4

This chapter describes the T-Marc 300 Series device interface types and their configuration. In
addition, the chapter includes port security methods.
The chapter includes the following sections:
Fast Ethernet andGiga Ethernet Ports
This section details the T-Marc 300 Series device interfaces and the commands to
configure them.
Link AggregationControl Protocol (LACP)
This protocol provides increased bandwidth, increased redundancy, and higher
availability.
Resilient Links
Resilient links allow protecting critical links and preventing network downtime.
Port SecurityTechniques
Using port security techniques on T-Marc 300 Series device provides control over every
device plugged into the internal network.
AlarmPropagationFeature
Alarm Propagation is a fault detection feature that identifies faults in network uplinks and
alarms downstream devices.


Page 5

Fast Ethernet and Giga Ethernet Ports
Overview
T-Marc 300 Series device allows service providers to deliver multiple services on separate user
ports. It supports multiple application-flows over a single customer interface, mapping each flow to
a different traffic class.
The device supports:
Flexible Ethernet combo-port interfaces
Dual-speed (100M and 1000M) fiber interfaces
Pluggable optics, including CWDM
Tri-speed (10/ 100/ 1000M) copper interfaces
ASCII/ RJ-45 management ports


Page 6

Fast and Giga Ethernet Ports Default Configuration
Table 1: Fast Ethernet and Giga Ethernet Ports Default Configuration
Interface state Enabled
Port name None
Backpressure mode Disabled
Duplex speed For Fast Ethernet Fiber: Auto-negotiation.
For Giga Ethernet Fiber: Auto-negotiation.
For Fast Ethernet and Giga Ethernet Copper: Auto-
negotiation.
Flow Control mode Disabled
Default VLAN 1
Broadcast rate limit Unlimited
Multicast rate limit Unlimited
Unknown rate limit Unlimited
Packet size limit 1632
Remote fault detect Disabled
Crossover detection Automatic
Learning new address Enabled


Page 7

Fast and Giga Ethernet Ports Configuration
Commands
Table 2: Fast and Giga Ethernet Configuration Commands
Command Description
interface
Enters the configuration mode of a specific physical interface, a
LAG, an interface range, or a LAG range (see Entering the
Interface Configuration Mode)
name
Assigns a name to a physical interface or a group of interfaces
(see Specifying the Interface Name)
speed Specifies the interface speed (see Specifying the Interface
Speed)
duplex Specifies a duplex parameter for the specified interface (see
Specifying the Interface Duplex Mode)
backpressure
Enables/disables the backpressure mode (see Defining the
Backpressure Mode)
flow control
Changes the flow control mode (see Defining the Flow Control
Mode)
default vlan
Specifies a default VLAN for a physical interface or group of
interfaces (see Adding Ports to a Default VLAN)
packet-size-limit
Specifies the jumbo frame size (see Specifying the Jumbo
Frames Size)
remote-fault-detect
Enables remote fault detection on the configured interface that is
connected to a 100Base Fiber pair (see Configuring the Remote
Fault Detection)
shutdown
Disables all functions of a specific port (see Disabling an
Interface)

Table 3: IP Interface Commands
Command Description
interface Enters the IP interface configuration mode (see IP Interface
Configuration Mode)
show ip interface Displays the IP interface configuration and statistics (see
Displaying the IP Interface Configuration)


Page 8

Table 4: Commands for Displaying and Clearing Interface Settings and Statistics
Command Description
show
and
show interface
Display the status and configuration of all interfaces or for the
specified interface (see Displaying Interface Configuration
Settings).
show interface
statistics
Displays interface statistics and packet counters (see Displaying
Interface Statistics)
reset
and
clear interface
statistics
Clear all current statistics from a specific physical interface or a
group of interfaces (see Clearing Interface Statistics)
Entering the Interface Configuration Mode
The interface command enters the configuration mode of a specific physical interface, a LAG, an
interface range, or a LAG range.
When in the Range Configuration mode, all the commands are applied to all ports/ LAGs within
that range, until exiting this mode.

CLI Mode: Global Configuration, Interface Configuration, Interface Range Configuration,
LAG Configuration, and LAG Range Configuration
Command Syntax
device-name(config)#interface {UU/SS/PP | ag0N | range PORT-LIST | range
PORT-AG-LIST}
device-name(config-if UU/SS/PP)#
device-name(config-if AG0N)#

device-name(config-if UU1/SS1/PP1)#interface UU2/SS2/PP2
device-name(config-if UU2/SS2/PP2)#

device-name(config-if-group)#interface {UU/SS/PP | ag0N | range PORT-LIST|
range PORT-AG-LIST}
device-name(config-ag-group)#interface {UU/SS/PP | ag0N | range PORT-LIST|
range PORT-AG-LIST}
device-name(config-if AG0N)#interface {UU/SS/PP | ag0N | range PORT-LIST|
range PORT-AG-LIST}
UU/SS/PP Represents the unit, slot, and port numbers of the configured interface.
ag0N Represents a LAG ID in the range of <17>.
range PORT-
LIST
Specifies one or more port numbers. Use commas as separators and
hyphens to indicate sub-ranges (for example, 1/2/11/2/8, 1/1/2).


Page 9

range PORT-
AG-LIST
Specifies a LAG names list (for example AG01, AG04AG07), in the range
<0107>.
Example 1
device-name(config-if 1/1/1)#interface 1/1/2
device-name(config-if 1/1/2)#
Example 2
device-name(config)#interface ag01
device-name(config-if AG01)#interface 1/1/2
Example 3
device-name(config)#interface range ag01
device-name(config-ag-group)#interface 1/1/1
Specifying the Interface Name
The name command assigns a name to a physical interface or a group of interfaces.
CLI Mode:
Interface Configuration and Range Interface Configuration
By default, the port has no name.
Command Syntax
device-name(config-if UU/SS/PP)#name NAME
device-name(config-if UU/SS/PP)#no name

device-name(config-if-group)#name NAME
device-name(config-if-group)#no name
NAME An alphanumeric name of up to 256 characters. Spaces are allowed.
no Removes the port name.


Page 10

Specifying the Interface Speed
The speed command defines the duplex speed of a specified interface or interface range.
The Giga copper ports support crossover detection. This feature allows a device port to automatically
detect, transmit, and receive the Ethernet cables polarity (the relevant cable type).
NOTE
To ensure reliable performance, it is essential to configure the same settings for two
Gigabit fiber ports communicating with each other.
Either enable autonegotiation on both interfaces or set the same duplex speed for
both.

CLI Mode: Interface Configuration and Range Interface Configuration
By default, the device is configured to use auto-negotiation to determine the port speed and duplex
setting.
Command Syntax
device-name(config-if UU/SS/PP)#speed {auto | 10 | 100 | 1000}
device-name(config-if-group)#speed {auto | 10 | 100 | 1000}
auto The port automatically finds the highest speed supported on the link.
10 Sets the duplex speed type to 10Mbps.
100 Sets the duplex speed type to 100Mbps.
1000 Sets the duplex speed type to 1Gbps.
Specifying the Interface Duplex Mode
The duplex command specifies the duplex mode of a physical interface or a group of interfaces.
CLI Mode:
In full-duplex mode, two devices can send and receive at the same time. Full-duplex
communication is often an effective solution for collisions, which are major constrictions in
Ethernet networks. 10 Mbps ports usually operate in half-duplex mode (the device can either
receive or transmit).
NOTE
To ensure reliable performance, it is essential to configure the same settings for two
Gigabit fiber ports communicating with each other.
Either enable autonegotiation on both interfaces or set the same duplex mode for
both.

By default, the device is configured to use auto-negotiation to determine the port speed and duplex
setting.


Page 11

Command Syntax
device-name(config-if UU/SS/PP)#duplex {auto | full | half}
device-name(config-if-group)#duplex {auto | full | half}
auto Enables the auto detect mode.
full Enables the full duplex mode.
half Enables the half duplex mode.
Defining the Backpressure Mode
The backpressure command enables/ disables the backpressure mode.
CLI Mode:
Backpressure is a technique for ensuring that a transmitting port does not send too much data to a
receiving port at a given time. When the buffer capacity of a receiving port exceeds, it sends a Jam
messageto the transmitting port to halt transmission.

NOTE
Backpressure functions only if the port operates in half-duplex mode.
By default, backpressure is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#backpressure {enable | disable}
device-name(config-if-group)#backpressure {enable | disable}
enable Enables backpressure mode.
disable Disables backpressure mode.
Defining the Flow Control Mode
The flow-control command enables/ disables the flow control mode.
Flow control is a technique for ensuring that a transmitting port does not send too much data to a
receiving port at a given time. When the ports buffer is filled, the port transmits a special packet
requesting remote ports to delay sending packets for a period of time.
NOTE
Valid only in full-duplex mode.

By default the flow control is disabled.


Page 12

Command Syntax
device-name(config-if UU/SS/PP)#flow-control {enable | disable | autonegotiate}
device-name(config-if-group)#flow-control {enable | disable | autonegotiate}
enable Enables flow control.
disable Disables flow control.
autonegotiate Enables flow control autonegotiation.
Adding Ports to a Default VLAN
The default vlan command specifies a default VLAN for a physical interface or a group of
interfaces.
You can define only one default VLAN per port. For more information regarding VLAN
commands, refer to the ConfiguringVLANsandSuper VLANschapter of this User Guide.
By default, the default VLAN (PVID) for all ports is 1.
Command Syntax
device-name(config-if UU/SS/PP)#default vlan <vlan-id>
device-name(config-if UU/SS/PP)#no default vlan

device-name(config-if-group)#default vlan <vlan-id>
device-name(config-if-group)#no default vlan
vlan-id The interfaces default VLAN, in the range of <14094>.
no Restores the default VLAN to VLAN 1.
Specifying the J umbo Frames Size
The packet-size-limit command specifies the maximum packet size allowed for a specific
physical interface or a group of interfaces.
CLI Modes: Interface Configuration and Range Interface Configuration
The default packet size limit is 1632 bytes.
Command Syntax
device-name(config-if UU/SS/PP)#packet-size-limit {NUMBER | default}
device-name(config-if-group)#packet-size-limit {NUMBER | default}


Page 13

NUMBER Specifies the maximum allowed packet size on the port, <5129216>bytes.
default Restores the default value of the packet size to 1632 bytes.
Example
device-name(config-if 1/1/1)#packet-size-limit 1522
device-name(config-if 1/1/1)#show
. . .
. . .
Maxi mumPacket Si ze ( MTU) = 1522
Configuring the Remote Fault Detection
The remote-fault-detect command enables remote fault detection on the configured interface
that is connected to a 100Base Fiber pair.
CLI Mode:
When enabling remote fault detection on such an interface, the device indicates link down on the
port if the remote peer detects link down.
NOTE
The remote-fault-detect command is available only on 100Base Fiber ports.
Command Syntax
device-name(config-if UU/SS/PP)#remote-fault-detect {on | off}
device-name(config-if-group)#remote-fault-detect {on | off}
on Enables the remote fault detection.
off Disables the remote fault detection.
Disabling an Interface
The shutdown command disables all functions of a specific port (receive, forward, and learn).
CLI Mode:
By default, the port is enabled (active).
Command Syntax
device-name(config-if UU/SS/PP)#shutdown
device-name(config-if UU/SS/PP)#no shutdown

device-name(config-if-group)#shutdown
device-name(config-if-group)#no shutdown


Page 14

no Enables the interface.
IP Interface Configuration Mode
The interface command enters the IP Interface Configuration mode.
Command Syntax
device-name(config)#interface sw0
device-name(config-if sw0)#
Displaying the IP Interface Configuration
The show ip interface command displays the IP interface configuration and statistics.
Command Syntax
device-name#show ip interface [brief | sw0 | lo0]
brief (Optional). Displays brief information of all the defined IP interfaces.
sw0 (Optional). Specifies the number of the IP interface.
lo0 (Optional). Specifies the loopback interface.
Example 1
device-name#show ip interface sw0
I nt er f ace sw0
i ndex 3 met r i c 1 mt u 1500
di r ect edbr oadcast di sabl ed
Fl ags : <UP, BROADCAST, NOTRAI LERS, RUNNI NG, SI MPLEX, MULTI CAST>
i net 1. 1. 1. 1/ 8 br oadcast 1. 255. 255. 255
Secondar y i net 2. 1. 1. 1/ 8 br oadcast 2. 255. 255. 255
239538 packet s r ecei ved; 15206 packet s sent
3617 mul t i cast packet s r ecei ved
56 mul t i cast packet s sent
0 i nput er r or s; 0 out put er r or s
0 col l i si ons; 0 dr opped
0 down count


Page 15

Example 2
device-name#show ip interface brief
I nt er f ace l o0
Fl ags : <UP, LOOPBACK, NOTRAI LERS, RUNNI NG, MULTI CAST>
i net 127. 0. 0. 1/ 8
I nt er f ace sw0
Fl ags : <UP, BROADCAST, NOTRAI LERS, RUNNI NG, SI MPLEX, MULTI CAST>
i net 1. 1. 1. 1/ 8 br oadcast 1. 255. 255. 255
Secondar y i net 2. 1. 1. 1/ 8 br oadcast 2. 255. 255. 255
Table 5: Parameters Displayed by the show i p i nt er f ace Command
i ndex The Internal index of the IP interface
met r i c The IP interface metric value
mt u The Maximum Transfer Unit
f l ags UP/DOWNIP interface status
BROADCASTThe broadcast address is valid
NOTRAILERSThe device must avoid using trailers
RUNNINGThe device has successfully allocated needed resources
SIMPLEXThe device cannot hear its own transmissions
MULTICASTThe device supports multicast
ALLMULTIThis port receives all multicast packets
LOOPBACKThis is a loopback net
NOARPThere is no address resolution protocol
POINTOPOINTThe IP interface is a point-to-point link
i net The interface's configured IP address and subnet mask
br oadcast The broadcast address of the IP interface
Et her net addr ess The MAC address of the IP interface
packet s r ecei ved The number of packets received on the IP interface
packet s sent The number of packets sent from the IP interface
mul t i cast packet s
sent
The number of multicast packets sent from the IP interface
i nput er r or s The number of error packets received on the IP interface
out put er r or s The number of error packets sent from the IP interface
col l i si ons (always 0)
dr opped The number of packets dropped on the IP interface
down count The number of times the IP interface went down


Page 16

Displaying Interface Configuration Settings
The commands below display the status and configuration for all ports or for a specified port:
show interface command
show command
Command Syntax
device-name#show interface [UU/SS/PP]
device-name(config-if UU/SS/PP)#show
UU/SS/PP
(Optional). Selects a specific port to display.
Example 1
The following example displays the settings of all the device interfaces:
device-name#show interface
==========================================================================
| Por t | Name | Type | St at e | Li nk| Dupl Speed | Fl ow | Backpr es| Def aul t
+- - - - - +- - - - - - - - +- - - - - - - - +- - - - - - - +- - - - +- - - - - - - - - - +- - - - - - - +- - - - - - - - +- - - - - - - -
1/ 1/ 1 DUAL di sabl e down unknown di sabl e di sabl e 0001
1/ 1/ 2 DUAL enabl e up f ul l - 100 di sabl e di sabl e 0001
1/ 2/ 1 DUAL enabl e down unknown di sabl e di sabl e 0001


Page 17

Example 2
The following example displays the settings of a specific interface:
device-name#show interface 1/1/2
Name =
Type = DUAL ( 10/ 100/ 1000BaseT, MEDI A not i nst al l ed)
Enabl eSt at e = enabl e
Li nk = up ( TX)
Dupl ex mode = aut onegot i at e
Speed = aut onegot i at e
Dupl ex speed st at us = f ul l - 100
Fl ow cont r ol mode = di sabl e
Fl ow cont r ol st at us = di sabl e
Backpr essur e = di sabl e
Br oadcast l i mi t = unl i mi t ed
Def aul t VLAN = 1
Super VLAN Por t = No
Lear ni ng new addr ess = Enabl ed
Max Packet Si ze ( MRU) = 1632
Displaying Interface Statistics
The commands below display the interface statistics and packet counters:
show interface statistics command
show statistics command
CLI Mode: Interface Configuration and LAG Interface Configuration

NOTE
The MaxPacketSize refers to the maximum supported packet size depending on the
configuration (512 bytes or 9216 Kbytes).
Command Syntax
device-name#show interface [UU/SS/PP | ag0N] statistics [extended]
device-name(config-if AG0N)#show statistics [extended]
UU/ SS/ PP (Optional). Displays statistics information of a specified interface.
ag0N (Optional). N, the LAG ID number, in the range <17>.
extended (Optional). Displays additional packet counters.


Page 18

Example 1
The following example display various packet counters for 1/ 2/ 1 interface:
device-name#show interface 1/2/1 statistics
Under si ze 0 I n/ Out Pkt s 1024- MaxFr ameSi ze 0
J abber s 0 DownCount 0
Dr opEvent s 0
Table 6: Counters Displayed by the show i nt er f ace st at i st i cs Command
Counter Description
Oct et s
The number of data octets of all received packets on the line. This
includes data octets of rejected and local packets that are not forwarded
to the switching core for transmission.
In case of oversized packets that exceed the allocated buffer-size, only
buffer-size bytes are counted.
Col l i si ons
The number of received packet when detecting a collision event.
Br oadcast
The number of good Broadcast packet received.
Mul t i cast
The number of good Multicast packet received.
CRCAl i gnEr r or s
The number of received packets that meet all the following conditions:
data-length is between <64MaxFrameSize>bytes inclusive
have an invalid CRC
not detected a collision event
not detected a late collision event
Under si ze
data length is less than 64 bytes
have a valid CRC


Page 19

Counter Description
Over si ze
data length is greater than MRU
have valid CRC

NOTE
When the maximum packet size is below 1632,
oversized packets are counted as FCS errored bytes.
The default MRU size is 1632 bytes.
Fr agment s
data length is less than 64 bytes, or the packet does not have a Start
Frame Delimiter (SFD) and is less than 64 bytes
have an invalid CRC
J abber s
The number of packets that meet one of the following conditions:
data length is greater than MaxFrameSize and CRC is invalid
packet length is greater than MaxPacketSize
Dr opEvent s
Not supported.
Down Count
The number of port disconnections.
The counter is initialized in the following cases:
When the device starts running (provided that the link to the port is
connected), the counter is zeroed
When the module is inserted at run-time (hot-swapped), the counter
is initialized to one
When the link to the port is connected for the first time during run-
time, the counter is initialized to one
Tot al I nPkt s
The number of received packets received on the line. This includes
rejected and local packets that are not forwarded to the switching core for
transmission.
I n/ Out Pkt s 64
The number of 64 bytes received and transmitted packets including
rejected, received, and transmitted packets.
I n/ Out Pkt s 65- 127
The number of received and transmitted packets in the range of
<65127>bytes including rejected, received, and transmitted packets.
I n/ Out Pkt s 128-
255
I n/ Out Pkt s 256-
511
<256511>bytes, including rejected, received, and transmitted packets.
I n/ Out Pkt s 512-
1023
I n/ Out Pkt s 1024-
MaxFr ameSi ze
<1024MaxFrameSize>bytes including rejected, received, and
transmitted packets. The default MaxFrameSize is 1632 bytes.
Tot al I n/ Out Pkt s
The number of received and transmitted packets in the range of <64
MaxFrameSize>bytes including rejected, received, and transmitted
packets.


Page 20

Counter Description
Last 5secI nPkt s
The number of packets received during the five seconds before executing
the command.
Last 1mi nI nPkt s
The number of packets received during the minute before executing the
command.
Last 5mi nI nPkt s
The number of packets received during the five minutes before executing
the command.
Last 5secOut Pkt s
The number of packets transmitted during the five seconds before
executing the command.
Last 1mi nOut Pkt s
The number of packets transmitted during the minute before executing
the command.
Last 5mi nOut Pkt s
The number of packets transmitted during the five minutes before
Last 5secI nBps
The rate of packets received, in bits per second, during the five seconds
before executing the command.
Last 1mi nI nBps
The rate of packets received, in bits per second, during the minute before
Last 5mi nI nBps
The rate of packets received, in bits per second, during the five minutes
Last 5secOut Bps
The rate of packets transmitted, in bits per second, during the five
seconds before executing the command.
Last 1mi nOut Bps
The rate of packets transmitted, in bits per second, during the minute
Last 5mi nOut Bps
The rate of packets transmitted, in bits per second, during the five
minutes before executing the command.

NOTE
The Last5secInBps, Last1minInBps, Last5minInBps, Last5secOutBps,
Last1minOutBps, and Last5minOutBps counters are updated every 5 seconds. After
receiving/ transmitting the packets, you must wait for 10 seconds to pass in order to
receive a correct value of the corresponding statistics.
Example 2
The following example uses the extended keyword to display additional packet counters:
device-name#show interface 1/1/1 statistics extended
I nOct et s 41061272 Out Oct et s 7948538
I nUcast Pkt s 73572 Out Ucast Pkt s 73825
I nNUcast Pkt s 3873 Out NUcast Pkt s 28439
I nDi scar ds 0 Out Di scar ds N/ A
I nEr r or s 1 Out Er r or s N/ A
I nUnknownPr ot os N/ A


Page 21

Table 7: Counters Displayed by the show i nt er f ace st at i st i cs ext ended Command
Counter Description
I nOct et s
The number of data octets of all the received packets on the line. This
includes data octets of rejected and local packets that are not forwarded
to the switching core for transmission.
In case of oversized packets that exceed the allocated buffer-size, only
buffer-size bytes are counted.
I nUcast Pkt s
The number of good unicast packets (not including Multicast and
Broadcast packets) received.
I nNUcast Pkt s
The number of good Broadcast and Multicast packets received.
I nDi scar ds
The number of incoming packets dropped due to lack of receive buffers or
due to exceeding the interfaces Rx buffer threshold.
I nEr r or s
This counter is incremented when any of the following events occurs:
Undersized frames (less than 64 bytes) that are correctly aligned and
well formed without Frame Check Sequence (FCS) Errors
Fragments (less than 64 bytes) that are misaligned and/or with
Frame Check Sequence (FCS) Errors
Oversized frames (frames with size bigger than the MTU value) that
are without FCS errors
J abber frames (frames with size bigger than the MTU value) that
have FCS errors
CRC errors
Fragments and Runtswhen the interface goes down while
receiving traffic
Increment in InDiscards counter
I nUnknownPr ot os
Not supported.
Out Oct et s
The number of data octets of good packets transmitted.
Out Ucast Pkt s
The number of good Unicast packets transmitted (not including Multicast
and Broadcast packets).
Out NUcast Pkt s
The number of good Broadcast and Multicast packets transmitted.
Out Di scar ds
Not supported.
Out Er r or s
Not supported.
Clearing Interface Statistics
The commands below clear all current statistics from a specific physical interface, a group of
interfaces, or LAG interface:
reset command
CLI Mode: Interface Configuration, Range Interface Configuration, and LAG
Interface Configuration
clear interface statistics command
CLI Mode:
Privileged (Enable)


Page 22

Command Syntax
device-name(config-if UU/SS/PP)#reset [all]
device-name(config-if-group)#reset [all]
device-name(config-if AG0N)#reset [all]

device-name#clear interface statistics
all (Optional). Clear the statistics of all ports.


Page 23

Link Aggregation Control Protocol (LACP)
LACP, defined in IEEE 802.3ad, dynamically groups similarly configured ports into a single logical
link (aggregate port). This protocol provides increased bandwidth, increased redundancy, and
higher availability. You can group ports based on hardware, administrative, and port parameter
constraints.
The device exchanges LACP frames for synchronizing the databases of the LACP-enabled ports.
Due to hardware limitations, you can group up to eight compatible ports in a LAG.
LACP Modes
There are two LACP operation modes:
Activean interface in active mode can start LACP negotiation and thus form a link with
another device (whether active or passive).
Passivedoes not start LACP negotiation; thus cannot form a link with another device.
LACP Parameters
A ports ability to aggregate with other ports is determined by the following factors:
The port physical characteristics such as, data transfer rate, duplex capability, and medium type
User defined configuration constraints
To use LACP, you need to define the following parameters:
1. SystemID: the ID identifying an LACP system negotiating with other LACP systems. The
device uses its MAC address as a unique system ID.
2. Systempriority: the system priority along with the port priority allows connected LACP ports to
determine their exchange policy dynamically.
3. Administrativekey: define the ports ability to aggregate with other ports.
4. Port priority: the port priority and the system priority allow connected LACP ports to determine
their exchange policy dynamically.
When enabled, LACP attempts to group the maximum of eight compatible ports in a LAG.
However, if LACP is unable to aggregate compatible ports (for example, due to limitations of the
remote device), it leaves these ports in a hot standby state and uses them when one of the
channeled ports fails.


Page 24

Link Aggregation Groups (LAGs)
LAGs, also known as trunks, provide increased bandwidth and high reliability while saving the cost
of upgrading the hardware.
By combining several interfaces in one logical link, LAGs fill the gaps between 10 Mbps, 100 Mbps,
and 1 Gbps with intermediate bandwidth values.
LAGs also enable bandwidths beyond 1 Gbps by aggregating multiple Giga ports (as shown in the
below figure).

NOTE
The LAGs are numbered from 1to 7.
Each LAG can consist of up to eight compatibly configured interfaces.

Figure 1: Four Ports Combined into a Link Aggregation Group
There are two LAG types:
StaticLAGsconsist of individual Gigabit Ethernet links bundled into a single logical link. They
provide the ability to treat multiple device ports as one device port. These port groups act as a
single logical port for high-bandwidth connections between two network devices. A static
LAG balances the traffic load across the links in the channel. If a physical link within the static
LAG fails, traffic previously carried over the failed link is moved to the remaining links.
Most protocols operate over either single ports or aggregated device-ports and do not
recognize the physical interface within the port group.
DynamicLAGsdynamically adapt aggregated links to changes in traffic conditions. This allows
load sharing and automatic readjustments in case of LAG link-failures and recovery.


Page 25

You can configure both static and dynamic LAGs simultaneously, assuming the following
restrictions:
LAG IDs of both static and dynamic LAGs occupy the same available LAG IDs space
You cannot define a static LAG and a dynamic LAG with the same LAG ID number
You can include each port in a single LAG that is either static or dynamic
Prerequisites
Follow the below guidelines for LAG configuration:
You do not need to modify existing higher-layer protocols or applications in order to use
LACP
Some links cannot participate in LAGs due to inherent capabilities, capabilities of the devices
they are connected to, or management configuration. These links operate as individual links.
LACP supports only point-to-point full-duplex links. You cannot aggregate links among more
than two devices (multipoint aggregations) and half-duplex operation.
When the device is connected to a LAN and Spanning Tree protocol (STP) is not active, you
need to physically attach the aggregated ports only after completing the LAG configuration.


Page 26

LAG Default Configuration
Table 8: LAG Default Configuration
Static Link Aggregation Disabled
Global Link Aggregation Control Protocol (LACP) Disabled
Per port Link Aggregation Control Protocol (LACP) Disabled
LACP system priority 32768
LACP port mode Active
LACP port priority 32768
LACP administrative key 1
LAG distribution MAC address
The marker PDU responder per port Disabled
LAG Configuration Flow
To create a static LAG, proceed as follows:
1. Add a specific interface to a static LAG (see Configuringa StaticLAG)
2. Optional configuration: Assign a user-defined name for a specific static LAG (see Naminga
StaticLAG)
To create a dynamic LAG, proceed as follows:
1. Configure LACP (see EnablingLACP)
2. Assign a physical interface(s) to a LAG (see AssigningInterfacestoa DynamicLAG)
3. Optional configuration:
Specify the LACP system priority (see SpecifyingtheLACP SystemPriority)
Specify the LACP administrative key (see SpecifyingtheLACP AdministrativeKey)
Configure the processing of LACP PDU marker (see ConfiguringtheLACP Marker)
Specify the LAG packet distribution between the ports (see SpecifyingtheLAG Distribution)


Page 27

LAG Configuration Commands
Table 9: Static LAG Configuration Commands
Command Description
link-aggregation static id
Adds a physical interface or a group of interfaces to a
static LAG (see Configuring a Static LAG)
link-aggregation static id
name
Assigns a user-defined name for a specific static LAG
(see Naming a Static LAG)

Table 10: Dynamic LAG Configuration Commands
Command Description
link-aggregation lacp
enable/disable
Configures LACP (see Enabling LACP)
Assigns a physical interface or group of interfaces to a
LAG, and specifies LACP parameters (see Assigning
Interfaces to a Dynamic LAG)
system-priority
Specifies the LACP system priority (see Specifying the
LACP System Priority)
link-aggregation lacp key
Specifies the LACP administrative key (see Specifying the
LACP Administrative Key)
marker
Configures the processing of LACP PDU marker (see
Configuring the LACP Marker)
link-aggregation distribute
Specifies the LAG packet distribution between the ports
(see Specifying the LAG Distribution)

Table 11: Commands for Displaying the Static LAG and LACP Configuration
Command Description
show interface link-
aggregation
Displays all static and dynamic LAGs (see Displaying
LAGs)
show link-aggregation lacp
Displays a list of all LACP enabled interfaces (see
Displaying LACP Interfaces)
show link-aggregation
distribute
Displays the LAG packet distribution configuration (see
Displaying the LAG Distribution)


Page 28

Configuring a Static LAG
The link-aggregation static id command adds a physical interface or a group of interfaces to
a static LAG.

NOTE
The l i nk- aggr egat i on st at i c command replaces the trunk command.

By default, static LAG is disabled
Command Syntax
device-name(config-if UU/SS/PP)#link-aggregation static id <id-number>
device-name(config-if UU/SS/PP)#no link-aggregation

device-name(config-if-group)#link-aggregation static id <id-number>
device-name(config-if-group)#no link-aggregation
id <id-number> LAG ID in the range <17>.
no Removes the configured interface or a group of interface from the static
LAG.
Naming a Static LAG
The link-aggregation static id name command assigns a user-defined name for a specific
static LAG.
By default, the static LAG is not named.
Command Syntax
device-name(config)#link-aggregation static id <id-number> name NAME
device-name(config)#no link-aggregation static id <id-number> name
id-number LAG ID in the range <17>.
NAME Alphanumeric string up to 32 characters.
no Removes the user-defined name.


Page 29

Enabling LACP
The link-aggregation lacp enable/disable command enables LACP.
CLI Mode: Protocol Configuration
By default, LACP is disabled.
Command Syntax
device-name(cfg protocol)#link-aggregation lacp {enable | disable}
enable Enables LACP.
disable Disables LACP.
Assigning Interfaces to a Dynamic LAG
The link-aggregation lacp command enables LACP on a physical interface or group of
interfaces, assigns them to a dynamic LAG, and specifies the LACP parameters.
If you do not specify optional arguments and you do not enable LACP on the interface, the
interface is configured with default argument values.
If you enable LACP on the interface, only explicitly defined optional arguments take effect.
By default, the LACP port is in active LACP mode with priority 32768.
Command Syntax
device-name(config-if UU/SS/PP)#link-aggregation lacp [active | passive] [port-
priority [<priority>] key <number>]]
device-name(config-if UU/SS/PP)#no link-aggregation lacp port-priority
device-name(config-if UU/SS/PP)#no link-aggregation

device-name(config-if-group)#link-aggregation lacp [active | passive] [port-
priority [<priority>] key <number>]]
device-name(config-if-group)#no link-aggregation lacp port-priority
device-name(config-if-group)#no link-aggregation
active (Optional). Enables LACP in active mode.
passive (Optional). Enables LACP in passive mode.
port-priority
<priority>
The port priority value, in the range <165535>.
key <number> (Optional). Number of the LACP administrative key, in the range <1
65535>.


Page 30

no Disables LACP and restores to defaults.
Specifying the LACP System Priority
The link-aggregation lacp system-priority command specifies the LACP system priority.
By default, the LACP system priority is 32768.
Command Syntax
device-name(cfg protocol)#link-aggregation lacp system-priority [<priority>]
device-name(cfg protocol)#no link-aggregation lacp system-priority
priority (Optional). Priority value, in the range of 1 (highest priority) to 65535 (lowest
priority).
no Restores to default.
Specifying the LACP Administrative Key
The link-aggregation lacp key command specifies the LACP administrative key, determining
the ability of the port to aggregate with other ports.
CLI Mode:
Interface Configuration, Range Interface Configuration
By default, the LACP administrative key is 1.
Command Syntax
device-name(configif UU/SS/PP)#link-aggregation lacp key <number>
device-name(configif-group)#link-aggregation lacp key <number>
number LACP administrative key in the range <165535>.


Page 31

Example
The following example shows how to set the LACP key to 65535:
device-name(config-if 1/1/1)#link-aggregation lacp
device-name(configif 1/1/1)#link-aggregation lacp key 65535
Value is displayed in the output issued by the show link-aggregation lacp command:
device-name#show link-aggregation lacp
Syst emI D = 00 a0 12 17 01 00
Syst empr i or i t y = 32768
========+========+=======+=========
Por t | Mode | Key | Pr t y |
- - - - - - - - +- - - - - - - - +- - - - - - - +- - - - - - - - +
1/ 1/ 1 | act i ve | 65535| 32768 |
========+========+=======+=========
Configuring the LACP Marker
The link-aggregation lacp marker command configures the processing of the LACP PDU
marker on a specific port.
CLI Mode:
By default, the marker PDU responder per port is disabled.
Command Syntax
device-name(configif UU/SS/PP)#link-aggregation lacp marker {enable | disable}
device-name(configif-group)#link-aggregation lacp marker {enable | disable}
enable Enables the processing of LACP PDU marker.
disable Disables the processing of LACP PDU marker.
Example
device-name(config-if 1/1/1)#link-aggregation lacp marker enable


Page 32

Specifying the LAG Distribution
The link-aggregation distribute command specifies the LAG packet-distribution between
the ports.
You can define the packet distribution based on:
the source and destination MAC addresses (Layer 2)
the source and destination IP addresses (Layer3)

By default, the traffic on the LAG is distributed by Layer 2 (MAC addresses).
Command Syntax
device-name(cfg protocol)#link-aggregation distribute {layer3 | layer4}
device-name(cfg protocol)#no link-aggregation distribute
layer3
Distributes packets based on the packets source and destination IP addresses.
layer4 Distributes packets based on the TCP/UDP ports and the source and destination IP
addresses for the TCP and UDP packets.
no
Restores to the default settings.
Displaying LAGs
The show interface link-aggregation command displays all static and dynamic LAGs.

NOTE
The show l i nk aggr egat i on command replaces the show t r unk command.
The show t r unk command is also supported.
Command Syntax
device-name#show interface link-aggregation [static | dynamic | id <id-number>]
static
(Optional) displays static LAGs only.
dynamic
(Optional) displays dynamic LAGs only.
id <id-number>
(Optional) displays the LAG specified.


Page 33

Example
device-name#show interface link-aggregation
==========+========+=================+=====================
Agg# | Type | Management Name | Por t s |
- - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - +
AG01 | st at i c | TRUNK1 | 1/ 1/ 1, 1/ 1/ 2, 1/ 2/ 5 |
| =========+========+=================+=====================
Displaying LACP Interfaces
The show link-aggregation lacp command displays a list of all LACP enabled interfaces.
Command Syntax
Example
Syst emI D = 00 a0 12 02 02 02

========+========+=======+=======+
- - - - - - - - +- - - - - - - - +- - - - - - - +- - - - - - - +
1/ 2/ 1 | act i ve | 1 | 32768 |
1/ 2/ 2 | act i ve | 1 | 32768 |
========+========+=======+=======+
Displaying the LAG Distribution
The show link-aggregation distribute command displays the LAG packet-distribution
configuration.
Command Syntax
device-name#show link-aggregation distribute
Example
device-name#show link-aggregation distribute
Li nk aggr egat i on di st r i but i on mode i s Layer 2


Page 34

Configuration Examples
Simple LACP Configuration
The following example establishes dynamic link aggregation between two devices, as shown in
Figure 2.

Figure 2: Example of LAG Containing Two Ports
On each of the two devices, LACP is enabled in active mode on interfaces 1/ 1/ 1 and 1/ 1/ 2 as an
aggregated link. The configuration of Device2 is identical to that of Device1.
4. Display the LACP status:
LACP di sabl ed on t he syst em
5. Enable the LACP:
device-name(cfg protocol)#link-aggregation lacp enable
6. Display the LACP configuration:
Syst emI D = 00 A0 12 03 04 05
No LAC por t s conf i gur ed
7. Enable LACP on interface 1/ 1/ 1:
8. Enable LACP on interface 1/ 1/ 2:


Page 35

Syst emI D = 00 A0 12 03 04 05
========+========+=======+======+
- - - - - - - - +- - - - - - - - +- - - - - - - +- - - - - - +
1/ 1/ 1 | act i ve | 1 | 32768 |
1/ 1/ 2 | act i ve | 1 | 32768 |
========+========+=======+======+
10. If there is a link between the devices, the following results on each device are displayed:
device-name#show interface link-aggregation
==========+========+=================+=====================
- - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - +
AG01 | LACP | LACP1 | 1/ 1/ 1, 1/ 1/ 2 |
==========+========+=================+=====================
Complex LACP Configuration
The following example establishes two dynamic link aggregation groups between Device 1,
Devices2 and 3, as shown in Figure 3.

Figure 3: Example of Two LAGs Configured on the Same Device


Page 36

Configuring Device 1:
On Device1, LACP is enabled in active mode on the following interfaces:
1/ 1/ 1, 1/ 1/ 2, 1/ 2/ 1 and 1/ 2/ 2, as an aggregated link to Device2
1/ 2/ 3 and 1/ 2/ 4, as an aggregated link to Device3
1. Enter Protocol Configuration mode and enable the LACP on Device1:
Device1#configure terminal
Device1(config)#protocol
Device1(cfg protocol)#link-aggregation lacp enable
Device1(cfg protocol)#end
Device1#show link-aggregation lacp
Syst emI D = 00 00 02 03 04 05
3. Enable LACP on interfaces 1/ 1/ 1, 1/ 1/ 2, 1/ 2/ 1, 1/ 2/ 2, 1/ 2/ 3 and 1/ 2/ 5:
Device1(config)#interface range 1/1/1-1/2/5
Device1(config-if-group)#link-aggregation lacp
Device1(config-if-group)#end
Syst emI D = 00 00 02 03 04 05
========+========+=======+======+
- - - - - - - - +- - - - - - - - +- - - - - - - +- - - - - - +
1/ 1/ 1 | act i ve | 1 | 32768 |
1/ 1/ 2 | act i ve | 1 | 32768 |
1/ 2/ 1 | act i ve | 1 | 32768 |
1/ 2/ 2 | act i ve | 1 | 32768 |
1/ 2/ 3 | act i ve | 1 | 32768 |
1/ 2/ 5 | act i ve | 1 | 32768 |
========+========+=======+======+


Page 37

On Device2, LACP is enabled in active mode on interfaces 1/ 1/ 1, 1/ 1/ 2, 1/ 2/ 1 and 1/ 2/ 2, as an
aggregated link to Device1.
Syst emI D = 00 a0 12 05 3a 80
3. Enable LACP on interfaces 1/ 1/ 1, 1/ 1/ 2, 1/ 2/ 1 and 1/ 2/ 2:
Device2(config)#interface range 1/1/1-1/2/2
Device2(config-if-group)#link-aggregation lacp
Device2(config-if-group)#end
Syst emI D = 00 a0 12 05 3a 80
========+========+=======+======+
- - - - - - - - +- - - - - - - - +- - - - - - - +- - - - - - +
1/ 1/ 1 | act i ve | 1 | 32768 |
1/ 1/ 2 | act i ve | 1 | 32768 |
1/ 2/ 1 | act i ve | 1 | 32768 |
1/ 2/ 2 | act i ve | 1 | 32768 |
========+========+======+======+


Page 38

On Device3, LACP is enabled in active mode on interfaces 1/ 2/ 3 and 1/ 2/ 4, as an aggregated link
to Device 1.
Syst emI D = 00 a0 12 10 94 c0
3. Enable LACP on interfaces 1/ 2/ 3 and 1/ 2/ 4:
Device3(config)#interface 1/2/3
Device3(config-if 1/2/3)#link-aggregation lacp
Device3(config-if 1/2/3)#interface 1/2/4
Device3(config-if 1/2/4)#link-aggregation lacp
Device3(config-if 1/2/4)#end
Syst emI D = 00 a0 12 10 94 c0
========+========+=======+=======+
- - - - - - - - +- - - - - - - - +- - - - - - - +- - - - - - - +
1/ 2/ 3 | act i ve | 1 | 32768 |
1/ 2/ 4 | act i ve | 1 | 32768 |
========+========+=======+=======+


Page 39

After the LACP operation the following results on each device are displayed:
Displaying Device 1 Configuration:
Device3#show interface link-aggregation
==========+========+=================+=====================
- - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - +
AG01 | LACP | LACP1 | 1/ 1/ 1, 1/ 1/ 2 |
AG02 | LACP | LACP2 | 1/ 2/ 3, 1/ 2/ 5 |
==========+========+=================+=====================
==========+========+=================+=========================
- - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - +
AG01 | LACP | LACP1 | 1/ 1/ 1, 1/ 1/ 2, 1/ 2/ 1, 1/ 2/ 2|
==========+========+=================+=========================
==========+========+=================+=====================
- - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - +
AG02 | LACP | LACP2 | 1/ 2/ 3, 1/ 2/ 4 |
==========+========+=================+=====================


Page 40

Static LAG with RSTP
The following example shows how to establish two static LAGs between two devices.
This setup requires a mechanism such as RSTP to prevent the two LAGs from forming a loop. For
more information, refer to the ConfiguringRapidSpanningTreeProtocol (RSTP) chapter of this User
Guide.
The configuration of Device2 is identical to that of Device1. However, there are differences in the
RSTP configuration parameters, since RSTP automatically selects one device (Device 1 in our case)
as the root bridge and the other device (Device 2) as the designated bridge.

Figure 4: Example of Two Static LAGs with RSTP
1. Enable RSTP:
Device1(cfg protocol)#rapid-spanning-tree enable
2. Enable static LAG on interfaces 1/ 1/ 1 and 1/ 2/ 4:
Device1(config-if 1/1/1)#link-aggregation static id 1
3. Enable Static LAG on interfaces 1/ 2/ 7 and 1/ 2/ 8:

NOTE
Repeat the above steps on device 2


Page 41

1. Display the static LAG configuration:
Device1#show interface link-aggregation static
=========+======+=======================+=======================
Agg# | Type | Management Name | Por t s
- - - - - - - - - +- - - - - - +- - - - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - -
AG01 | STATI C| TRUNK1 | 1/ 1/ 1, 1/ 2/ 4
AG02 | STATI C| TRUNK2 | 1/ 2/ 7, 1/ 2/ 8
2. Display the RSTP parameters and Rapid Spanning-Tree topology:
Device1#show rapid-spanning-tree
Rapi d spanni ng t r ee = enabl ed
Pr ot ocol Speci f i cat i on = i eee8021w
Pr i or i t y = 32768
Ti meSi nceTopol ogyChange = 41 ( Sec)
TopChanges = 2
Desi gnat edRoot = Thi s br i dge i s t he r oot
MaxAge = 20 ( Sec)
Hel l oTi me = 2 ( Sec)
For war dDel ay = 15 ( Sec)
Br i dgeMaxAge = 20 ( Sec)
Br i dgeHel l oTi me = 2 ( Sec)
Br i dgeFor war dDel ay = 15 ( Sec)
TxHol dCount = 3
Mi gr at i onTi mer = 3 ( Sec)
Det ect Li neCRCReconf i g = di sabl ed
Det ect Li neFl appi ng = di sabl ed
SpanI gmpFast Recover y = di sabl ed

===============================================================================
Por t | Pr i | Pr t r ol e| St at e| PCost | DCost | Desi gnat ed br i dge | DPr t | Fwr dT
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - +- - - - -
AG01 128 Desi gnat f r wr d 10000 0 32768. 00A0121102A3 128. 88 1
AG02 128 Desi gnat f r wr d 10000 0 32768. 00A0121102A3 128. 90 1
1. Display the static LAG configuration:
Device2#show interface link-aggregation static
=========+======+=======================+=======================
Agg# | Type | Management Name | Por t s
- - - - - - - - - +- - - - - - +- - - - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - -
AG01 | STATI C| TRUNK1 | 1/ 1/ 1, 1/ 2/ 4
AG02 | STATI C| TRUNK2 | 1/ 2/ 7, 1/ 2/ 8


Page 42

2. Display the RSTP parameter settings and Rapid Spanning-Tree topology:
Device2#show rapid-spanning-tree
Pr i or i t y = 32768
TopChanges = 1
Desi gnat edRoot = 32768. 00: A0: 12: 11: 02: A3
Root Por t = AG01
Root Cost = 10
MaxAge = 20 ( Sec)
TxHol dCount = 3

===============================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - +- - - - -
AG01 128 Root f r wr d 10000 0 32768. 00A0121102A3 128. 88 1
AG02 128 Al t er n di scr 10000 0 32768. 00A0121102A3 128. 90 1


Page 43

Resilient Links
Overview
Resilient links allows protecting critical links and preventing network downtime. A resilient link
consists of a main link and a standby (backup) link together forming a resilient-link pair. Under
normal network conditions, the main link carries network traffic. In case of signal loss, the device
immediately enables the standby link which takes over the main links task. Since the switchover
time to the standby link is less than 1 second, there is no session timeout.
If the main link has a higher bandwidth than its standby or if the main link is configured as a
preferred one, traffic is switched back to the main link as soon as its connection is recovered.
Otherwise, you must manually switch traffic back to the main link.
Resilient Links Default Configuration
Table 12: Resilient Link Default Configuration
Preferred port The port with the higher bandwidth.
Active port The port with the higher bandwidth, if both ports are up. If both
ports have the same bandwidth, the active port is the port with
the lower port number (for example, for ports 1/2/3 and 1/2/6 the
active port is 1/2/3).
Backup port status Power-on enabled.


Page 44

Resilient Links Configuration Flow
Configuration Notes
When configuring resilient links, note the following:
You should define a resilient-link pair only on one end of the link. This provides the ability for
a full redundant network, even when connecting the device to other devices, such as routers
and servers.
If using the shutdown mode, configure it on one device (either local or remote).
If you configure a VLAN, the resilient link ports must belong to the same VLAN.
Adding a new port to an existing resilient link, synchronizes the ports VLAN to the resilient
links VLAN
If the ports do not use the same VLAN tagging system (802.1Q tagging), the VLAN tagging
of the first port is applied to the second port added.
You can configure a resilient link pair only if:
the ports have the same PVID
neither of the ports is part of a LAG
neither of the ports belongs to another resilient-link pair
Step by Step Configuration
To configure a resilient link, proceed as follows:
1. Enter the Resilient-link Configuration mode (see EnteringtheResilient Link ConfigurationMode)
2. Add a port pair as a resilient link (see AssigningPortstoa Resilient Link)
3. Optional Configuration:
Specify one of the ports of the resilient link as preferred (see Selectinga PreferredPort)
Switch the active port of the currently edited resilient link (see SwitchingtheActivePort)
Specify the backup link behavior (see SpecifyingtheBackupLink Behavior)


Page 45

Resilient Links Configuration Commands
Table 13: Resilient Link Configuration Commands
Command Description
resilient-link Enters the Resilient-link Configuration mode (see Entering the
Resilient Link Configuration Mode)
ports Adds a port pair as a resilient link (see Assigning Ports to a Resilient
Link)

Table 14: Resilient Link Optional Commands
Command Description
prefer port Specifies one of the ports of the resilient link as preferred (see
Selecting a Preferred Port)
active port Changes the active port of the selected resilient link (see Switching
the Active Port)
backup-link shut-
down
Specifies the backup link behavior (see Specifying the Backup Link
Behavior)

Table 15: Resilient Link Display Commands
Command Description
show Displays a table of the configured resilient links (see Displaying
the Resilient Link Configuration)
show resilient-links Displays a table of the configured resilient links (see Displaying
the Resilient Link Configuration)
show counter Displays how many swaps each resilient link has undergone in
the current session (see Displaying Resilient Link Counters)
show resilient-links
counter
Displays how many swaps each resilient link has undergone in
the current session (see Displaying Resilient Link Counters)


Page 46

Entering the Resilient Link Configuration Mode
The resilient-link command enables the resilient link feature and enters the Resilient-link
Configuration mode.
You can use this command within one resilient-links configuration mode to enter a different
resilient link configuration.
Command Syntax
device-name(config)#resilient-link <N>
device-name(config-resil-link N)#

device-name(config-resil-link N1)#resilient-link <N2>
device-name(config)#no resilient-link <N>
N The resilient links number in the range of <132>.
no Removes the specified resilient link.
Example
device-name(config)#resilient-link 1
device-name(config-resil-link 1)#
Assigning Ports to a Resilient Link
The ports command assigns a pair of ports to a resilient link.
CLI Mode: Resilient-link Configuration
Command Syntax
device-name(config-resil-link N)#ports UU1/SS1/PP1 UU2/SS2/PP2
UU1/SS1/PP1 The first resilient link port number.
UU2/SS2/PP2 The second resilient link port number.


Page 47

Selecting a Preferred Port
The prefer port command specifies one port as the preferred resilient-link port.
The preferred port is the active port as long as it has a link and traffic is switched back to this port
when its connection is recovered.
By default, the port with the higher bandwidth (operational speed). If both ports have the same
bandwidth, no port is the preferred one.
Command Syntax
device-name(config-resil-link N)#prefer port UU/SS/PP
device-name(config-resil-link N)#no prefer port
UU/SS/PP The preferred port number.
no Cancels the port preference.
Switching the Active Port
The active port command changes the current active port (the port currently carrying traffic) of
the selected resilient link.

NOTE
You can use this command only if you did not define a preferred port.

By default, (in case the two ports have the same bandwidth capacity and no preferred port was
defined) the first port added to the resilient link using the ports command.
Command Syntax
device-name(config-resil-link N)#active port UU/SS/PP
UU/SS/PP The active port number.


Page 48

Specifying the Backup Link Behavior
The backup-link shut-down command specifies the standby link behavior:
4. The port is powered off (the ports LED is off). Use this option when transmitting to a non-
resilient link device.
5. The port is powered on (the ports LED is on). Use this option when transmitting to a resilient
link on a remote device.
Command Syntax
device-name(config-resil-link N)#backup-link shut-down
device-name(config-resil-link N)#no backup-link shut-down
no Powers on the standby port.
Displaying the Resilient Link Configuration
The show and show resilient-links commands display the list of configured resilient links.
The command output displays the resilient-link ID, the resilient links ports, the preferred port (if
defined), the standby link behavior, and the current active link.
CLI Mode: Resilient-link Configuration and Privileged (Enable)
Command Syntax
device-name(config-resil-link N)#show [N1 | N1 N2]
device-name#show resilient-links [N1 | N1 N2]
N1
(Optional). The resilient links ID number.
N1 N2
(Optional). A range of resilient link ID numbers.
Example 1
Displaying information on all currently configured resilient links:
device-name(config-resil-link 1)#show
=====================================================
| RLi nk | Por t 1 | Por t 2 | Pr ef er | Backup | Act i ve |
+- - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - - +- - - - - - - - - +- - - - - - - - +
| 1 | 1/ 2/ 1 | 1/ 2/ 2 | 1/ 2/ 1 | shut down| 1/ 2/ 1 |
| 2 | 1/ 2/ 3 | 1/ 2/ 4 | | st andby | 1/ 2/ 4 |
=====================================================


Page 49

Displaying Resilient Link Counters
The show counter command and the show resilient-links counter command display how
many swaps each resilient link has undergone in the current session.
CLI Mode: Resilient-link Configuration and Privileged (Enable)
Command Syntax
device-name(config-resil-link N)#show counter [N1 | N1 N2]

device-name#show resilient-link counter [N1 | N1 N2]
N1
(Optional). The resilient links ID number.
N1 N2
(Optional). A range of resilient link ID numbers.
Example 1
Displaying information on all currently configured resilient links:
=====================================================
+- - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - - +- - - - - - - - - +- - - - - - - - +
| 1 | 1/ 1/ 1 | 1/ 1/ 2 | 1/ 1/ 1 | shut down| 1/ 1/ 1 |
| 2 | 1/ 2/ 5 | 1/ 2/ 6 | | st andby | 1/ 2/ 5 |
| 3 | 1/ 2/ 3 | 1/ 2/ 4 | | st andby | 1/ 2/ 3 |
=====================================================
Example 2
Displaying information on specific resilient link #3:
device-name(config-resil-link 1)#show 3
=====================================================
+- - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - - +- - - - - - - - - +- - - - - - - - +
| 3 | 1/ 2/ 3 | 1/ 2/ 4 | | st andby | |
=====================================================
Example 3
Displaying information on the configured resilient links in the range #1 to #2:
device-name#show resilient-links 1 2
=====================================================
+- - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - - +- - - - - - - - - +- - - - - - - - +
| 1 | 1/ 1/ 1 | 1/ 1/ 2 | 1/ 1/ 1 | st andby | 1/ 1/ 1 |
| 2 | 1/ 2/ 5 | 1/ 2/ 6 | | st andby | 1/ 2/ 5 |
=====================================================


Page 50

The following figure shows a simple network diagram of the resilient link on an Ethernet LAN.

Figure 5: Example of a Resilient Link Topology
1. Enter Resilient-link Configuration mode:
2. Set ports 1/ 1/ 1 and 1/ 2/ 1 as Resilient Links:
device-name(config-resil-link 2)#ports 1/1/1 1/2/1
3. Set the port 1/ 2/ 1 to be preferred:
device-name(config-resil-link 2)#prefer port 1/2/1
4. Display the Resilient Link configuration:
=======================================================
+- - - - - - - +- - - - - - - - +- - - - - - - - +- - - - - - - - +- - - - - - - - - +- - - - - - - - |
| 2 | 1/ 1/ 1 | 1/ 2/ 1 | 1/ 2/ 1 | st andby | 1/ 2/ 1 |


Page 51

Port Security Techniques
Overview
The Port Securityfeature restricts an interface or VLAN input by limiting and identifying MAC
addresses of devices allowed to access the interface/ VLAN.
When a secured port receives a packet, it compares the packets source MAC address to the secured
MAC address list.
If the packets source MAC address is in the list, the incoming packet is forwarded.
If the packets source MAC address is not in the secured list, the port does not forward the
packet. In this case, the port either shuts down permanently or drops incoming packets from
the unauthorized device, generating an SNMP trap.
You can configure two types of secured MAC addresses:
Static secured MAC addresses created manually by the mac-address-table command (for
more information, refer to the DeviceAdministrationchapter of this User Guide). These
addresses are stored in the address table and added to the devices running configuration
Dynamic secured MAC addresses that are learned dynamically learned. These addresses are
stored in the address table but are removed when the device restarts.

NOTE
Secured MAC addresses do not age.


Page 52

The Port Security Default Configuration
Table 16: Port Security Default Configuration
Port security Disabled
Port security action Trap
Learning the filtered MAC addresses Disabled
The Port Security Configuration Commands
Table 17: Port Security Configuration Commands
Command Description
port security Configures port security (see Configuring Port Security)
port security enable-
shutdown-port
Re-enables a port that shuts down due to a security violation
(see Re-Enabling a Shut Down Port)

Table 18: Port Security Display Commands
Command Description
show port security Displays the security status of a specific port (see Displaying the
Port Security Configuration)


Page 53

Configuring Port Security
The port security command configures port security on a specific interface or interface range.

NOTE
When configuring port security on a port, the initial frame is lost since the first
packet received from any source is used solely for learning its MAC address.

NOTE
When a packet with a secured source MAC address matches more than one port
security setting, the port security per port and VLAN has precedence over the port
security per port.
By default:
filtered MAC addresses are learned in the MAC address table
SNMP trap and a log message are generated when a security violation occurs
all MAC addresses are learned as secured
Command Syntax
device-name(config-if UU/SS/PP)#port security [max-mac-count <number-of-
addresses> [filter-learn-disable]] [vlan <vlan-id>]

device-name(config-if UU/SS/PP)#no port security [max-mac-count [filter-learn-
disable]] [vlan <vlan-id>]
device-name(config-if UU/SS/PP)#no port security all
device-name(config-if UU/SS/PP)#port security action {shutdown | trap} [vlan
<vlan-id>]
device-name(config-if UU/SS/PP)#no port security action {shutdown | trap} [vlan
<vlan-id>]

device-name(config-if-group)#port security [max-mac-count <number-of-addresses>
[filter-learn-disable]] [vlan <vlan-id>]

device-name(config-if-group)#no port security [max-mac-count [filter-learn-
disable]] [vlan <vlan-id>]
device-name(config-if-group)#no port security all

device-name(config-if-group)#port security action {shutdown | trap} [vlan
<vlan-id>]
device-name(config-if-group)#no port security action {shutdown | trap} [vlan
<vlan-id>]


Page 54

The argumentsare mutually exclusive. You can specify an action (shutdown or trap) in one port
security command and specify the maximum number of secured MAC addresses (max-mac-
count) in a second port security command for the same port. Both settings are effective.
action {shutdown |
trap}
Defines the port reaction upon a security violation:
The port shuts down
An SNMP trap and log message are generated
max-mac-count
<number-of-
addresses>
(Optional). The maximum numbers of secured MAC addresses the
port supports, in the range of <12048>.
In this case, an attempt to exceed the maximum-allowed secured
MAC addresses on the port produces an address violation event.
NOTE
Enable new MAC address learning prior to using this
argument to ensure its proper function (see the
Device Administration chapter of this User Guide).
When MAC address learning is not enabled the
following warning message is displayed: Warning!
Port security may not work correctly since
learning is disabled on the port.
filter-learn-
disable
(Optional). The filtered MAC addresses are not learned in the MAC
address table.
vlan <vlan-id> (Optional). Enables port security on the specified VLAN the port is a
member of. The VLAN ID number is in the range of <24094>.
NOTE
Using the no por t secur i t y act i on t r ap command
stops the SNMP trap generation when a security violation
occurs.
Example 1
The following example disables learning of the violating MAC address in the MAC address table:
device-name(config-if 1/2/3)#port security max-mac-count 15 filter-learn-
disable
Example 2
The following example displays how to secure port 1/ 2/ 3 for VLAN 5 with a maximum of 5
secured MAC addresses:
device-name(config-if 1/2/3)#port security max-mac-count 5 vlan 5


Page 55

Re-Enabling a Shut Down Port
The port security enable-shutdown-port command re-enables a port shut down due to a
security violation.
CLI Mode:
Command Syntax
device-name(config-if UU/SS/PP)#port security enable-shutdown-port [vlan <vlan-
id>]
device-name(config-if-group)#port security enable-shutdown-port [vlan <vlan-
id>]
vlan <vlan-id>
(Optional). Re-enables the port also on the VLAN this port is a member of.
The VLAN ID number is in the range of <14094>.
Displaying the Port Security Configuration
The show port security command displays the port security configuration for all device ports.
Command Syntax
device-name#show port security [UU/SS/PP] [vlan <vlan-id>]
UU/SS/PP (Optional). Displays the port security configuration of a specified port.
vlan <vlan-id>
(Optional). Displays the port security configuration of a specified VLAN.
Example 1
The following example shows the port security configuration on port 1/ 1/ 1 and VLAN 5 when
the allowed numbers of secured MAC addresses is 5:
device-name#show port security
| ===================================================================|
| por t #| vi d | act i on | max addr | secur e addr | f i l t er ed addr | st at us |
| - - - - - - - +- - - - - +- - - - - - - - +- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - - - +- - - - - - - |
| 1/ 1/ 1 | 5 | t r ap | 5 | 0 | 0 | enabl ed|


Page 56

Example 2
The following example details how to enable port security on port 1/ 1/ 1 per VLAN 5, set a
maximum of 5 MAC addresses, and set the action to shutdown:
device-name(config-if 1/1/1)#port security action shutdown vlan 5
| ===================================================================|
| por t # | vi d | act i on | max addr | secur e addr | f i l t er ed addr | st at us |
| - - - - - - - +- - - - - +- - - - - - - - +- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - - - +- - - - - - - |
| 1/ 1/ 1 | 5 | shut down| 5 | 0 | 0 | enabl ed|
After sending traffic with tag 5 on port 1/ 1/ 1 with more than 5 source MAC addresses, only 5
MAC addresses are learned and the port is disabled:
| ===================================================================|
| por t # | vi d | act i on | max addr | secur e addr | f i l t er ed addr | st at us |
| - - - - - - - +- - - - - +- - - - - - - - +- - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - - - +- - - - - - - - |
| 1/ 1/ 1 | 5 | shut down| 5 | 5 | 0 | di sabl ed|
Example 3
The following example details how to set the port security on port 1/ 2/ 4 with a maximum of 20
secured MAC addresses. The example also details how to set a maximum of 10 secured MAC
addresses per port and VLAN:
device-name(config-if 1/2/4)#port security max-mac-count 20
| ===================================================================|
| por t # | vi d | act i on| max addr | secur e addr | f i l t er ed addr | st at us |
| - - - - - - - +- - - - - - - - - +- - - - - - +- - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - - - +- - - - - - - |
| 1/ 2/ 4 | al l vl ans| t r ap | 20 | 0 | 0 | enabl ed|
| 1/ 2/ 4 | 100 | t r ap | 10 | 0 | 0 | enabl ed|

device-name#show port security 1/2/4 vlan 100
VLAN 100:
The por t / vl an i s : secur ed
St at e : enabl ed
Act i on : send a t r ap
Li mi t Type: : l ear n as f i l t er ed
Max secur ed addr esses = 10
Cur r ent secur ed addr esses = 0
Cur r ent f i l t er ed addr esses = 0


Page 57

Defining Port Security with Dynamic Learned MAC Addresses
The following example configures various port security settings for ports 1/ 1/ 2, 1/ 1/ 3, and 1/ 1/ 4
for all VLANs.
1. Enable port security with default settings on port 1/ 2/ 2. All the MAC addresses are learned as
secure.
device-name(config-if 1/2/2)#port security
2. Enable port security on port 1/ 2/ 3 with action shutdown and a maximum of six MAC
addresses. After six MAC addresses are learned as secure, any additional MAC address sent to
this interface causes the interface to shut down:
device-name(config-if 1/2/3)#port security action shutdown
3. Enable port security on port 1/ 2/ 4 with a maximum of six MAC addresses. After six MAC
addresses are learned as secure, the following MAC addresses are learned as filtered and a
security violation trap is generated:
4. The configured settings are displayed by the show command in Privileged mode as follows:
| ======================================================================|
| - - - - - +- - - - - - - - - +- - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - - - | - - - - - - - |
| 1/ 2/ 2| al l vl ans| t r ap | unl i mi t ed | 0 | 0 | enabl ed|
| 1/ 2/ 3| al l vl ans| shut down| 6 | 0 | 0 | enabl ed|
| 1/ 2/ 4| al l vl ans| t r ap | 6 | 0 | 0 | enabl ed|


Page 58

Defining Port Security with Static MAC Addresses
The following example sets a maximum three addresses and sends SNMP traps in the event of
over-learning.
1. Configure the SNMP trap host to receive traps:
device-name(config)#snmp-server enable
device-name(config)#snmp-server view viewAll 1.3 included
device-name(config)#snmp-server group notify_only v1 read none write none
notify viewAll
device-name(config)#snmp-server user notify_user group notify_only v1
device-name(config)#snmp-server target-param MyParam notify_user v1
device-name(config)#snmp-server target-addr blaaddr1 10.2.3.44 162 MyParam
tag_1
device-name(config)#snmp-server notify portSecurityViolation tag_1
2. Configure the port 1/ 2/ 2 to learn a maximum of three MAC addresses.
3. Return to Global Configuration mode and define three MAC addresses to be learned:
device-name(config)#mac-address-table secure 00:02:4b:82:60:e2 interface
1/2/2 vlan 2
device-name(config)#mac-address-table secure 00:02:55:58:0d:8c interface
1/2/2 vlan 2
device-name(config)#mac-address-table secure 00:02:55:98:52:f4 interface
1/2/2 vlan 2
4. In Privileged (Enable) mode, check that the MAC addresses are learned:
+===========+===================+=========+===========+==========
| vi d | mac | por t | st at us | pr i or i t y
+- - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - -
| 0000 | 00: a0: 12: 07: 13: 29| | sel f | 0
| 0001 | 00: a0: 12: 07: 13: 29| | sel f | 0
| 0002 | 00: 02: 4b: 82: 60: e2| 1/ 2/ 2 | secur e | 0
| 0002 | 00: 02: 55: 58: 0d: 8c| 1/ 2/ 2 | secur e | 0
| 0002 | 00: 02: 55: 98: 52: f 4| 1/ 2/ 2 | secur e | 0
| 0002 | 00: 40: 95: 30: 0b: f 8| 1/ 2/ 3 | dynami c | 0


Page 59

5. Check the port security definitions:
device-name#show port security 1/2/2
ALL VLANS:
The por t i s : secur ed
St at e : enabl ed
Act i on : send a t r ap
Li mi t Type: : l ear n as f i l t er ed
Re-Enabling Shut-down Ports
The following example sets the maximum number of secure addresses to five. The example details
how to re-enable a port that is shut down due to a security violation.
1. Configure port 1/ 2/ 4 as secured, learning maximum 5 secure addresses, and shutting down in
case of a security violation:
device-name(config-if 1/2/4)#port security action shutdown
device-name(config-if 1/ 2/ 4)#end

| ===================================================================|
| - - - - - +- - - - - - - - - +- - - - - - - - +- - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - - - +- - - - - - - |
2. Allow the port to learn 10 addresses and inspect what show port security displays. The
port has learned 5 addresses as secure and the rest as filtered. The ports current state is
disabled (shut down):
| ====================================================================|
| - - - - - +- - - - - - - - - +- - - - - - - - +- - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - - - +- - - - - - - - |
| 1/ 2/ 4| al l vl ans| shut down| 5 | 5 | 5 | di sabl ed|


Page 60

3. Re-enable the port:
device-name(config-if 1/2/4)#port security enable-shutdown-port
| ===================================================================|
| - - - - - +- - - - - - - - - +- - - - - - - - +- - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - - - +- - - - - - - |

device-name#show port security 1/2/4
Al l Vl ans:
The por t i s : secur ed
St at e : enabl ed
Act i on : shut down


Page 61

The Port Limit Feature
Overview
The Port Limit feature limits the number of MAC addresses learned by a port. When enabling this
feature:
MAC addresses within the limit are learned as dynamic
MAC addresses that exceed the limit are learned as filtered MAC addresses.
Port Limit Default Configuration
Table 19: Port Limit Default Configuration
Port limit Disabled
Port Limit Commands
Table 20: Port Limit Configuration Commands
Command Description
port limit Configures a limit on the number of learned MAC addresses on
a physical interface or a group of interfaces (see Limiting MAC
Addresses a Port)

Table 21: Port Limit Display Commands
Command Description
show port limit Displays the port limit configuration for all device ports (see
Displaying the Port Limit Configuration)


Page 62

Limiting MAC Addresses a Port
The port limit command limits the number of learned MAC addresses on a physical interface or
a group of interfaces.

NOTE
When configuring port limit on a port, the initial frame is lost since the first packet
received from any source is used solely for learning its MAC address.

NOTE
A secured port does not support the port limit functionality.
By default, the port limit feature is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#port limit max-mac-count <max-count> [filter-
learn-disable] [vlan <vlan-id>]
device-name(config-if UU/SS/PP)#no port limit [max-mac-count filter-learn-
disable] [vlan <vlan-id>]
device-name(config-if UU/SS/PP)#no port limit all

device-name(config-if UU/SS/PP)#port limit forward-unknown
device-name(config-if UU/SS/PP)#no port limit forward-unknown

device-name(config-if-group)#port limit max-mac-count <max-count> [filter-
learn-disable] [vlan <vlan-id>]
device-name(config-if-group)#no port limit [max-mac-count filter-learn-disable]
[vlan <vlan-id>]

device-name(config-if-group)#port limit forward-unknown
device-name(config-if-group)#no port limit forward-unknown

device-name(config-if-group)#no port limit all
max-mac-count <max-
count>
The number of MAC addresses the port is allowed to learn, in the
range of <12048>.
NOTE
Enable new MAC address learning prior to using this
argument to ensure its proper function (see the
Device Administration chapter of this User Guide).
When MAC address learning is not enabled the
following warning message is displayed: Warning!
Port limit may not work correctly since
learning is disabled on the port.
filter-learn-
disable
(Optional). The filtered MAC addresses are not learned in the MAC
address table.


Page 63

MAC addresses are learned in the MAC address table
vlan <vlan-id>
(Optional). Enables port limit on the specified VLAN the port is a
member of. The VLAN ID number is in the range of <14094>.
forward-unknown
Forwards unknown egress traffic on a port when this port is
secured/limited. This command can be used together with the
port security command to allow egress flooding.
no
Restores to default.
NOTE
Using the no por t l i mi t al l command removes port
limit on a port per all VLANs.
Example
The following example disables learning of the violating MAC address in the MAC address table.
The filtered MAC addresses corresponding to VLAN 20 are not learned on port 1/ 2/ 3.
device-name(config-if 1/2/3)#port limit max-mac-count 15 filter-learn-disable
vlan 20
Displaying the Port Limit Configuration
The show port limit command displays the port limit configuration for all device ports.
Command Syntax
device-name#show port limit [UU/SS/PP] [vlan <vlan-id>]
UU/SS/PP
(Optional). Displays the port limit configuration of a specified port.
vlan <vlan-id>
(Optional). Displays the port limit configuration of a specified VLAN.
Example 1
device-name#show port limit
===========================================================
| por t num | vl an | max- mac- count | cur r ent mac- count
- - - - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - -
1/ 2/ 3 20 15 0
Example 2
device-name#show port limit 1/2/3
VLAN 20:
The por t / vl an i s : l i mi t ed
Li mi t t ype : l ear n as f i l t er ed
Max l i mi t ed addr esses = 15


Page 64

Cur r ent l i mi t ed addr esses = 0


Page 65

Interfaces Management
Overview
The interface management feature allows system administrators to isolate the devices management
traffic from the normal data traffic. This way they can eliminate unauthorized users and malicious
attacks to the device.
Disabling port management disallows:
Telnet to the device
SSH to the device
SNMP management
SNMP traps and informs
Ping to the device
TFTP download or upload
Outgoing Syslog messages
Interfaces Management Commands
Table 22: Interface management Commands
Command Description
port management Limits the device management access only to ports that you
specify in the PORT LIST (see Setting Management Ports)
show port management Displays which ports provide management access (see Displaying
Management Ports)

Setting Management Ports
The port management command limits the device management access only to specified ports.
NOTE
Ensure that your PC is connected to a management enabled port prior to disabling
management on ports.

NOTE
You can also disable management on a VLAN (refer to the Configuring VLANs and
Super VLANs chapter of this User Guide). Management traffic on a VLAN is
allowed on a member port only if management is enabled both on the port and the
VLAN.

By default, management of the device is accessible on all ports.


Page 66

Command Syntax
device-name(config)#port management PORT-LIST
device-name(config)#no port management PORT-LIST
PORT-LIST
Specifies one or more port numbers. Use commas as separators and hyphens
to indicate sub-ranges (for example, 1/2/11/2/8, 1/1/2).
no
Specifies a list of ports prohibited from management access.
Displaying Management Ports
The show port management command displays the ports that provide management access to the
device.
Command Syntax
device-name#show port management
Example
device-name#show port management
Management por t s: 1/ 2/ 1, 1/ 2/ 2


Page 67

Alarm Propagation Feature
Overview
Alarm Propagation is a fault detection feature that identifies faults in network uplinks and
alarms downstream devices. When the uplink interface goes down, the user interfaces are also shut
down and the customer device stops sending traffic over the original route, until the authorized
person becomes aware of the alarm.
The customer device can attempt to forward traffic over another available (alternative) route.
Alarm Propagation Commands
Table 23: Alarm Propagation Commands
Command Description
alarm-status-
inherit source-port
Enables the alarm propagation process on a group of interfaces or a
group of aggregated interfaces (see Enabling Alarm Propagation )
show alarm-inherit Displays the alarm propagation configuration (see Displaying the
Alarm Propagation)
Enabling Alarm Propagation
The alarm-status-inherit source-port command enables the alarm propagation process on a
group of interfaces or a group of aggregated interfaces that will be shut down when the network
uplink goes down.

NOTE
Notes and limitations:
If all alarm-inherit configurations on a port are either a user (downlink) or
uplink, for example a port cannot be uplink in part of the configurations and
user in the rest of them.
An alarm-inheriting (user) port cannot be part of a resilient link nor can port
security with shutdown-violation-action be configured on it.
Command Syntax
device-name(config-if UU/SS/PP)#alarm-status-inherit source-port {PORT-LIST |
PORT-AG-LIST}
device-name(config-if UU/SS/PP)#no alarm-inherit


Page 68

PORT-LIST Specifies one or more port numbers. Use commas as separators and
hyphens to indicate sub-ranges (for example, 1/2/11/2/8, 1/1/2).
PORT-AG-LIST Specifies the list of LAG names (for example AG01, AG04AG06).
The LAG ID is in the range <17>.
no Disables the Alarm Propagation.
Displaying the Alarm Propagation
The show alarm-inherit command displays the alarm propagation configuration.
Command Syntax
device-name#show alarm-inherit
Example
device-name#show alarm-inherit
| ==================================================|
| por t # | pr opagat i ng al ar mf or upl i nk por t s |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 1/ 2/ 1 | 1/ 1/ 2


Page 69

The following example (Figure6) shows how to the set alarm propagation feature:

Figure 6: Alarm Propagation Configuration Example
1. Set user port 1/ 2/ 1 link state to be dependent upon the state of uplink port 1/ 1/ 2 (inherit
alarm on the uplink port):
DeviceC#configure terminal
DeviceC(config)#interface 1/2/1
DeviceC(config-if 1/2/1)#alarm-status-inherit source-port 1/1/2
DeviceC(config-if 1/2/1)#end

DeviceC#show alarm-inherit
| ==================================================|
| por t # | pr opagat i ng al ar mf or upl i nk por t s |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 1/ 2/ 1 | 1/ 1/ 2


Page 70

2. Verify the port states and configuration. Port 1/ 2/ 1 inherits on the state of port 1/ 1/ 2.Initially
the two ports are up:
DeviceC#show interface 1/1/2
Name =
Li nk = up
Def aul t VLAN = 1

Name =
Li nk = up
Def aul t VLAN = 1


Page 71

3. Disconnect port 1/ 1/ 2 forces port link state 1/ 2/ 1 to go also down:
Name =
Li nk = down
Dupl ex speed st at us = unknown
Def aul t VLAN = 1

Name =
Li nk = down
Dupl ex speed st at us = unknown
Def aul t VLAN = 1


Page 72

Supported Platforms
Fast Ethernet and Giga Ethernet Port + +
Link Aggregation Groups (LAGs) + +
Resilience Links + +
Port Security Techniques + +
Alarm Propagation + +
Supported Standards, MIBs, and RFCs
Fast Ethernet
and Giga
Ethernet Port
IEEE 802.3 Ethernet
IEEE 802.3u Fast
Ethernet
IEEE 802.3x Flow
Control
IEEE 802.3z Gigabit
Ethernet
Public MIBs:
RFC 1213, Management
Information Base for
Network Management of
TCP/IP-based
internets:MIB-II
(qwerinterface table and
onfigL2IfaceTable)
RMON MIB
Private MIB, prvt_switch.mib
RFC 2863 The
Interfaces Group
MIB
(configL2IfaceTable
and interface table)
Link Aggregation
Groups (LAGs)
IEEE 802.3ad Private MIB,
prvt_Ports_Aggregation.mib
No RFCs are
supported by this
feature.
Resilience Links No standards are
supported by this
feature.
Private MIB,
prvt_resilient_link.mib
No RFCs are
supported by this
feature.
Port Security
Techniques
No standards are
supported by this
feature.
No MIBs are supported by
this feature.
No RFCs are
supported by this
feature.
Alarm
Propagation
IEEE 802.3 Ethernet
IEEE 802.3u Fast
Ethernet
IEEE 802.3x Flow
Control
IEEE 802.3z Gigabit
Ethernet
Public MIBs:
RFC 1213, Management
Network Management of
TCP/IP-based
internets:MIB-II
(qwerinterface table and
onfigL2IfaceTable)
RMON MIB
Private MIB, prvt_switch.mib
RFC 2863 The
Interfaces Group
MIB
(configL2IfaceTable
and interface table)

Page 1
Configuring VLANs and Super VLANs (Rev. 07)

Configuring VLANs and Super VLANs
Table of Figures 3
Virtual LANs 5
Overview 5
The VLAN Tagging Benefits 5
VLAN Traffic Behavior 6
VLAN Tagging and Ingress Traffic 6
VLAN Tagging and Egress Traffic 7
VLAN Default Configuration 8
VLAN Configuration Flow 9
VLAN Configuration Commands 10
Entering the VLAN Configuration Mode12
Creating a New VLAN12
Entering an Existing VLAN Configuration Mode12
Adding Ports to a VLAN13
Adding Ports to a Default VLAN14
Creating a Range of VLANs 14
Securing Management Access Based on VLAN ID15
Modifying the CPU Port Membership16
Removing the CPU Port16
Deleting a VLAN (by VLAN Name) 17
Deleting a VLAN (by VLAN ID) 17
Deleting a Range of VLANs18
Removing Ports from a VLAN19
Removing Ports from a Default VLAN20
Displaying the VLAN Configuration20
Displaying VLAN Management Information20

Page 2

VLAN Configuration Example21
Management VLAN Configuration Example31
Super VLANs33
Overview33
Super VLAN Types 34
The Super VLAN Default Configuration35
The Super VLAN Configuration Commands35
Defining a Super VLAN35
Configuring the Super VLAN Ring Topology36
Displaying the Super VLAN Configuration36
Super VLAN Configuration Example37
Super VLAN with Aggregated Uplink Configuration Example39
Super VLAN Ring Topology Configuration41

Page 3

Table of Figures
Figure 1: IEEE 802.1Q Frame Tag Structure 6
Figure 2: VLANs in Ingress Traffic 7
Figure 3: VLANs in Egress Traffic 7
Figure 4: VLAN Configuration Flow 9
Figure 5: VLAN Configuration Example21
Figure 6: Management VLAN Configuration Example31
Figure 7: Switching Decisions without the Super VLAN Agent 33
Figure 8: Switching Decisions with the Super VLAN Agent33
Figure 9: Super VLAN Ring Mode Configuration Example34
Figure 10: Super VLAN Configuration37
Figure 11: Super VLAN Configuration with LAG Uplink39
Figure 12: Super VLAN Ring Topology Example41

Page 4

This chapter provides an overall understanding of Virtual Local Area Network (VLAN) concepts,
including different configuration examples.
The chapter contains the following sections:
Virtual LANs
VLANs are used to group users traffic with common requirements, as if they were on the
same LAN although they may be in separate physical locations. The key benefit of
VLANs is its flexibility in allowing any logical LAN to be implemented on any physical
infrastructure.
Super VLANs
The Super VLAN is a mechanism for aggregating VLANs that share the same default
router address and subnet mask, but remain isolated from one another's network traffic.

Page 5

Virtual LANs
Overview
VLAN tagging is a standard designed for grouping hosts with common requirements, allowing
them to communicate as if they were on the same LAN regardless of their physical location. This
allows a logical partition of a physical LAN into different broadcast domains.
This standard also ensures that VLAN traffic is isolated from hosts that are not members of the
VLAN.
This technology is based on tagging Ethernet frames with VLAN IDs, assigning each user to a
specific VLAN. This prohibits Layer 2 mutual access between workgroups with different VLAN
IDs.
The VLAN Tagging Benefits
Implementing VLANs on the network has the following advantages:
Flexibilitywhen a user moves to a different broadcast domain, the system administrator only
has to reconfigure the port the user is connected to.
SecurityVLANs provide a greater degree of security than a traditional LAN since data
packets of one VLAN are not transmitted to a different VLAN.
ScalabilityVLANs are not limited to a single device, spanning over an enterprise
organization or a WAN link.
Service per VLANyou can use separate VLANs for different services and features
corresponding to each VLAN.

Page 6

VLAN Traffic Behavior
VLAN tagging inserts a VLAN ID into the Ethernet frame header, associating each frame with a
specific VLAN. Using this method, the port that interconnects devices can carry traffic for multiple
VLANs over the same physical connection.

Figure 1: I EEE 802.1Q Frame Tag Structure
A port can be a member of one or more VLANs. However, only one of these VLANs can be the
ports default VLAN. Initially all the device ports are members of a VLAN named Default (VLAN
ID 1).
Ports assigned to different VLANs can communicate only through routing (and not on Layer 2).
VLAN Tagging and Ingress Traffic
The VLAN membership and the ports default VLAN affect the incoming (ingress) traffic process
as follows:
When the traffic has a VLAN tagging:
if the port is a member of the VLAN, it processes the traffic
otherwise, the port drops this traffic
If the traffic has no VLAN tagging, the port adds its default VLAN ID to the frames and
processes them accordingly.

Page 7

Figure 2: VLANs in I ngress Traffic
VLAN Tagging and Egress Traffic
In addition to the VLANs a port is assigned to, the system administrator defines whether the port is
a tagged or an untagged member of a specified VLAN. This affects the outgoing (egress) traffic
process:
If the port is an untagged member of a VLAN, it removes the VLAN ID tagging from these
VLANs frames before forwarding them
If the port is a tagged member of a VLAN, it forwards these VLANs frames with their
VLAN ID (without changing the frames)

Figure 3: VLANs in Egress Traffic


Page 8

VLAN Default Configuration
Table 1: VLAN Default Configuration
All ports VLAN VLAN 1
PVID of all ports VLAN 1
VLAN management Enabled

Page 9

VLAN Configuration Flow

Figure 4: VLAN Configuration Flow
Start
Yes
No
End
Remove the CPU port
Modify the CPU
port membership
Enter a specific VLAN
Configuration mode
Add port(s) as tagged or untagged
members
Enter VLAN Configuration mode
Create a VLAN
Yes
No
Secure management access
Remove CPU from VLAN
Modify
Management
VLANs
Yes
No
Add ports to a default VLAN
Configure a
Default VLAN

Page 10

VLAN Configuration Commands
Table 2: VLAN Configuration Commands
Command Description
vlan
Enters the VLAN Configuration mode (see Entering the VLAN
Configuration Mode)
create
Creates a VLAN with a specific name and ID number (see Creating
a New VLAN)
config
Enters a specific VLAN Configuration mode (see Entering an
Existing VLAN Configuration Mode)
add ports
Adds specified ports as either tagged or untagged ports (see Adding
Ports to a Default VLAN)
add ports default
Specifies a default VLAN for a group of ports (see Adding Ports to a
Default VLAN)
create range
Creates a range of VLANs (see Creating a Range of VLANs)

Table 3: VLAN Optional Commands
Command Description
management Limits the device management access to VLANs that you specify by
a list of VLAN ID numbers (see Securing Management Access
Based on VLAN ID)
add cpu-port
Enables the device to receive broadcast and multicast traffic in the
specified VLAN (see Modifying the CPU Port Membership)
remove cpu-port
Protects the device from receiving broadcast and multicast traffic in
the specified VLAN (see Removing the CPU Port)

Table 4: Commands for Removing VLANs
Command Description
delete
Deletes a VLAN, specified by its name (see Deleting a VLAN (by
VLAN Name))
delete id
Deletes a VLAN, specified by its VLAN ID (see Deleting a VLAN (by
VLAN ID))
delete range
Deletes a range of VLANs (see Deleting a Range of VLANs)

Table 5: Commands for Removing Ports from a VLAN
Command Description
remove ports
Removes ports from a VLAN (see Removing Ports from a VLAN)
remove ports default
Removes ports from the default VLAN (see Removing Ports from a
Default VLAN)


Page 11

Table 6: VLAN Display Commands
Command Description
show, show vlan
Displays the static VLAN configuration (see Displaying the VLAN
Configuration)
show vlan
management
Display VLAN management access information (see Displaying
VLAN Management Information)

Page 12

Entering the VLAN Configuration Mode
The vlan command enters the VLAN Configuration mode.
Command Syntax
device-name(config)#vlan
device-name(config vlan)#
Creating a New VLAN
The create command creates a VLAN with the specified name and ID (VLAN tag).
CLI Mode: VLAN Configuration

NOTE
vlan_ and default are reserved names and you cannot use them as VLAN names.
Attempting to do so generates the following message (vlan-id represents the VLAN
ID that the user is attempting to create): % VLAN <vlan-id> system name
Command Syntax
device-name(config vlan)#create NAME <vlan-id>
NAME The VLAN name.
vlan-id The VLAN tag number, in the range <24094>.
Example
Use the following example to create a VLAN named accountingwith tag number 2:
device-name(config vlan)#create accounting 2
Entering an Existing VLAN Configuration Mode
The config command enters the configuration mode for a specific VLAN.
Use this command in a Specific VLAN Configuration mode to switch to a different VLANs
Configuration mode.
CLI Mode: VLAN Configuration and Specific VLAN Configuration


Page 13

Command Syntax
device-name(config vlan)#config NAME1
device-name(config-vlan NAME1)#

device-name(config-vlan NAME1)#config NAME2
device-name(config-vlan NAME2)#
NAME1, NAME2 The names of existing VLANs.
Examples
Access vlan_52 configuration from Global VLAN Configuration mode, as indicated by the
prompt-line:
device-name(config vlan)#config vlan_52
device-name(config-vlan vlan_52)#
Switch from vlan_52 Configuration mode to XYZ Configuration mode, as indicated by the
prompt-line:
device-name(config-vlan vlan_52)#config XYZ
device-name(config-vlan XYZ)#
Adding Ports to a VLAN
The add ports command assigns ports to a VLAN. Ports drop ingress packets tagged with a
different VLAN-tag than the one they belong to.
In egress traffic tagged ports send tagged packets while untagged ports send these packets without a
VLAN tag.
CLI Mode: Specific VLAN Configuration

Command Syntax
device-name(config-vlan VLAN-NAME)#add ports PORT-LIST {tagged | untagged}
PORT-LIST
(Optional) specifies one or more port numbers. Use commas as separators
and hyphens to indicate sub-ranges (for example, 1/2/11/2/8, 1/1/2).

NOTE
Do not leave blank spaces before or after the comma separating
sequential lists.
tagged
(Optional) the specified ports are tagged.
untagged
(Optional) the specified ports are untagged

Page 14

Adding Ports to a Default VLAN
The add ports default command specifies a default VLAN for a group of ports.
Command Syntax
device-name(config-vlan VLAN-NAME)#add ports default PORT-LIST
See the Argument Description table above.
Creating a Range of VLANs
The create range command creates a range of VLANs and automatically assigns VLAN names
that match the tag-numbers.
The VLAN name format is Vlan_dddd, where ddddrepresents the matching VLAN ID. For
example, VLAN ID 123 is named Vlan_123.

Command Syntax
device-name(config vlan)#create range <vlan-id1> <vlan-id2> [PORT-LIST tagged
[PORT-LIST untagged]] [remove cpu-port]
device-name(config vlan)#create range <vlan-id1> <vlan-id2> [PORT-LIST untagged
[PORT-LIST tagged]] [remove cpu-port]
vlan-id1 The first VLAN ID, in the range of <24094>
vlan-id2 The last VLAN ID, in the range of <24094>
PORT-LIST (Optional) one or more port numbers, specified by the following options:
UU/SS/PPa single port specified by unit, slot, and port number
UUall ports on the specified unit
UU/SSall ports on the specified slot that
A hyphenated range of ports
(for example: 1/2/11/2/8 or 1/11/2)
Several port numbers and/or ranges, separated by commas (for
example: 1/1/1, 1/1/2, 1/2/11/2/8).
NOTE
sequential lists.
tagged (Optional) the specified ports are tagged
untagged (Optional) the specified ports are untagged

Page 15

remove cpu-
port
(Optional) prevents the device from receiving broadcast and multicast traffic
in the specified VLAN (see the remove cpu-port command)
Example
Use the following example to create a sequence of VLANs and then to display the results:
device-name(config vlan)#create range 15 21 1/1/1-1/1/2 untagged 1/2/2 tagged
device-name(config vlan)#show
==================================================================
Name | VTag| Rout I f | Tagged por t s | Unt agged por t s
- - - - - - - - - - - - - - - - - +- - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - -
def aul t | 1 | sw0 | | 1/ 1/ 1- 1/ 2/ 8
Vl an_15 | 15 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_16 | 16 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_17 | 17 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_18 | 18 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_19 | 19 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_20 | 20 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_21 | 21 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Securing Management Access Based on VLAN ID
The management command limits the device management access only to VLANs that you specify
by a list of VLAN ID numbers. You may include VLANs that have not been created yet.
The management VLAN isolates the devices management IP address from data traffic, preventing
unauthorized access and malicious attacks.
When using this feature, you can manage the device though a PCconnected to a port assigned to
a management VLANvia Telnet or SNMP.
When management VLAN is disabled, you are not allowed to perform the following tasks:
SSH to the device
SNMP management
Ping the device
TFTP download or upload
Receive outgoing Syslog messages
You cannot delete the management VLAN 1.
By default, management of the device is accessible on all VLANs.
NOTE
You can also disable management on a port by the por t management command in
Global Configuration mode (refer to the Configuring Interfaces chapter of this User
Guide).
Management traffic on a VLAN is allowed on a port that is a member of that VLAN
only if management is enabled both on the port and on the VLAN.


Page 16

Command Syntax
device-name(config vlan)#management VLAN-LIST
device-name(config vlan)#no management VLAN-LIST
VLAN-LIST A list of VLAN IDs in the below format:
A hyphenated range of VLANs (for example: 832)
Several VLAN numbers and/or ranges, separated by commas (for example:
2,4,832)
no The list of VLANs with no management access.
Modifying the CPU Port Membership
The add cpu-port command enables the device to receive broadcast and multicast traffic in the
specified VLAN.
By default, the CPU port is a member of all VLANs.
Command Syntax
device-name(config-vlan VLAN-NAME)#add cpu-port
Removing the CPU Port
The remove cpu-port command protects the device's CPU from receiving broadcast and
multicast traffic on the specified VLAN.

NOTE
The device performs switching even if its CPU is not a member of the VLAN.
Enabling this feature does not block unicast traffic to the CPU.

Command Syntax
device-name(config-vlan VLAN-NAME)#remove cpu-port

Page 17

Deleting a VLAN (by VLAN Name)
The delete command deletes an existing VLAN by its VLAN name.

NOTE
The VLAN named default (VLAN ID 1) is part of the default configuration and you
cannot delete it.

Command Syntax
device-name(config vlan)#delete NAME
NAME The name of an existing VLAN
Example
The following example deletes the VLAN named accounting:
device-name(config vlan)#delete accounting
Deleting a VLAN (by VLAN ID)
The delete id command deletes an existing VLAN by its VLAN ID.
Command Syntax
device-name(config vlan)#delete id <vlan-id>
vlan-id An existing VLAN ID
Example
This following example deletes the VLAN with ID 10:
device-name(config vlan)#delete id 10

Page 18

Deleting a Range of VLANs
The delete range command deletes a range of VLANs.
Command Syntax
device-name(config vlan)#delete range <vlan-id1> <vlan-id2>
vlan-id1 The first VLAN ID in the range (must be smaller than vlan-id2).
The valid range is <24094>.
vlan-id2 The last VLAN ID (must be greater than vlan-id1).
Example
===================================================================
- - - - - - - - - - - - - - - - - +- - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - -
def aul t | 1 | sw0 | | 1/ 1/ 1- 1/ 2/ 8
Vl an_15 | 15 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_16 | 16 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_17 | 17 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_18 | 18 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_19 | 19 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_20 | 20 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_21 | 21 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2

device-name(config vlan)#delete range 15 19
===================================================================
- - - - - - - - - - - - - - - - - +- - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - -
def aul t | 1 | sw0 | | 1/ 1/ 1- 1/ 2/ 8
Vl an_20 | 20 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2
Vl an_21 | 21 | | 1/ 2/ 2 | 1/ 1/ 1, 1/ 1/ 2

Page 19

Removing Ports from a VLAN
The remove ports command removes the specified port(s).
Command Syntax
device-name(config-vlan VLAN-NAME)#remove ports PORT-LIST
PORT-
LIST
(Optional) one or more port numbers assigned to the VLANs, specified by the
following options:
UUall ports on the specified unit
UU/SSall ports on the specified slot that
(for example: 1/2/11/2/8 or 1/11/2)
Several port numbers and/or ranges, separated by commas (for example: 1/1/1,
1/1/2, 1/2/11/2/8).
NOTE
sequential lists.
Example
The example shows how to remove ports from the VLAN named xxx. The result displayed by the
show command that can be applied in any Specific or Global VLAN Configuration mode:
device-name(config-vlan xxx)#remove ports 1/2/2-1/2/4
device-name(config-vlan xxx)#show
==================================================================
- - - - - - - - - - - - - +- - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - -
def aul t | 1 | sw0 | | 1/ 1/ 1- 1/ 2/ 8
xxx | 9 | | 1/ 1/ 1, 1/ 2/ 1, | 1/ 2/ 1, 1/ 2/ 5
| | | 1/ 2/ 5- 1/ 2/ 7 |

Page 20

Removing Ports from a Default VLAN
The remove ports default command removes ports from the default VLAN.
Command Syntax
device-name(config-vlan VLAN-NAME)#remove ports default PORT-LIST
See the argument table above.
Displaying the VLAN Configuration
The commands below display VLAN configuration information:
show command
CLI Mode: VLAN Configuration and Specific VLAN Configuration
show vlan command
Command Syntax
device-name#show vlan
device-name(config-vlan VLAN-NAME)#show
Displaying VLAN Management Information
The show vlan management command displays VLAN management access information.
Command Syntax
device-name#show vlan management
Example
The following example shows that by default, management is accessible on all VLANs.
Management VLANs: 1- 4094

Page 21

VLAN Configuration Example
The figure below represents an example of a simple VLAN configuration.

Figure 5: VLAN Configuration Example
1. Create VLAN user_100 with VLAN ID 100:
device-name(config vlan)#create user_100 100
2. Remove port 1/1/1 from Default VLAN, add port 1/1/1 as untagged (connected to a user) to
VLAN user_100 and add VLAN user_100 as PVID to port 1/1/1. Add port 1/2/1 as
tagged (connected to Device 4):
device-name(config vlan)#config default
device-name(config-vlan default)#remove ports 1/1/1
device-name(config-vlan default)#exit
device-name(config vlan)#config user_100
device-name(config-vlan user_100)#add ports 1/1/1 untagged
device-name(config-vlan user_100)#add ports default 1/1/1
device-name(config-vlan user_100)#add ports 1/2/1 tagged
device-name(config-vlan user_100)#exit

Page 22

VLAN user_101, and add VLAN user_101 as PVID to port 1/1/2. Add port 1/2/1 as
5. Create the VLAN user_102 with VLAN ID 102:
7. Display the configured VLANs:
device-name(config-vlan user_102)#show
==================================================================
- - - - - - - - - - - - - - - +- - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - -
def aul t | 1 | sw0 | | 1/ 1/ 1- 1/ 2/ 8
user _100 | 100 | | 1/ 2/ 1 | 1/ 1/ 1
user _101 | 101 | | 1/ 2/ 1 | 1/ 1/ 2
user _102 | 102 | | 1/ 2/ 1 | 1/ 2/ 3

device-name(config-vlan user_102)#end
. . .
! Por t conf i gur at i on:
!
def aul t vl an 100
!
def aul t vl an 101
!

Page 23

def aul t vl an 102
!
. . .

! VLAN conf i gur at i on:
!
vl an
cr eat e user _100 100
conf i g user _100
add por t s 1/ 2/ 1 t agged
add por t s 1/ 1/ 1 unt agged
!
vl an
conf i g user _101
!
vl an
conf i g user _102
!
. . .
2. Remove port 1/1/1 from Default VLAN, add port 1/1/1 as untagged (connected to a user)
to VLAN user_200, and add VLAN user_200 as PVID to port 1/1/1. Add port 1/2/1 as

Page 24

4. Remove port 1/1/2 from Default VLAN add port 1/1/2 as untagged (connected to a user) to
tagged (connected to Device 4)
=================================================================
- - - - - - - - - - - - - - - +- - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - -
def aul t | 1 | sw0 | | 1/ 1/ 1- 1/ 2/ 8
user _200 | 200 | | 1/ 2/ 1 | 1/ 1/ 1
user _201 | 201 | | 1/ 2/ 1 | 1/ 1/ 2
user _202 | 202 | | 1/ 2/ 1 | 1/ 2/ 3

. . .
!
def aul t vl an 200
!
def aul t vl an 201
!
def aul t vl an 202
!

Page 25

. . .

!
vl an
conf i g user _200
!
vl an
conf i g user _201
!
vl an
conf i g user _202
!
. . .

Page 26

tagged (connected to Device 4)
==================================================================
- - - - - - - - - - - - - - - +- - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - -
def aul t | 1 | sw0 | | 1/ 1/ 1- 1/ 2/ 8
user _300 | 300 | | 1/ 2/ 1 | 1/ 1/ 1
user _301 | 301 | | 1/ 2/ 1 | 1/ 1/ 2
user _302 | 302 | | 1/ 2/ 1 | 1/ 2/ 3

. . .
!
def aul t vl an 300
!
def aul t vl an 301
!
def aul t vl an 302
!

Page 27

. . .

!
vl an
conf i g user _300
!
vl an
conf i g user _301
!
vl an
conf i g user _302
!
. . .
2. Add ports 1/1/1, 1/2/1 as tagged (1/1/1 is connected to the users on Device 1 and 1/2/1 is
connected to the router) to VLAN user_100:
device-name(config-vlan user_100)#add ports 1/1/1,1/2/1 tagged
4. Add ports 1/1/1, 1/2/1 as tagged (1/1/1 is connected to the users on Device 1 and 1/2/1
is connected to the router) to VLAN user_101:

Page 28

6. Add ports 1/1/1, 1/2/1 as tagged (1/1/1 is connected to the users on Device 1 and 1/2/1
is connected to the router) to VLAN user_102:

Page 29

==================================================================
- - - - - - - - - - - - +- - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - -
def aul t | 1 | sw0 | | 1/ 1/ 1- 1/ 2/ 8
user _100 | 100 | | 1/ 1/ 1, 1/ 2/ 1 |
user _101 | 101 | | 1/ 1/ 1, 1/ 2/ 1 |
user _102 | 102 | | 1/ 1/ 1, 1/ 2/ 1 |
user _200 | 200 | | 1/ 1/ 2, 1/ 2/ 1 |
user _201 | 201 | | 1/ 1/ 2, 1/ 2/ 1 |
user _202 | 202 | | 1/ 1/ 2, 1/ 2/ 1 |
user _300 | 300 | | 1/ 2/ 3, 1/ 2/ 1 |
user _301 | 301 | | 1/ 2/ 3, 1/ 2/ 1 |
user _302 | 302 | | 1/ 2/ 3, 1/ 2/ 1 |

device-name#show running-config vlan
. . .
!
vl an
conf i g user _100
add por t s 1/ 1/ 1, 1/ 2/ 1 t agged
!
vl an
conf i g user _101
add por t s 1/ 1/ 1, 1/ 2/ 1 t agged
!
vl an
conf i g user _102
add por t s 1/ 1/ 1, 1/ 2/ 1 t agged
!
vl an
conf i g user _200
add por t s 1/ 1/ 2, 1/ 2/ 1 t agged
!
vl an

Page 30

conf i g user _201
add por t s 1/ 1/ 2, 1/ 2/ 1 t agged
!
vl an
conf i g user _202
add por t s 1/ 1/ 2, 1/ 2/ 1 t agged
!
vl an
conf i g user _300
add por t s 1/ 2/ 3, 1/ 2/ 1 t agged
!
vl an
conf i g user _301
add por t s 1/ 2/ 3, 1/ 2/ 1 t agged
!
vl an
conf i g user _302
add por t s 1/ 2/ 3, 1/ 2/ 1 t agged
! . . .

Page 31

Management VLAN Configuration Example
This is an example for the management VLAN configuration. The device can be managed only by
VLAN 2. VLANs 100, 101 and 102 are created but the device cannot be managed from the
workstations, only from the management station.

Figure 6: Management VLAN Configuration Example
1. Enter VLAN Configuration mode:
2. Remove management from VLANs 1, 34094 (only ports configured with VLAN ID 2 can
be use to manage the device):
device-name(config vlan)#no management 1,3-4094
3. Create the VLAN manage with VLAN ID 2:
device-name(config vlan)#create manage 2
4. Add port 1/1/2 as untagged to VLAN manage and add VLAN manage as PVID to port
1/1/2:
device-name(config vlan)#config manage
device-name(config-vlan manage)#add ports 1/1/2 untagged
device-name(config-vlan manage)#add ports default 1/1/2
device-name(config-vlan manage)#exit
5. Create the VLAN v100 with VLAN ID 100:
device-name(config vlan)#create v100 100

Page 32

6. Add port 1/2/3 as untagged to VLAN v100 and add VLAN v100 as PVID to port 1/2/3.
Add port 1/2/7 as tagged to VLAN v100:
device-name(config vlan)#config v100
device-name(config-vlan v100)#add ports 1/2/3 untagged
device-name(config-vlan v100)#add ports default 1/2/3
device-name(config-vlan v100)#add ports 1/2/7 tagged
device-name(config-vlan v100)#exit
8. Add port 1/2/4 as untagged to VLAN v101 and set VLAN v101 as PVID. Add port 1/2/7
as tagged to VLAN v101:
10. Add port 1/2/5 as untagged to VLAN v102 and set VLAN v102 as PVID. Add port 1/2/7 as
tagged to VLAN v102:
11. Remove ports 1/1/21/2/5 from VLAN default:
device-name(config-vlan default)#remove ports 1/1/2-1/2/5
device-name(config-vlan default)#end
12. Display the management VLANs:
Management VLANs: 2
13. Display the VLAN configuration:
device-name#show vlan
===================================================================
- - - - - - - - - - - +- - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - -
def aul t | 1 | sw0 | | 1/ 1/ 1, 1/ 2/ 6- 1/ 2/ 8
manage | 2 | | | 1/ 1/ 2
v100 | 100 | | 1/ 2/ 7 | 1/ 2/ 3
v101 | 101 | | 1/ 2/ 7 | 1/ 2/ 4
v102 | 102 | | 1/ 2/ 7 | 1/ 2/ 5

Page 33

Super VLANs
Overview
Super VLAN is a mechanism used to separate users which reside in the same VLAN into multiple
virtual broadcast domains.
With Super VLAN, systems administrators can use the same IPv4 subnet and default gateway IP
address for users residing in the same switched infrastructure. This helps in decreasing IPv4 address
consumption and the need for dedicated IP subnet for each VLAN.
VLANs that are members of a Super VLAN are called sub-VLANs. Each sub-VLAN is a
broadcast domain isolated at Layer 2. When users in different sub-VLANs need to communicate
with each other, they use the IP address of the virtual interface of the Super VLAN as the IP
address of the gateway. The virtual interface IP address is shared by multiple VLANs. This
minimizes the number of required IP addresses.
In case a sub VLAN needs to communicate with a sub VLAN in a different sub VLAN at Layer 3,
or in case a sub-VLAN communicates with other networks, you need to enable ARP proxy (for
more information, refer to the DeviceAdministrationchapter of this User Guide).
The below example illustrates the traffic flow in case Super VLAN is not configured: traffic
entering the user device port is not restricted to the uplink port; therefore, all the broadcast,
unknown, and multicast packets are spread over the entire device VLANs.

Figure 7: Switching Decisions without the Super VLAN Agent
As oppose to the above, the below example illustrates the traffic flow in case Super VLAN is
configured: once switching decisions are done, the Super VLAN agent overrules these decisions
and directs the traffic to the Super VLAN uplink port.

Figure 8: Switching Decisions with the Super VLAN Agent

Page 34

Super VLAN Types
There are two types of Super VLAN:
Super VLAN layer 2Suitable for a Layer-2 switching environment, where the sub-VLANs
and Super VLAN share the same IP subnet mask. The Super VLAN provides enhanced
security between the customers, by disallowing communication between the sub-VLANs,
whether or not they are located in the same LAN.
Super VLAN ringtopologySuitable for ring topology networks using the Multiple Spanning
Tree Protocol (MSTP). In these cases traffic can flow either clockwise or counterclockwise.
Both ports connected to the ring are referred to as uplink ports, while the rest of the ports are
referred to as user ports. In this case the Super VLAN uplink has to be one of the two ports
that are connected to the rest of the ring.
Use this topology when the Super VLAN port has to be the root port of the bridge. In
this topology, the Super VLAN uplink-port is selected dynamically by the bridge between
the two uplink ports. If a topology change occurs, the Super VLAN uplink changes
automatically and the new Root port is selected as a Super VLAN uplink port.
In the figure below, one of the clients connected to device D sends broadcast traffic. The
traffic travels counterclockwise only, since the Super VLAN active uplink-port is the root
port. If the link between device B and A is disconnected, a topology change occurs and
Device D selects a new Super VLAN uplink-port. As a result traffic flows clockwise only.
Dynamic Super VLAN takes affect on all the bridges, except for the root bridge since it
does not have a root port (only designated ports).

Figure 9: Super VLAN Ring Mode Configuration Example

Page 35

The Super VLAN Default Configuration
Table 7: Super VLAN Default Configuration
Super VLAN Disabled
Residential user Disabled
Super VLAN ring mode Disabled
The Super VLAN Configuration Commands
Table 8: Super VLAN Commands
Command Description
super-vlan
Configures Super VLAN (see Defining a Super VLAN)
super-vlan ring-topology
Configures Super VLAN for networks with a ring topology
(see Configuring the Super VLAN Ring Topology)
show super-vlan
Displays the Super VLAN configuration (see Displaying
the Super VLAN Configuration)
Defining a Super VLAN
The super-vlan command configures Super VLAN on a physical port or a group of ports.
CLI Mode: Interface Configuration, Range Interface Configuration, LAG Range Interface
Configuration, and LAG Interface Configuration
Command Syntax
device-name(config-if UU1/SS1/PP1)#super-vlan {UU2/SS2/PP2 | ag0N}
device-name(config-if UU1/SS1/PP1)#no super-vlan

device-name(config-if-group)#super-vlan {UU2/SS2/PP2 | ag0N}
device-name(config-if-group)#no super-vlan

device-name(config-ag-group)#super-vlan {UU2/SS2/PP2 | ag0N}
device-name(config-ag-group)#no super-vlan

device-name(config-if AG0N)#super-vlan {UU2/SS2/PP2 | ag0N}
device-name(config-if AG0N)#no super-vlan
UU2/SS2/PP2 The Unit, slot, and port number of the uplink port.
ag0N The LAG interface name, where N represents the LAG ID number in the range of
<0107>.
For detailed information, refer to the Configuring Interfaces chapter of this User
Guide.

Page 36

no
Removes the Super VLAN from the port.
Configuring the Super VLAN Ring Topology
The super-vlan ring-topology command configures Super VLAN for networks with a ring
topology.

NOTE
You can enable the Super VLAN for a ring topology only if the MSTP (Multiple
Spanning Tree Protocol) is enabled.
By default, the Super VLAN ring topology is disabled.

CLI Mode:: Interface Configuration
Command Syntax
device-name(config-if UU/SS/PP)#super-vlan ring-topology UU1/SS1/PP1
UU2/SS2/PP2 [vlan <vlan-id>]
device-name(config-if UU/SS/PP)#no super-vlan
UU1/SS1/PP1 The first ring-port of the Super VLAN.
UU2/SS2/PP2 The second ring-port of the Super VLAN.
vlan <vlan-id> (Optional) an existing VLAN ID in the range <24094>. When you
specify this argument, only the corresponding MSTP instance root
decision is taken. If you do not use this argument, the MSTP instance
zero root decision is taken.
no
Removes Super VLAN from the configured user port.
Displaying the Super VLAN Configuration
The show super-vlan command displays the Super VLAN configuration.
Command Syntax
device-name#show super-vlan
Example
===========================================================
User I nt er f ace | Super VLAN Type | Upl i nk
- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - -
1/ 1/ 1 | r egul ar | 1/ 2/ 2
1/ 2/ 2 | r egul ar | 1/ 2/ 4

Page 37

Super VLAN Configuration Example
In the figure below three users are connected to one uplink port. The users can connect only to this
uplink port.

Figure 10: Super VLAN Configuration
1. Enable Super VLAN on port 1/1/1 with the uplink 1/2/1:
device-name(config-if 1/1/1)#super-vlan 1/2/1

Page 38

4. Display the port 1/1/1 configuration:
device-name#show interface 1/1/1
Name =
Li nk = down
Def aul t VLAN = 1
Super VLAN Por t = 1/ 2/ 1
5. Display the Super VLAN configuration:
==================================================
- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - -
1/ 1/ 1 | r egul ar | 1/ 2/ 1
1/ 1/ 2 | r egul ar | 1/ 2/ 1
1/ 2/ 3 | r egul ar | 1/ 2/ 1

Page 39

Super VLAN with Aggregated Uplink Configuration Example
In the following example, two users are connected to one uplink LAG (Link Aggregation Group)
port.

Figure 11: Super VLAN Configuration with LAG Uplink
Configure static link aggregation on ports 1/1/1 and 1/1/2:
device-name(config-if 1/1/1)#link-aggregation static id 1

Page 40

1. Configure static link aggregation on ports 1/2/1 and 1/2/2:
2. Enable Super VLAN on ports 1/1/1 and 1/1/2 with uplink ag07:
device-name(config-if 1/1/1)#super-vlan ag07
device-name(config-if 1/1/2)#super-vlan ag07
=====================================================================
- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1/ 1/ 1 | r egul ar | AG07
1/ 1/ 2 | r egul ar | AG07

Page 41

Super VLAN Ring Topology Configuration
The figure below shows a ring topology with an entry point. Devices 2, 3 and 4 are configured with
Super VLAN in ring mode and MSTP is enabled. Device 1 is the MSTP Root and port 1/2/8 of
Device 4 is blocked.
For more information regarding the MSTP, refer to the ConfiguringMultipleSpanningTreeProtocol
(MSTP) chapter of this User Guide.

Figure 12: Super VLAN Ring Topology Example
Configuring Device 1
1. Configure Device 1 as MSTP Root and the bridge priority 0 for MST instance 0:
Device1(cfg protocol)#mstp 0 priority 0
Device1(cfg protocol)#exit
2. Configure the ring ports as Super VLAN ports:
Device1(config-if 1/2/6)#super-vlan ring-topology 1/1/1 1/1/2

Page 42

Device1#show super-vlan
=====================================================================
- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1/ 2/ 6 | r i ng- t opol ogy | 1/ 1/ 1 ( act i ve) , 1/ 1/ 2
1. Enable MSTP and MSTP fast ring:
Device2(cfg protocol)#mstp enable
Device2(cfg protocol)#mstp fast-ring enable
2. Configure the ring ports as Super VLAN ports:
=====================================================================
- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device3(cfg protocol)#mstp fast-ring ring-ports 1/1/1 1/1/2
2. Configure Super VLAN on the user port 1/2/2:
=====================================================================
- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1/ 2/ 2 | r i ng- t opol ogy | 1/ 1/ 1, 1/ 1/ 2 ( act i ve)

Page 43

2. Configure Super VLAN on the user port 1/2/2:
3. Display port 1/2/2 configuration:
Device4#show interface 1/2/2
Super VLAN Por t s = 1/ 2/ 7 ( act i ve) , 1/ 2/ 8

=====================================================================
- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5. Display the MSTP Configuration:
Device4#show mstp
SpanI gmpFast Recover y = enabl ed

Fast Ri ng = enabl ed
01/ 01/ 21 128 Root f r wr d 200000 0 04096. 00A012170100 128. 002

01/ 01/ 22 128 Al t er nat e bl ock 200000 0 32768. 00A012171600 128. 001
01/ 01/ 24 128 Desi gnat ed f r wr d 200000 0 32768. 00A012010102 128. 024

Page 44

Supported Platforms
Virtual LANs + +
Super VLANs + +
Virtual LANs IEEE 802.1Q-1998
IEEE 802.1Q-2003
IEEE 802.1P
IEEE 802.1u-2001
IEEE 802.1Q No RFCs are
supported by this
feature.
Super VLANs No standards are
supported by this feature.
No MIBs are
supported by this
feature.
RFC 3069, VLAN
Aggregation for
Efficient IP Address
Allocation

Page 1
Configuring Transparent LAN Services (TLS) (Rev. 10)

Configuring Transparent LAN Services (TLS)
Table of Figures 3
TLS Overview 4
802.1Q Tunneling 4
Layer-2 Protocol Tunneling (L2PT) 5
The TLS Default Configuration 6
TLS Configuration Flow 7
The TLS Configuration Commands 8
Configuring a TLS Service10
Configuring TLS Service Distribution Paths (SDP)10
Configuring TLS Service Access Point (SAP)12
Configuring TLS13
Configuring the TLS EtherType Value13
Selecting a TLS Core (Uplink) Port13
Selecting a TLS Access (User) Port14
Securing the Management Device Access based on C-VLAN15
Configuring the Layer-2 Protocol Tunneling15
TLS Tunnel Profile Configuration Mode16
Configuring Layer-2 Protocol PDUs16
Defining Tunnel MAC Addresses for Predefined Protocols17
Defining Tunnel MAC Addresses for User-Defined Protocols19
Tunneling of Layer-2 Protocol PDUs for SDP20
Tunneling of Layer-2 Protocol PDUs for SAP21
Displaying the TLS Configuration22
Displaying the L2PT Encapsulation Information22
Displaying the L2PT Configuration Information23
Displaying Layer-2 Protocol Tunneling Statistics24
Displaying TLS Profile Names25
Displaying TLS Services 26
TLS Configuration Examples27

Page 2

Example 127
Example 228
Supported Standards, MIBs, and RFCs30

Page 3

Table of Figures
Figure 1: 802.1Q Tunneling Configuration 4
Figure 2: TLS Configuration Flow 7
Figure 3: TLS Interface Example27
Figure 4: TLS Tunneling Example28

Page 4

Overview
Deploying the Transparent LAN Services(TLS) requires network operators to transport a large
number of customers virtual LANs (VLANs) while keeping traffic secured in each VLAN. This
mechanism establishes Layer-2 tunnels inside the service provider network where traffic from
different customers is segregated and where it is marked with an appropriate tunnel name.
802.1Q Tunneling
802.1Q tunneling allows the deployment of secure TLS, using IEEE 802.1Q standard tags. The
main advantage of 802.1Q tunneling is that it enables service providers to use a separate VLAN
(service VLAN, S-VLAN) to support the customers who have multiple VLANs, while preserving
the customer VLAN IDs and keeping traffic in the different customers VLANs (C-VLAN)
segregated.
802.1Q tunneling expands the VLAN space by adding an additional 802.1Q tag (the tunnel ID) to
all previously-tagged packets when they enter the service provider infrastructure, as illustrated in
below figure.

Figure 1: 802.1Q Tunneling Configuration
The new frame contains the original C-VLAN tag and the new S-VLAN tag.
A port that is configured to support 802.1Q tunneling is called a tunnel port. When you configure
tunneling, you assign a tunnel port to a VLAN that you dedicate to tunneling. To keep the
customer traffic segregated, each customer requires a separate VLAN, but that one VLAN
supports all of the customers VLANs.


Page 5

Three types of ports are defined in the network devices deployed by the service provider:
Residential porta port that is connected to a user and does not participate in the TLS. Packets
that are transmitted through this port have no added tag
Access(SAP) portsa port that is connected to a user. Packets that are transmitted through this
port have no added tag (see ConfiguringTLS ServiceAccessPoint (SAP))
Core(SDP) porta port that is connected to the service providers network. All packets that are
transmitted through this port are either control packets or packets with an additional tag. If the
packets arrive from an access (user) port the additional tag header will be added. If the packets
arrive from a residential port the additional tag header will not be added (see ConfiguringTLS
ServiceDistributionPaths(SDP))
When a access port (SAP) receives tagged customer traffic from an 802.1Q-port on the customer
device, it does not strip the received 802.1Q tag from the frame header; instead, the access port
(SAP) leaves the 802.1Q tag intact, adds a 2-byte EtherType field (0x8100) followed by a 2-byte
field containing the priority (CoS) and the VLAN (see ConfiguringtheTLS EtherTypeValue).
An egress core port (SDP) strips the 2-byte EtherType field (0x8100) and the 2-byte length field
and transmits the traffic with the 802.1Q tag still intact to the customer device. The 802.1Q-port on
the customer device strips the 802.1Q tag and puts the traffic into the appropriate customer
VLAN.
Layer-2 Protocol Tunneling (L2PT)
Layer-2 protocol tunneling allows IEEE Layer-2 protocol data units (PDUs) to be tunneled
through a network. The L2PT is based on PDUs software encapsulating in the ingress service
provide edge devices. All devices inside the service provider network treat these encapsulated
frames as regular data packets and forward them out appropriately. The egress service provides
edge devices that listen for these special encapsulated frames and decapsulates them before
forwarding them out of the tunnel.
The encapsulation involves rewriting the destination media access control (MAC) address in the
PDU. An ingress service provides edge devices that rewrite the destination multicast MAC address
of the PDUs received with a predefined multicast tunnel MAC addresses that ensure transparent
L2CP traffic flow (see DefiningTunnel MAC Addressesfor PredefinedProtocolsand DefiningTunnel MAC
Addressesfor User-DefinedProtocols).

Page 6

The TLS Default Configuration
Table 1: TLS Default Configuration
Transparent LAN Services (TLS) Disabled
TLS port Residential port
EtherType 0x8100
IEEE control packets tunneling Disabled


Page 7

TLS Configuration Flow

Figure 2: TLS Configuration Flow
Start
End
Enable/disable
the Layer 2
Protocol
Tunneling
Yes
No
Create TLS service
Configure the
TLS tunnel
profile
Yes
No
Configure
Custom MAC
Address for
Tunneled
Packets
Yes
No
Set the TLS
EtherType
value
Yes
Create SDP
Create SAP
Specify the TLS
EtherType value
Define Tunnel MAC
Addresses for
Predefined Protocols
Configure the TLS
tunnel profile
Enable
Tunneling of
IEEE Control
Packets
Yes
Define Tunnel MAC
Addresses for User-
Defined Protocols
No

Page 8

The TLS Configuration Commands
Table 2: TLS Services Configuration Commands
Command Description
tls
Creates a specific TLS service instance (see Configuring
a TLS Service)
sdp
Configures a service distribution point (SDP) for the
specified TLS instance (see Configuring TLS Service
Distribution Paths (SDP))
sap
Configures a service access point (SAP) for the specified
TLS instance (see Configuring TLS Service Access Point
(SAP))

Table 3: TLS Services Optional Commands
Command Description
tls
Enables/disables the TLS (see Configuring TLS)
tls ethertype
Assigns an EtherType value (see Configuring the TLS
EtherType Value)
tls uplink
Configures a physical interface or group of interfaces as a
TLS core (uplink) port/groups (see Selecting a TLS Core
(Uplink) Port)
tls user
Configures a physical interface or group of interfaces as a
TLS access (user) port/groups (see Selecting a TLS
Access (User) Port )
management c-vlan
Limits the device management access only to a specified
C-VLAN
(see Securing the Management Device Access based on
C-VLAN)
The following table lists the command for configuring L2PT. The whole L2PT configuration is
optional.
NOTE
For the t l s t unnel ed- i eee- pdu command to take effect, first enable TLS
tunneling globally by the t l s t unnel ed- i eee- pdu enabl e command.
Table 4: L2PT Configuration Command
Command Description
tls tunneled-ieee-pdu
enable/disable
Enables/disables the Layer-2 protocol tunneling (see
Configuring the Layer-2 Protocol Tunneling)
tls tunnel-profile
Enables a configuration of a specific TLS tunnel profile
(see TLS Tunnel Profile Configuration Mode)
tls tunnel/discard
Specifies one of the allowed Layer-2 protocol PDUs to be
tunneled/discarded (see Configuring Layer-2 Protocol
PDUs)

Page 9

Command Description
HH:HH:HH:HH:HH:HH
Defines a multicast tunnel MAC address that rewrites the
original multicast destination MAC address (see Defining
Tunnel MAC Addresses for Predefined Protocols )
tls tunneled-ieee-pdu add
Defines a multicast tunnel MAC address that rewrites the
original multicast destination MAC address (Defining
Tunnel MAC Addresses for User-Defined Protocols)
(in SDP Service Configuration)
Enables tunneling of IEEE control packets for SDP (see
Tunneling of Layer-2 Protocol PDUs for SDP)
(in SAP Service Configuration)
Enables tunneling of IEEE control packets for SAP (see
Tunneling of Layer-2 Protocol PDUs for SAP)

Table 5: TLS Display Commands
Command Description
show tls
Displays the global TLS configuration (see Displaying the
TLS Configuration)
show tls tunneled-ieee-pdu
Displays the L2PT encapsulation information (see
Displaying the L2PT Encapsulation Information)
service
Displays the L2PT configuration information (see
Displaying the L2PT Configuration Information)
statistics
Displays Layer-2 protocol tunneling statistics (see
Displaying Layer-2 Protocol Tunneling Statistics)
show tls tunnel-profile
Displays the specified custom profile name (see
Displaying TLS Profile Names)
show tls-services
Displays information about all currently configured TLS
services (see Displaying TLS Services)

Page 10

Configuring a TLS Service
The tls command creates a specific TLS service instance.
Command Syntax
device-name(config)#tls SERVICE-NAME [<service ID>]
device-name(config)#no tls SERVICE-NAME
device-name(config)#no tls id <service ID>
SERVICE-NAME
A unique alpha-numeric string service name. When defining the service
via SNMP, it generates dynamically
service ID
(Optional) the unique service identifier, in the range <14294967295>
no
Removes the defined TLS instance
Example
device-name(config)#tls serv 5
device-name(config-tls serv)
Configuring TLS Service Distribution Paths (SDP)
The sdp command configures a service distribution point (SDP) for the specified TLS instance.
CLI Mode: TLS Service Configuration

NOTE
Create the SDP VLAN and add ports as tagged to this VLAN before creating the
SDP, see Example 1.
Command Syntax
device-name(config-tls SERVICE-NAME)#sdp {UU/SS/PP | ag0N} s-vlan <SVLAN-ID>
[primary | secondary]
device-name(config-tls SERVICE-NAME)#sdp {UU/SS/PP | ag0N} s-vlan <SVLAN-ID>
[option]
device-name(config-tls-sdp UU/SS/PP:SVLAN-ID:)#
device-name(config-tls-sdp AG0N:SVLAN-ID:)#
device-name(config-tls SERVICE-NAME)#no sdp {UU/SS/PP | ag0N}

Page 11

UU/SS/PP
The SDP port. The SDP port has to be a tagged member of the S-
VLAN
ag0N
The SDP aggregation port. N in the range <17>
s-vlan <SVLAN-ID>
The SDP Service VLAN ID, in the range of <14094>
primary
(Optional) SDP EPS primary
secondary
(Optional) SDP EPS secondary
option
(Optional) changes the mode to SDP Service Configuration mode (see
Example 2)
no
Removes the defined SDP
For detailed information about EPS, refer to the ITU-T G.8031 Ethernet ProtectionSwitching(EPS)
section of Operations, AdministrationandMaintenance(OAM) chapter.
Examples
1. Create the SDP VLAN and add ports as tagged to this VLAN before creating the SDP:
device-name(config vlan)#exit
device-name(config)#tls tunneled-ieee-pdu enable
device-name(config-tls serv)#sdp 1/2/1 s-vlan 5
device-name(config-tls serv)#
2. Enter SDP Service Configuration mode:
device-name(config-tls serv)#sdp 1/2/1 s-vlan 5 option
device-name(config-tls-sdp 1/2/1:5:)#

Page 12

Configuring TLS Service Access Point (SAP)
The sap command configures a service access point (SAP) for the specified TLS instance.

Command Syntax
device-name(config-tls SERVICE-NAME)#sap UU/SS/PP {c-vlans <CVLAN-ID> | c-
vlans VLAN-LIST | c-vlan-wildcard 0xffff 0xffff | c-vlan-wildcard all}
[option | untagged]

device-name(config-tls SERVICE-NAME)#no sap UU/SS/PP {c-vlans <CVLAN-ID> | c-
vlans VLAN-LIST | c-vlan-wildcard 0xffff 0xffff | c-vlan-wildcard all}
[untagged]
UU/SS/PP
The SAP port. The SAP port has to be an untagged member of the S-
VLAN. Default VLAN for SAP port is the S-VLAN
CVLAN-ID
The SAP Customer VLAN ID, in the range of <14094>
VLAN-LIST
The SAP Customer VLAN ID list (for example 24,8) defining the
number of SAPs
c-vlan-wildcard
0xffff 0xffff
A group of Customer VLANs, identified by matching mask
c-vlan-wildcard
all
Tunnels the tagged traffic only
option
(Optional) changes the mode to SAP Service Configuration mode (see
Example 2)
untagged
(Optional) tunnels untagged traffic only
no
Removes the defined SAP
Examples
1. Configure SAP:
device-name(config-tls serv)#sap 1/1/1 c-vlan-wildcard all
device-name(config-tls serv)#sap 1/2/2 c-vlans 4,7-9
device-name(config-tls serv)#sap 1/2/3 c-vlans 5 untagged
2. Enter SAP Service Configuration mode:
device-name(config-tls serv)#sap 1/2/2 c-vlans 4 option
device-name(config-tls-sap 1/2/2:4:)#

Page 13

Configuring TLS
The tls command enables/ disables the TLS.
Command Syntax
device-name(config)#tls {enable | disable}
enable
Enables TLS
disable
Disables TLS
Configuring the TLS EtherType Value
The tls ethertype command configures the EtherType value.
By default, the EtherType value is 0x8100.
Command Syntax
device-name(config)#tls ethertype <number>
number
Hexadecimal VLAN EtherType value (for example 0x9000)
Selecting a TLS Core (Uplink) Port
The tls uplink command configures a physical interface or group of interfaces as a TLS core
(uplink) port/ groups.
CLI Mode:
Interface Configuration, LAG Interface Configuration, Range Interface
Configuration, and LAG Range Interface Configuration
The TLS core port is configured at the Provider-network side of the provider-edge (PE) switch.

NOTE
For the t l s upl i nk command to take effect, first enable TLS by using the t l s
enabl e command.


Page 14

NOTE
For TLS to be successfully enabled on an uplink, which is a port aggregation (LAG),
the t l s upl i nk command should be executed in Interface LAG Configuration
mode. Enabling TLS on a single port of the LAG will have no effect on the
aggregation.
By default, all ports are residential.
Command Syntax
device-name(config-if UU/SS/PP)#[no] tls uplink
device-name(config-if AG0N)#[no] tls uplink
device-name(config-if-group)#[no] tls uplink
device-name(config-ag-group)#[no] tls uplink
no
Configures the selected port or link aggregation to a residential port/group of ports
Selecting a TLS Access (User) Port
The tls user command configures a physical interface or group of interfaces as a TLS access
(user) port/ groups.
CLI Mode:
Interface Configuration, LAG Interface Configuration, Range Interface
The TLS access port is configured at the Provider-network side of the Customer Edge (CE) switch.
NOTE
For the t l s user command to take effect, first enable TLS by using the t l s
enabl e command.
By default, all the ports are set as residential ports.
Command Syntax
device-name(config-if UU/SS/PP)#[no] tls user
device-name(config-if AG0N)#[no] tls user
device-name(config-if-group)#[no] tls user
device-name(config-ag-group)#[no] tls user
no
Configures the selected port or link aggregation to a residential port/group of ports

Page 15

Securing the Management Device Access based on
C-VLAN
The management c-vlan command limits the device management access only through specified C-
VLANs.
TLS service-enabled devices are located at the edge of two domains and thus at the administrative
edge of two business entities. A remote business entity manages these devices remotely through a
service-encapsulated traffic (the traffic that is encapsulated with TLS service tag).
The management service-encapsulated traffic is tunneled through a dedicated management C-
VLAN in order to separate it from the data service-encapsulated traffic.
Configuring a management C-VLAN is mandatory, in order to manage these devices through the
TLS Service.
If the management C-VLAN is disabled, the following are not allowed:
SSH to the device
SNMP management

NOTE
Only one management C-VLAN per TLS service is supported.
The management C-VLAN must not match C-VLANs that are used in SAP definitions.
By default, no management C-VLAN is configured on a TLS service.
Command Syntax
device-name(config-tls SERVICE-NAME)#management c-vlan <CVLAN-ID>
CVLAN-ID
The C-VLAN ID, in the range of <14094>(CVLAN-ID)
Configuring the Layer-2 Protocol Tunneling
The tls tunneled-ieee-pdu enable/disable command enables or disables the Layer-2
protocol tunneling.
By default, the Layer-2 protocol tunneling is disabled.
Command Syntax
device-name(config)#tls tunneled-ieee-pdu {enable | disable}

Page 16

enable
Enables the Layer-2 protocol tunneling
disable
Disables the Layer-2 protocol tunneling
TLS Tunnel Profile Configuration Mode
The tls tunnel-profile command enters the configuration mode for a specific TLS tunnel
profile.
CLI Mode: Global Configuration and TLS Tunnel Profile Configuration

NOTE
Use this command in a Specific TLS Tunnel Profile Configuration mode to switch to
the Configuration mode of another TLS tunnel profile; see Example.

Command Syntax
device-name(config)#tls tunnel-profile TLS-PROFILE-NAME
device-name(tls-profile TLS-PROFILE-NAME)#

device-name(tls-profile TLS-PROFILE-NAME)#tls tunnel-profile TLS-PROFILE-
NAME1
device-name(tls-profile TLS-PROFILE-NAME1)#
TLS-PROFILE-NAME
The TLS profile name
Example
device-name(config)#tls tunnel-profile system
device-name(tls-profile system)#tls tunnel-profile p5
device-name(tls-profile p5)#tls tunnel stp
Configuring Layer-2 Protocol PDUs
The tls tunnel/discard command specifies one of the allowed Layer-2 protocol PDUs to be
tunneled or discarded.
CLI Mode: TLS Tunnel Profile Configuration
Command Syntax
device-name(tls-profile PROFILE-NAME)#tls {tunnel | discard} {all-brs | other
| dot1x | efm-oam | e-lmi | garp | lacp | lldp | pvst | pb-stp | stp}

Page 17

tunnel
Specifies one of the allowed Layer-2 Protocol PDUs to be tunneled
discard
Specifies one of the allowed Layer-2 Protocol PDUs to be discarded
all-brs
Specifies that the PDUs intended for the MAC address that is reserved
for the exclusive use by the All Bridges are tunneled
other
Specifies that the PDUs intended for the MAC addresses from the bridge
block but are not PDUs of any of the specified protocols are tunneled
dot1x
IEEE 802.1x standard
efm-oam
Ethernet in the First Mile-Operations, Administration and Maintenance
standard
e-lmi
Enhanced Local Management Interface
garp
Generic Attribute Registration Protocol
lacp
Link Aggregation Protocol
lldp
Link Layer Discovery Protocol
pvst
Per-VLAN Spanning Tree (PVST) maintains a spanning tree instance for
each VLAN configured in the network. Since PVST treats each VLAN as
a separate network, it has the ability to load balance traffic (at layer-2) by
forwarding some VLANs on one link and other VLANs on another link
without causing a spanning tree loop.
pb-stp Provider Bridge Spanning Tree Protocol
stp
Defining Tunnel MAC Addresses for Predefined
Protocols
The tls tunneled-ieee-pdu HH:HH:HH:HH:HH:HH command defines a multicast tunnel MAC
address that rewrites the original multicast destination MAC address in the encapsulated Layer-2
PDUs.
The Layer-2 PDU is transported across the provider network transparently to the other end of the
tunnel and the original multicast destination MAC address is restored when the packet is
transmitted.
Command Syntax
device-name(config)#tls tunneled-ieee-pdu {all-brs | other | dot1x | efm-oam |
e-lmi | garp | lacp | lldp | pvst | pb-stp | stp} HH:HH:HH:HH:HH:HH

Page 18

all-brs
Specifies that PDUs intended for the MAC address that is reserved for
the exclusive use by the All Bridges are tunneled
other
Specifies that PDUs intended for the MAC addresses from the bridge
block but are not PDUs of any of the specified protocols are tunneled
dot1x
IEEE 802.1x standard
efm-oam
Ethernet in the First Mile-Operations, Administration and Maintenance
standard
e-lmi
Enhanced Local Management Interface
garp
Generic Attribute Registration Protocol
lacp
Link Aggregation Protocol
lldp
Link Layer Discovery Protocol
pvst
Per-VLAN Spanning Tree (PVST) maintains a spanning tree instance
for each VLAN configured in the network. Since PVST treats each
VLAN as a separate network, it has the ability to load balance traffic
(at layer-2) by forwarding some VLANs on one link and other VLANs
on another link without causing a spanning tree loop.
pb-stp Provider Bridge Spanning Tree Protocol
stp
HH:HH:HH:HH:HH:HH
Multicast tunnel MAC address, in hexadecimal format
Refer to Table 6 for default multicast tunnel MAC addresses
NOTE
If you do not specify a MAC address, the default
replacement MAC address for each of the specified
protocols is used.
Table 6: Default Multicast Tunnel MAC Addresses
Protocol MAC Address
xSTP 01-A0-12-FF-FF-00
LACP/LAMP 01-A0-12-FF-FF-02
Link OAM (802.3ah) 01-A0-12-FF-FF-02
Port Authentication (802.1x) 01-A0-12-FF-FF-03
E-LMI 01-A0-12-FF-FF-07
LLDP (802.1AB) 01-A0-12-FF-FF-0E
Bridge block of protocols 01-A0-12-FF-FF-0X
NOTE
X denotes a random digit from 0 to F. When it
is found in the original MAC, is preserved in
the replacement MAC.
All Bridges 01-A0-12-FF-FF-10

Page 19

Protocol MAC Address
GARP Block of protocols 01-A0-12-FF-FF-2X
NOTE
X denotes a random digit from 0 to F. When it
is found in the original MAC, is preserved in
the replacement MAC.
Provider bridge STP 01-A0-12-FF-FF-08
PVST 01-A0-12-CC-CC-CD
When you configure the destination MAC address for encapsulated PDUs, you must leave the last
byte of the MAC address for protocols Bridgeblock of protocolsand GARP Block of protocolsas default
values:
00for Bridge block of protocols
20for GARP Block of protocols
Defining Tunnel MAC Addresses for User-Defined
Protocols
The tls tunneled-ieee-pdu add command defines a multicast tunnel MAC address that
rewrites the original multicast destination MAC address in the encapsulated PDU for user-defined
Layer-2 protocols.
Command Syntax
device-name(config)#tls tunneled-ieee-pdu add L2TUN-PROTOCOL-NAME
ORIGINAL_HH:HH:HH:HH:HH:HH [TUNNEL_HH:HH:HH:HH:HH:HH] [ETHERTYPE]
device-name(config)#no tls tunneled-ieee-pdu L2TUN-PROTOCOL-NAME
L2TUN-PROTOCOL-NAME
A text string of <116>characters
ORIGINAL_HH:HH:HH:HH:HH:HH
Original multicast destination MAC address of the specified
protocol
TUNNEL_HH:HH:HH:HH:HH:HH
(Optional) multicast tunnel MAC address used for the
replacement
ETHERTYPE
(Optional) indicates which protocol is encapsulated in the
payload of the Ethernet frame
no
Restores the original multicast destination MAC address

Page 20

Tunneling of Layer-2 Protocol PDUs for SDP
The tls tunneled-ieee-pdu command enables tunneling of Layer-2 protocol PDUs for SDP.
CLI Mode: SDP Service Configuration
By default, TLS tunneling is disabled. When TLS tunneling is enabled on a TLS service, the default
policy is Discard-all.
Command Syntax
device-name(config-tls-sdp UU/SS/PP:SVLAN-ID:)#tls tunneled-ieee-pdu [discard-
all | tunnel-all | tunnel-bpdu | TLS-PROFILE-NAME]
device-name(config-tls-sdp UU/SS/PP:SVLAN-ID:)#no tls tunneled-ieee-pdu

device-name(config-tls-sdp AG0N:SVLAN-ID:)#tls tunneled-ieee-pdu [discard-all
| tunnel-all | tunnel-bpdu | TLS-PROFILE-NAME]
device-name(config-tls-sdp AG0N:SVLAN-ID:)#no tls tunneled-ieee-pdu
discard-all (Optional) specifies a policy of discarding only Layer-2 protocol PDUs
tunnel-all (Optional) specifies a policy of tunneling only Layer-2 protocol PDUs
tunnel-bpdu (Optional) specifies a policy of tunneling only xSTP packets. When the
tunneling of xSTP protocols is enabled, it allows tunneling BPDUs
between the TLS access (user) ports over the TLS core (uplink) ports.
The tunneling is done for packets with Multicast DA of 01-80-c2-00-00-
00 (STP).
TLS-PROFILE-NAME
(Optional) specifies the custom profile name used to define the tunneling
policy on the specified SDP
no Disables tunneling of IEEE Control packets
Example
device-name(config-tls-sdp 1/1/1:4:)#tls tunneled-ieee-pdu tunnel-bpdu

Page 21

Tunneling of Layer-2 Protocol PDUs for SAP
The tls tunneled-ieee-pdu command enables tunneling of Layer-2 protocol PDUs for SAP.
CLI Mode: SAP Service Configuration

NOTE
In SAP Service Configuration mode also exist:
the appl y- qos- ser vi ce- pol i cy command. For more information, refer to the
Applying the Service Policy on a SAP section of the Configuring Quality of
Service (QoS) chapter.
the mac access- gr oup and i p access- gr oup commands. For more
information, refer to the Configuring Access Control Lists (ACLs) chapter.
the event - pr opagat i on pr of i l e command. For more information, refer to
the Applying a Profile to a SAP or a Port section of the Operations,
Administration & Maintenance (OAM) chapter.
By default, TLS tunneling is disabled. When TLS tunneling is enabled on a TLS service, the default
policy is Discard-all.
Command Syntax
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#tls tunneled-ieee-pdu [discard-
all | tunnel-all | tunnel-bpdu | TLS-PROFILE-NAME]
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#no tls tunneled-ieee-pdu
discard-all (Optional) specifies a policy of discarding only Layer-2 protocol PDUs
tunnel-all (Optional) specifies a policy of tunneling only Layer-2 protocol PDUs
tunnel-bpdu (Optional) specifies a policy of tunneling only xSTP packets. When the
tunneling of xSTP protocols is enabled, it allows tunneling the BPDUs
between the TLS access (user) ports over the TLS core (uplink) ports.
The tunneling is done for packets with Multicast DA of 01-80-c2-00-00-
00 (STP).
TLS-PROFILE-NAME
(Optional) specifies the custom profile name used to define the
tunneling policy on the specified SAP
no
Disables tunneling of IEEE Control packets
Example
device-name(config-tls-sap 1/1/1:5:)#tls tunneled-ieee-pdu tunnel-all

Page 22

Displaying the TLS Configuration
The show tls command displays the TLS configuration.
The TLS configuration includes:
The TLS status
The TLS EtherType
The TLS core (uplink) ports
The TLS access (user) ports
Command Syntax
device-name#show tls
Example
TLS i s enabl ed
TLS Et her Type 0x8100
==============================+
| I nt er f ace | Mode |
- - - - - - - - - - - - - +- - - - - - - - - - - - - - - - +
| 1/ 2/ 1 | User |
| 1/ 3/ 1 | Upl i nk |
| AG01 | Resi dent i al |
Displaying the L2PT Encapsulation Information
The show tls tunneled-ieee-pdu command displays the L2PT encapsulation information.
Command Syntax
device-name#show tls tunneled-ieee-pdu

Page 23

Example
device-name#show tls tunneled-ieee-pdu
+- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - - +
| Pr ot ocol | Pr ot ocol MAC | Encapsul at i on MAC | Et her Type |
+- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - - +
| st p | 01: 80: c2: 00: 00: 00 | 01: a0: 12: f f : f f : 00 | N/ A |
| l acp | 01: 80: c2: 00: 00: 02 | 01: a0: 12: f f : f f : 02 | 0x8809 |
| ef m- oam | 01: 80: c2: 00: 00: 02 | 01: a0: 12: f f : f f : 02 | 0x8809 |
| dot 1x | 01: 80: c2: 00: 00: 03 | 01: a0: 12: f f : f f : 03 | N/ A |
| e- l mi | 01: 80: c2: 00: 00: 07 | 01: a0: 12: f f : f f : 07 | N/ A |
| l l dp | 01: 80: c2: 00: 00: 0e | 01: a0: 12: f f : f f : 0e | N/ A |
| ot her | 01: 80: c2: 00: 00: 0X | 01: a0: 12: f f : f f : 0X | N/ A |
| al l - br s | 01: 80: c2: 00: 00: 10 | 01: a0: 12: f f : f f : 10 | N/ A |
| gar p | 01: 80: c2: 00: 00: 2X | 01: a0: 12: f f : f f : 2X | N/ A |
| pb- st p | 01: 80: c2: 00: 00: 08 | 01: a0: 12: f f : f f : 08 | N/ A |
| pvst | 01: 00: 0c: cc: cc: cd | 01: a0: 12: cc: cc: cd | N/ A |
| pr ot ocol _name | 01: 80: c2: 00: 00: 02 | 01: a0: 12: f f : f f : 02 | 0x9530 |
+- - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - - +
Displaying the L2PT Configuration Information
The show tls tunneled-ieee-pdu service command displays the L2PT configuration
information.
Command Syntax
device-name#show tls tunneled-ieee-pdu service <service ID> {sap SAPSTRING |
sdp SDPSTRING}
service ID
The unique service identifier, in the range of <14294967295>
sap SAPSTRING
The SAPSTRING has the form UU/SS/PP:CVLANID:
sdp SDPSTRING
UU/SS/PP:SVLANID:use it if you configured the SDP on a port
aggregation
The S-VLAN ID is in the range of <14094>

Page 24

Example
device-name(config-tls-sdp 1/2/1:5:)#end
device-name#show tls tunneled-ieee-pdu service 5 sdp 1/2/1:5:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Vi I d | Pr of i l e Appl i ed |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| 1/ 2/ 1: 5: | t unnel - bpdu |
Displaying Layer-2 Protocol Tunneling Statistics
The show tls tunneled-ieee-pdu statistics command displays Layer-2 protocol tunneling
statistics.
Command Syntax
device-name#show tls tunneled-ieee-pdu statistics
Example
device-name#show tls tunneled-ieee-pdu statistics
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| SVC_I D| SAP/ SDP_STRI NG| PROTO_NAME| ACTI ON| RX| TX|
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| 7268| 1/ 1/ 2: 5| st p| t unnel | 0| 0|
| 7268| 1/ 1/ 2: 5| l acp| di scar d| 0| 0|
| 7268| 1/ 1/ 2: 5| ef m- oam| di scar d| 0| 0|
| 7268| 1/ 1/ 2: 5| dot 1x| di scar d| 0| 0|
| 7268| 1/ 1/ 2: 5| e- l mi | di scar d| 0| 0|
| 7268| 1/ 1/ 2: 5| l l dp| di scar d| 0| 0|
| 7268| 1/ 1/ 2: 5| ot her | di scar d| 0| 0|
| 7268| 1/ 1/ 2: 5| al l - br s| di scar d| 0| 0|
| 7268| 1/ 1/ 2: 5| gar p| di scar d| 0| 0|
| 7268| 1/ 1/ 2: 5| pb- st p| di scar d| 0| 0|
| 7268| 1/ 1/ 2: 5| pvst | di scar d| 0| 0|
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

Page 25

Displaying TLS Profile Names
The show tls tunnel-profile command displays the TLS profile names used to define the
tunneling policy.
Command Syntax
device-name#show tls tunnel-profile [TLS-PROFILE-NAME]
TLS-PROFILE-NAME
(Optional) displays the specified custom profile name used to define
the tunneling policy on a specified port
Example
device-name#show tls tunnel-profile
Pr of i l eName: my_t unnel
+- - - - - - - - - - - - - - - - - +- - - - - - - - - - - +
| Pr ot ocol | Act i on |
+- - - - - - - - - - - - - - - - - +- - - - - - - - - - - +
| st p | t unnel |
| l acp | t unnel |
| ef m- oam | di scar d |
| dot 1x | di scar d |
| e- l mi | di scar d |
| l l dp | di scar d |
| ot her | di scar d |
| al l - br s | t unnel |
| gar p | di scar d |
| pb- st p | di scar d |
| pvst | di scar d |
+- - - - - - - - - - - - - - - - - +- - - - - - - - - - - +

Pr of i l eName: l acp_t unnel
+- - - - - - - - - - - - - - - - - +- - - - - - - - - - - +
| Pr ot ocol | Act i on |
+- - - - - - - - - - - - - - - - - +- - - - - - - - - - - +
| st p | di scar d |
| l acp | t unnel |
| ef m- oam | di scar d |
| dot 1x | di scar d |
| e- l mi | di scar d |
| l l dp | di scar d |
| ot her | di scar d |
| al l - br s | di scar d |
| gar p | di scar d |
| pb- st p | di scar d |

Page 26

| pvst | di scar d |
+- - - - - - - - - - - - - - - - - +- - - - - - - - - - - +
Displaying TLS Services
The show tls-services command displays information about all currently configured TLS
services.
CLI Mode:
Privileged (Enable), and TLS Service Configuration
Command Syntax
device-name#show tls-services
device-name(config-tls SERVICE-NAME)#show tls-services
Example
+- - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +- - - - - - +- - - - - +- - - - - +
| I dx | Ser vi ce Name | S- VLAN| Encap| St at e|
+- - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +- - - - - - +- - - - - +- - - - - +
| 00007615 | t est | 0002 | Qi nQ | Up |

Page 27

TLS Configuration Examples
Example 1
The following figure shows an example of an interface TLS configuration.

Figure 3: TLS I nterface Example
1. Enable TLS:
device-name(config)#tls enable
2. Configure the TLS core (uplink) port on port 1/ 2/ 1:
device-name(config-if 1/2/1)#tls uplink
3. Configure the TLS access (user) port on port 1/ 2/ 8:
device-name(config-if 1/2/8)#tls user
4. Add the TLS core (uplink) port as a tagged member to VLAN 10. Also add access (user) port
as an untagged member to that VLAN.
device-name(config-vlan v10)#end

Page 28

5. Display the TLS configuration:
TLS i s enabl ed
TLS Et her Type 0x8100

+===========+================+
| I nt er f ace | Mode |
+- - - - - - - - - - - +- - - - - - - - - - - - - - - - +
| 1/ 2/ 1 | upl i nk |
| 1/ 2/ 8 | user |

Example 2
Figure4 shows an example of a TLS tunneling configuration.

Figure 4: TLS Tunneling Example
1. Create the VLAN vl5 with ID 5 and add to it the 1/ 2/ 1 port (SDP port) as tagged and 1/ 2/ 2
port (SAP port) as untagged:
2. Define a new TLS service and enable TLS tunneling:
3. Define SDP:
device-name(config-tls-sdp 1/2/1:5:)#exit

Page 29

4. Add wildcard VLAN for SAP:
device-name(config-tls serv)#sap 1/2/2 c-vlans 6
device-name(config-tls-sap 1/2/2:6:)#tls tunneled-ieee-pdu tunnel-bpdu
device-name(config-tls-sap 1/2/2:6:)#end
5. Display TLS services:
+- - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +- - - - - - +- - - - - +- - - - - +
| I dx | Ser vi ce Name | S- VLAN| Encap| St at e|
+- - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +- - - - - - +- - - - - +- - - - - +
| 00000005 | ser v | 0005 | Qi nQ | Up |
6. Display TLS tunneling:
device-name#show tls tunneled-ieee-pdu service 5 sdp 1/2/1:5:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| 1/ 2/ 1: 5: | t unnel - bpdu |

device-name#show tls tunneled-ieee-pdu service 5 sap 1/2/2:6:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| 1/ 2/ 2: 6: | t unnel - bpdu |

Page 30

Supported Platforms
Feature T-Marc 340 T-Marc 380
Transparent LAN Services (TLS) + +
Feature Standards MIBs RFCs
Transparent LAN
Services (TLS)
No standards are
supported by this
feature.
Private MIBs:
prvt_serv.mib
prvt_L2tunneling.mib
No RFCs are
supported by this
feature.

Page 1
Configuring Spanning Tree Protocol (STP) (Rev. 06)

Configuring Spanning Tree Protocol (STP)
Table of Figures 3
Overview 4
Architecture 4
The Election Algorithm 4
Selecting a Root Bridge 4
Selecting a Designated Bridge per Network Segment 4
Selecting the Root and Alternate Ports 5
Line Error Detection 5
Bridge Protocol Data Units (BPDUs) 5
The STP Path Cost 6
The STP Port States 6
Topology Changes Detection 8
Broadcasting an Event to the Network 9
The STP Timers 9
Message Age 10
The STP Diameter11
Calculating the STP Timers11
STP Address Management12
STP Loop Guard12
Internet Group Multicast Protocol (IGMP) Fast Recovery 13
STP Default Configuration 15
STP Configuration Flow16
STP Configuration Commands17
Enabling/Disabling STP19
Enabling/Disabling STP per Port19
Defining the STP Bridge Priority 20
Defining the STP Priority per Port 20

Page 2

Defining the Hello-Time21
Defining the Maximum Aging Timer 21
Defining the Forward-Delay Timer 22
Defining the Port Path Cost 22
Enabling/Disabling STP Topology Change Detection 23
Enabling/Disabling Line Error Detection 23
Enabling/Disabling Line Flapping Detection 24
Setting the BPDU Guard 24
Enabling/Disabling the Loop Guard per Port25
Enabling/Disabling Root Restriction25
Configuring the BPDUs MAC Address 26
Restoring STP Port Parameters to Defaults26
Configuring IGMP Fast Recovery 26
Displaying the STP Configuration 27
Displaying the Ports STP Configuration28
Displaying the STP Topology for a Specific Port 32
Enabling STP Debug Information33
Displaying the STP Debug Status 33
STP Configuration Example34


Page 3

Table of Figures
Figure 1: The Spanning Tree Port States 7
Figure 2: Topology Change 8
Figure 3: Topology Change with TC Message 9
Figure 4: BPDU Age Parameter 10
Figure 5: Calculating the Diameter 11
Figure 6: Spanning Tree IGMP Configuration13
Figure 7: Spanning Tree IGMP Fast Recovery Configuration 14
Figure 8: STP Configuration Flow16
Figure 9: Spanning Tree Configuration Example34

T-Marc 300 Series Series User Guide
Page 4

Overview
Spanning Tree Protocol (STP, IEEE 802.1d) is a Layer 2 protocol that provides path redundancy,
ensuring a loop-free topology for bridged LANs.
Using this protocol, a network can include redundant links that provide automatic backup paths in
case of an active link failure. It controls the links, leaving only a single active path between any two
network nodes.
Architecture
The STP algorithm calculates each path cost throughout all the devices within the networks
spanning tree, remaining the paths with the lower cost as active paths and blocking others. It
activates the blocked paths in case the active link fails or if the path cost changes.
The Election Algorithm
Selecting a Root Bridge
In order to elect the active paths within a network, STP first determines a Rootbridge. The Root is
the device towards which all other devices calculate the path cost. The protocol then selects the
path with the lowest cost between each device to the Root as the active path, while blocking all
other redundant paths.
Each bridge within the spanning tree has a unique ID that is made up of the bridges user-defined
priority and MAC address. The protocol selects the bridge with the lowest ID as the Root.
System administrators can alter the bridge ID by configuring the bridge priority, thus control the
probability of a bridge becoming a Root.
Selecting a Designated Bridge per Network Segment
After selecting the Root bridge, STP selects a Designatedbridge per network segment. This is the
closest bridge to the Root, forwarding packets from that segment towards the root bridge.
Each segment has only one Designated bridge. The Designated bridge has one Designated port
that forwards packets from the Root bridge to this segment.

Page 5

Selecting the Root and Alternate Ports
The last election step is selecting a Root port (per bridge) that sends data towards the Root bridge.
In order to avoid loops, all other ports that provide redundant paths to the Root bridge are set as
Alternate ports. These ports do not forward traffic unless the Root port goes down.
Each bridge has only one Root port, as a single path toward the Root bridge.
Line Error Detection
The protocol allows interchanging the roles of the Root port and an Alternate port when the CRC
errors on the line reach a critical level. In this case the Root ports path cost automatically changes
into a higher value, triggering the interchange of the Root and Alternate port statuses.
For detailed information regarding the port role assignments, refer to the RSTP Port Rolessection
from ConfiguringRapidSpanningTreeProtocol (RSTP) chapter.
Bridge Protocol Data Units (BPDUs)
Bridges exchange the above information using Bridge Protocol Data Units (BPDUs) that include
the following information:
the Root bridge ID
the designated bridge ID
the path costthe distance between the Root to the device
the designated port ID
The protocol uses three BPDU types:
Configuration BPDUs, used for the election algorithm
Topology Change Notification (TCN) BPDUs, announcing network topology changes
Topology Change Notification Acknowledgment BPDUs, sent when a device receives a TCN,
forwarding the TCN on its Root port.

Page 6

The STP Path Cost
Each bridge port has an assigned path cost, a user-definable parameter that determines the ports
preference to be included in the active spanning tree topology. During BPDU exchange, STP sums
up the path costs along all Designated ports (Designatedpathcost). This value then serves as the
bridges distance from the Root.
The lower the cost, the closer the device is to the Root. If two devices have identical path costs,
STP selects the path based on port priority and bridge IDs as a tiebreaker.
The STP Port States
STP uses five port states controlling the BDPU traffic.
To ensure a loop-free network during topology changes inactive ports:
cannot start forwarding prior to the new topology-information propagating through the
switched LAN
have to allow framesthat were forwarded using the old topologyto expire
Table 1: STP States
STP State Description
Blocking The port does not forward frames. It moves to this state after the initialization
phase, when a different device/port was elected as Root.
If there is only one device in the network, no exchange occurs, the forward-
delay timer expires, and the ports move to Listening state.
A port in blocking state:
discards frames
discards frames switched from another port for forwarding
does not learn MAC addresses
receives BPDUs
A Blocking port can enter Listening or Disabled states.
Listening This is the first state a Blocking port transitions to when STP determines that
the port should participate in frame forwarding. The device processes
BPDUs and waits for possible new information that might cause it to return to
the Blocking state.
A port in Listening state performs the same steps as Blocking state.
From this state the port can enter Learning or Disabled states.

Page 7

STP State Description
Learning This is the second state the port enters when preparing to participate in
frame-forwarding.
The port does not yet forward frames. However it learns source addresses
from received frames, adding them to the filtering database.
A port in Learning state:
discards frames
discards frames switched from another port for forwarding
learns MAC addresses
receives BPDUs
From this state the port can enter Forwarding or Disabled states.
Forwarding The port forwards frames. The device processes BPDUs and waits for
possible new information that might cause it to return to Blocking state to
prevent a loop.
A port in Forwarding state:
receives and forwards frames
forwards frames switched from other ports
learns MAC addresses
receives BPDUs
From this state the port can enter Disabled state.
Disabled A port in this state does not participate in frame forwarding and spanning
tree.
The port performs the same steps as Blocking state, except it does not
receive BPDUs.
The following figure illustrates how a port moves through the above states.

Figure 1: The Spanning Tree Port States

Page 8

Topology Changes Detection
When a bridge detects a topology change in the network (such as a link failure or the link changing
to Forwarding state), it sends this event to the entire bridged network.
The process is done in two stages:
1. The bridge notifies the STP Root.
2. The Root broadcasts the information to the whole network.
Upon a topology change the address tables of all devices are flushed and new paths are learned.
The below figure illustrates the networks reaction to a topology change. The initial data path
between Computer 1 and Computer 2 is via Device ADevice BDevice C.

Figure 2: Topology Change
After a topology change the new data path becomes Device ADevice DDevice C.
During the topology-change period, devices C and D are not aware of the topology change. During
this period frames sent from Computer 1 are forwarded to Device B and there is no connection
between the Computer 1 and Computer 2 until the address table ages out.
To avoid connection loss caused by a topology change, STP implements a mechanism called
Topology Change Notification (TCN). This mechanism flushes the devices MAC addresses upon a
topology change.

Page 9

Broadcasting an Event to the Network
When the Root is aware of a topology change, it sends out configuration BPDUs with the
Topology Change (TC) flag set. As a result, all bridges become aware of the topology change and
reduce the MaxAge timer to the forward-delay timer (see below TheSTP Timers).
Bridges receive topology-change BPDUs on both forwarding and blocking ports.

Figure 3: Topology Change with TC Message
The STP Timers
The following table describes the timers affecting the STP performance.
Table 2: STP Timers
Variable Description
Hello timer The interval between two consecutive BPDUs a device sends to other
devices.
Forward-delay timer The time a port is in Listening and Learning states before the port begins
forwarding.
Maximum-age timer
(MaxAge)
The time the device stores protocol information received on a port.
Message Age How far a device is from the Root when it receives a BDPU


Page 10

Message Age
The message age value of all BPDUs the Root sends are zero. Each subsequent device increments
the message age value by one, as illustrated in the below figure:

Figure 4: BPDU Age Parameter
After receiving a new BPDU equal to or greater than the recorded information on the port, all
BPDU information is stored, and the age timer begins to run, starting at the message age. If this age
timer reaches MaxAgebefore receiving another BPDU, the information ages out for that port.
For example, in the above figure:
Device B and C receive a BPDU from Device A with message age value zero. On the port
going to Device A, it takes MaxAgeseconds before the information ages out.
Device D and E receive a BPDU from Device B with message age value one. On the port
going to Device A, it takes MaxAge-1seconds before the information ages out.
Device F receives a BPDU from Device E with message age value two. On the port going to
Device E, it takes MaxAge-2 seconds before the information ages out.

Page 11

The STP Diameter
The STP timers settings are based on the STP diameter, the maximum number of bridges between
any two end points on the network. IEEE 802.1D specification recommends a maximum network
diameter of 7 hops. (Therefore the maximum STP ring size is 14 devices: a distance of seven hops
from the root to the last bridge in the ring.)
The below figure illustrates a network built up of a diameter of five (path A-C-B-E-D). It contains
three access devices (C, D, and E) attached to two distribution devices (A and B) and a Layer 3
boundary between the distribution devices and the core. The bridged domain stops at the
distribution devices.
The maximum STP diameter of five is between:
C-A-D-B-E
D-A-C-B-E

Figure 5: Calculating the Diameter

Calculating the STP Timers
To calculate the STP timers use the following formulas:
Max_age = 4 x hello +2 x dia - 2

Forward_delay = (4 x hello + 3 x dia) / 2
Based on the above formulas, lowering the hello-timer value decreases the other STP parameters.
However, it doubles the amount of BPDUs sent/received by each bridge, causing additional load
on the CPU.

Page 12

STP Address Management
IEEE 802.1D specifies 17 multicast MAC addresses, with a valid range from 0x0180C2000000 to
0x0180C2000010, to use by different bridge protocols. These addresses are static addresses that
cannot be removed.
Regardless of the STP state, the device receives but does not forward packets destined for addresses
between 0x0180c2000000 and 0x0180C200000F.
If STP is enabled, the CPU of the device receives packets destined for 0x0180C2000000 and
0x0180C2000010. If STP is disabled, the device forwards those packets as unknown multicast
addresses.
STP Loop Guard
STP relies on continuous reception or transmission of BPDUs based on port roles.
However, there are cases where an STP loop is created when a Blocking port in a redundant
topology transitions to Forwarding state by mistake. This happens when one of the ports of a
physically redundant topology no longer receives STP BPDUs. As a result the Alternate port,
Backup port, or Root port eventually becomes Designated and moves to Forwarding state, creating
a loop.
The STP Loop Guard feature provides additional protection against STP loops. This feature
implements a mechanism that maintains the port in Blocking state, instead of transitioning it to
Forwarding state, whenever BPDUs from a neighbor are lost.

Page 13

Internet Group Multicast Protocol (IGMP) Fast
Recovery
When using the IGMP Fast Recovery feature, the multicast traffic takes advantage of the
connectivity and convergence time provided by STP.
In the following figure, all devices run IGMP snooping and a spanning tree protocol (STP, RSTP,
or MSTP). In this figure:
1. The Multicast Router floods traffic for multicast groups that the client is subscribed to.

Figure 6: Spanning Tree I GMP Configuration
2. The Multicast Router sends an IGMP query to the clients for their multicast group
memberships.
3. The client(s) reply with IGMP Reports. The traffic flows from the Multicast Router, through
Device D and Device A, to Device C. All ports between the devices and the Multicast Router
are mrouter ports. Device Cs mrouter port that links to Device B is blocked. If a topology
change occurs and the link between Device C and Device A goes down, the Device Cs
blocked port transitions into Forwarding state.
4. If you configure IGMP Fast Recovery on Device C, the device reacts to the topology change
by sending an IGMP General Query to all its non-mrouter ports.

Page 14

5. The client(s) respond to the General IGMP Query with an IGMP report.
6. Device C forwards the IGMP report to its mrouter ports and the report is then sent to the
Multicast Router through Device B and Device D.
7. Client(s) traffic connected to Device C is transmitted through Device B instead of Device A,
as shown on the figure below.

Figure 7: Spanning Tree I GMP Fast Recovery Configuration


Page 15

STP Default Configuration
Table 3: STP Default Configuration
Spanning Tree Protocol Disabled
STP bridge priority 32768
STP hello-time 2 seconds
STP forward-delay timer 15 seconds
STP MaxAge timer 20 seconds
Line error detection Disabled
STP path cost 10
STP port priority 128
STP topology change detection Enabled
Debug STP Disabled

Page 16

STP Configuration Flow

Figure 8: STP Configuration Flow
Start
Enable STP
Change the priority to the
lowest in the network
Set the STP Timers (hello-timer, MaxAge, forward-delay)
Is this bridge the
root?
Yes
Define the ports path cost
Disable TC detection on loop-free ports (Optional)
No
End
Optional STP Configuration

Page 17

STP Configuration Commands
The STP default values are sufficient for obtaining a loop-free redundant network topology.
However, to enforce topology demands on the dynamically built topology, configure several
parameters before connecting the network.
Table 4: STP Configuration Commands
Command Description
spanning-tree Enables/disables the STP on the device (see
Enabling/Disabling STP)
spanning-tree Enables/disables the STP per port (see Enabling/Disabling
STP per Port)
spanning-tree priority Defines the STP bridge priority (see Defining the STP Bridge
Priority)
spanning-tree priority Defines the STP port priority (see Enabling/Disabling STP per
Port)
spanning-tree hello-time Defines the hello-time interval (see Defining the Hello-Time)
spanning-tree max-age Defines the Maximum Age timer (see Defining the Maximum
Aging Timer)
spanning-tree forward-
delay
Defines the forward-delay timer (see Defining the Forward-
Delay Timer)
spanning-tree path-cost Defines the STP port path cost (see Defining the Port Path
Cost)

Table 5: Optional STP Configuration Commands
Command Description
spanning-tree detect-tc Enables topology-change detection on the configured port
(see Enabling/Disabling STP Topology Change Detection)
spanning-tree line-
error-detect
Enables line-error detection (see Enabling/Disabling Line Error
Detection)
spanning-tree line-
flapping-detect
Causes the Root and Alternate ports to change roles in case
of flapping (see Enabling/Disabling Line Flapping Detection)
spanning-tree bpdu-rx Prevents an STP port from receiving BPDUs (see Setting the
BPDU Guard)
spanning-tree detect-
bpdu-loss
Enables/disables the Loop Guard on a port (see
Enabling/Disabling the Loop )
spanning-tree restrict-
root
Enables/disables the selection of a port as the Root port (see
Enabling/Disabling Root Restriction)
spanning-tree
destination
Specifies the MAC address used for BPDUs destination
address (see Configuring the BPDUs MAC Address)
spanning-tree defaults Restores a ports STP parameters to their defaults (see
Restoring STP Port Parameters to Defaults)
spanning-tree igmp-fast-
recovery
Configures the IGMP fast recovery feature (see Configuring
IGMP Fast Recovery)

Page 18

Table 6: STP Display Commands
Command Description
spanning-tree Displays the current STP configuration (see Displaying the
STP Configuration)
spanning-tree interface
spanning-tree all
show spanning-tree
Displays the STP settings and topology per port or for all ports
(see Displaying the Ports STP Configuration)
show spanning-tree
interface
Displays the spanning tree topology for a specified port (see
Displaying the STP Topology for a Specific Port)

Table 7: STP Debugging Commands
Command Description
debug stp Enables the debugging STP information (see Enabling STP
Debug Information)
show debug stp Displays the STP debug status (see Displaying the STP
Debug Status)

Page 19

Enabling/Disabling STP
The spanning-tree command enables/disables STP on the device.
STP is disabled by default.
Command Syntax
device-name(cfg protocol)#spanning-tree [enable | disable]
device-name(cfg protocol)#no spanning-tree
enable (Optional) enables STP, the device becoming a node in the tree
disable (Optional) disables STP
no Restores to default
Enabling/Disabling STP per Port
The spanning-tree command enables/disables STP per port. You can enable/disable STP per
port only if the feature is enabled on the device.
CLI Modes: Interface Configuration and Interface Range Configuration
By default, enabling STP on the device enables the feature on all ports. Disabling STP on the device
disables it on all ports.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree [enable | disable | all]
device-name(config-if-group)#spanning-tree [enable | disable]
enable (Optional) enables STP on the specified port
disable (Optional) disables STP on the specified port
all (Optional) enables STP on all ports


Page 20

Defining the STP Bridge Priority
The spanning-tree priority command defines the STP bridge priority.
The default bridge priority is 32768.
Command Syntax
device-name(cfg protocol)#spanning-tree priority <bridge-priority>
device-name(cfg protocol)#no spanning-tree priority
bridge-priority
The bridge priority, in the range of <065535>. The bridge with the highest
bridge priority (the lowest numerical priority value) is selected as Root
device
no
Restores to default
Defining the STP Priority per Port
The spanning-tree priority command defines the STP port priority. The STP port priority
represents the location of a port in the network topology and determines how well it is located for
forwarding traffic.
The default port priority is 128.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree priority <priority>
device-name(config-if UU/SS/PP)#no spanning-tree priority

device-name(config-if-group)#spanning-tree priority <priority>
device-name(config-if-group)#no spanning-tree priority
priority
The port STP priority, in the range of <0240>. This value is a multiple of 16.
Assign lower values (higher priorities) to preferred ports.
If all the ports have the same priority value, STP selects the port with the lowest
number in Forwarding state and blocks other ports.
no
Restores to default


Page 21

Defining the Hello-Time
The spanning-tree hello-time command defines the interval between consecutive BPDUs the
device transmits.
Use this command when the device is the Root, or trying to become one.
The default hello-time is 2 seconds.
Command Syntax
device-name(cfg protocol)#spanning-tree hello-time <hello-time>
device-name(cfg protocol)#no spanning-tree hello-time
hello-time
The interval between transmitting BPDUs, in the range of <19>seconds.
This value must be less than MaxAge/2-1 (refer to the Defining the Maximum
Aging Timer section).
no
Configures the hello-time interval to its default value.
Defining the Maximum Aging Timer
The spanning-tree max-age command defines the interval the device waits for receiving a
BPDU before attempting a reconfiguration.
The default value is 20 seconds.
Command Syntax
device-name(cfg protocol)#spanning-tree max-age <max-age>
device-name(cfg protocol)#no spanning-tree max-age
max-age
The maximum aging time, in the range of <628>seconds.
The MaxAge value must be greater than 2*(hello-time+1) and less than 2*(forward-
delay-1).
no
Restores to default


Page 22

Defining the Forward-Delay Timer
The spanning-tree forward-delay command defines the interval the device waits before
transitioning from Learning and Listening states to Forwarding state.
The default forward-delay value is 15 seconds.

NOTE
The forward-delay value must be greater than MaxAge/ 2+1.
Command Syntax
device-name(cfg protocol)#spanning-tree forward-delay <forward-delay>
device-name(cfg protocol)#no spanning-tree forward-delay
forward-delay
The interval before transitioning from Listening and Learning states to
Forwarding State, in the range of <1130>seconds.
This value must be greater than MaxAge/2+1.
When a topology change is underway and is detected, use this parameter to
age all dynamic entries in the Forwarding database.
no
Restores to default
Defining the Port Path Cost
The spanning-tree path-cost command defines the STP port path cost.
The default port path cost is 10.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree path-cost <path-cost>
device-name(config-if UU/SS/PP)#no spanning-tree path-cost

device-name(config-if-group)#spanning-tree path-cost <path-cost>
device-name(config-if-group)#no spanning-tree path-cost
path-cost
The path cost value, in the range of <1200000000>.
Assign lower cost values to ports that you want to select first. If all ports have
the same cost value, STP selects the port with the lowest number in
Forwarding state and blocks other ports.
no
Restores to default

Page 23

Enabling/Disabling STP Topology Change Detection
The spanning-tree detect-tc command enables topology change detection on the configured
port.
Topology change detection is enabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree detect-tc
device-name(config-if UU/SS/PP)#no spanning-tree detect-tc

device-name(config-if-group)#spanning-tree detect-tc
device-name(config-if-group)#no spanning-tree detect-tc
no
Disables topology change detection on specified ports, preventing the switch from
detecting and propagating topology changes on the specified port/s.
Enabling/Disabling Line Error Detection
The spanning-tree line-error-detect command enables/disables line error detection. The
error level is considered critical when the CRC error rate exceeds 1% within a 3 seconds interval.
Line error detection is disabled by default.
Command Syntax
device-name(cfg protocol)#spanning-tree line-error-detect {enable | disable}
enable Enables line error detection
disable Disables line error detection


Page 24

Enabling/Disabling Line Flapping Detection
The spanning-tree line-flapping-detect command causes the Root and Alternate ports to
change roles in case of flapping (continued and uncontrolled link up and down event) on a physical
port.
Command Syntax
device-name(cfg protocol)#spanning-tree line-flapping-detect {enable | disable}
enable Enables line flapping detection
disable Disables line flapping detection
Setting the BPDU Guard
The spanning-tree bpdu-rx command defines the STP reaction when receiving a BPDU on the
specified port.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree bpdu-rx {discard | disable-port
| standard}
device-name(config-if-group)#spanning-tree bpdu-rx {discard | disable-port |
standard}
discard The device drops received BPDUs (ignores the BPDU information)
disable-port Receiving a BPDU disables the port
standard BPDUs are processed according to standard STP mechanisms (default)

Page 25

Enabling/Disabling the Loop Guard per Port
The spanning-tree detect-bpdu-loss command enables/disables the Loop Guard on a
specific port.
The Loop Guard is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree detect-bpdu-loss {enable |
disable}
device-name(config-if-group)#spanning-tree detect-bpdu-loss {enable | disable}
enable Enables BPDU loss detection (Loop Guard is disabled).
disable Disables BPDU loss detection (Enables Loop Guard on the port).
This parameter does not change the ports state, if the port is not a
Designated port, even if the port stops receiving BPDUs from its peer port.
Disables Loop Guard on the specified port: the port state does not change,
even if stops receiving BPDUs.
Enabling/Disabling Root Restriction
The spanning-tree restrict-root command enables/disables selecting a port as the Root port.
Root restriction is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree restrict-root {enable |
disable}
device-name(config-if-group)#spanning-tree restrict-root {enable | disable}
enable Enables root restriction on the specified port (the port is not selected as Root
port)
disable Disables root restriction

Page 26

Configuring the BPDUs MAC Address
The spanning-tree destination command specifies the MAC address used for BPDUs
destination address.
This command configures STP to send BPDUs to destination MAC address 01:80:C2:00:00:08.
The default value is customer, when BPDUs are sent to destination MAC address
01:80:C2:00:00:00.
Command Syntax
device-name(cfg protocol)#spanning-tree destination {customer | provider}
customer Customer mode 802.1D compliant
provider Provider mode 802.1ad compliant
Restoring STP Port Parameters to Defaults
The spanning-tree defaults command restores the ports STP parameters to default values.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree defaults
device-name(config-if-group)#spanning-tree defaults
Configuring IGMP Fast Recovery
The spanning-tree igmp-fast-recovery command configures the IGMP fast recovery feature
on the device.
Command Syntax
device-name(cfg protocol)#spanning-tree igmp-fast-recovery {enable | disable |
vlan VLAN-LIST ports PORT-LIST}
device-name(cfg protocol)#no spanning-tree igmp-fast-recovery vlan VLAN-LIST
ports PORT-LIST

Page 27

enable
Globally enables the fast recovery
disable
Globally disables the fast recovery
Disabled
vlan VLAN-LIST
A list of VLAN IDs, in the range of <14094>, in the below format:
Several VLAN numbers and/or ranges, separated by commas (for
example: 2,4,832)
ports PORT-LIST
Specifies one or more port numbers. Use commas as separators and
hyphens to indicate sub-ranges (for example: 1/1/1, 1/2/11/2/8)
no
Disables the fast recovery on specified VLAN and port lists.
Displaying the STP Configuration
The spanning-tree command displays the current STP configuration.

NOTE
You can also display the current STP configuration using the show spanni ng- t r ee
command.
Command Syntax
device-name(cfg protocol)#spanning-tree
Example
device-name(cfg protocol)#spanning-tree
Spanni ng t r ee enabl ed
Pr ot ocol Speci f i cat i on = i eee8021d
Pr i or i t y = 32768
TopChanges = 3
MaxAge = 20 ( Sec)
Hol dTi me = 1 ( Sec)

Page 28

Table 8: The Parameters Displayed by the STP show Commands
Spanni ng t r ee The STP global state
Pr ot ocol Speci f i cat i on The protocol standard
Pr i or i t y The bridge priority
Ti meSi nceTopol ogyChange The time since the last topology change, in seconds
TopChanges The number of times the topology change flag parameter for
the bridge was set the last time the device was turned on
Desi gnat edRoot The Roots unique bridge identifier. This value is used in all
Configuration BPDUs transmitted by the bridge.
MaxAge The configured maximum-aging timer, in seconds
Hel l oTi me The configured hello timer, in seconds
For war dDel ay The configured forward-delay timer, in seconds
Hol dTi me The minimum interval between Configuration BPDUs
transmission through a given LAN port (this parameter is fixed
to 1 second)
Br i dgeMaxAge The maximum-aging timer when the bridge is the Root or is
attempting to become the Root, in seconds
Br i dgeHel l oTi me The hello timer when the bridge is the Root or is attempting to
become the Root, in seconds
Br i dgeFor war dDel ay The forward-delay timer when the bridge is the Root or is
attempting to become the Root, in seconds
Det ect Li neCRCReconf i g Indicates whether line error detection is enabled or not
Det ect Li neFl appi ng Indicates whether link flapping is enabled or not
SpanI gmpFast Recover y Indicates whether IGMP fast recovery is enabled or disabled
Displaying the Ports STP Configuration
The spanning-tree interface command displays the STP settings for a specified port. This
command also enters the Interface Configuration mode.
The spanning-tree all command displays the STP topology for all ports.
The show spanning-tree command displays the STP settings and the STP topology for all ports.


Page 29

Command Syntax
device-name(cfg protocol)#spanning-tree interface UU/SS/PP

device-name(cfg protocol)#spanning-tree interface all

device-name(config-if UU/SS/PP)#spanning-tree all

device-name#show spanning-tree
UU/SS/PP The port number, in a unit, slot, and port number format
all Displays the STP settings for all ports
Example 1
Display the STP settings for port 1/1/1:
device-name(cfg protocol)#spanning-tree interface 1/1/1
Por t Pr i or i t y = 128
Por t St at e = di sabl ed
Por t Enabl e = di sabl ed
Por t Pat hCost = 10
Desi gnat edRoot = 08192. 00: A0: 12: 00: 00: 03
Desi gnat edCost = 19
Desi gnat edBr i dge = 32768. 00: A0: 12: 11: 29: 82
Desi gnat edPor t = 128. 1
Fr wr dTr ansi t i ons = 0
TopChangeDet ect i on = Enabl ed
Example 2
Display the STP topology for all ports:
device-name(cfg protocol)#spanning-tree interface all
========================================================================
Por t | Pr i | St at e| PCost | DCost | Desi gnat ed br i dge | DPr t | Fwr dT| Dt ct Tc
- - - - - - - - +- - - +- - - - - +- - - - - +- - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - +- - - - - +- - - - - - -
01/ 02/ 01 128 l i st n 19 19 32768. 00A012000003 128. 01 2 Di sabl ed
01/ 02/ 02 128 bl ock 19 0 32768. 000002030405 128. 63 0 Enabl ed
01/ 02/ 03 128 l i st n 19 0 32768. 000002030405 128. 62 2 Enabl ed

Page 30

Example 3
Display the STP settings and topology for all ports:
device-name#show spanning-tree
Pr i or i t y = 32768
TopChanges = 0
MaxAge = 20 ( Sec)
- - - - - - - - +- - - +- - - - - +- - - - - - +- - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - +- - - - - +- - - - - - - -
01/ 02/ 01 128 l i st n 19 19 32768. 00A012000003 128. 02 2 Di sabl ed
01/ 02/ 02 128 bl ock 19 0 32768. 000002030405 128. 03 0 Enabl ed
01/ 02/ 03 128 l i st n 19 0 32768. 000002030405 128. 04 2 Enabl ed
Table 9: Parameters Displayed by the spanni ng- t r ee i nt er f ace command
Por t Pr i or i t y The port priority
Por t St at e The port state
Por t Enabl e Displays whether the port is enabled or disabled
Por t Pat hCost The STP port path cost
Desi gnat edRoot The unique Root bridge identifier, in the root identifier parameter of
Configuration BPDUs transmitted by the designated bridge of the
LAN to which the port is attached.
Use this parameter to test the root identifier parameter value
conveyed in received Configuration BPDUs.
Desi gnat edCost The designated ports path cost (equal to the root path cost of the
bridge), offered to the LAN to which the port is attached.
Otherwise, this is the path cost to the root offered by the
designated port on the LAN to which this port is attached.
Use this parameter to test the value of the root path-cost
parameter conveyed in received Configuration BPDUs.

Page 31

Desi gnat edBr i dge The unique bridge identifier of one of the following:
in the case of a designated port, the bridge the port belongs
to
the designated bridge of the LAN to which this port is
attached
Use this parameter:
together with the designated port and port identifier
parameters to test if this port is the designated port for the
LAN to which it is attached
to test the value of the bridge identifier parameter conveyed
in received configuration BPDUs
Desi gnat edPor t The designated bridge-port identifier, through which the bridge
transmits the configuration message-information stored by this
port.
Use this parameter:
together with the designated bridge and port identifier
parameters to test if this port is the designated port for the
LAN to which it is attached
by management to determine the topology of the bridged LAN
Fr wr dTr ansi t i ons The number time the port transitioned into Forwarding state.
TopChangeDet ect i on Indicates whether topology-changes detection is enabled or not.

Table 10: Parameters Displayed by the spanni ng- t r ee al l and spanni ng- t r ee
i nt er f ace al l commands
Por t The ports unit/slot/port
Pr i Refer to Por t Pr i or i t y in the above table
St at e Refer to Por t St at e in the above table
PCost Refer to Por t Pat hCost in the above table
DCost Refer to Desi gnat edCost in the above table
Desi gnat ed br i dge Refer to Desi gnat edBr i dge in the above table
DPr t Refer to Desi gnat edPor t in the above table
Fwr dT Refer to Fr wr dTr ansi t i ons in the above table
Dt ct Tc Refer to TopChangeDet ect i on in the above table

Page 32

Displaying the STP Topology for a Specific Port
The show spanning-tree interface command displays the STP topology for the specified port.
Table 9 describes the parameters displayed by this command.
Command Syntax
device-name#show spanning-tree interface UU/SS/PP
Example 1
Display the STP topology when the bridge is not the root bridge:
device-name#show spanning-tree interface 1/1/1
Desi gnat edBr i dge = 32768. 00: A0: 12: 11: 29: 82
Example 2
Display the STP topology when the bridge is the root bridge:
device-name#show spanning-tree interface 1/1/1
Desi gnat edBr i dge = Thi s br i dge

Page 33

Enabling STP Debug Information
The debug stp command enables the STP debug information.
This command is not saved after a device reload.
Debugging is disabled by default.
Command Syntax
device-name#debug stp {all | flush | tc | tcn}
device-name#no debug stp {all | flush | tc | tcn}
all Activates all STP debug options
flush Activates MAC address table flush debugging
tc Activates debugging when the device receives or transmits BPDUs with topology
changes
tcn Activates debugging when the device receives TCNs or transmits BPDUs with
topology change acknowledgment
no Disables the debug information display
Displaying the STP Debug Status
The show debug stp command displays the STP debug status.
Command Syntax
device-name#show debug stp
Example
device-name#show debug stp
STP debuggi ng st at us:
STP debug TNC i s on
STP debug f l ush i s on
STP debug TC i s on

Page 34

STP Configuration Example
The following figure is a configuration example using STP.

Figure 9: Spanning Tree Configuration Example
Configuring Device A:
1. Enable STP:
DeviceA#configure terminal
DeviceA(config)#protocol
DeviceA(cfg protocol)#spanning-tree enable
2. Set the STP bridge priority to 4096, to make Device A the Bridge Root.
DeviceA(cfg protocol)#spanning-tree priority 4096
3. Set the STP MaxAge timer to 10. Calculate the timer according to the following formula:
Max_age= (4 x hello) + (2 x dia) - 2, when the hello-timeis 2 and the diameteris 2 (based on
the figure above):
DeviceA(cfg protocol)#spanning-tree max-age 10

Page 35

4. Set the STP forward-delay timer to 7. Calculate this timer according to the following formula:
Forward_delay= ((4 x hello) + (3 x dia)) / 2, when the hello-timeis 2 and the diameteris 2
(based on the figure above):
DeviceA(cfg protocol)#spanning-tree forward-delay 7
Configuring Device B:
1. Enable STP:
DeviceB#configure terminal
DeviceB(config)#protocol
DeviceB(cfg protocol)#spanning-tree enable
2. Set port 1/2/1 with path cost 1:
DeviceB(config)#interface 1/2/1
DeviceB(config-if 1/2/1)#spanning-tree path-cost 1
Configuring Device C:
Enable STP:
DeviceC(config)#protocol
DeviceC(cfg protocol)#spanning-tree enable
Configuring Device D:
1. Enable STP:
DeviceD#configure terminal
DeviceD(config)#protocol
DeviceD(cfg protocol)#spanning-tree enable
DeviceD(cfg protocol)#exit
2. Set port 1/2/1 with path cost 4:
DeviceD(config)#interface 1/2/1
DeviceD(config-if 1/2/1)#spanning-tree path-cost 4
3. Disable topology change detection on ports 1/2/3 and 1/2/4 (these ports are attached to
PCs):
DeviceD(config-if 1/2/1)#interface 1/2/3
DeviceD(config-if 1/2/3)#no spanning-tree detect-tc
DeviceD(config-if 1/2/4)#no spanning-tree detect-tc
DeviceD(config-if 1/2/4)#end

Page 36

Configuring Device E:
1. Enable STP:
DeviceE#configure terminal
DeviceE(config)#protocol
DeviceE(cfg protocol)#spanning-tree enable
DeviceE(cfg protocol)#exit
2. Disable topology change detection on ports 1/2/3 and 1/2/4 (these ports are attached to
PCs):
DeviceE(config)#interface 1/2/3
DeviceE(config-if 1/2/3)#no spanning-tree detect-tc
DeviceE(config-if 1/2/3)#interface 1/2/4
DeviceE(config-if 1/2/4)#no spanning-tree detect-tc
DeviceE(config-if 1/2/4)#end
Displaying Device D Configuration:
DeviceD#show spanning-tree
Pr i or i t y = 32768
TopChanges = 4
Desi gnat edRoot = 04096. 00: A0: 12: 27: 00: C0
Root Por t = 1/ 2/ 1
Root Cost = 8
MaxAge = 10 ( Sec)

===============================================================================
- - - - - - - - +- - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - +- - - - - +- - - - - - - -
01/ 01/ 01 128 f r wr d 4 8 32768. 00A012271420 128. 01 1 Enabl ed
01/ 02/ 01 128 f r wr d 4 4 32768. 00A012270080 128. 03 1 Enabl ed
01/ 02/ 02 128 bl ock 19 4 32768. 00A012270080 128. 04 1 Enabl ed
01/ 02/ 03 128 f r wr d 19 8 32768. 00A012010101 128. 05 1 Di sabl ed
01/ 02/ 04 128 f r wr d 19 8 32768. 00A012010101 128. 06 1 Di sabl ed

Page 37

Displaying Device E Configuration:
DeviceE#show spanning-tree
Pr i or i t y = 32768
TopChanges = 2
Root Cost = 12
MaxAge = 10 ( Sec)

===============================================================================
- - - - - - - - +- - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - +- - - - - +- - - - - - - -
01/ 01/ 01 128 f r wr d 4 8 32768. 00A012271420 128. 01 2 Enabl ed
01/ 02/ 02 128 bl ock 19 1 32768. 00A012271240 128. 01 2 Enabl ed
01/ 02/ 03 128 f r wr d 19 38 32768. 00A012270120 128. 03 1 Di sabl ed
01/ 02/ 04 128 f r wr d 19 38 32768. 00A012270120 128. 04 1 Di sabl ed

Page 38

Supported Platforms
Spanning Tree Protocol (STP) + +
Spanning Tree Protocol (STP) IEEE 802.1d-1998 Public MIBs:
bridge.mib
rstp.mib
Private MIB,
prvt_switch.mib
RFC 1493,
Definitions of
Managed Objects for
Bridges
RFC 2863, Interfaces
Group MIB
(configL2IfaceTable)

Page 1
Configuring Rapid Spanning Tree Protocol (RSTP) (Rev. 04)

Configuring Rapid Spanning Tree Protocol
(RSTP)
Table of Figures 3
Architecture 4
RSTP Port States 4
RSTP Port Roles 5
Rapid Recovery and Convergence 6
Determining the Port Link-Type 7
Synchronization of Port Roles 7
RSTP BPDU Format and Processing 8
Line Error Detection 9
IGMP Fast Recovery 9
RSTP Default Configuration10
RSTP Configuration Flow 11
RSTP Configuration Commands12
Enabling/ Disabling RSTP on the Device14
Enabling/ Disabling RSTP per Port15
Defining the RSTP Bridge Priority15
Defining the RSTP Priority per Port16
Defining the RSTP Hello-Time17
Defining the RSTP Maximum Aging Timer17
Defining the RSTP Forward-Delay Timer18
Defining Edge Port(s)18
Defining the RSTP Port Path Cost 20
Defining the Link-Type21
Forcing a Port to Work with RSTP22
Restoring the RSTP Port Parameters to Defaults23
Displaying the RSTP Configuration23
Displaying the RSTP Port Configuration25
Displaying the RSTP for a Specific Port28

Page 2

Displaying the RSTP Configuration and Topology for All Ports29
Enabling RSTP Debug Information30
Displaying the RSTP Debug Status31
RSTP Configuration Example32

Page 3

Table of Figures
Figure 1: Proposal and Agreement Handshaking for Rapid Convergence 6
Figure 2: Sequence of Events during Rapid Convergence 8
Figure 3: RSTP BPDU Flags 8
Figure 4: RSTP Configuration Flow11
Figure 5: Point-to-point MAC21
Figure 6: Rapid Spanning Tree Configuration Example32

Page 4

Overview
Rapid Spanning Tree Protocol (RSTP) is an evolution of STP providing faster convergence (less
than one second) upon a network topology change. This is critical in networks that carry voice,
video, and other delay-sensitive traffic.
The RSTP algorithm dynamically creates a tree through the network, used to efficiently direct
packets to their destinations. It reduces the bridged network to a single spanning tree topology in
order to eliminate packet loops (multiple paths linking one device to another, resulting in an infinite
loop situation).
The RSTP algorithm reactivates redundant connections in the event of a link or device failure.
Architecture
RSTP distinguishes between the port state and the port role:
The port statedescribes the relationship of that port to the frame processing (filtering and
forwarding) and learning functions.
The port roledescribes the role of the port in the spanning tree function.
RSTP Port States
There are three RSTP port states (as oppose to five STP states):
Table 1: RSTP Port States
Port State Description
Learning As in STP, the port prepares to participate in frame-forwarding. It learns
source addresses from frames received and adds them to the filtering
database.
From this state the port can enter a Forwarding state.
Forwarding As in STP, the port enters this state from the Learning state. The device
processes BPDUs and waits for possible new information that may cause
it to switch to the Discarding state to prevent a loop.
A port in Forwarding state:
Receives and forwards frames
Forwards frames switched from another port
Learns MAC addresses
Receives BPDUs
From this state, the port can only switch to Discarding state.
Discarding STP states Disabled, Blocking, and Listening are merged into this state.
This state describes a port that does not forward user traffic in either
direction. The port discards received frames and no learning occurs. As a
result, there are no entries in the filtering database pointing to this port and
no traffic is forwarded across it.

Page 5

RSTP Port Roles
In order to create a loop-free environment and to provide rapid convergence, RSTP selects the
device with the highest priority as the root bridge, assigns port roles, and determines the active
topology.
RSTP assigns a role to each bridge port throughout the bridged LAN:
Table 2: RSTP Port Role Assignments
Port Role Description
Root port Provides the best path (lowest cost) for packets forwarded from a device
to the root device.
A Root port is in Forwarding state.
Designated port Connects to the designated device that provides the best path for packets
forwarded from that LAN to the root device.
A Designated port is in Forwarding state.
Alternate port Offers an alternative path to the one provided by the current Root port.
Alternate ports are in Discarding state.
This role is equivalent to the STP Blocking state.
Backup port Acts as a backup for the path provided by a Designated port in the
direction of the spanning tree leaves (end nodes).
A Backup port exists only when two ports are connected together in a
loopback by a point-to-point link or when a device has two or more
connections to a shared LAN segment.
Backup ports are in Discarding state.
This role is equivalent to the STP Blocking state.
Disabled port Disabled ports do not participate in frame forwarding and are not
operational. These ports:
discard frames
discard frames switched from another port for forwarding
do not learn MAC addresses
do not receive BPDUs

Page 6

Rapid Recovery and Convergence
Edge ports, new Root ports, and ports connected through point-to-point links converge rapidly
upon a link failure.
Table 3: The RSTP Rapid Convergence
Port Type Description
Edge ports Edge ports are configured by users on RSTP enables devices. Once
configured, these ports immediately transit to Forwarding state.
NOTE
You should configure Edge ports only on ports
connected to end devices (such as hosts and printers).
Root ports When RSTP selects a new Root port, it blocks the old Root port and
immediately transitions the new Root port to Forwarding state.
Point-to-point links Point-to-point links are links directly connecting two devices.
When you connect two devices using a point-to-point link the
Designated port negotiates rapid transition with the remote port by using
the proposal-agreement handshake to ensure a loop-free topology.

The figure below shows a rapid convergence example. In this example, Devices A and B are
connected through a point-to-point link and all the ports are in blocking state. Assume that Device
As priority is higher than Device Bs.
The proposal-agreement handshaking proceeds as follows:
1. Device A proposes itself as the designated device by sending a proposal message (a
configuration BPDU with the proposal flag set).
2. Device B reacts to Device As proposal message as follows:
1.1. It assigns the port on which the proposal message was received as its new Root port.
1.2. It forces all non-edge ports to Discarding state to avoid loops.
1.3. It sends an agreement message to Device A (a BPDU with the agreement flag set)
through its new Root port.

Figure 1: Proposal and Agreement Handshaking for Rapid Convergence

Page 7

3. Device A immediately transitions its Designated port to Forwarding state.
4. The same handshaking process is repeated for each device that joins the active topology,
progressing from the root toward the leaves of the spanning tree as the network converges.
Determining the Port Link-Type
RSTP can implement a rapid transition only on point-to-point links. The link type is automatically
derived from the ports duplex mode:
A port operating in full-duplex mode is assumed to be point-to-point
A port operating in half-duplex mode is considered as a shared port by default.
You can override this automatic link-type setting by explicit configuration.
Today in most switched networks most links operate in full-duplex mode and are treated as point-
to-point links by RSTP. This makes them candidates for rapid transition to Forwarding state.
You can override the default setting that is determined by the duplex mode by using the rapid-
spanning-tree link-type command.
Synchronization of Port Roles
Upon receiving a proposal message for best path to the root through a port, the RSTP selects that
port as the new Root port and forces all other ports to synchronize with the new root information.
An individual port on the device is synchronized if:
the port is in Discarding state
it is an edge port
If a Designated port is in Forwarding state and is not configured as an edge port, it transitions to
Discarding state when RSTP forces it to synchronize with new root information. When RSTP
forces a port to synchronize with root information and the port does not satisfy any of the above
conditions, it transitions to Discarding state.
After synchronizing all ports, the device sends an agreement message to the designated device
corresponding to its Root port. At this point RSTP immediately transitions the port states to
Forwarding.

Page 8

The sequence of events is displayed in the figure below:

Figure 2: Sequence of Events during Rapid Convergence
RSTP BPDU Format and Processing
The RSTP BPDU has the same format as the STP BPDU except for the protocol version that is
set to 2.

Figure 3: RSTP BPDU Flags
The sending device proposes itself to be the designated device by setting:
the Proposal flag (bit 1)
the Port Role flag (bits 2-3) to Designated port
The receiving device accepts the proposal by setting:
the Agreement flag (bit 6)
the Port role flag to Root port

Page 9

RSTP uses the Topology Change (TC) flag to indicate topology changes. Unlike STP, the RSTP
does not have a separate topology change notification (TCN) BPDU. However, for interoperability
with STP devices, the RSTP device processes and generates TCN BPDUs.
The Learning and Forwarding flags (bits 4 and 5) are determined according to the sending port
state.
Line Error Detection
This feature is the same as in STP. For more information, refer to the LineError Detectionsection of
ConfiguringSpanningTreeProtocol (STP) chapter of this User Guide.
IGMP Fast Recovery
This feature is the same as in STP. For more information, refer to the Internet GroupMulticast Protocol
(IGMP) Fast Recoverysection of the ConfiguringSpanningTreeProtocol (STP) chapter of this User Guide.

Page 10

RSTP Default Configuration
Table 4: RSTP Default Configuration

Rapid Spanning Tree Protocol Disabled
RSTP bridge priority 32768
RSTP hello-time 2 seconds
RSTP forward-delay 15 seconds
RSTP MaxAge time 20 seconds
RSTP edge port Disabled
RSTP link-type Auto
RSTP port path cost See
Table 5
RSTP port priority 128
RSTP debug Disabled

Table 5: Path Cost Default Configuration (IEEE802.1s)

Link Speed Recommended Value Recommended Range Range
<=100 Kbps 200,000,000 20,000,000200,000,000 1200,000,000
1 Mbps 20,000,000 2,000,00020,000,000 1200,000,000
10 Mbps 2,000,000 200,0002,000,000 1200,000,000
100 Mbps 200,000 20,000200,000 1200,000,000
1 Gbps 20,000 2,000200,000 1200,000,000
10 Gbps 2,000 20020,000 1200,000,000
100 Gbps 200 202,000 1200,000,000
1 Tbps 20 2200 1200,000,000
10 Tbps 2 120 1200,000,000


Page 11

RSTP Configuration Flow

Figure 4: RSTP Configuration Flow

Yes
No
Start
Enable RSTP
Change the priority to be
the lowest in the network
Set the RSTP Timers (hello-time, MaxAge, forward-
delay)
Is the bridge selected
as root?
Set the loop free ports as edge ports
Optional RSTP Configuration
End
Change the path cost of ports to customize the topology

Page 12

RSTP Configuration Commands
Normally, the RSTP default parameter values are sufficient for obtaining a loop free redundant
network topology. However, to enforce topology demands on the dynamically built topology,
configure several parameters before connecting the network.

Table 6: RSTP Global Configuration Commands
Command Description
rapid-spanning-tree
Enables/disables the RSTP option (see
Enabling/Disabling RSTP on the Device)
rapid-spanning-tree
Enables/disables the Rapid Spanning Tree Protocol per
port (see Defining the RSTP Priority per Port)
rapid-spanning-tree priority
Assigns the RSTP bridge priority value (see Defining the
RSTP Priority)
rapid-spanning-tree priority
Sets the RSTP priority for the configured port (see
Defining the RSTP Priority per Port)
rapid-spanning-tree
hello-time
Sets the time interval, in seconds, between BPDU
transmissions from the ports of this device (see Defining
the RSTP Hello-Time)
rapid-spanning-tree max-age
Sets the time, in seconds, that learned Rapid Spanning
Tree information is kept before being discarded (see
Defining the RSTP Maximum Aging Timer)
rapid-spanning-tree
forward-delay
Sets the time duration in Listening and Learning states
that precede the Forwarding state, in seconds (see
Defining the RSTP Forward-Delay Timer)
rapid-spanning-tree edge-port
Changes the ports admin status (see Defining Edge
Port(s))
rapid-spanning-tree path-cost
Sets the RSTP port path cost for the configured port
(see

Defining the RSTP Port Path Cost)


Page 13

Table 7: Optional RSTP Configuration Commands
Command Description
rapid-spanning-tree link-type
Sets the RSTP ports administrative link-type (see
Defining the Link-Type)
rapid-spanning-tree detect-
protocols
Forces the port to work using the RSTP instead of the
STP (see Forcing a Port to Work with RSTP)
rapid-spanning-tree defaults
Restores the RSTP parameters to their defaults for the
configured port (see
Restoring the RSTP Port Parameters to Defaults)

Table 8: RSTP Display Commands
Command Description
rapid-spanning-tree
Displays the current RSTP parameter configuration (see
Enabling/Disabling RSTP on the Device)
rapid-spanning-tree interface
and
rapid-spanning-tree all
Displays the RSTP settings for a specified port or for all
ports (see Displaying the RSTP Port Configuration)
show rapid-spanning-tree
interface
Displays the RSTP topology for the specified port (see
Displaying the RSTP for a Specific Port)
show rapid-spanning-tree
Displays the current RSTP parameters settings and the
RSTP topology for all ports (see Displaying the RSTP
Configuration and Topology for All Ports)

Table 9: RSTP Debugging Commands
Command Description
debug rstp
Enables and displays RSTP-related debug information
(see Enabling RSTP Debug Information)
show debug rstp
Displays the status of Rapid Spanning Tree protocol
(RSTP) debugging (see Displaying the RSTP Debug
Status)

Page 14

Enabling/Disabling RSTP on the Device
The rapid-spanning-tree command enables/ disables the RSTP. Using this command without
any argument displays the RSTP configuration.
By default, RSTP is disabled.
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree [enable | disable]
device-name(cfg protocol)#no rapid-spanning-tree
enable
(Optional) enables RSTP. When enabling RSTP, the device acts as a node in
the tree.
disable
(Optional) disables RSTP.
no
Removes the RSTP configuration.
Example 1
device-name(cfg protocol)#rapid-spanning-tree
%Rst p i s di sabl ed
device-name(cfg protocol)#rapid-spanning-tree enable
Example 2
Pr i or i t y = 32768
TopChanges = 4
MaxAge = 20 ( Sec)
TxHol dCount = 3

Page 15

Enabling/Disabling RSTP per Port
The rapid-spanning-tree command enables/ disables the Rapid Spanning Tree Protocol per
port.
Using this command without any argument displays the RSTP configuration.
CLI Mode: Interface Configuration, Interface Range Configuration, LAG Configuration, and
LAG Range Configuration

NOTE
You can enable/ disable RSTP per port only if RSTP is enabled globally.
By default, when enabling RSTP in Protocol Configuration mode, it is enabled on all ports and
when disabling RSTP in Protocol Configuration mode, it is disabled on all ports.
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree [enable | disable | all]
device-name(config-if-group)#rapid-spanning-tree [enable | disable]
device-name(config-ag-group)#rapid-spanning-tree [enable | disable]
device-name(config-if AG0N)#rapid-spanning-tree [enable | disable]
enable
(Optional) enables RSTP on the specified port.
disable
(Optional) disables RSTP on the specified port.
all
(Optional) displays RSTP on all ports.
Defining the RSTP Bridge Priority
The rapid-spanning-tree priority command defines the RSTP bridge priority value. Using
this command without any argument displays the configured bridge priority.
By default, the RSTP priority value is 32768 (IEEE802.1w).
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree priority [<bridge-priority>]
device-name(cfg protocol)#no rapid-spanning-tree priority

Page 16

bridge-
priority
(Optional) specifies the RSTP bridge priority in increments of 4096.
The valid priority values are: 0, 4096, 8192, 12288, 16384, 20480, 24576,
28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.
no
Example
device-name(cfg protocol)#rapid-spanning-tree priority
Rapi d- spanni ng- t r ee br i dge pr i or i t y i s 32768
Defining the RSTP Priority per Port
The rapid-spanning-tree priority command defines the ports RSTP priority.
By default, the priority value is 128.
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree priority <priority>
device-name(config-if UU/SS/PP)#no rapid-spanning-tree priority

device-name(config-if-group)#rapid-spanning-tree priority <priority>
device-name(config-if-group)#no rapid-spanning-tree priority

device-name(config-ag-group)#rapid-spanning-tree priority <priority>
device-name(config-ag-group)#no rapid-spanning-tree priority

device-name(config-if AG0N)#rapid-spanning-tree priority <priority>
device-name(config-if AG0N)#no rapid-spanning-tree priority
priority
Specifies the RSTP priority value in the range of 0 (highest priority) to 240
(lowest priority) in increments of 16.
Assign high-priority values (low numerical values) to ports that you want to
select first and low-priority values to ports that you want to select last.
If all ports that connect to the root-bridges redundant paths have the same
priority, RSTP puts the port with the lowest port number in Forwarding state
and blocks all other ports.
no

Page 17

Defining the RSTP Hello-Time
The rapid-spanning-tree hello-time command sets the time interval between BPDU
transmissions by the root, indicating that the device is alive.
By default, the hello-time value is 2 seconds and its range depends on the MaxAge value (between 1
and 9 seconds).
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree hello-time <hello-time>
device-name(cfg protocol)#no rapid-spanning-tree hello-time
hello-time
The hello-time interval in the range of <19>seconds.
NOTE
Define a value that is less than MaxAge/ 2-1(see below command)
no
Defining the RSTP Maximum Aging Timer
The rapid-spanning-tree max-age command defines the time that learned RSTP information is
kept before being discarded.
By default, the MaxAge value is 20 seconds, and its range depends on the hello-time and forward-
delay values (between 6 and 28 seconds).
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree max-age <max-age>
device-name(cfg protocol)#no rapid-spanning-tree max-age
max-age
The MaxAge time in the range of <460>seconds.
NOTE
The value must be greater than 2*(hello-time+1) and less
than 2*(forward-delay-1).
no

Page 18

Defining the RSTP Forward-Delay Timer
The rapid-spanning-tree forward-delay command defines the time duration for the listening
and learning states that precede Forwarding state. In addition this timer is used when aging the
dynamic Forwarding database entries when a topology change is detected
By default, the forward-delay value is 15 seconds, and its range depends on the MaxAge value
(between 11 and 30 seconds).
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree forward-delay <forward-delay>
device-name(cfg protocol)#no rapid-spanning-tree forward-delay
forward-delay
The forward-delay time, in the range of <460>seconds).
NOTE
The value must be greater than MaxAge/ 2+1.
no
Defining Edge Port(s)
The rapid-spanning-tree edge-port command changes the ports administrative status, setting
it as an Edge Port.

NOTES
If the device receives a BPDU on a port configured as an edge port, the port
automatically changes its operational state to operate as a non-Edge Port. After a
link up/ down, the port returns to the Edge port administrative status.
By default, the Adminstatusis disabled.

Page 19

The EdgePort parameter is controlled by the RSTP state machine and CLI:
Table 10: RSTP Edge Port
Type Description
Admin
EdgePort
Configuring a port as an Edge port is known as Administrative Edge Port. This
indicates that the port is permitted to transition directly to Forwarding state when
it becomes designated.
Configure Edge ports on ports that are known to be at the edge of the bridged
LAN in order to transition to Forwarding without delay.
EdgePort The ports actual status is known as its operational state. This indicates whether
the port operates as an Edge Port or not.
When a port that was configured as Administrative Edge Port receives a BPDU,
it automatically changes its operational state to operate as a non-Edge Port, in
order to prevent loops in the network.
Therefore, if a port marked as an edge port proves not to be one (due to the
presence of another bridge), it ceases to behave like an edge port until it is
reinitialized (either by a link up/down event or by reissuing the CLI command).
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree edge-port
device-name(config-if UU/SS/PP)#no rapid-spanning-tree edge-port

device-name(config-if-group)#rapid-spanning-tree edge-port
device-name(config-if-group)#no rapid-spanning-tree edge-port

device-name(config-ag-group)#rapid-spanning-tree edge-port
device-name(config-ag-group)#no rapid-spanning-tree edge-port

device-name(config-if AG0N)#rapid-spanning-tree edge-port
device-name(config-if AG0N)#no rapid-spanning-tree edge-port
no


Page 20

Defining the RSTP Port Path Cost
The rapid-spanning-tree path-cost command defines the RSTP path cost for the configured
port.
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree path-cost <path-cost>
device-name(config-if UU/SS/PP)#no rapid-spanning-tree path-cost

device-name(config-if-group)#rapid-spanning-tree path-cost <path-cost>
device-name(config-if-group)#no rapid-spanning-tree path-cost

device-name(config-ag-group)#rapid-spanning-tree path-cost <path-cost>
device-name(config-ag-group)#no rapid-spanning-tree path-cost

device-name(config-if AG0N)#rapid-spanning-tree path-cost <path-cost>
device-name(config-if AG0N)#no rapid-spanning-tree path-cost
path-cost
The RSTP path cost value, in the range of <1200000000>.
You can use the path cost value to give priority to preferred links (for
example physical speed and bandwidth). When building the active
spanning tree, the port path-cost determines which port is included in the
active topology. Ports with lower-cost values are preferred to ports with
higher cost values. If all ports that provide redundant paths to the root
bridge have the same path-cost value, RSTP puts the port with the lowest
number in Forwarding state and blocks the other ports.
no

Table 11: Path Cost Default Configuration
Link Speed Default Value
4 Mbps 5,000,000
10 Mbps 2,000,000
16 Mbps 1,250,000
100 Mbps 200,000
1 Gbps 20,000
2 Gbps 10,000
10 Gbps 2,000

Page 21

Defining the Link-Type
The rapid-spanning-tree link-type command defines the RSTP ports administrative link-type.
By default, the admin link type is Auto.
There are two statuses of link-type:
Table 12: RSTP Link-types
Link-Type Description
auto
The device automatically manages the port's link-type.
The device considers the port connected to a point-to-
point LAN segment if any of the following conditions
are met:
The MST algorithm determines that the LAN
segment operates in full duplex mode.
If you configure the port by management means
to a full duplex operation. Otherwise, consider the
MAC to be connected to a LAN segment that is
not point-to-point (shared media).
point-to-
point
Consider the device connected to a point-to-point LAN
segment that forces the operational link-type to be
point-to-point.
Admin Link-Type
shared
Consider the device connected to a shared media
LAN segment that forces the operational link-type to
be shared.
Operational
Link-Type
If you configure Admin link-type to auto, then you can determine the
value of Operational link-type in accordance with the specific procedures
defined for the device entity, as defined in Admin link-type (auto).
If the port is connected to a point-to-point LAN segment, then
Operational link-type is set to point-to-point, otherwise it is set to shared.
In the absence of a specific definition of how to determine whether the
device is connected to a point-to-point LAN segment or not, the value of
link-type is shared.

Figure 5: Point- to- point MAC

Page 22

Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree link-type {auto | point-
to-point | shared}
device-name(config-if UU/SS/PP)#no rapid-spanning-tree link-type

device-name(config-if-group)#rapid-spanning-tree link-type {auto | point-to-
point | shared}
device-name(config-if-group)#no rapid-spanning-tree link-type
auto
Sets the RSTP link-type to auto.
point-to-point
Sets the RSTP link-type to point-to-point.
shared
Sets the RSTP link-type to share.
no
Forcing a Port to Work with RSTP
A device running RSTP supports a built-in protocol migration mechanism that enables RSTP to
interoperate with legacy 802.1D STP.
When an RSTP device receives a legacy 802.1D configuration BPDU (BPDU with protocol
version 0) it starts transmitting legacy 802.1D BPDUs (configuration messages and TCN messages).
However, when the device stops receiving BPDUs, it does not automatically revert to RSTP mode.
The device cannot determine whether the legacy device is removed from that link unless the legacy
device is a designated device.
RSTP supports a mechanism that forces the port to restart a protocol migration process (force re-
negotiation with neighboring devices).
The rapid-spanning-tree detect-protocols command forces the port to operate using RSTP
instead of the STP in the case of a link up event

Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree detect-protocols
device-name(config-if-group)#rapid-spanning-tree detect-protocols
device-name(config-ag-group)#rapid-spanning-tree detect-protocols
device-name(config-if AG0N)#rapid-spanning-tree detect-protocols

Page 23

Restoring the RSTP Port Parameters to Defaults
The rapid-spanning-tree defaults command restores the ports RSTP parameters to their
default values.
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree defaults
device-name(config-if-group)#rapid-spanning-tree defaults
Displaying the RSTP Configuration
The rapid-spanning-tree command displays the current RSTP configuration.

You can also use the show rapid-spanning-tree command.
Command Syntax
Example
Pr i or i t y = 32768
TopChanges = 4
MaxAge = 20 ( Sec)
TxHol dCount = 3

Page 24

Table 13: Parameters Displayed by the r api d- spanni ng- t r ee Commands
Rapid Spanning tree
The RSTP global state.
ProtocolSpecification
The protocol standard.
Priority
The bridge priority that is part of the bridge identifier.
TimeSinceTopologyChange
The time since the last topology change in seconds.
TopChanges
The number of times the Topology Change flag was changed
since the device was turned on.
DesignatedRoot
The unique Bridge Identifier of the root.
Use this parameter as the Root Identifier value in all
Configuration BPDUs transmitted by the bridge.
MaxAge
The maximum time, in seconds, of learned protocol
information before it is discarded.
HelloTime
The time interval, in seconds, between the transmission of
Configuration BPDUs by a bridge that is attempting to become
the root or is the root.
ForwardDelay
The minimum time period, in seconds, to elapse between the
transmissions of Configuration BPDUs through a given LAN
port. At most, one Configuration BPDU is transmitted in any
hold-time period. This parameter is fixed at 1 second.
BridgeMaxAge
The value of the MaxAge parameter, in seconds, when the
bridge is the root or is attempting to become the root.
BridgeHelloTime
The value of the hello-time parameter, in seconds,
determining the time interval between transmissions of:
BPDUs to all Designated ports of the root device
BPDUs to Designated ports of all devices in the topology
having the same root
BPDUs to the Root port during Topology Change
notification
BridgeForwardDelay
The value of the forward-delay parameter, in seconds, when
the bridge is the root or is attempting to become the root.
TxHoldCount
Maximum number of BPDUs transmitted during the hello-time
interval.
MigrationTimer
The time interval to wait before performing protocol
migrations. A protocol migration occurs when the device
degrades from RSTP to a legacy spanning protocol (such as,
STP).
DetectLineCRCReconfig
Indicates whether CRC errors detection is enabled.
DetectLineFlapping
Indicates whether link flapping detection is enabled on the
line.
SpanIgmpFastRecovery
Indicates whether IGMP fast recovery is enabled on the line.

Page 25

Displaying the RSTP Port Configuration
The rapid-spanning-tree interface command displays the ports RSTP parameters. The
command also changes the mode to the Interface Configuration mode and enables the setting of
the RSTP in the specified port.
The rapid-spanning-tree all command displays the settings of the RSTP parameters for all
ports.
CLI Mode: Protocol Configuration and Interface Configuration
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree interface UU/SS/PP

device-name(cfg protocol)#rapid-spanning-tree interface all
device-name(config-if UU/SS/PP)#rapid-spanning-tree all
UU/SS/PP
Specifies the unit, slot, and port number
all
Displays the RSTP settings for all ports. The configuration mode does not
change.
Example 1
Display the output of the RSTP configuration for port 1/ 1/ 1 with link enabled:
device-name(cfg protocol)#rapid-spanning-tree interface 1/1/1
Por t St at e = f or war di ng
Por t Rol e = Desi gnat ed Por t
Por t Enabl e = enabl ed
Desi gnat edBr i dge = Thi s br i dge
Admi n EdgePor t = di sabl ed
EdgePor t = di sabl ed
Admi nLi nk- Type = Aut o
Li nk- Type = P2P
Mi gr at i onTi mer = 3
Det ect ed Pr ot ocol = RSTP

Page 26

Example 2
Display the RSTP topology for all ports:
device-name(cfg protocol)#rapid-spanning-tree interface all
============================================================================
Por t | Pr i | Pr t r ol e| St at e | PCost | DCost | Desi gnat ed br i dge | DPr t | Fwr dT
- - - - - - - - +- - - +- - - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - +-
01/ 01/ 01 128 Desi gnat f r wr d 40000 400000 32768. 00A012010101 128. 01 2
01/ 01/ 02 128 Desi gnat f r wr d 200000 400000 32768. 00A012010101 128. 03 1
01/ 02/ 01 128 Desi gnat f r wr d 200000 400000 32768. 00A012010101 128. 04 1
01/ 02/ 02 128 Al t er n di scr 200000 200000 32768. 00A012112990 128. 20 1
01/ 02/ 03 128 Root f r wr d 200000 200000 32768. 00A012112990 064. 21 3
Example 3
Display the RSTP topology for all ports from Interface Configuration mode:
device-name(config-if 1/1/1)#rapid-spanning-tree all
============================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - +-
01/ 01/ 01 128 Desi gnat f r wr d 40000 400000 32768. 00A012010101 128. 01 2
01/ 01/ 02 128 Desi gnat f r wr d 200000 400000 32768. 00A012010101 128. 03 1
01/ 02/ 01 128 Desi gnat f r wr d 200000 400000 32768. 00A012010101 128. 04 1
01/ 02/ 02 128 Al t er n di scr 200000 200000 32768. 00A012112990 128. 20 1
01/ 02/ 03 128 Root f r wr d 200000 200000 32768. 00A012112990 064. 21 3
Table 14: Parameters Displayed by r api d- spanni ng- t r ee i nt er f ace command
Por t Pr i or i t y
The port priority that is part of the port identifier.
Por t St at e
The current port state of the port.
Por t Rol e
The current port role of the port
Por t Enabl e
The ports link state of the port.
Por t Pat hCost
The contribution of the path through this port, when the port is the
Root port, to the total cost of the path to the root for this bridge.
Desi gnat edRoot
The topology's root device.
Desi gnat edCost
For a Designated port, the path cost (equal to the root path cost of
the bridge) offered to the LAN to which the port is connected;
otherwise, it is the cost of the path to the root offered by the
Designated port on the LAN to which this port is connected.
Use this parameter to test the value of the root path cost parameter

Page 27

Desi gnat edBr i dge
The unique bridge Identifier of one of the following:
The bridge the port belongs to in case of a Designated port.
The bridge assumed to be the designated bridge for the LAN to
which this port is attached.
Use this parameter:
Together with the Designated port and port Identifier
parameters for the port to know if this port is the Designated
port for the LAN to which it is attached.
To test the value of the bridge Identifier parameter conveyed in
received Configuration BPDUs.
Desi gnat edPor t
The port Identifier of the bridge port, on the designated bridge,
through which the designated bridge transmits the configuration
message information stored by this port.
Use this parameter:
Together with the designated bridge and port Identifier
parameters for the port to know if this port is the Designated
port for the LAN to which it is attached.
By management to determine the topology of the bridged LAN.
Fr wr dTr ansi t i ons
Number of port state transitions into forwarding state that have
occurred.
Admi n EdgePor t
This value indicates whether the user forced the port to be an edge
port (a port attached to a PC or any non spanning tree capable
device on the edge of the network), or it is set by the RSTP.
EdgePor t
The actual value of the edge port parameter for this port either
forced by the user or set automatically by the RSTP.
Admi nLi nk- Type
This value reflects the user-defined link-type of this port. If you set it
to auto, then set the link-type according to the duplex mode of the
port.
Li nk- Type
The actual value of the link-type for this port either forced by the
user or set automatically by the RSTP.
Mi gr at i onTi mer
The time interval to wait before performing protocol migrations. A
protocol migration occurs when the device degrades from RSTP to
a legacy spanning protocol (such as, STP).


Page 28

Table 15: Parameters Displayed by r api d- spanni ng- t r ee i nt er f ace al l and r api d-
spanni ng- t r ee al l commands
Por t
The ports unit/slot/port.
Pr i
See PortPriority in the above table.
Pr t Rol e
See PortRole in the above table.
St at e
See PortState in the above table.
PCost
See PortPathCost in the above table.
DCost
See DesignatedCost in the above table.
Desi gnat ed br i dge
See DesignatedBridge in the above table.
DPr t
See DesignatedPort in the above table.
Fwr dT
See FrwrdTransitions in the above table.
Displaying the RSTP for a Specific Port
The show rapid-spanning-tree interface command displays the RSTP topology for the
specified port.
Table 14 describes the parameters displayed by this command.
Command Syntax
device-name#show rapid-spanning-tree interface UU/SS/PP
Example
In the following example the DesignatedRoot value indicates that the bridge is the root:
device-name#show rapid-spanning-tree interface 1/1/1
Por t Rol e = Desi gnat ed Por t
Desi gnat edRoot = Thi s br i dge
Admi n EdgePor t = di sabl ed
EdgePor t = di sabl ed
Admi nLi nk- Type = Aut o
Li nk- Type = P2P
Mi gr at i onTi mer = 3

Page 29

Det ect ed Pr ot ocol = RSTP
Displaying the RSTP Configuration and Topology for
All Ports
The show rapid-spanning-tree command displays the current RSTP parameters settings and the
RSTP topology for all ports.
Table 13 and Table 15 describe the parameters displayed by this command.
Command Syntax
device-name#show rapid-spanning-tree
Example
device-name#show rapid-spanning-tree
Pr i or i t y = 32768
TopChanges = 5
Root Cost = 400000
MaxAge = 20 ( Sec)
TxHol dCount = 3

===================================================================
Por t | Pr i | Pr t r ol e| St at e | PCost | DCost | Desi gnat ed br i dge | DPr t Fwr dT
- - - - - - - - +- - - +- - - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - - - - -
01/ 01/ 01 128 Desi gnat f r wr d 40000 400000 32768. 00A012010101 128. 01 2
01/ 02/ 01 128 Desi gnat f r wr d 200000 400000 32768. 00A012010101 128. 03 1
01/ 02/ 02 128 Desi gnat f r wr d 200000 400000 32768. 00A012010101 128. 04 1
01/ 02/ 03 128 Al t er n di scr 200000 200000 32768. 00A012112990 128. 20 1
01/ 02/ 04 128 Root f r wr d 200000 200000 32768. 00A012112990 064. 21 3

Page 30

Enabling RSTP Debug Information
The debug rstp command enables and displays RSTP-related debug information.
The RSTP debug commands are not saved after reload.
By default, RSTP debug information is disabled.
Command Syntax
device-name#debug rstp {all | hand-shake | roles | flush}
device-name#no debug rstp {all | hand-shake | roles | flush}
all
Activates all RSTP debug options.
hand-shake
Activates Hand Shake protocol debugging (IEEE 802.1w).
roles
Activates port-role selection debugging
flush
Activates debugging of port table flushing (MAC addresses).
no
Disables the RSTP-related debug information display.
Example:
Below is an example of the debug output after a link failure:
t SpanRecv: 2008/ 01/ 01 04: 11: 03 : l i nk down on por t 1/ 2/ 4

0xa1391880 ( t SpanPRS) :
0xa1391880 ( t SpanPRS) : Sel ect - Por t - Rol es
=================
0xa1391880 ( t SpanPRS) : Por t 1/ 2/ 1 I s Desi gnat edPor t
0xa1391880 ( t SpanPRS) : End- Rol es- Sel ect i on

t SpanRecv: 2008/ 01/ 01 04: 11: 06 : l i nk up on por t 1/ 2/ 4

=================

Page 31


0xa139eb20 ( t SpanPRT) : Desi gnat ed synced por t 1/ 2/ 4
0xa139eb20 ( t SpanPRT) : Desi gnat ed pr oposi ng por t 1/ 2/ 4
=================

=================
0xa1391880 ( t SpanPRS) : Por t 1/ 2/ 4 I s BackupPor t
Displaying the RSTP Debug Status
The show debug rstp command displays the RSTP debug status.
Command Syntax
device-name#show debug rstp
Example
device-name#show debug rstp
RSTP debuggi ng st at us:
RSTP debug r ol es i s on
RSTP debug f l ush i s on
RSTP debug handshake i s on

Page 32

RSTP Configuration Example
The following is details RSTP configuration in a network and the devices within the network. For
more information regarding the formulas that appear in this example, refer to CalculatingtheSTP
Timerssection of the ConfiguringSpanningTreeProtocol (STP) chapter.

Figure 6: Rapid Spanning Tree Configuration Example
1. Enable RSTP:
DeviceA#configure terminal
DeviceA(config)#protocol
DeviceA(cfg protocol)#rapid-spanning-tree enable
2. Set the RSTP bridge priority to 4096, As a result the Device A becomes the Root Bridge:
DeviceA(cfg protocol)#rapid-spanning-tree priority 4096
3. Set the RSTP MaxAge timer to 10, due to the following calculation: Max_age = (4 x hello) +
(2 x dia) - 2, where the hello-time is 2 and the diameter is 2, according to the above figure:
DeviceA(cfg protocol)#rapid-spanning-tree max-age 10

Page 33

4. Set the RSTP forward-delay timer to 7, due to the following calculation: Forward_delay= ((4 x
hello) + (3 x dia)) / 2, where the hello-time is 2 and the diameter is 2, according to the above
figure:
DeviceA(cfg protocol)#rapid-spanning-tree forward-delay 7
Enable RSTP:
DeviceB#configure terminal
DeviceB(config)#protocol
DeviceB(cfg protocol)#rapid-spanning-tree enable
1. Enable RSTP:
DeviceC(config)#protocol
DeviceC(cfg protocol)#rapid-spanning-tree enable
DeviceC(cfg protocol)#exit
2. Set port 1/ 1/ 1 priority to 64 to cause it to be the forwarding port of Device C:
DeviceC(config)#interface 1/1/1
DeviceC(config-if 1/1/1)#rapid-spanning-tree priority 64
1. Enable RSTP:
DeviceD#configure terminal
DeviceD(config)#protocol
DeviceD(cfg protocol)#rapid-spanning-tree enable
DeviceD(cfg protocol)#exit
2. Set port 1/ 1/ 1 with path cost 40000:
DeviceD(config)#interface 1/1/1
DeviceD(config-if 1/1/1)#rapid-spanning-tree path-cost 40000
3. Configure ports 1/ 2/ 3 and 1/ 2/ 4 on Device D as edge ports, since they are attached to PCs.
This disables the topology change detection on these ports:
DeviceD(config-if 1/2/3)#rapid-spanning-tree edge-port
DeviceD(config-if 1/2/4)#rapid-spanning-tree edge-port
DeviceD(config-if 1/2/4)#end

Page 34

1. Enable RSTP:
DeviceE#configure terminal
DeviceE(config)#protocol
DeviceE(cfg protocol)#rapid-spanning-tree enable
DeviceE(cfg protocol)#exit
2. Configure ports 1/ 2/ 3 and 1/ 2/ 4 on Device E as edge ports, since they are attached to PCs:
DeviceE(config)#interface 1/2/3
DeviceE(config-if 1/2/3)#rapid-spanning-tree edge-port
DeviceE(config-if 1/2/3)#interface 1/2/4
DeviceE(config-if 1/2/4)#rapid-spanning-tree edge-port
DeviceE(config-if 1/2/4)#end
Displaying Device D Configuration:
DeviceD#show rapid-spanning-tree
Pr i or i t y = 32768
TopChanges = 5
Root Cost = 220000
MaxAge = 10 ( Sec)
TxHol dCount = 3
====================================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - +- - - - - -
01/ 01/ 01 128 Desi gnat f r wr d 40000 220000 32768. 00A012271420 128. 01 2
01/ 02/ 01 128 Root f r wr d 200000 20000 32768. 00A012270080 128. 03 2
01/ 02/ 02 128 Al t er n di scr 200000 20000 32768. 00A012270080 128. 04 1
01/ 02/ 03 128 Desi gnat f r wr d 200000 220000 32768. 00A012271420 128. 05 2
01/ 02/ 04 128 Desi gnat f r wr d 200000 220000 32768. 00A012271420 064. 06 2

NOTE
Port 1/ 2/ 2 is the Alternate port since the value of DPrt (the port Identifier of
the bridge port) for 1/ 2/ 1is better than 1/ 2/ 2. Device A is the root since its
bridge priority has the lowest value (4096).


Page 35

Displaying Device E Configuration:
DeviceE#show rapid-spanning-tree
Pr i or i t y = 32768
TopChanges = 5
Root Cost = 240000
MaxAge = 10 ( Sec)
TxHol dCount = 3

===============================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - +- - - - -
01/ 01/ 01 128 Root f r wr d 20000 220000 32768. 00A012271420 128. 01 2
01/ 02/ 02 128 Al t er n di scr 200000 200000 32768. 00A012271240 128. 03 1
01/ 02/ 03 128 Desi gnat f r wr d 200000 240000 32768. 00A012270120 128. 04 2
01/ 02/ 04 128 Desi gnat f r wr d 200000 240000 32768. 00A012270120 128. 04 2

NOTE
Select port 1/ 2/ 2 (connected to Device D) as alternate since the cost to the
root via this port is higher than via port 1/ 1/ 1.


Page 36

Supported Platforms
RSTP + +
Feature Standard MIBs RFCs
RSTP
IEEE 802.1d-1998
IEEE 802.1t-2001
IEEE 802.1w-2001
Public MIBs:
bridge.mib
rstp.mib
Private MIB,
prvt_switch.mib
RFC 1493, Definitions of
Managed Objects for Bridges
RFC 2863, Interfaces Group
MIB (configL2IfaceTable)

Page 1
Configuring Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) (Rev. 04)

Configuring Multiple Spanning Tree Protocol
(MSTP, IEEE 802.1s)
Table of Figures 3
Overview 4
MSTP Regions 4
MST Instances (MSTI) 4
MST-to-Single Spanning Tree (SST) Interoperability 5
The MSTI Parameters 6
Interoperability with 802.1D STP 7
Fast Ring Modes 8
Fast Ring 8
Interoperability Fast Ring10
IGMP Fast Recovery12
Cisco Compliance12
IEEE 802.1s-Compliant vs. Cisco-Compliant BPDUs12
MSTP Default Configuration17
MSTP Configuration Flow19
MSTP Configuration Commands20
Enabling/ Disabling MSTP22
Defining the Bridge Priority22
Defining the Port Priority23
Enabling/ Disabling MSTP and an MSTP Instance on a Port23
Mapping VLANs to an MST Instance24
Defining the MSTP Region Name24
Defining the Region Revision-Number 25
Saving the MSTP VLAN Mapping25
Exiting the MSTP Protocol Configuration Mode without Saving the MST Mapping25
Defining the Hello-Time26

Page 2

Defining the Forward-Delay Timer26
Defining the Maximum Aging Timer27
Defining the Maximum Hop Count 27
Enabling the MSTP Fast Ring Mode28
Configuring the Device as an MSTP Border Bridge28
Defining the Learning/ Flushing Mode in a Fast Ring29
Configuring Edge Ports29
Configuring the Path Cost31
Enabling the BPDU Guard31
Enabling/ Disabling BPDU Transmission32
Enabling/ Disabling the Loop Guard32
Enabling MSTP Migration (Interoperability with 802.1D) 33
Enabling MSTP Link Flapping33
Defining the Ports Link Type34
Enabling/ Disabling Root Restriction35
Enabling/ Disabling TCN Restriction35
Configuring the Cisco-Compliant Mode36
Restoring the Ports MSTP Defaults36
Displaying the MSTP Temporary Configuration36
Displaying the Current MSTP Configuration37
Displaying the MSTP Region Configuration38
Displaying the MSTP Configuration38
Displaying the MST Instances Configuration42
Enabling MSTP Debug Information44
Displaying the MSTP Debug45
MSTP Configuration Examples46
Pending Configuration46
MSTP Port Configuration47
MSTP Global Parameters Configuration48
Network Configuration50
Fast Recovery Configuration61
MSTP BPDU Guard, Loop Guard, Restricted Root and Restricted TCN Configuration63
Configuring a Fast Ring65

Page 3

Table of Figures
Figure 1: MSTP within a Region 5
Figure 3: MSTP in Ring Topology in a Link-Down Event 9
Figure 4: MSTP in Ring Topology with a Device in Link-Down Event 10
Figure 5: MSTP Configuration Flow19
Figure 6: Schematic MSTI Configuration50
Figure 7: Link Failure between Two Devicees58
Figure 8: Spanning Tree IGMP Fast Recovery Configuration Example61
Figure 9: BPDU Guard, Loop Guard, Restricted Root and Restricted TCN63
Figure 10: Fast Ring Topology65


Page 4

Overview
Based on RSTP, MSTP allows using multiple spanning tree instances (MSTI) while mapping each
VLAN or VLAN group to the most appropriate instance. Each MSTI is an RSTP instance that has
its own independent topology, thus improving network fault tolerance.
This protocol provides a faster convergence-time and load balancing. Telco Systems recovery time
for link or device failure is less than 50 milliseconds and can be tuned to as low as 15 milliseconds
(in a ring of up to 14 devices).
MSTP includes all its spanning tree information in a single BPDU format. This reduces the number
of BPDUs required on a LAN to communicate spanning tree information for each VLAN and
ensures backward compatibility with RSTP and STP.
For more information regarding VLANs, refer to the ConfiguringVLANsandSuper VLANs
MSTP Regions
An MSTP region is a collection of interconnected bridges that share the same MSTP configuration.
Devices in the same MST region share the following attributes:
region name
the regions revision number
the MST instance-to-VLAN assignment map (each VLAN can be maped only to one instance)
MST Instances (MSTI)
Each bridge in the MSTP region contains up to 16 MSTIs which act like separate RSTP bridges for
a specific set of configured VLANs. All MSTIs within the same region share the same protocol
timers, but each instance has its own topology parameters, such as root-device ID, root path-cost,
and active topology. By manipulating these parameters, systems administrator can modify the
spanning tree topology (defining forwarding ports and blocked ports) for the MSTI VLANs, thus
achieving traffic load-balancing within the region.
The MSTIs are identified by their instance ID:
Instance 0: this is the Common Internal Spanning Tree (CIST) to which all VLANs are
mapped by default. This instance is obligatory and cannot be removed.
Instances 115: user-configurable, optional instances, to which the system administrator maps
sets of VLANs.

Page 5

The figure below illustrates load balancing. In MSTI 1:
Device C is the MST Root
The port on Device B connected to Device A is blocked
Traffic for VLANs 101200 flows between Device C and Device A
However, for MSTI 2:
Device B is the MST Root
The port on Device C connected to Device A is blocked
Traffic for VLANs 201300 flows between Device B and Device A

Figure 1: MSTP within a Region
MST-to-Single Spanning Tree (SST) Interoperability
Load balancing is supported only within the MSTP region.
Outside the region the spanning tree information is carried by MST instance 0, enabling the MST
region to participate in the Common Spanning Tree (CST ) of legacy xSTP bridges and other
MSTP regions it is connected to.
This region is responsible for combining all Internal Spanning Tree (IST) information and
forwarding it to the CST, handling the CST information and setting the roles of the regions
boundary ports. As a consequence each MSTP region acts as a single RSTP bridge within the CST
topology.
Each region has only one boundary port that can be the regions Root port, connecting the region
to the CST Root bridge (the CIST Root). This port is called the Master port. Boundary ports
providing alternative paths from the region to the CIST Root are blocked (set to Alternative).
Boundary ports that provide connectivy to Designated LANs can be set as Designated ports.


Page 6

The MSTI Parameters
Table 1: MSTI Parameters
Boundary Ports Connect the designated bridge (an SST bridge or a bridge with a
different MST configuration) to a LAN.
A designated port identifies itself as a boundary port (the boundary flag
set) if it detects an STP bridge or receives an agreement message from
an RST or MST bridge with a different configuration.
The MST ports role at the boundary is not important; since they are
forced the same state as the IST port state. The IST port at the
boundary can take any port role except a backup port role.
IST Master The IST master of an MST region is the bridge with the lowest bridge
identifier and the lowest path cost to the CST root.
If an MST bridge is the root bridge of the CIST in a region, then it is
the IST master of that MST region.
If the CST root is outside the MST region, then one of the MST
bridges at the boundary is selected as the IST master. Other
bridges on the boundary that belong to the same region eventually
block the boundary ports that lead to the root.
If two or more bridges have an identical path to the root, you can
set a lower bridge priority value to make a specific bridge the IST
master.
The root path-cost and message age inside a region stay constant.
However the IST path cost is incremented and the IST remaining hops
are decremented at each hop.
Regional Root The MSTI Regional root is the root bridge of each MSTI within a region.
In case of IST, it is the CIST Regional root. Therefore, the terms IST
Master and CIST Regional root are interchangeable.
Edge Ports A port connected to a non-bridging device (for example, a host or a
device). A port that connects to a hub is also an edge port if the hub or
any LAN that is connected to it does not have a bridge.
An edge port can start forwarding as soon as its link is up.
Link-Type Rapid connectivity is established only on point-to-point links.
When connecting a port to another port through a point-to-point link and
the local port becomes a designated port, RSTP negotiates a rapid
transition with the other port, using the proposal-agreement handshake
to ensure a loop-free topology.
By default, the link-type is automatically determined by the ports duplex
state. However in case of a half-duplex link physically connected point-
to-point to a single port on a remote device running RSTP, you can
override the link-type default setting and enable rapid transitions to
Forwarding state.

Page 7

Message Age and
Hop Count
IST and MSTIs use a hop count mechanism similar to the IP time-to live
(TTL) mechanism. Users can configure the maximum MST bridge hop
count.
The MSTI root bridge sends a BPDU (or M-record) with the remaining
hop count. The bridge receiving the BPDU (or M-record) decrements the
remaining hop count by one.
If after decrementing, the hop count reaches zero, the bridge discards
the BPDU and ages out the port information. Non-root bridges propagate
the decremented count as the remaining hop count in the BPDUs they
generate.
Port Priority The port priority determines the ports Forwarding state in case of a loop.
MSTP selects the port with the highest priority (lower priority value) first.
In case all ports have the same priority, MSTP selects the port with the
lowest number and blocks all other ports.
Path Cost MSTP uses the path cost when selecting the forwarding port in case of a
loop.
The ports default path-cost derives from its link speed. However, you
can define lower cost values to ports you want selected first and higher
cost values to ports you want selected last.
In case all ports have the same path cost value, MSTP selects the port
with the lowest number and blocks all other ports.
Interoperability with 802.1D STP
A device running both MSTP and RSTP supports a built-in protocol migration mechanism that
enables it to interoperate with legacy 802.1D devices.
If this device receives a legacy 802.1D configuration BPDU (a BPDU with the protocol version set
to 0), it sends only 802.1D BPDUs on that port. An MSTP device can also detect that a port is at
the boundary of a region when it receives a legacy BPDU, an MST BPDU (version 3) associated
with a different region, or an RST BPDU (version 2).
However, the device cannot determine whether the legacy device is removed from the link (unless
the legacy device is the designated device). Therefore, it does not automatically revert to the MSTP
mode if it no longer receives 802.1D BPDUs.
Also, a device might continue to assign a boundary role to a port when the device to which it is
connected has joined the region.
If all the legacy devices on the link are RSTP devices, they can process MSTP BPDUs as if they are
RSTP BPDUs. Therefore, MSTP devices send either a version 0 configuration and TCN BPDUs
or version 3 MSTP BPDUs on a boundary port. A boundary port connects the designated device
to a LAN that is either a single spanning tree device or a device with a different MST configuration.

Page 8

Fast Ring Modes
Telco Systems fast ring mode shortens the MSTP convergence time below 50 milliseconds in case
of a disconnection in a ring topology.
To achieve this recovery time you have to ensure the following conditions:
Set the mstp learn-mode command to none or temporary-disabled (see Definingthe
Learning/ FlushingModeina Fast Ring). Alternatively use up to 100 MAC addresses in a standard
learning mode.
Configure up to 50 VLANs in MSTI 0.

NOTE
You can use the MSTP Fast Ring solution only in instance 0 .

Telco Systems offers two Fast Ring solutions:
Fast Ring
Interoperability Fast Ring

NOTE
Use a standard MSTP as a ring solution, if your network demands a topology
different from the one offered here.
Fast Ring
Use this solution when all the devices in the ring are Telco Systems devices.
To use Fast Ring:
1. Select one bridge to be the root bridge: set this bridges priority to the lowest value (0) and do
not enable the Fast Ring feature on this bridge (to avoid instability).
2. Configure all the user ports as MSTP edge ports.
3. To optimize network performance, increment the bridges priority value as you draw away
from the root bridge.

Page 9

The figure below shows a ring topology using MSTP:
Device 1 is the MST root bridge
All the ports have equal priority thus one of Device 8's uplink ports is in Alternate state.
In case of a link failure between Device 14 and Device 1:
1. Device 14 detects the link failure on its root port.
2. Telco Systems ring solution immediately changes the traffic flow to a new direction.

Figure 2: MSTP in Ring Topology in a Link- Down Event

Page 10

Interoperability Fast Ring
This solution is designed especially for interoperation with devices that do not support MSTP or
RSTP protocols. Use Interoperability Fast Ring when you use a non Telco Systems gateway as a
part of the ring.
The figure below shows a ring topology using MSTP, when one of the devices (Router, in the figure
below) does not support MSTP, but is capable of switching the MSTP BPDUs between the ports
connected in the topology.

Figure 3: MSTP in Ring Topology with a Device in Link- Down Event
To use an Interoperability Fast Ring:
1. Configure the two devices closest to the Router (Device 1 and Device 8) as Border Bridges to
avoid network-performance degrade.
2. Do not define any MSTP priorities on Border Bridges. These are automatically set once the
brdiges are set as border bridges.

Page 11

3. Increment the bridges priority value as you draw away from the root bridge, starting with
priority value 8192.
4. Configure all the user ports as MSTP edge ports.

Page 12

In case the link between Device 8 and the Router fails:
Device 1 becomes the root
Traffic changes its direction toward the new root
IGMP Fast Recovery
When using the IGMP Fast Recovery feature, multicast traffic takes advantage of the connectivity
and convergence time provided by MSTP.
For more information, refer to the Internet GroupMulticast Protocol (IGMP) Fast Recoverysection of the
ConfiguringSpanningTreeProtocol (STP) chapter of this User Guide.
Cisco Compliance
Cisco compliance is a feature that enables the Cisco-compliant mode, changing the BPDU format
to conform to the standard adopted in Cisco devices.
When the device is not in Cisco-compliant mode, the root port is synchronized only if it receives an
agreement together with the proposal flag from the designated port.
IEEE 802.1s-Compliant vs. Cisco-Compliant BPDUs
Both Cisco-compliant and IEEE 802.1s-compliant modes, send an Agreement flag in response to a
Proposal flag when the port transitions to Root role. However there are differences between the
two modes in the conditions under which the Agreement flag is set:
In the standard IEEE 802.1s-compliant mode, MSTP sets the Agreement flag when:
the port is either a Designated or a Root port
and
all the device ports are synchronized (when all the ports participate only in loop-free
topologies)
In Cisco-compliant mode the Agreement flag is set also when the port is going to Alternate
role.
The following two tables compare two BPDUs:
Table2 displays a BPDU generated in IEEE 802.1s-compliant mode and includes two
M-records.
Table3 displays a BPDU generated in Cisco-compliant mode, parsed in the format generated
by Cisco devices.

Page 13

Standard BiNOS Dump (IEEE 802.1s-Compliant)
01 80 c2 00 00 00 00 a0 12 11 29 92 00 89 42 42
03 00 00 03 02 4e 80 00 00 a0 12 11 29 92 00 00
00 00 80 00 00 a0 12 11 29 92 80 0b 00 00 14 00
02 00 0f 00 00 00 60 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 01 60 b0 d3 6e cc e1
45 40 14 da 65 22 bd 08 f 3 cd 00 00 00 00 80 00
00 a0 12 11 29 92 28 4e 80 01 00 a0 12 11 29 92
00 00 00 00 80 80 28 4e 80 02 00 a0 12 11 29 92
00 00 00 00 80 80 28
Cisco-Compliant Dump
01 80 c2 00 00 00 00 08 a3 37 f 1 c1 00 84 42 42
03 00 00 03 02 68 60 00 00 07 eb d5 a2 00 00 00
00 00 60 00 00 07 eb d5 a2 00 80 01 00 00 14 00
02 00 0f 00 00 00 00 5a 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 64 b1 f 4 bb 1f 3c
6d 4d a3 00 94 c1 11 b7 c0 92 60 00 00 07 eb d5
a2 00 00 00 00 00 14 00 01 69 60 01 00 07 eb d5
a2 00 00 00 00 00 60 01 00 07 eb d5 a2 00 80 01
14 00

Table 2: BiNOS BPDU Parsed According to IEEE 802.1s
Field Name Content
ETH Dest. 01 80 c2 00 00 00
ETH Src 00 a0 12 11 29 92
ETH Len 00 89
LLC 42 42 03
Protocol Identifier 00 00
Protocol version Identifier 03
BPDU type 02
CIST Flags 4e
CIST Root Identifier 80 00 00 a0 12 11 29 92
CIST Ext. Path Cost 00 00 00 00
CIST Regional Root Identifier 80 00 00 a0 12 11 29 92
CIST Port Identifier 80 0b
Message age 00 00
MaxAge 14 00
Hello-time 02 00
Forward-delay 0f 00

Page 14

Field Name Content
Version 1 length (must be 0) 00
Version 3 length (Mrecords total length) 00 60
MSTI configuration Identifier (Key,
Revision, Name) 51 Bytes
00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 01 60
b0 d3 6e cc e1 45 40 14 da 65 22 bd
08 f3 cd
CIST Internal Root Path Cost 00 00 00 00
CIST Bridge Identifier 80 00 00 a0 12 11 29 92
CIST Remaining hops 28
MSTI1
Flags
MSTI Regional Root Identifier
MSTI Internal root path cost
MSTI Bridge Priority
MSTI Port Priority
MSTI Remaining hops

4e
80 01 00 a0 12 11 29 92
00 00 00 00
80
80
28
MSTI2
Flags
MSTI Regional Root Identifier
MSTI Internal root path cost
MSTI Bridge Priority
MSTI Port Priority
MSTI Remaining hops

4e
80 02 00 a0 12 11 29 92
00 00 00 00
80
80
28

Table 3: Cisco BPDU Parsed by a Telco Systems Device
Field Name Content Notes
ETH Dest. 01 80 c2 00 00 00 Matches the IEEE-802.1s
ETH Src 00 08 a3 37 f1 c1
ETH Len 00 84
LLC 42 42 03
Protocol Identifier 00 00
Protocol version Identifier 03
BPDU type 02
CIST Flags 68
CIST Root Identifier 60 00 00 07 eb d5 a2 00
CIST Ext. Path Cost 00 00 00 00
CIST Bridge Identifier 60 00 00 07 eb d5 a2 00
CIST Port Identifier 80 01

Page 15

Message age 00 00
MaxAge 14 00
Hello-time 02 00
Forward-delay 0f 00
Version 1 length (must be
0)
00
Extra byte 00 If the Cisco BPDUs are parsed
as specified in the IEEE 802.1s
standard, some offsets and
shifts may cause wrong values
for the M-records and for the
matching fields that are located
after the version 3 length
CIST Internal root path cost,
CIST Bridge identifier, CIST
remaining hops.
Version 3 length (Mrecords
total length)
00 5a
MSTI configuration
Identifier (Key, Revision,
Name) 50 Bytes.
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 64 b1 f4 bb 1f 3c
6d 4d a3 00 94 c1 11 b7 c0 92
The first byte of the
configuration is called selector,
and is omitted (or over-ridden
by the version 3 length field).
CIST Regional Root
Identifier
60 00 00 07 eb d5 a2 00 Fields order is flipped.
CIST Remaining hops2
bytes instead of 1.
14 00 Extra byte-Cisco BPDU with no
MSTIs ends here and contains
the extra byte.
MSTI1 The whole M-Record structure
is different. In the 802.1s there
is no MSTID field. The priority
of the sending bridge and the
port priority are sent without
bridge ID and port ID of the
sending bridge.
MSTID 01 The whole M-Record structure
sending bridge.
Flags 69 The whole M-Record structure
sending bridge.

Page 16

MSTI Regional Root
Identifier
60 01 00 07 eb d5 a2 00 The whole M-Record structure
sending bridge.
MSTI Internal root path
cost
00 00 00 00 The whole M-Record structure
sending bridge.
MSTI Transmitting Bridge
Identifier
60 01 00 07 eb d5 a2 00 The whole M-Record structure
sending bridge.
MSTI Port Identifier 80 01 The whole M-Record structure
sending bridge.
MSTI Remaining hops 14 00 The whole M-Record structure
sending bridge.

Page 17

MSTP Default Configuration
Table 4: MSTP Default Configuration
MSTP Disabled
MSTP port priority 128
Hello-time 2 seconds
Forward-delay time 15 seconds
Maximum aging time 20 seconds
Maximum hop count 40 hops
Revision number 1
Default MST Instance 0
Bridge priority 32768
Path cost See Table 5
Edge port Disabled
Flush edge port Disabled
Link-type Auto
MSTP Link Flapping feature Disabled
Cisco MSTP compliance Disabled (IEE 802.1s-2002 compliance is enabled)
Fast Ring mode Disabled
Fast Ring Border Bridge mode Disabled
Learn mode Standard
BPDU guard Disabled
Loop guard Disabled
Restricted root Disabled
Restricted TCN Disabled
MSTP debug Disabled

Page 18

Table 5: Default Path Cost Configuration (IEEE802.1s)
<=100 Kbps 200,000,000 20,000,000200,000,000 1200,000,000
1 Mbps 20,000,000 2,000,00020,000,000 1200,000,000
10 Mbps 2,000,000 200,0002,000,000 1200,000,000
100 Mbps 200,000 20,000200,000 1200,000,000
1 Gbps 20,000 2,000200,000 1200,000,000
10 Gbps 2,000 20020,000 1200,000,000
100 Gbps 200 202,000 1200,000,000
1 Tbps 20 2200 1200,000,000
10 Tbps 2 120 1200,000,000

Page 19

MSTP Configuration Flow

Figure 4: MSTP Configuration Flow
Start
Define the MSTP Timers (hello-time, forward-delay,
MaxAge, max-hops)
Configure the loop free ports as edge ports
Enable the BPDU Guard
Enable the MSTP Fast Ring mode
Configure the learning mode
End

Page 20

MSTP Configuration Commands
The MSTP default values are sufficient for obtaining a loop-free redundant network topology.
However, to enforce topology demands on the dynamically built topology, configure several
parameters before connecting the network.
Table 6: MSTP Global Configuration Commands
Command Description
mstp Enables/disables MSTP (see Enabling/Disabling MSTP)
mstp priority Defines the MSTP bridge priority (see Defining the Bridge
Priority)
mstp port-priority Defines the MSTP port priority (see Defining the Port Priority)
mstp Enables/disables MSTP on a specified port (see
Enabling/Disabling MSTP and an MSTP Instance on a Port)
instance vlan Maps a VLAN to an MSTP instance (see Mapping VLANs to an
MST Instance)
name Defines the configuration name (see Defining the MSTP Region
Name)
revision Defines the configuration revision (see Defining the Region
Revision-Number)
apply Saves the MST configuration map and exits the configuration
(see Saving the MSTP VLAN Mapping)
abort Exits the MSTP configuration without saving the MST
configuration map (see Exiting the MSTP Protocol Configuration
Mode without Saving the MST Mapping)
mstp hello-time Defines the hello-time (see Defining the Hello-Time)
mstp forward-delay Defines the forward-delay timer (see Defining the Forward-Delay
Timer)
mstp max-age Defines the maximum aging time (seeDefining the Maximum
Aging Timer)
mstp max-hops Defines the max-hop count (see Defining the Maximum Hop
Count)
mstp fast-ring ring-
ports
Enables the Fast Ring mode (see Enabling the MSTP Fast Ring
Mode)
mstp fast-ring border-
bridge
Enables the Ring Border Bridge functionality (see Configuring
the Device as an MSTP Border Bridge)
mstp learn-mode Defines the mode in which the MAC addresses are
learnt/flushed (see Defining the Learning/Flushing Mode in a
Fast Ring)
mstp edge-port Configures the edge port (see Configuring Edge Ports)
mstp path-cost Configures sn MSTP port path-cost (see Configuring the Path
Cost )
mstp bpdu-rx Prevents an MSTP edge port from receiving BPDUs (see
Enabling the BPDU Guard)


Page 21

Table 7: MSTP Port Configuration Commands
Command Description
mstp bpdu-tx Enables/disables sending BPDU packets on a specified port
(see Enabling/Disabling BPDU Transmission)
mstp detect-bpdu-loss Enables/disables Loop Guard on a port (see Enabling/Disabling
the Loop Guard)
mstp detect-protocols Enables MSTP migration (see Enabling MSTP Migration
(Interoperability with 802.1D))
mstp link-flapping Enables the MSTP Link Flapping feature (see Enabling MSTP
Link Flapping)
mstp link-type Specifies a ports link type (see Defining the Ports Link Type)
mstp restrict-root Enables/disables the selection of a port as the root port (see
Enabling/Disabling Root Restriction)
mstp restrict-tcn Enables/disables the propagation of TCNs to other ports on the
device (see Enabling/Disabling TCN Restriction)
mstp cisco-compliant Forces the port to work in compliance with Cisco devices (see
Configuring the Cisco-Compliant Mode)
mstp default Restores the default MSTP settings (see Restoring the Ports
MSTP Defaults)

Table 8: MSTP Display Commands
Command Description
show pending Displays the temporary MSTP configuration (see Displaying the
MSTP Temporary Configuration)
show Displays the MSTP configuration (see Displaying the Current
MSTP Configuration)
show mstp configuration Displays the MSTP configuration in the current region (see
Displaying the MSTP Region Configuration)
show mstp Displays the whole MSTP configuration (see Displaying the
MSTP Configuration)
show mstp instance Displays the configured instances (see Displaying the MST
Instances Configuration)

Table 9: MSTP Debug Commands
Command Description
debug mstp Debugs the port roles and port handshaking (see Enabling
MSTP Debug Information)
show debug mstp Displays the debug MSTP logs (see Displaying the MSTP
Debug)

Page 22

Enabling/Disabling MSTP
The mstp command enables/ disables the MSTP and enters MSTP Protocol Configuration mode.
MSTP is disabled by default.
Command Syntax
device-name(cfg protocol)#mstp [enable | disable]
enable
(Optional) enables MSTP
disable
(Optional) disables MSTP
Defining the Bridge Priority
The mstp priority command defines the bridge priority of an MSTP instance.

NOTE
Do not define any bridge priority to 0 or 4096 when using Fast Ring Border Bridge
mode.

The default MSTP priority is 32768.
Command Syntax
device-name(cfg protocol)#mstp <instance-id> priority <priority>
device-name(cfg protocol)#no mstp <instance-id> priority
instance-id
The MSTP instance ID, in the range of <115>
priority
<priority>
The bridge priority values: 0, 4096, 8192, 12288, 16384, 20480, 24576,
28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.
The bridge with the highest bridge priority (the lowest numerical priority
value) is selected as Root device.
no
Restored to default


Page 23

Defining the Port Priority
The mstp port-priority command defines the MSTP port priority.
The default port priority is 128.
Command Syntax
device-name(config-if UU/SS/PP)#mstp <instance-id> port-priority <priority>
device-name(config-if UU/SS/PP)#no mstp <instance-id> port-priority
instance-id
priority
<priority>
The port priority value, in the range of <0240>, in multiple of 16 (for
example: 0, 16, 32)
Assign higher priority (lower values) to ports you want selected first
no
Restores to default
Enabling/Disabling MSTP and an MSTP Instance on a
Port
The mstp command enables/ disables MSTP on a specified port.
Using this command, you can also enable/ disable an MSTP instance on the port. When enabling
this option, the port forwards traffic of all VLANs belonging to the particular MSTP instance.
By default, all instances are enabled on all ports.
Command Syntax
device-name(config-if UU/SS/PP)#mstp <instance-id> {enable | disable}
device-name(config-if-group)#mstp <instance-id> {enable | disable}
enable
Enables MSTP on the specified port
disable
Disables MSTP on the specified port
instance-id
If you specify this option, the selected MSTP instance is disabled and the
MSTP port role in that instance is disabled.


Page 24

Mapping VLANs to an MST Instance
The instance vlan command maps VLANs to an MST instance. You can map each VLAN to
one MST instance; therefore mapping a VLAN to an MST instance removes them from the VLAN
list.
CLI Mode: MSTP Protocol Configuration
By default, all VLANs are mapped to instance 0.
Command Syntax
device-name(cfg protocol mstp)#instance <instance-id> vlan VLAN-LIST
device-name(cfg protocol mstp)#no instance <instance-id>
instance-id
The MSTP instance ID, in the range of <115>. Instance 0 is mandatory while
others are optional.
VLAN-LIST
The list of VLANs mapped to this instance, in the range of <24094>.
To specify a VLAN rane, use a hyphen, for example:
instance 1 vlan 1-63
To specify a VLAN list, type the VLAN numbers in an increasing order,
separating them with commas, for example:
instance 1 vlan 10, 20, 30
no
Restores to default
Defining the MSTP Region Name
The name command defines the MSTP region name.
Command Syntax
device-name(cfg protocol mstp)#name NAME
device-name(cfg protocol mstp)#no name
NAME
The MSTP region name, a case-sensitive string of up to 31 characters
no
Removes the name
Example
device-name(cfg protocol mstp)#name region1

Page 25

Defining the Region Revision-Number
The revision command defines the region revision-number.
The default revision number is 1.
Command Syntax
device-name(cfg protocol mstp)#revision <revision-number>
device-name(cfg protocol mstp)#no revision
revision-number
The revision number, in the range of <065535>
no
Restores to default
Example
device-name(cfg protocol mstp)#revision 1
Saving the MSTP VLAN Mapping
The apply command saves the MSTP VLAN mapping and exits the MSTP Protocol
Configuration mode (this commands has the same affect as the exit command or <Ctrl+D>).
Command Syntax
device-name(cfg protocol mstp)#apply
Exiting the MSTP Protocol Configuration Mode without
Saving the MST Mapping
The abort command exits the MSTP Protocol Configuration mode without saving the MST
configuration map. Use this command if you do not want to save the VLAN mapping.
Command Syntax
device-name(cfg protocol mstp)#abort

Page 26

Defining the Hello-Time
The mstp hello-time command defines the hello-time for all MST instances. The hello-time is
the interval between consecutive configuration messages generated by the root device, indicating
that the device is alive.
The default hello-time is 2 seconds.
Command Syntax
device-name(cfg protocol)#mstp hello-time <seconds>
device-name(cfg protocol)#no mstp hello-time
seconds
The MSTP hello-time, in the range of <110>seconds
no
Restores to default
Defining the Forward-Delay Timer
The mstp forward-delay command configures the forward-delay time for all MST instances. The
forward-delay is the time the port waits in Learning and Listening states before moving to
Forwarding state.
The default forward-delay time is 15 seconds.
Command Syntax
device-name(cfg protocol)#mstp forward-delay <seconds>
device-name(cfg protocol)#no mstp forward-delay
seconds
The MSTP forward-delay time, in the range of <430>seconds
no
Restores to default


Page 27

Defining the Maximum Aging Timer
The mstp max-age command configures the maximum-aging (MaxAge) time for all MST
instances. The MaxAge time is the number of seconds a device waits without receiving
configuration messages before attempting a reconfiguration.
The default maximum aging time is 20 seconds.
Command Syntax
device-name(cfg protocol)#mstp max-age <seconds>
device-name(cfg protocol)#no mstp max-age
seconds
The MSTP MaxAge time, in the range of <640>seconds
no
Restores to default
Defining the Maximum Hop Count
The mstp max-hops command defines the maximum number of hops allowed in a region before
discarding a BPDU.
The default max-hops count is 40.
Command Syntax
device-name(cfg protocol)#mstp max-hops <hops-count>
device-name(cfg protocol)#no mstp max-hops
hops-count
The number of hops in a region, in the range of <140>
no
Restores to default


Page 28

Enabling the MSTP Fast Ring Mode
The mstp fast-ring ring-ports command enables the MSTP Fast Ring mode. The command
defines the two physical ports that provide connectivity in the ring.

NOTE
Avoid using this command for any topology other than a ring topology.

By default, MSTP Fast Ring is disabled.
Command Syntax
device-name(cfg protocol)#mstp fast-ring ring-ports UU1/SS1/PP1 UU2/SS2/PP2
device-name(cfg protocol)#no mstp fast-ring
UU1/SS1/PP1
Specifies the first ring port
UU2/SS2/PP2
Specifies the second ring port
no
Restores to default
Configuring the Device as an MSTP Border Bridge
The mstp fast-ring border-bridge command configures the device as a border bridge,
enabling the Ring Border Bridge functionality.
By default, the MSTP Ring Border Bridge is disabled.
Command Syntax
device-name(cfg protocol)#mstp fast-ring <instance-id> border-bridge
preferred-link UU/SS/PP
device-name(cfg protocol)#no mstp fast-ring <instance-id> border-bridge
instance-id
The instance ID the Ring Border Bridge functionality operates.
NOTE
Uou can use the MSTP Fast Ring solution only in instance 0
(CIST).
preferred-link
The preferred MSTP Fast Ring physical port that connects the ring
topology to the network gateway.
Configure the preferred Fast Ring physical using the mstp fast-ring
ring-ports command.

Page 29

UU/SS/PP
The preferred ring port.
no
Restores to default
Defining the Learning/Flushing Mode in a Fast Ring
The mstp learn-mode command defines the mode in which MAC addresses are learned and
flushed.
By default, learning/ flushing is permanently enabled, using a standard learning mode.
Command Syntax
device-name(cfg protocol)#mstp learn-mode {none | temporary-disabled [<2-100>]
| standard}
none
Permanently disables learning on non-edge/ring ports
temporary-
disabled
Enables learning, except for cases where an MSTP topology change occurs
and learning is temporarily disabled
2-100
(Optional) defines the time period learning is disabled after a topology change
occurred, in the range of <2100>seconds
standard
Permanently enables learning on non-edge/ring ports
Configuring Edge Ports
The mstp edge-port command changes the ports administrative status, setting it as an Edge Port

NOTE
If the device receives a BPDU on a port configured as an edge port, the port
automatically reverts to Disabled status. After a link up/ down, the port returns to the
Edge port administrative status.


Page 30

The EdgePort parameter is controlled by the MSTP state machine and the CLI.
Table 10: MSTP Edge Port
Type Description
Admin
EdgePort
Configuring a port as an Edge port is known as Administrative Edge Port. This
indicates that the port is permitted to transition directly to Forwarding state when
it becomes designated.
Configure Edge ports on ports that are known to be at the edge of the bridged
LAN in order to transition to Forwarding without delay.
EdgePort The ports actual status is known as its operational state. This indicates whether
the port operates as an Edge Port or not.
When a port that was configured as Administrative Edge Port receives a BPDU,
it automatically changes its operational state to operate as a non-Edge Port, in
order to prevent loops in the network.
Therefore, if a port marked as an edge port proves not to be one (due to the
presence of another bridge), it ceases to behave like an edge port until it is
reinitialized (either by a link up/down event or by reissuing the CLI command).
By default, the port is not an edge port. If you set the port as an edge port, the Flush Port option is
disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp edge-port [flush-port]
device-name(config-if UU/SS/PP)#no mstp edge-port [flush-port]

device-name(config-if-group)#mstp edge-port [flush-port]
device-name(config-if-group)#no mstp edge-port [flush-port
flush-port
(Optional) MSTP flushes the edge port it is configured on, when the link on
the port is down.
Use the MSTP edge port when neither the device connected to the port nor
the network connected to this device is MSTP enabled (configure an MSTP
edge port only if there is no possibility that BPDUs are received on the
connected port). If you connect a network (not a single device) to the port,
use the Flush Port option to prevent sending packets to unconnected links.
no
Configures the edge port value to its default settings. Also it disables the
admin status.


Page 31

Configuring the Path Cost
The mstp path-cost command configures the path cost of an MST instance. A lower path cost
represents a higher-speed transmission.
Table5 displays the default value calculated by the ports media speed.
Command Syntax
device-name(config-if UU/SS/PP)#mstp <instance-id> path-cost <cost>
device-name(config-if UU/SS/PP)#no mstp <instance-id> path-cost
instance-id
cost
The path cost value, in the range of <1200000000>. Assign lower cost
values to ports you want to select first and higher-cost values to other
ports.
no
Restores to default
Enabling the BPDU Guard
The mstp bpdu-rx command prevents an MSTP edge port from receiving BPDUs.

NOTE
This command takes effect only if the port is an MSTP edge port.

The default value is standard.
Command Syntax
device-name(config-if UU/SS/PP)#mstp bpdu-rx {discard | disable-port |
standard}
device-name(config-if-group)#mstp bpdu-rx {discard | disable-port | standard}
discard
The port drops BPDUs received on it and continues to operate as an edge
port.
NOTE
Use this option to prevent receiving unwanted BPDU packets
from user ports.
disable-port
Disables the port when it receives
standard
Processes received BPDUs and invalidates the edge ports operational status

Page 32

Example
Configure the device to disable port 1/ 2/ 3 if a BPDU is received on it:
device-name(config-if 1/2/3)#mstp bpdu-rx disable-port
Enabling/Disabling BPDU Transmission
The mstp bpdu-tx command enables/ disables BPDU packets transmission on the specified port.
CLI Mode: Interface Configuration, Interface Range Configuration
BPDU transmission is enabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp bpdu-tx {enable | disable}
device-name(config-if-group)#mstp bpdu-tx {enable | disable}
enable
Enables the BPDU transmission
disable
Disables the BPDU transmission
Enabling/Disabling the Loop Guard
The mstp detect-bpdu-loss command enables/ disables the Loop Guard on a port.
For more information regarding this feature, refer to the STP LoopGuardsection of Configuring
SpanningTreeProtocol (STP) chapter.
CLI Mode: Interface Configuration, Interface Range Configuration
Loop Guard is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp detect-bpdu-loss {enable | disable}
device-name(config-if-group)#mstp detect-bpdu-loss {enable | disable}
enable
Enables Loop Guard on the port
disable
Disables Loop Guard on the port
This parameter does not change the ports state, if the port is not a Designated
port, even if the port stops receiving BPDUs from its peer port.

Page 33

Example
device-name(config-if 1/2/2)#mstp detect-bpdu-loss disable
Enabling MSTP Migration (Interoperability with 802.1D)
The mstp detect-protocols command defines the MSTP communication mode. The command
instructs MSTP to send the next BPDU as an MSTP/ RSTP BPDU.
The command does not reboot the port or send a BPDU immediately.
Command Syntax
device-name(config-if UU/SS/PP)#mstp detect-protocols
device-name(config-if-group)#mstp detect-protocols
Enabling MSTP Link Flapping
The mstp link-flapping command enables the MSTP Link Flapping detection feature.
MSTP Link Flapping is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp link-flapping <period>
device-name(config-if UU/SS/PP)#no mstp link-flapping

device-name(config-if-group)#mstp link-flapping <period>
device-name(config-if-group)#no mstp link-flapping
period
The flapping interval (the time between a LinkDown and LinkUp status), in the range
of <20010000>milliseconds (recommended interval is 2000 ms). The link shuts
down if the flapping interval is lower than the time defined.
no
Example 1
Set the MSTP Link Flapping control period to 1.5 seconds on port 1/ 1/ 1:
device-name(config-if 1/1/1)#mstp link-flapping 1500

Page 34

Example 2
Disable MSTP Link Flapping on ports 1/ 2/ 11/ 2/ 4:
device-name(config)#interface range 1/2/1-1/2/4
device-name(config-if-group)#no mstp link-flapping
Defining the Ports Link Type
The mstp link-type command defines the RSTP ports administrative link-type.
There are two statuses of link-type:
Table 11: MSTP Link-types
Link-Type Description
auto The device automatically manages the port's link-type. The
device considers the port connected to a point-to-point LAN
segment if any of the following conditions are met:
The MST algorithm determines that the LAN segment
operates in full duplex mode.
If you configure the port by management means to a
full duplex operation. Otherwise, consider the MAC to
be connected to a LAN segment that is not point-to-
point (shared media).
point-to-point Consider the device connected to a point-to-point LAN
segment that forces the operational link-type to be point-to-
point.
Admin Link-Type
shared Consider the device connected to a shared media LAN
segment that forces the operational link-type to be shared.
Operational Link-
Type
If you configure Admin link-type to auto, then you can determine the value of
Operational link-type in accordance with the specific procedures defined for
the device entity, as defined in Admin link-type (auto).
If the port is connected to a point-to-point LAN segment, then Operational
link-type is set to point-to-point, otherwise it is set to shared.
In the absence of a specific definition of how to determine whether the
device is connected to a point-to-point LAN segment or not, the value of link-
type is shared.

The default link type is Auto.
Command Syntax
device-name(config-if UU/SS/PP)#mstp link-type {auto | point-to-point |
shared}
device-name(config-if UU/SS/PP)#no mstp link-type {auto | point-to-point |
shared}

device-name(config-if-group)#mstp link-type {auto | point-to-point | shared}
device-name(config-if-group)#no mstp link-type {auto | point-to-point | shared}

Page 35

auto Sets the RSTP link-type to auto.
point-to-point Sets the RSTP link-type to point-to-point.
shared Sets the RSTP link-type to share.
Enabling/Disabling Root Restriction
The mstp restrict-root command enables/ disables the selection of a port as the Root port.
Root restriction is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp restrict-root {enable | disable}
device-name(config-if-group)#mstp restrict-root {enable | disable}
enable
Enables root restriction on the specified port (the port is not selected as Root
port)
disable
Disables root restriction
Enabling/Disabling TCN Restriction
The mstp restrict-tcn command enables/ disables receiving Topology Change notifications
(TCN) and propagating them to other ports on the device (for more information refer to the
ConfiguringSpanningTreeProtocol (STP) chapter).
TCN restriction is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp restrict-tcn {enable | disable}
device-name(config-if-group)#mstp restrict-tcn {enable | disable}
enable
Enables TCN restriction: the port does not propagate detected topology
changes to other ports on the bridge and other bridges in the topology. This
prevents the unnecessary update of learnt devices locations.
disable
Disables TCN restriction.


Page 36

Configuring the Cisco-Compliant Mode
The mstp cisco-compliant command changes the ports mode to Cisco-compliant mode. Use
this mode for ports connected to Cisco devices.
By default, the device is IEEE 802.1s-compliant.
Command Syntax
device-name(config-if UU/SS/PP)#mstp cisco-compliant
device-name(config-if UU/SS/PP)#no mstp cisco-compliant

device-name(config-if-group)#mstp cisco-compliant
device-name(config-if-group)#no mstp cisco-compliant
no
Restores to default
Restoring the Ports MSTP Defaults
The mstp default command restores the ports MSTP configuration default values.
Command Syntax
device-name(config-if UU/SS/PP)#mstp default
device-name(config-if-group)#mstp default
Displaying the MSTP Temporary Configuration
The show pending command displays the temporary MSTP configuration. The command displays
the region name, revision number, and the VLAN-to-MSTI mapping.
Command Syntax
device-name(cfg protocol mstp)#show pending

Page 37

Example
Pendi ng MST conf i gur at i on
Name r egi on 1
Revi si on 1
I nst ance Vl ans mapped
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 1- 4094
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Displaying the Current MSTP Configuration
The show command displays the current MSTP configuration. The command displays the region
name, revision number, and the VLAN-to-MSTI mapping.
Command Syntax
device-name(cfg protocol mstp)#show
Example
device-name(cfg protocol mstp)#show
Name [ ]
Revi si on 1
- - - - - - - - - - - - - - - - - - - - - - - - - - -
0 1- 10, 12- 13
1 14- 4094
6 11
- - - - - - - - - - - - - - - - - - - - - - - - - - - -

Page 38

Displaying the MSTP Region Configuration
The show mstp configuration command displays the current regions MSTP configuration.
CLI Mode: MSTP Protocol Configuration and Privileged (Enable)
Command Syntax
device-name(cfg protocol mstp)#show mstp configuration
device-name#show mstp configuration
Example
device-name(cfg protocol mstp)#show mstp configuration

Name [ man]
Revi si on 56
- - - - - - - - - - - - - - - - - - - - - - -
0 1- 10, 12- 13
1 14- 4094
6 11
- - - - - - - - - - - - - - - - - - - - - - - -
Displaying the MSTP Configuration
The show mstp command displays the MSTP configuration and the MSTP ports state.
The tables below describe the parameters displayed by this command.
Command Syntax
device-name#show mstp

Page 39

Example
Mul t i pl e spanni ng t r ees = enabl ed
Pr ot ocol Speci f i cat i on = i eee8021s
Pr i or i t y = 32768
TopChanges = 1
CI ST Root = 32768. 00: A0: 12: 0A: 01: B6
CI ST Por t = 01/ 02/ 01
CI ST Ext er nal Pat h Cost = 200000
MaxAge = 20 ( Sec)
Pr ot oMi gr at i oDel ay = 3 ( Sec)
MaxHopCount = 40
TxHol dCount = 3
Fast Ri ng = di sabl ed
Lear nMode = St andar d

MST00
VLAN mapped = 1- 4094
Pr i or i t y = 32768
Regi onal Root = Thi s br i dge i s t he r oot
Remai ni ngHopCount = 40
TopChanges = 1
Bor der Br i dge = di sabl ed
=====================================================================
Por t | Pr i | Pr t r ol e| St at e| PCost | DCost | Desi gnat ed br i dge | DPr t
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - +- - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 02/ 02 128 Root f r wr d 200000 0 00000. 00A0120F2F27 128. 006

MST01
VLAN mapped = 3
Pr i or i t y = 32768
TopChanges = 0
Bor der Br i dge = di sabl ed
========================================================================
Por t | Pr i | Pr t r ol e | St at e| PCost | DCost | Desi gnat ed br i dge | DPr t
- - - - - - - - - +- - - +- - - - - - - - - - - +- - - - - +- - - - - - +- - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 02/ 01 128 Desi gnat ed f r wr d 200000 200000 32768. 00A012270120 128. 002
01/ 02/ 02 128 Root f r wr d 200000 200000 32768. 00A0120A01B6 128. 024
01/ 02/ 03 128 Al t er nat e bl ock 200000 200000 32768. 00A012270120 128. 007

Page 40

Table 12: Parameters Displayed by show mst p Command
Mul t i pl e spanni ng t r ees Indicates whether MSTP is enabled or disabled on the device
Pr ot ocol Speci f i cat i on Displays the supported IEEE standard
Pr i or i t y The bridge priority
Ti meSi nceTopol ogyChange The time since the last topology change, in seconds
TopChanges The number of topology changes detected for all the MSTIs
CI ST Root The CIST regional root Identifier (the bridge Identifier of the
current CIST regional root)
CI ST Por t The port from which traffic flows to the CIST root
CI ST Cost The CIST path cost from the transmitting bridge to the CIST
regional root
MaxAge The maximum age of received protocol information before it is
discarded, in seconds
Hel l oTi me The hello-time time interval in seconds
For war dDel ay The forward-delay time in seconds
Br i dgeMaxAge The Max Age time in seconds
Br i dgeHel l oTi me The value of the hello-time parameter in seconds determining
the interval between transmissions of the following BPDUs:
BPDUs to all designated ports of the root device
BPDUs to designated ports of all devices in the topology
that have the same root
BPDUs to the root port during TCN
Br i dgeFor war dDel ay The forward-delay time in seconds, when the bridge is the root
or is attempting to become the root
Pr ot oMi gr at i oDel ay This value is used by the Protocol Migration Machine to limit the
transition between port states
MaxHopCount The maximum number of hops in a region before the BPDU is
discarded
TxHol dCount The value used to limit the rate of at which packets are sent
(relates to the port transmit state machine)
SpanI gmpFast Recover y Indicates whether the IGMP Fast Recovery feature is enabled
on the device
Fast Ri ng Indicates whether the Fast Ring feature is enabled on the device
MST00 Indicates MST instance 0
VLAN mapped The MSTI VLAN mapping
Regi onal Root The MSTI regional root
Remai ni ngHopCount The value that determines the scope of an MSTP region
TopChanges The number of the topology changes occurred in the specified
MSTI
Bor der Br i dge The MSTP ring border bridge status


Page 41

Table 13: Interface Parameters Displayed by show mst p Command
Por t The ports unit/slot/port
Pr i The port priority
Pr t Rol e The current port role(Root, Designated, Alternate, Backup, or
Disabled)
St at e The current port state(Disabled, Listening, Learning, Forwarding,
or Discarding)
PCost The actual cumulative distance to the Root bridge through this
port, when the port is the Root port, This is the sum of all
designated costs of the bridges along the path to the Root.
This value is added to the designaed cost parameter of the
Designated ports of this bridge and transmitted in the BPDUs
through Designated ports.
DCost The Root bridge path cost in the Configuration BPDUs root
identifier parameter, transmitted by the designated bridge for the
LAN the port is connected to.
Use this parameter to test the port identifier parameter value
Desi gnat ed br i dge The unique bridge identifier of one of the following:
(in case of a designated port) the bridge the port belongs to
the bridge believed to be the designated bridge for the LAN to
which the port is attached
Use this parameter:
together with the designated port and port identifier
parameters for the port to verify if this port is the designated
port of the LAN it is attached to
to test the value of the bridge identifier parameter conveyed
in received Configuration BPDUs
DPr t The bridge ports identifier through which the designated bridge
transmits configuration message information stored by this port.
Use this parameter:
together with the designated bridge and port identifier
parameters to verify if this port is the designated port of the
LAN to which the port is attached
by management to determine the topology of the bridged LAN

Page 42

Displaying the MST Instances Configuration
The show mstp instance command displays the specified MST instance configuration for a
specified port or for all ports.
Command Syntax
device-name#show mstp instance {<instance-id> | all} [interface UU/SS/PP]
instance-id
The MST instance ID, in the range of <015>
all
Displays all instances
interface UU/SS/PP
(Optional) specifies a port to display
Example
device-name#show mstp instance 0 interface 1/1/1
MST i nst ance 0
For war d Tr ansi t i ons = 34
Por t Rol e = Root
Por t Pat h Cost = 200000
CI ST Root = 24576. 0009B7990300
Ext er nal Por t Pat hCost = 200000
Desi gnat ed Root = Thi s br i dge i s t he r egi onal r oot
Desi gnat ed Br i dge = 24576. 0009B7990300
Desi gnat ed Por t I d = 96. 1
Desi gnat ed Pat h Cost = 200000
Admi nEdgePor t = di sabl ed
Oper EdgePor t = di sabl ed
BPDU pr ocessi ng = St andar d
Admi nLi nk- Type = Poi nt ToPoi nt
Li nk- Type = Poi nt ToPoi nt
Rest r i ct Root = enabl ed
Rest r i ct TCN = di sabl ed
Det ect l ost BPDUs = enabl ed
Runni ng Ver si on = RSTP
Li nk f l appi ng = di sabl ed

Page 43

Table 14: The MSTP show mst p i nst ance Command Parameters
Por t Enabl e
Indicates whether the port is enabled or disabled
Por t Pr i or i t y
The port priority for this MST instance
Por t St at e
The port state for this MST instance
For war d Tr ansi t i ons
The number of times the port has transitioned into Forward state
Por t Rol e
The port role for this MST instance
Por t Pat h Cost
The port path cost for this MST instance
CI ST Root
The CIST regional root identifier (the bridge identifier of the current
CIST regional root)
Ext er nal Por t Pat hCost
The external port path cost
Desi gnat ed Root
The designated root ID
Desi gnat ed Br i dge
The designated bridge ID for this network
Desi gnat ed Por t I d
The designated bridge port ID
Desi gnat ed Pat h Cost
The designated bridge port path cost
Admi nEdgePor t
The edge ports administrative settings
Oper EdgePor t
The current edge port working mode
BPDU pr ocessi ng
The port action if it receives a BPDU (applies to edge ports only)
Admi nLi nk- Type
The link-type administrative settings
Li nk- Type
The current link-type working mode
Rest r i ct Root
Whether root restriction is enabled
Rest r i ct edTCN
Whether TCN restriction is enabled
Det ect l ost BPDUs
Whether a loss of BPDUs is an indication for a link failure
Runni ng Ver si on
The MSTP version:
RSTP when the neighbor is an RSTP or MSTP device
STP when the neighbor is an STP device
Cisco-compliant if the Cisco-compliant mode is defined
Li nk Fl appi ng
The Link Flapping feature status and (if enabled) the control period

Page 44

Enabling MSTP Debug Information
The debug mstp command displays information related to port roles and port handshaking.
This command is not saved after a device reload.
Debug is disabled by default.
Command Syntax
device-name#debug mstp {roles | handshake} {all | <instance-id>}
device-name#no debug mstp {roles | handshake} {all | <instance-id>}
roles
The port roles to debug
handshake
Specifies the mechanism of proposals and agreements
all
Debugs all instances
instance-id
The MST instance ID, in the range of <015>
no
Disables the debug information display
Example
Below is a debug output:
mst p: Por t 1/ 1/ 1 mst i 1 Synced

mst p: Por t 1/ 1/ 1 mst i 1 Agr ees

mst p: Por t 1/ 1/ 1 mst i 0 Agr ees

mst p: Rer oot br i dge by ( 1/ 1/ 1 )

mst p: Por t 1/ 1/ 1 mst i 0 Rer oot ed

Page 45

Displaying the MSTP Debug
The show debug mstp command displays the MSTP debug status.
Command Syntax
device-name#show debug mstp
Example
device-name#show debug mstp
MSTP debuggi ng st at us:
| MSTI | Dbg Rol e| Dbg Handshake|
| 0 | ON | ON |
| 10 | ON | ON |
| 11 | ON | ON |

Page 46

MSTP Configuration Examples
Pending Configuration
The following example shows how to configure MSTP and display the temporary (pending)
configuration.
1. Enter the MSTP Protocol Configuration mode and map the VLANs ranging from 1 to 10 to
MST instance 1:
device-name(cfg protocol)#mstp
device-name(cfg protocol mstp)#instance 1 vlan 1-10
2. Assign the name region1 and the revision number 1 to the MSTP region:
device-name(cfg protocol mstp)#name region1
device-name(cfg protocol mstp)#revision 1
3. Display the pending configuration:

Name [ r egi on1]
Revi si on 1
- - - - - - - - - - - - - - - - - - - - - - -
0 11- 4094
1 1- 10

Page 47

MSTP Port Configuration
The following example shows how to configure MSTP on port 1/ 1/ 1 and how to display the
configuration.
1. Enable MSTP:
device-name(cfg protocol)#mstp enable
2. Assign port priority 16 to instance 0, and path cost 22 to instance 1. Enable BPDU guard,
restrict root, and restrict TCN on port 1/ 1/ 1:
device-name(config-if 1/1/1)#mstp 0 port-priority 16
device-name(config-if 1/1/1)#mstp 1 path-cost 22
device-name(config-if 1/1/1)#mstp detect-bpdu-loss enable
device-name(config-if 1/1/1)#mstp restrict-root enable
device-name(config-if 1/1/1)#mstp restrict-tcn enable
3. Display the MSTP port configuration:
device-name#show mstp instance all interface 1/1/1
MST i nst ance 0
Por t Rol e = Desi gnat ed
CI ST Root = 00000. 00A0120F2F27
Desi gnat ed Root = Thi s br i dge i s t he r egi onal r oot
Desi gnat ed Br i dge = 32768. 00A01211227A
Desi gnat ed Pat h Cost = 0
Rest r i ct edRoot = enabl ed
Rest r i ct edTCN = enabl ed
MST i nst ance 1

Page 48

Por t Rol e = Root
CI ST Root = 00000. 000000000000
Desi gnat ed Root = 32768. 00A012110708
Desi gnat ed Br i dge = 32768. 00A01211227A
Rest r i ct edRoot = enabl ed
Rest r i ct edTCN = enabl ed
MSTP Global Parameters Configuration
The following example shows how to configure MSTP global parameters.
1. Enable MSTP and set the forward-delay value to 5 seconds:
device-name(cfg protocol)#mstp enable
device-name(cfg protocol)#mstp forward-delay 5
2. Configure the following parameters: hello-time to 4 seconds, MaxAge time to 34 seconds, and
max-hop count to 23.
device-name(cfg protocol)#mstp hello-time 4
device-name(cfg protocol)#mstp max-age 34
device-name(cfg protocol)#mstp max-hops 23

Page 49

3. Display the MSTP configuration:
Pr i or i t y = 32768
TopChanges = 8
CI ST Root = 00001. 00: A0: 12: 0F: 2F: 27
CI ST Por t = 01/ 01/ 01
CI CT Ext er nal Pat h Cost = 200000
MaxAge = 20 ( Sec)
MaxHopCount = 23
TxHol dCount = 3

MST00
VLAN mapped = 2- 4094
Pr i or i t y = 32768
TopChanges = 8
Bor der Br i dge = Di sabl ed

====================================================================
Por t | Pr i | Pr t r ol e| St at e| PCost | DCost | Desi gnat ed br i dge | Pr t
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - +- - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 01/ 01 128 Desi gnat f r wr d 200000 200000 32768. 00A01211227A 128. 001
01/ 02/ 01 128 Root f r wr d 200000 200000 00000. 00A0120F2F27 128. 006

MST01
VLAN mapped = 1
Pr i or i t y = 32768
Regi onal Root = 32769. 00: A0: 12: 11: 07: 08
TopChanges = 4

====================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - +- - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 01/ 01 0 Root f r wr d 200000 0 32768. 00A01211227A 128. 001

Page 50

01/ 02/ 01 128 Boundar y f r wr d 200000 0 32768. 00A01211227A 128. 010
Network Configuration
In the following example, four devices are connected via VLANs V100 and V200 that are mapped
to two MST instances on each device. The example shows the redundancy achieved with MSTP.
After configuring the network, use the show mstp command on each device to verify that the MST
instances are configured correctly.

Figure 5: Schematic MSTI Configuration
1. Create VLANs V100 and V200 and add the appropriate ports to each VLAN:
Device1(config)#vlan
Device1(config vlan)#config default
Device1(config-vlan default)# remove ports 1/2/1-1/2/3
Device1(config-vlan default)#exit
Device1(config vlan)#create v100 100
Device1(config vlan)#config v100
Device1(config-vlan v100)#add ports 1/2/1,1/2/3 tagged
Device1(config-vlan v100)#add ports 1/2/4 untagged
Device1(config-vlan v200)#exit
Device1(config vlan)#exit
2. Enable MSTP:
3. Set priority 0 to MSTI 1 to force Device 1 to be MSTI1 root:
4. Enter the MSTP Protocol Configuration mode:
Device1(cfg protocol)#mstp

Page 51

5. Add the VLANs to MSTIs 0, 1, and 2:
Device1(cfg protocol mstp)#instance 0 vlan 1-99,101-199,201-4094
Device1(cfg protocol mstp)#instance 1 vlan 100
Device1(cfg protocol mstp)#end
Device2(config-vlan default)# remove ports 1/2/1-1/2/3
2. Enable MSTP:
3. Set priority 0 to MSTI 2 to force Device 2 to be MSTI2 root:
5. Add the VLANS to MSTIs 0, 1, and 2:

Page 52

Device3(config-vlan default)#remove ports 1/2/1,1/2/2,1/2/4
2. Enable MSTP:
4. Add the VLANS to MSTIs 0, 1, and 2:
1. Create VLAN V200 and add the appropriate ports to each VLAN:
Device4(config-vlan default)#remove ports 1/2/1,1/2/2
2. Enable MSTP:

Page 53

4. Add the VLANs to MSTIs 0, 1 and 2:
Device1#show mstp
Pr i or i t y = 0
TopChanges = 6
CI ST Root = 32768. 00: A0: 12: 27: 00: 80
CI ST Por t = 01/ 02/ 01
MaxAge = 20 ( Sec)
MaxHopCount = 40
TxHol dCount = 3

MST00
VLAN mapped = 1- 99, 101- 199, 201- 4094
Pr i or i t y = 32768
Regi onal Root = 32768. 00: A0: 12: 27: 00: 80
TopChanges = 6
No act i ve por t s ar e mapped t o t he mst i

MST01
VLAN mapped = 100
Pr i or i t y = 32768
TopChanges = 5

==========================================================================

Page 54

- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 02/ 01 128 Desi gnat f r wr d 200000 0 00000. 00A0122700C0 128. 003
01/ 02/ 04 128 Desi gnat f r wr d 200000 0 00000. 00A0120A0168 128. 006

MST02
VLAN mapped = 200
Pr i or i t y = 32768
Regi onal Root = 00002. 00: A0: 12: 27: 14: 20
TopChanges = 7
==========================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 02/ 03 128 Root f r wr d 200000 0 00000. 00A012271420 128. 005
Pr i or i t y = 0
TopChanges = 4
CI ST Root = 32768. 00: A0: 12: 27: 00: 80
CI ST Por t = 01/ 02/ 01
MaxAge = 20 ( Sec)
MaxHopCount = 40
TxHol dCount = 3

MST00
VLAN mapped = 1- 99, 101- 199, 201- 4094
Pr i or i t y = 32768
Regi onal Root = 32768. 00: A0: 12: 27: 00: 80
TopChanges = 4
==========================================================================

Page 55

- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 02/ 04 128 Desi gnat f r wr d 200000 0 32768. 00A012271420 128. 005

MST01
VLAN mapped = 100
Pr i or i t y = 32768
Regi onal Root = 00001. 00: A0: 12: 27: 00: C0
TopChanges = 4
==========================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 02/ 01 128 Al t er nat bl ock 200000 200000 32768. 00A012270080 128. 004
01/ 02/ 03 128 Root f r wr d 200000 200000 00000. 00A0122700C0 128. 005

MST02
VLAN mapped = 200
Pr i or i t y = 32768
TopChanges = 4
==========================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 02/ 02 128 Desi gnat f r wr d 200000 0 00000. 00A012271420 128. 002
01/ 02/ 03 128 Desi gnat f r wr d 200000 0 00000. 00A012271420 128. 003
01/ 02/ 04 128 Desi gnat f r wr d 200000 0 00000. 00A012271420 128. 005
Device3#show mstp
Pr i or i t y = 0
TopChanges = 3
CI ST Root = Thi s br i dge i s t he r oot
MaxAge = 20 ( Sec)
MaxHopCount = 40
TxHol dCount = 3

Page 56


MST00
VLAN mapped = 1- 99, 101- 199, 201- 4094
Pr i or i t y = 32768
TopChanges = 3

MST01
VLAN mapped = 100
Pr i or i t y = 32768
Regi onal Root = 0001. 00: A0: 12: 27: 00: C0
TopChanges = 2
==========================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 02/ 01 128 Root f r wr d 200000 0 00000. 00A012270080 128. 003
01/ 02/ 02 128 Desi gnat f r wr d 200000 0 32768. 00A012270080 128. 004
01/ 02/ 04 128 Desi gnat f r wr d 200000 0 32768. 00A012270080 128. 006

MST02
VLAN mapped = 200
Pr i or i t y = 32768
Regi onal Root = 00002. 00: A0: 12: 27: 14: 20
TopChanges = 3

Page 57

Device4#show mstp
Pr i or i t y = 0
TopChanges = 2
CI ST Root = 32768. 00: A0: 12: 27: 00: 80
CI ST Por t = 01/ 02/ 01
MaxAge = 20 ( Sec)
MaxHopCount = 40
TxHol dCount = 3

MST00
VLAN mapped = 1- 99, 101- 199, 201- 4094
Pr i or i t y = 32768
Regi onal Root = 32768. 00: A0: 12: 27: 00: 80
TopChanges = 2
==========================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 02/ 01 128 Al t er nat f r wr d 200000 0 32768. 00A012271420 128. 003
01/ 02/ 02 128 Root f r wr d 200000 0 32768. 00A0122700C0 128. 004
01/ 02/ 04 128 Desi gnat f r wr d 200000 0 32768. 00A012271420 128. 006

MST01
VLAN mapped = 100
Pr i or i t y = 32768
Regi onal Root = 00001. 00: A0: 12: 27: 00: C0
TopChanges = 5

MST02
VLAN mapped = 200

Page 58

Pr i or i t y = 32768
Regi onal Root = 00002. 00: A0: 12: 27: 14: 20
TopChanges = 2

In this example if the direct link between Device 1 and Device 3 fails. MSTI01 is recalculated and
port 1/ 2/ 2 in Device 3 changes its role from alternate to root.

Figure 6: Link Failure between Two Devicees
In this case, the show mstp command displays the following:
Device1#show mstp
Pr i or i t y = 0
TopChanges = 6
CI ST Root = 32768. 00: A0: 12: 27: 00: 80
CI ST Por t = 01/ 02/ 01
MaxAge = 20 ( Sec)
MaxHopCount = 40
TxHol dCount = 3

MST00
VLAN mapped = 1- 99, 101- 199, 201- 4094
Pr i or i t y = 32768
Regi onal Root = 32768. 00: A0: 12: 27: 00: 80

Page 59

TopChanges = 6

MST01
VLAN mapped = 100
Pr i or i t y = 32768
TopChanges = 5
==========================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -

MST02
VLAN mapped = 200
Pr i or i t y = 32768
Regi onal Root = 00002. 00: A0: 12: 27: 14: 20
TopChanges = 7
==========================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 02/ 03 128 Root f r wr d 200000 0 00000. 00A012271420 128. 003
Device3#show mstp
Pr i or i t y = 0
TopChanges = 3
CI ST Root = Thi s br i dge i s t he r oot
MaxAge = 20 ( Sec)
MaxHopCount = 40
TxHol dCount = 3

Page 60


MST00
VLAN mapped = 1- 99, 101- 199, 201- 4094
Pr i or i t y = 32768
TopChanges = 3

MST01
VLAN mapped = 100
Pr i or i t y = 32768
Regi onal Root = 00001. 00: A0: 12: 0A: 01: 68
TopChanges = 3
==========================================================================
- - - - - - - - +- - - +- - - - - - - - +- - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - +- - - - - - -
01/ 02/ 02 128 Root f r wr d 200000 400000 32768. 00A00001090B 128. 002
01/ 02/ 04 128 Desi gnat f r wr d 200000 400000 32768. 00A012BBBBBB 128. 006

MST02
VLAN mapped = 200
Pr i or i t y = 32768
Regi onal Root = 00002. 00: A0: 12: 27: 14: 20
TopChanges = 3

On Device 2 and Device 4:
This topology change does not affect Device 2 and Device 4 output.

Page 61

Fast Recovery Configuration
Following is a configuration example of a spanning tree IGMP fast recovery. The figure below
shows a network configuration with a triangle topology and the configuration steps of the three
devices. Device 1 is the MSTP Root for Instance 0 and there is one blocked port in the topology.
The multicast traffic flows from port 1/ 2/ 3 of Device 1 to port 1/ 2/ 3 of Device 3.

Figure 7: Spanning Tree I GMP Fast Recovery Configuration Example
1. Enable MSTP:
2. Configure the bridge priority for MST instance 0 to zero:
3. Enable spanning tree IGMP fast recovery:
Device1(cfg protocol)#spanning-tree igmp-fast-recovery enable
4. Configure port 1/ 2/ 3 as an edge port:
Device1(config-if 1/2/3)#mstp edge-port
Device1(config-if 1/2/3)#exit
5. Enable IGMP snooping and configure ports 1/ 1/ 1 and 1/ 1/ 2 as mrouter ports:
Device1(config)#ip igmp snooping
Device1(config)#ip igmp snooping vlan 1 mrouter interface 1/1/1

Page 62

1. Enable MSTP:
2. Enable MSTP fast ring for accelerating its operation in a ring topology:
Device2(cfg protocol)#mstp learn-mode temporary-disabled 2
3. Enable spanning tree IGMP fast recovery:
Device2(cfg protocol)#spanning-tree igmp-fast-recovery enable
4. Configure port 1/ 2/ 8 as an edge port:
1. Enable MSTP:
2. Enable MSTP fast ring for accelerating its operation in a ring topology:
Device3(cfg protocol)#mstp learn-mode temporary-disabled 2
3. Configure the port 1/ 2/ 3 as an edge port:

Page 63

MSTP BPDU Guard, Loop Guard, Restricted Root and
Restricted TCN Configuration
The figure below shows a network configuration with a triangle topology followed by the
configuration of the three devices. BPDU guard, restricted root and restricted TCN are enabled on
edge port 1/ 2/ 4 to protect the backbone network from unauthorized user intervention in MSTP.
Loop guard is enabled on Device 2 and Device 3 for the ports connected to root Device 1.

Figure 8: BPDU Guard, Loop Guard, Restricted Root and Restricted TCN
1. Enable MSTP:
2. Set MST instance 0 bridge priority to 0:
3. Configure port 1/ 2/ 4 as an edge port. Enable BPDU guard, restricted root and restricted
TCN on this port:
Device1(config-if 1/2/4)#mstp bpdu-rx discard
Device1(config-if 1/2/4)#mstp restrict-root enable
Device1(config-if 1/2/4)#mstp restrict-tcn enable

Page 64

1. Enable MSTP:
TCN on this port:
3. Enable loop guard on ports 1/ 2/ 1 and 1/ 2/ 2:
Device2(config-if 1/2/1)#mstp detect-bpdu-loss enable
1. Enable MSTP:
TCN on this port:
3. Enable loop guard on ports 1/ 2/ 1 and 1/ 2/ 2:

Page 65

Configuring a Fast Ring
The following example shows how to configure the devices in a fast ring so that traffic is
distributed correctly among client networks.

Figure 9: Fast Ring Topology
1. Enable MSTP, disable learning, and configure Device 1 to be the root device:
Device1(cfg protocol)#mstp learn-mode none
2. Create VLAN V10, V20, and V30. Add the appropriate ports to each VLAN:
Device1(config-vlan default)#remove ports 1/1/1-1/2/2
Device1(config-vlan default)#config v10

Page 66

Device1(config-vlan v10)#config v20
Device1(config-vlan v30)#end
1. Enable MSTP, disable learning, and configure fast ring ports:
2. Configure an edge port and enable port security on the client port:
Device2(config-if 1/1/1)#port security
Device2(config-vlan v10)#add ports default 1/1/1

Page 67


Page 68


Page 69


Page 70

Supported Platforms
Multiple Spanning Tree Protocol (MSTP) + +
Multiple Spanning Tree
Protocol (MSTP)
IEEE 802.1d-1998
IEEE 802.1t-2001
IEEE 802.1w-2001
IEEE 802.1s-2002
Private MIBs:
prvt_mst.mib
prvt_switch.mib
Group MIB

Page 1
Configuring Access Control Lists (ACLs) (Rev. 09)

Configuring Access Control Lists (ACLs)
Table of Figures 3
Overview 4
ACL Types 4
ACL Process Options 5
Access Control Groups (ACG) 5
ACL Processing Rules 6
Traffic Remarking 6
Traffic Rate Limit and Shaping 6
Single Rate Three Color Marker (RFC 2697) 7
Two Rate Three Color Marker (RFC 2698) 7
Exceed Action 7
Color-Blind and Color-Aware 7
The ACL Default Configuration 8
ACL Configuration Flow 9
ACL Configuration Commands10
Creating a Standard IP ACL12
Creating an Extended IP ACL14
Creating an Extended MAC ACL16
Adding a Comment to an ACL20
Assigning an IP ACG 21
Assigning a MAC ACG22
Applying Rate Limiting by ACGs24
Adding a new VLAN Tag in Frames26
Applying QoS Settings on an ACG27
Changing the DSCP Value27
Changing the VPT Value28
Saving the ACG Configuration29
Page 2
Configuring Access Control Lists (ACLs) (Rev 09)

Enabling Match Statistics29
Displaying the IP ACLs30
Displaying the MAC ACLs30
Displaying the IP ACG 32
Displaying the IP ACG Statistics33
Displaying the MAC ACG34
Displaying Match Statistics for MAC ACGs34
Clearing the IP ACG Statistics35
Clearing the MAC ACG Statistics36
Configuring IP ACLs37
Configuring MAC ACLs39
Creating ACLs per SAP41
Configuring an ACG per Egress42
Configuring Rate Limit with DSCP Mapping42
Configuring Rate Limit with Priority Remarking44

Page 3

Table of Figures
Figure 1: Configuration Flow for ACL 9
Figure 2: MAC ACG over Port Configuration Example23
Figure 3: Creating Standard and Extended IP ACLs37
Figure 4: Rate Limit over Port Configuration39

Page 4

Overview
Access Control Lists (ACLs) are sets of numbered rules that process packets going through the
device and provide the ability to control network traffic. Using ACLs, system administrators can
filter packets that pass through a port by defining different criteria, in order to ensure the network's
security, Quality of Service (QoS), traffic control, and traffic rate-limitation.
These rules are processed in a sequential order, either permitting or denying the traffic, based on the
specified ACL conditions. The hardware tests the packets parameters against the ACLs and acts
upon the first condition matched.
The main advantages in using ACLs are:
Securityby forwarding or dropping ingress traffic, ACLs aid administrators in managing
network security policies.
Traffic Controlby enforcing redirection rules, administrators can manipulate network traffic
flow, thus reducing bottlenecks and congestions.
Traffic Rate Limitationusing ACLs, administrators can control traffic rate per port, or SAP
port according to user defined criteria.
Quality of Service (QoS)administrators can assign packet-handling priority to data flow,
sorting the flow into eight priority queues, based on the ACL criteria. You can also use ACLs
to re-mark ToS/ DSCP values.
ACL Types
There are three basic ACL types, in predefined range of numbers. Each type matches specific fields
in the packets:
Standard IP ACLs (#199, or #10002999): match the packets source IP address.
Extended IP ACLs (#100199, or #1000011999): match both the source and destination IP
addresses. In addition, these ACLs can also match protocol types and optional DSCP values
for finer granularity of control.
Extended MAC ACLs (#400499, or #4000041999): match both the source and
destination MAC addresses. In addition, these ACLs can also match VPT, ToS, and other
Layer 2 header fields for finer granularity of control.
Page 5

ACL Process Options
Systems administrators can apply ACLs to both ingress (inbound) traffic and egress (outbound)
traffic:
Ingress ACLs process incoming packets, manipulating permitted packets and switching them
according to matched ACL conditions. Packets that do not match any of the ACLs are
discarded
Egress ACLs are only used for traffic remarking
Egress ACLs do not filter packets originated by the device (such as outgoing Telnet
session packets, NTP service packets, and various broadcast packets).
Access Control Groups (ACG)
An ACG is a collection of ACLs applied to port(s) or aggregation of ports or SAP port determining
the process of ingress or egress traffic.
They manipulate permitted ingress packets before forwarding them and discard denied packets,
performing an action that is based on the ACL conditions matched. When configured on egress
traffic, they manipulate permitted outgoing packets.
Using ACGs you can:
filter (drop) traffic
limit rate of the traffic
assign a priority to traffic
remark 802.1p / DSCP bits only for egress ACLs
redirect traffic to a specified VLAN
statistics collections
You can apply multiple ACGs per port/ aggregation/ SAP
Page 6

ACL Processing Rules
In order to use ACLs effectively, it is essential to understand the ACL processing rules:
Sequential processing: ACLs are processed sequentially, in the order they are entered
Once created, users can add new rules to the end of the ACL
Users cannot selectively add or remove ACL lines from a specific ACL
The device tests the packets only until it finds the first match, defining whether to permit or
deny the packets
If the packets do not match any of the ACLs:
in case of ingress ACL, they are denied. This is because the last rule is an implicit deny
statement
in case of egress ACL, they are permitted (unless the user configures a rule to implicitly
deny packets that do not match any of the rules)
Orderedprocessing: when applying multiple ACLs, these ACLs are applied in the same order the
user applies them. For example, when applying ACL5 and ACL2 to a port, the device first
matches ACL5 rules. If the packets do not match any rules in ACL 5, the device then matches
ACL2 rules
Due to the above processing rules, the order of the rules within an ACL and the order the ACLs
are applied is critical.
The total number of conditions for a single ACL rule that can be applied to the ports is limited to
62.
Traffic Remarking
ACLs allow users to impact QoS and its various aspects such as, bandwidth limitation, latency,
traffic prioritization, and drop precedence.
Users can also use ACLs to remark the ToS field values by defining a new ToS/ DSCP value, and to
perform rate control and priority assignment per flow.
Traffic Rate Limit and Shaping
Traffic congestion, caused by heavy network traffic, can cause incoming packet to drop.
To prevent congestion on provider networks, system administrators can use traffic rate limit and
traffic shaping by allocating a specific bandwidth per user port or traffic.
A traffic rate limiter monitors the incoming traffic by:
forwarding conforming traffic (within the predefined rate)
dropping non-conforming traffic or marking this traffic
Page 7

Single Rate Three Color Marker (RFC 2697)
The Single Rate Three Color Marker (srTCM) meters a traffic stream and marks it according to
three parameters:
The Committed Information Rate (CIR) determines the long-term average transmission rate
The Committed Burst Size (CBS) determines how large traffic bursts can be before some of
the traffic exceeds the rate limit
The traffic is then marked as follows:
Traffic within CIR always conforms and is marked green
Traffic that exceeds CBS is dropped or marked yellow
Two Rate Three Color Marker (RFC 2698)
The two rate Three Color Marker (trTCM) meters a traffic stream and marks it according to the
below parameters.
The Committed Information Rate (CIR) determines the long-term average transmission rate
The Committed Burst Size (CBS), associated with CIR, determines how large traffic bursts can
be before some of the traffic exceeds the rate limit
The Peak Information Rate (PIR) determines the long-term delimiter between yellow packets
and red ones
The Peak Burst Size (PBS), associated with PIR, determines the burst size before the traffic
exceeds PIR
The traffic is then marked as follows:
Traffic within CIR and CBS always conforms and is marked green
Traffic not conforming to CIR and CBS but conforming to PIR and PSB is marked yellow
Exceed Action
Once the packet is classified as exceeding a particular rate limit, the device:
either drops the packet
mark the packet with a yellow color and continue
Color-Blind and Color-Aware
Rate limiting operates in one of the below two modes:
in a Color-Blindmode, assumes that the packet stream is uncolored
in a Color-Awaremode, assumes that some preceding entity has pre-colored the incoming
packet stream so that each packet can be colored green or yellow.
Page 8

The ACL Default Configuration
Table 1: ACL Default Configuration
Access Control List (ACL) Not defined
Access Control Group (ACG) Not defined
Rate limit color awareness Color blind
Rate limit exceed action Drop
Page 9

ACL Configuration Flow

Figure 1: Configuration Flow for ACL
Start
End
Apply an ACG per port/SAP
Filter by source IP address
Filter traffic by source/destination IP
and/or IP type protocol
Filter by source/destination MAC
address
Select additional ACG options:
Assign Traffic Priority
Statistics
VLAN redirect
QoS Settings
Select additional ACG options:
Remark DSCP
Remark VPT
Filter by FC and color
Filter by FC, color and DSCP
Ingress or Egress
ACL
Ingress Egress
Apply an ACG per port
Page 10

ACL Configuration Commands
Table 2: ACLs Configuration Commands
Command Description
access-list ( st andar d i p) Defines standard IP ACLs (see Creating a Standard IP
ACL)
access-list ( ext ended i p) Defines extended IP ACL (see Creating an Extended IP
ACL)
access-list ( ext ended mac) Defines extended MAC ACL (see Creating an Extended
MAC ACL)
access-list remark Associates a remark to a specified IP ACL (see Adding a
Comment to an ACL)

Table 3: ACG Configuration Commands
Command Description
ip access-group Assigns an IP ACG to a port, LAG or SAP port (see
Assigning an IP ACG)
mac access-group Assigns a MAC ACG to a port, LAG or SAP port (see
Assigning a MAC ACG)

Table 4: Additional ACG Commands
Command Description
rate-limit single-rate Applies a single rate-limit (RFC 2697) on the ACG for the
specified port, LAG or SAP port (see Applying Rate
Limiting by ACGs)
rate-limit dual-rate Applies a dual rate-limit (RFC 2698) on the ACG for the
specified port, LAG or SAP port (see Applying Rate
Limiting by ACGs)
set vlan Changes the VLAN ID in the packet header (see Adding a
new VLAN Tag in Frames)
set txq Applies QoS on packets matching the ACG (see Applying
QoS Settings on an ACG)
set dscp Changes the DSCP field value of the packets on egress
interfaces (Changing the DSCP Value)
set vpt Changes the VPT field value of the packets on egress
interfaces (Changing the VPT Value)
apply Saves the ACG options and exits the ACG Configuration
mode (see Saving the ACG Configuration)
statistics Enables match statistics on a port, LAG or SAP port (see
Enabling Match Statistics)

Page 11

Table 5: ACL and ACG Display Commands
Command Description
show ip access-lists Displays the configured IP ACLs (see Displaying the IP
ACLs)
show mac access-lists Displays the configured MAC ACLs (see Displaying the
MAC ACLs)
show ip access-groups Displays the IP ACGs configured on ports, LAGs, and
VLANs (see Displaying the IP ACG)
show ip access-groups
statistics
Displays how many packets match the applied IP ACG
(see Displaying the IP ACG Statistics)
show mac access-groups Displays the MAC ACGs configured on ports, LAGs, and
VLANs (see Displaying the MAC ACG)
show mac access-groups
statistics
Displays how many packets match the applied MAC ACG
(see Displaying Match Statistics for MAC ACGs)

Table 6: Clear ACG Statistics Commands
Command Description
clear ip access-groups
statistics
Clears the IP ACG statistics (see Clearing the IP ACG
Statistics)
clear mac access-groups
statistics
Clears the MAC ACG statistics (see Clearing the MAC
ACG Statistics)
Page 12

Creating a Standard IP ACL
The access-list <acl-number> defines standard IP ACLs.
Command Syntax
device-name(config)#access-list <acl-number> {deny | permit} SOURCE [SOURCE-
MASK] [fc FC-TYPE drop-level {green | yellow}]
device-name(config)#no access-list <acl-number>
acl-number The standard IP ACL number is in the range of <1-99>, or
<1000-2999>
{deny | permit}
Specifies whether this is a permit or deny rule
SOURCE
The packets source-address (network or host) specified as:
IP address in dotted-decimal notation (A.B.C.D)
the keyword any as an abbreviation for a source of 0.0.0.0 and
source-mask of 255.255.255.255
the keyword host source as an abbreviation for a source of 0.0.0.0
and source-mask of 0.0.0.0
SOURCE-MASK
(Optional) mask bits applied to source, specified as:
dotted-decimal notation (A.B.C.D). Place one in the bit positions
you want to ignore
CIDR notation (/M)
Page 13

fc FC-TYPE
Specifies a forwarding class traffic (FC) that match the ACL
(only for egress ACL)

FC Type
Description
be
Specifies that the forwarding class to be mapped is the
Best-Effort Forwarding Class
12
Low-2 Forwarding Class
af
Assured Forwarding Class
l 1
h2
High-2 Forwarding Class
ef
Expedited Forwarding Class
h1
nc
Network Control Forwarding Class

drop-level
Specifies the color of packets for which the following ACL takes effect
green
Match specific FC with color green
yellow
Match specific FC with color yellow
no
Removes the specified ACL
Examples
1. The IP address 192.98.2.1 is permitted, subnet 192.98.0.0/ 16 except for this address is denied,
but the entire subnet 192.0.0.0/ 8 is permitted. All other traffic is denied:
device-name(config)#access-list 1 permit host 192.98.2.1
device-name(config)#access-list 1 deny 192.98.0.0/16
device-name(config)#access-list 1 permit 192.0.0.0/8
2. To apply this ACL to port 1/ 1/ 1, use the ip access-group command:
device-name(config-if 1/1/1)#ip access-group 1
Page 14

Creating an Extended IP ACL
The access-list <acl-number> command defines extended IP ACLs.
The extended IP ACL filters the traffic by the following parameters:
SourceIP address in the IP packet header
DestinationIP address in the IP packet header
IP protocol in the IP packet header
DSCP matches DSCP value in the packet
Command Syntax
device-name(config)#access-list <acl-number> {deny | permit} {ip | icmp | igmp
| tcp | udp | <protocol-number>} SOURCE [SOURCE-MASK] DESTINATION
[DESTINATION-MASK] [dscp <dscp>] [fc FC-TYPE drop-level {green |
yellow}]
device-name(config)#no access-list <acl-number>
acl-number
The extended IP ACL number in the range of <100-199>, or
<10000-11999>.
{deny | permit}
protocol-number Specifies the name or number of an IP protocol:
Valid IP protocol names are: tcp, udp, ip, igmp, icmp
Valid IP protocol numbers are integers in the range of <0255>
representing an IP protocol number
(http://www.iana.org/assignments/protocol-numbers (RFC5237))
To match any Internet protocol, use the keyword ip
Some protocols allow further qualifiers, as described below
SOURCE
The packets source-address (network or host) specified as:
the keyword any as an abbreviation for a source of 0.0.0.0 and
source-mask of 255.255.255.255.
the keyword host source as an abbreviation for a source of 0.0.0.0
and source-mask of 0.0.0.0.
SOURCE-MASK
(Optional) mask bits applied to source, specified as:
dotted-decimal notation (A.B.C.D). Place one in the bit positions you
want to ignore
CIDR notation (/M)
Page 15

DESTINATION
The network or hosts number the packet is sent to:
the keyword any as an abbreviation for a destination of 0.0.0.0 and
destination-mask of 255.255.255.255.
the keyword host source as an abbreviation for a destination of
0.0.0.0 and destination-mask of 0.0.0.0.
DESTINATION-
MASK
(Optional) the mask bits applied to the destination specified as:
dotted-decimal notation (M.M.M.M). Place one in the bit positions you
want to ignore
CIDR notation (/M)
dscp <dscp> (Optional) the number of packets filtered by DSCP value, in the valid range
of <063>.
fc FC-TYPE

FC Type Description
be
Best-Effort Forwarding Class
12
af
Assured Forwarding Class
l 1
h2
ef
Expedited Forwarding Class
h1
nc
Network Control Forwarding Class

drop-level
Specifies the color of packets for which the following ACL takes effect
green
Match the traffic with the above FC value with color green.
yellow
Match the traffic with the above FC value with color yellow.
no
Removes the specified ACL
Page 16

Creating an Extended MAC ACL
The access-list <acl-number> command defines extended MAC ACLs.
Command Syntax
device-name(config)#access-list <acl-number> {deny | permit} {SOURCE-MAC
SOURCE-MAC-MASK | host SOURCE-MAC | any} {DESTINATION-MAC DESTINATION-
MAC-MASK | host DESTINATION-MAC | any} {unicast | multicast | broadcast}
[vlan <vlan-id> <VLAN mask>] [vpt <priority>] [inner-vlan <vlan-id>
<VLAN mask>] [inner-vpt <priority>] [untagged] [ether-type <ether-type>]
[dscp <dscp>] [tos <tos>] [precedence <precedence>] [fc FC-TYPE drop-
level {green | yellow}]

device-name(config )#no access-list <acl-number>
acl-number
The extended MAC ACL number in the range of <400-499>, or
<40000-41999>.
{deny | permit}
SOURCE-MAC
The packets source MAC-address. Valid values are:
HH:HH:HH:HH:HH:HH notation
the keyword any representing all MAC addresses
the keyword host representing an abbreviation for a source-
mask of 00:00:00:00:00:00
SOURCE-MAC-MASK The source MAC address mask in HH:HH:HH:HH:HH:HH notation.
Use 0 for meaningful bits (exact-match) and 1 for meaningless bits
(any).
Examples:
permit 00:aa:bb:cc:dd:ee 00:00:00:00:00:00 equals
permit host 00:aa:bb:cc:dd:ee
permit 00:aa:bb:cc:dd:ee FF:FF:FF:FF:FF:FF equals
permit any
permit 00:aa:bb:cc:dd:ee 00:00:00:FF:FF:FF permits
the range <00:aa:bb:00:00:0000:aa:bb:ff:ff:ff>
DESTINATION-MAC
The destination MAC address the packet is sent to. Valid values are:
HH:HH:HH:HH:HH:HH notation
the keyword any representing all MAC addresses
the keyword host representing as an abbreviation for a
destination-mask of 00:00:00:00:00:00
DESTINATION-MAC-MASK
The destination MAC address mask in HH:HH:HH:HH:HH:HH
notation.
Use 0 for meaningful bits (exact-match), and 1 for meaningless bits
(any).
unicast
(Optional) matches the unicast traffic
Page 17

multicast
(Optional) matches the multicast traffic
broadcast
(Optional) matches the broadcast traffic
vlan <vlan-id>
(Optional) the VLAN ID in the outer VLAN tag header.
VLAN mask
(Optional) matches the VLAN mask in hexadecimal format, 1 to 3
hexadecimal digits, prefixed with "0x".
Use 0 for meaningful bits (exact-match) and 1 for meaningless bits
(any).
vpt <priority> (Optional) the VPT in the outer VLAN tag header.
inner-vlan <vlan-id>
(Optional) matches the VLAN ID number in the inner VLAN tag
header. The valid range is <1-4092>.
inner-vpt <priority>
(Optional) matches packets by the VPT in the VLAN inner tag
header.
untagged
(Optional) matches untagged packets only.
If you do not specify the untagged option, all tagged and untagged
frames are matched.
ether-type <ether-
type>
(Optional) the EtherType filed in the Ethernet header of a packet.
The field is matched for non-IP and non-ARP traffic only.
Table 9 lists the valid EtherType known values.
dscp <dscp>
(Optional) the DiffServ Code Point (DSCP) value from IP header of a
packet. The valid range is <063>.
tos <tos> (Optional) matches packets by the service level type, in the range of
<07>or by any of the valid literal ToS values listed below (see
Table 8).
precedence
<precedence>
(Optional) matches packets by the precedence level, in the range of
<07>or by any of the valid literal precedence values listed below
(see Table 7).
Page 18

fc FC-TYPE

FC Type Description
be
Specifies that the forwarding class to be mapped is
the Best-Effort Forwarding Class
12
the Low-2 Forwarding Class
af
the Assured Forwarding Class
l 1
the Low-1 Forwarding Class
h2
the High-2 Forwarding Class
ef
the Expedited Forwarding Class
h1
the High-1 Forwarding Class
nc
the Network Control Forwarding Class

drop-level
Specifies the color of packets for which the following ACL takes
effect
green
Match the traffic with the above FC value with color green.
yellow
Match the traffic with the above FC value with color yellow.
no Removes the specified ACL
Table 7: Valid Precedence Literal Values
Valid Literal Value Description Value
cr i t i cal
Critical precedence 5
f l ash
Flash precedence 3
f l ash- over r i de
Flash override precedence 4
i mmedi at e
Immediate precedence 2
i nt er net
Internetwork control precedence 6
net wor k
Network control precedence 7
pr i or i t y
Priority precedence 1
r out i ne
Routine precedence 0
Page 19

Table 8: Valid ToS Literal Values
Valid Literal Value Description Value
max- r el i abi l i t y
Max reliable TOS 1
max- t hr oughput
Max throughput TOS 2
mi n- del ay
Min delay TOS 4
nor mal
Min monetary cost TOS 0
Table 9: EtherType Known Values
Value Description
0x00000x05DC
IEEE 802.3 length
0x0800
IP (Internet Protocol)
0x0806
ARP (Address Resolution Protocol)
0x8035
DRARP (Dynamic RARP)
RARP (Reverse Address Resolution Protocol)
0x80F3
AARP (AppleTalk Address Resolution Protocol)
0x8100
IPX (Internet Packet Exchange)
0x8137
IPv6 (Internet Protocol version 6)
0x86DD
PPP (Point-to-Point Protocol)
0x880B
GSMP (General Switch Management Protocol)
0x880C
MPLS (Multi-Protocol Label Switching) unicast
0x8863
MPLS (Multi-Protocol Label Switching) multicast
0x8864
PPPoE (PPP Over Ethernet) Discovery Stage
0x88BB
PPPoE (PPP Over Ethernet) PPP Session Stage
0x8E88
LWAPP (Light Weight Access Point Protocol)
0xFFFF
EAPOL (EAP over LAN)
Examples
Create extended MAC ACLs:
device-name(config)#access-list 404 permit host 00:00:0a:00:00:01 any
unicast
device-name(config)#access-list 405 permit host 00:00:09:00:00:01 any
unicast
device-name(config)#access-list 406 permit host 00:00:09:00:00:4e any
multicast
device-name(config)#access-list 407 permit host 00:00:0A:00:00:6e any
broadcast
Here, any tagged traffic is denied. Only the untagged traffic that ingresses a port, with the
default VLAN 20, is accepted:
device-name(config)#access-list 433 permit any any vlan 20 0x000 untagged
Page 20

Adding a Comment to an ACL
The access-list remark command associates an explanatory remark to a specified standard,
extended or MAC extended ACLs.
Command Syntax
device-name(config)#access-list <acl-number> remark REMARK
device-name(config)#no access-list <acl-number> [remark REMARK]
acl-number The number of an existing ACL.
Valid values are:
<199>or <1000-2999>the ID for the standard ACL
<100199>or <10000-11999>the ID for the extended ACL
<400499>or <40000-41999>the ID for the MAC extended ACL
REMARK A string of up to 40 characters
no Removes the remark.
CAUTION
Using the no form of the command without specifying a remark
removes the ACL.
Example
Add the remark test-acl to the ACL with number 401:
device-name(config)#access-list 401 remark test-acl
device-name(config)#access-list 401 permit host 00:a0:12:02:43:32 any
Page 21

Assigning an IP ACG
The ip access-group command assigns an IP ACG to a port, LAG or SAP port.
CLI Mode:
Interface Configuration, LAG Interface Configuration and SAP Service
Configuration
Command Syntax
device-name(config-if UU/SS/PP)#ip access-group [in | out] <acl-number>
[option]
device-name(config-if UU/SS/PP acg ACL-NUMBER)#
device-name(config-if UU/SS/PP)#no ip access-group [in | out] <acl-number>

device-name(config-if AG0N)#ip access-group [in] <acl-number> [option]
device-name(config-if AG0N acg ACL-NUMBER)#
device-name(config-if AG0N)#no ip access-group [in] <acl-number>

device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#ip access-group [in] <acl-
number> [option]
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#no ip access-group [in] <acl-
number>
acl-number The number of an existing ACL. Valid values are:
in (Optional) applies the ACL on the ingress traffic. If no keyword is specified, the
ACL is applied only on incoming traffic.
out
(Optional) applies the ACL on the egress traffic.
option (Optional) defines an action applied on matching traffic and changes the CLI
mode to the specified ACG configuration mode
no Removes the specified IP ACG.
Example
device-name(config-tls-sap 1/1/1:10:)ip access-group 100 option
device-name(config-tls-sap 1/1/1:10: acg 100)#
Page 22

Assigning a MAC ACG
The mac access-group assigns a MAC ACG to a port, LAG or SAP port.
CLI Mode:
Interface Configuration, LAG Interface Configuration, and SAP Service
Configuration
Command Syntax
device-name(config-if UU/SS/PP)#mac access-group [in | out] <acl-number>
[option]
device-name(config-if UU/SS/PP acg ACL-NUMBER)#
device-name(config-if UU/SS/PP)#no mac access-group [in | out] <acl-number>

device-name(config-if AG0N)#mac access-group [in] <acl-number> [option]
device-name(config-if AG0N acg ACL-NUMBER)#
device-name(config-if AG0N)#no mac access-group <acl-number>

device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#mac access-group [in] <acl-
number> [option]
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#no mac access-group [in] <acl-
number>
acl-number The number of an existing ACL. Valid values are in the range of <400499>, or
<4000041999>.
in (Optional) applies the ACL on the ingress traffic. If no keyword is specified, the
ACL is applied only on incoming traffic.
out
(Optional) applies the ACL on the egress traffic.
option (Optional) defines an action applied on matching traffic and changes the CLI
mode to the specified ACG configuration mode
no Removes the specified MAC ACG

Page 23

Examples
In the following example:
1. Port 1/ 1/ 1 is connected to a group of users. ACL 400 permits access to the server only for
users with MAC addresses 00:00:5a:63:56:78 (PC1) and 00:00:54:67:f5:61 (PC2).
2. Port 1/ 1/ 2 is connected to a server.

Figure 2: MAC ACG over Port Configuration Example
device-name(config)#access-list 400 permit 00:00:5a:63:56:78
00:00:00:00:00:00 00:a0:cc:d6:b0:fa 00:00:00:00:00:00
device-name(config)#access-list 400 permit 00:00:54:67:f5:61
00:00:00:00:00:00 00:a0:cc:d6:b0:fa 00:00:00:00:00:00
device-name(config-if 1/1/1)#mac access-group 400 option
device-name(config-if 1/1/1 acg 400)#end
Page 24

Applying Rate Limiting by ACGs
The rate-limit command applies a rate-limit on the ACG for the specified port, LAG or SAP
port.
CLI Mode:
Interface ACG Configuration, LAG Interface ACG Configuration, and SAP
Service ACG Configuration
This command takes affect only upon exiting the ACG Configuration mode.
By default, the color marking of the packet is ignored (color-blind).

NOTE
The real values for CIR, CBS, PIR, and PBS may be different than the configured
ones, due to granularity limitations. After configuring these values, a warning
message appears:
[ War ni ng] Rat e can be r ounded t o t he next suppor t ed val ue!

NOTE
You cannot configure the dual - r at e on uplink ports for the T-Marc 340.
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#rate-limit single-rate <cir>
<cbs> [color-aware | [exceed-action mark-yellow] | [statistics]
device-name(config-if UU/SS/PP acg ACL-NUMBER)#rate-limit dual-rate <cir>
<cbs> <pir> <pbs> [statistics]
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no rate-limit

device-name(config-if AG0N acg ACL-NUMBER)#rate-limit single-rate <cir> <cbs>
[color-aware | [exceed-action mark-yellow] | [statistics]
device-name(config-if AG0N acg ACL-NUMBER)#rate-limit dual-rate <cir> <cbs>
<pir> <pbs> [statistics]
device-name(config-if AG0N acg ACL-NUMBER)#no rate-limit

device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#rate-limit
single-rate <cir> <cbs> [color-aware | [exceed-action mark-yellow] |
[statistics]
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#rate-limit dual-
rate <cir> <cbs> <pir> <pbs> [statistics]
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no rate-limit
single-rate
The Single Rate Three Color Marker (RFC 2697).
dual-rate
The Two Rate Three Color Marker (RFC 2698).
cir
The CIR in K, M or G (in bps). The valid range is <64K1G>with 64 kbps
granularity.
cbs
The CBS in K, M or G (in bytes). The valid range is <4K16384K>.
pir The PIR in K, M or G (in bytes). The valid range is <64K1G>with 64 kbps
granularity.
Page 25

pbs The PBS in K, M or G (in bytes). The valid range is <4K16384K>.
color-aware (Optional) the rate limit is color aware. If you do not specify the option, the rate
limit is color blind.
exceed-
action
(Optional) The action performed once the packet is classified as exceeding the
CIR. If you do not specify this option, the out-of-profile traffic is dropped.
mark-yellow Marks in yellow the packet classified as exceeding the CIR. If you do not
specify this option, the out-of-profile traffic is dropped.
statistics
(Optional) specifies the Bind counter set to a traffic police, when specified. The
statistics data consists of counts of the in-profile (green) and out-of-profile
bytes (yellow or dropped). There are up to sixteen supported counters.
no
Removes the rate limit from the configured ACG.
Example
Configure the single rate limit:
device-name(config-if 1/1/1 acg 410)#rate-limit single-rate 100k 128k
exceed-action mark-yellow
device-name(config-if 1/1/1 acg 410)#apply
Configure the dual rate limit:
device-name(config-if 1/1/2 acg 412)#rate-limit dual-rate 100k 128k 256k
64k
Page 26

Adding a new VLAN Tag in Frames
The set vlan command changes the VLAN ID in the packet header. The switching decision is
made based on the new VLAN ID.
CLI Mode:
This command takes affect only upon exiting the ACG Configuration mode.
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#set vlan {<vlan-id> | tls
<vlan-id>}
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no set vlan [tls]

device-name(config-if AG0N acg ACL-NUMBER)#set vlan {<vlan-id> | tls <vlan-
id>}
device-name(config-if AG0N acg ACL-NUMBER)#no set vlan [tls]

device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#set vlan
{<vlan-id> | tls <vlan-id>}
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no set vlan
[tls]
vlan-id The new VLAN ID in the range of <14094>.
tls The egress port treats the matching packets as untagged (like they are
received), regardless of whether packets are received tagged or not. If the
egress port is a tagged to VLAN port member, a new VLAN tag is added to the
packet based on the device VLAN ID assignment.
This parameter is optional for the no form of the command.
no Cancels this action for the configured ACG.
Example
Redirect traffic that matches ACL 410 on port 1/ 1/ 1 to VLAN ID 300:
device-name(config-if 1/1/1 acg 410)#set vlan tls 300
Page 27

Applying QoS Settings on an ACG
The set txq command applies QoS on packets matching the ACG. New values of txq and Drop
Precedence (DP) are assigned to a matching traffic.
CLI Mode:
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#set txq <txq> drop-level
{green | yellow}
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no set txq

device-name(config-if AG0N acg ACL-NUMBER)#set txq <txq> drop-level {green |
yellow}
device-name(config-if AG0N acg ACL-NUMBER)#no set txq

device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#set txq <txq>
drop-level {green | yellow}
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no set txq
txq Specifies to which txq matching traffic is mapped. The valid range is <07>
queues.
green The packets DP level is green.
yellow The packets DP level is yellow.
no Cancels this action for the configured ACG.
Changing the DSCP Value
The set dscp command changes the DSCP field value of packets on egress interfaces.
CLI Mode:
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#set dscp <0-63>
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no set dscp
device-name(config-if AG0N acg ACL-NUMBER)#set dscp <0-63>
device-name(config-if AG0N acg ACL-NUMBER)#no set dscp
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#set dscp <0-63>
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no set dscp
0-63 DSCP value, configured for the remarked traffic on egress interfaces.
no Cancels this action for the changing the DSCP value.
Page 28

Changing the VPT Value
The set vpt command changes the VPT field value of the packets on egress interfaces.
CLI Mode:
Interface ACG Configuration, LAG Interface ACG Configuration and SAP
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#set vpt <0-7>
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no set vpt
device-name(config-if AG0N acg ACL-NUMBER)#set vpt <0-7>
device-name(config-if AG0N acg ACL-NUMBER)#no set vpt
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#set vpt <0-7>
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no set vpt
0-7 VPT value, configured for the remarked traffic on egress interfaces.
no Cancels this action for the changing the VPT value.
Examples:
Egress remarking:
device-name(config)#access-list 400 permit any any fc h1 drop-level green
device-name(config-if 1/1/1)#mac access-group out 400 option
device-name(config-if 1/1/1 acg 400)#set dscp 4
Egress VPT remarking:
device-name(config)#access-list 400 permit any any fc h1 drop level yellow
device-name(config-if 1/1/1)#mac access-group out 400 option
device-name(config-if 1/1/1 acg 400)#set vpt 3
The color aware ACLs cannot be applied as ingress ACG Otherwise a warning message is
displayed:
device-name(config)#access-list 400 permit any any fc h1 drop-level green
device-name(config-if 1/1/1)#mac access-group in 400 option
[ Er r or ] Col or awar e access l i st can not be appl i ed on i ngr ess.
The VPT and DSCP options are mutually exclusive. Otherwise a warning message is displayed:
device-name(config)#access-list 111 permit ip any any fc ef drop-level
green
device-name(config-if 1/1/1)#ip access-group out 111 option
device-name(config-if 1/1/1 acg 111)#set vpt 4
%onl y one r emar k t ype i s al l owed
Page 29

Saving the ACG Configuration
The apply command saves the ACG options and exits the ACG Configuration mode.
CLI Mode:
Interface ACG Configuration, LAG Interface ACG Configuration and SAP

NOTE
The appl y command has the same effect as the exi t command or the <Ct r l +D>.
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#apply
device-name(config-if AG0N acg ACL-NUMBER)#apply
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#apply
Example
Enabling Match Statistics
The statistics command enables match statistics on a port, LAG or SAP port.
The match statistics data provides the dropped and non-dropped packets/ bytes counts, useful for
traffic monitoring.
CLI Mode:
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#statistics
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no statistics

device-name(config-if AG0N acg ACL-NUMBER)#statistics
device-name(config-if AG0N acg ACL-NUMBER)#no statistics

device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#statistics
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no statistics
no Disables collecting statistics on the ACG.
Page 30

Displaying the IP ACLs
The show ip access-lists command displays the configured IP ACLs. You can restrict the
output to a specified ACL by using the acl-number argument.
Command Syntax
device-name#show ip access-lists [<acl-number>]
acl-number (Optional) the ACL number displayed.
Valid values are:
Examples
device-name(config)#access-list 1 permit host 192.98.2.1
device-name(config)#access-list 1 deny 192.98.0.0/16
device-name(config)#access-list 1 permit 192.0.0.0/8
St andar d I P access l i st 1
per mi t host 192. 98. 2. 1
deny 192. 98. 0. 0 0. 0. 255. 255
per mi t 192. 0. 0. 0 0. 255. 255. 255
Displaying the MAC ACLs
The show mac access-lists command displays the configured MAC ACLs. You can restrict the
output to a specified ACL by using the acl-number argument.
Command Syntax
device-name#show mac access-lists [<acl-number>]
acl-number (Optional) the ACL number displayed, in the range of <400499>, or <40000
41999>(extended MAC ACLs).

Page 31

Examples
device-name(config)#access-list 400 permit any host 00:00:0a:00:00:4e ether-
type 0x8080
device-name(config)#access-list 401 permit 00:00:0A:00:00:65
00:00:00:00:00:03 any broadcast
The ACL mat ches BROADCAST l ayer 2 t r af f i c.

device-name(config)#access-list 402 permit 00:00:0b:21:19:75
00:00:00:00:00:00 00:00:12:64:53:15 00:00:00:00:00:01
device-name(config)#access-list 403 permit host 00:00:0a:09:00:7F any vpt 4
00:00:00:00:00:00 any vlan 9 0x00FF
device-name(config)#access-list 405 permit any host 00:a0:12:02:43:32 dscp 20
device-name(config)#access-list 406 permit any host 00:a0:12:02:43:32 tos 2
precedence 4
device-name(config)#access-list 407 permit 00:00:09:00:00:01
00:00:00:00:00:00 any unicast
The ACL mat ches UNI CAST l ayer 2 t r af f i c.

device-name(config)#access-list 408 permit 00:00:0A:00:00:6E
00:00:00:00:00:03 any multicast
The ACL mat ches MULTI CAST l ayer 2 t r af f i c.
device-name(config)#access-list 409 permit any host 00:00:09:00:00:78 untagged
device-name(config)#access-list 410 permit 00:00:0A:00:00:65
00:00:00:00:00:03 any precedence priority
device-name#show mac access-lists
Ext ended MAC access- l i st 400
per mi t any host 00: 00: 0a: 00: 00: 4e et her - t ype 0x8080
per mi t 00: 00: 0a: 00: 00: 65 00: 00: 00: 00: 00: 03 any br oadcast
per mi t host 00: 00: 0b: 21: 19: 75 00: 00: 12: 64: 53: 15 00: 00: 00: 00: 00: 01
per mi t host 00: 00: 0a: 09: 00: 7f any vpt 4
per mi t host 00: 00: 0a: 00: 00: 09 any vl an 9 0x00FF
per mi t any host 00: a0: 12: 02: 43: 32 dscp 20
per mi t any host 00: a0: 12: 02: 43: 32 t os max- t hr oughput pr ecedence f l ash-
over r i de
per mi t host 00: 00: 09: 00: 00: 01 any uni cast
per mi t 00: 00: 0a: 00: 00: 6e 00: 00: 00: 00: 00: 03 any mul t i cast
per mi t any host 00: 00: 09: 00: 00: 78 unt agged
per mi t 00: 00: 0a: 00: 00: 65 00: 00: 00: 00: 00: 03 any pr ecedence pr i or i t y
Page 32

Displaying the IP ACG
The show ip access-groups command displays the IP ACGs configured on ports, LAGs, and
VLANs.
Command Syntax
device-name#show ip access-groups [<acl-number>]
acl-number (Optional) the IP ACG number displayed.
Valid values are:
<199>or <10002999>the ID for the standard ACL
<100199>or <1000011999>the ID for the extended ACL
Examples
device-name#show ip access-groups
i p access- gr oup 100
Page 33

Displaying the IP ACG Statistics
The show ip access-groups statistics command displays how many packets match the
applied IP ACG.
Command Syntax
device-name#show ip access-groups <acl-number> statistics [interface UU/SS/PP
| sap UU/SS/PP c-vlan <vlan-id>]
acl-number (Optional) the IP ACG number displayed.
Valid values are:
interface UU/SS/PP (Optional) the specified port
sap UU/SS/PP (Optional) the specified SAP port
vlan-id The C-VLAN ID, in the valid range of <14094>
Examples
device-name(config-if 1/1/1)#ip access-group 100 option
device-name(config-if 1/1/1 acg 100)#statistics
device-name#show ip access-groups 100 statistics
Access Li st 100 st at i st i cs:
Mat ch St at i st i cs:
Cl assi f i ed packet s: 926359

device-name(config-if 1/1/2 acg 102)#rate-limit single-rate 10M 128K
statistics
device-name#show ip access-groups 102 statistics
Si ngl e r at e l i mi t :
Gr een byt es: 100500
Yel l ow byt es: NA
Dr op byt es: 35080
Page 34

Displaying the MAC ACG
The show mac access-groups command displays the MAC ACGs configured on ports, LAGs,
and VLANs.
Command Syntax
device-name#show mac access-groups [<acl-number>]
acl-number (Optional) the MAC ACG number displayed, in the range of <400499>or
<4000041999>.
Example
device-name#show mac access-groups
mac access- gr oup 400 opt i on
set vl an 4094
set t xq 7 dr op- l evel gr een
Displaying Match Statistics for MAC ACGs
The show mac access-groups statistics command displays how many packets match the
applied MAC ACG.
Command Syntax
device-name#show mac access-groups <acl-number> statistics [interface UU/SS/PP
acl-number The MAC ACG number displayed, in the range of <400499>or
<4000041999>.
Page 35

Example
statistics
device-name#show mac access-groups 402 statistics
Si ngl e r at e l i mi t :
Gr een byt es: 100500
Yel l ow byt es: NA
Dr op byt es: 35080
Clearing the IP ACG Statistics
The clear ip access-groups statistics command clears the IP ACG statistics.
Command Syntax
device-name#clear ip access-groups <acl-number> statistics [interface UU/SS/PP
acl-number (Optional) the IP ACG number cleared.
Valid values are:
Page 36

Clearing the MAC ACG Statistics
The clear mac access-groups statistics command clears the MAC ACG statistics.
Command Syntax
device-name#clear mac access-groups <acl-number> statistics [interface
UU/SS/PP | sap UU/SS/PP c-vlan <vlan-id>]
acl-number The MAC ACG number cleared, in the range of <400499>, or
<4000041999>.
Page 37

Configuring IP ACLs
In the example below:
the inbound and outbound traffic for PC 1 is limited to 3 Mbps for each direction
the inbound and outbound traffic for PC 2 is limited to 1 Mbps for each direction
the rest of the traffic that passes through the device is not controlled

Figure 3: Creating Standard and Extended I P ACLs
1. Define an ACL for the traffic from PC1 to the server:
device-name(config)#access-list 100 permit ip 211.202.212.1/26 any
2. Define an ACL for the traffic from the server to PC1:
device-name(config)#access-list 101 permit ip any 211.202.212.3/26
device-name(config)#access-list 102 permit ip 211.202.212.2/26 any
4. Define an ACL for the traffic from the server to PC2:
device-name(config)#access-list 103 permit ip any 211.202.212.3/26
5. Define an ACL that permits the all traffic:
device-name(config)#access-list 1 permit any
Page 38

6. Define the rate limit on the server port: 3M to PC1 and 1M to PC2, and no rate limit to the
rest of the traffic on this port:
device-name(config-if 1/1/1 acg 101)#rate-limit single-rate 3m 256k
device-name(config-if 1/1/1 acg 101)#exit
7. Define the rate limit of 3M on PC1 connection to the server, and no rate limit to the rest of
the traffic on the port:
9. Display the configured ACLs:
St andar d I P access l i st 1
per mi t any
Ext ended I P access l i st 100
per mi t i p 211. 202. 212. 1 0. 0. 0. 63 any
per mi t i p any 211. 202. 212. 3 0. 0. 0. 63
per mi t i p 211. 202. 212. 2 0. 0. 0. 63 any
per mi t i p any 211. 202. 212. 3 0. 0. 0. 63
Page 39

10. Display the configured ACGs:
device-name#show ip access-groups
i p access- gr oup 101 opt i on
r at e- l i mi t si ngl e- r at e 3000K 256K
Configuring MAC ACLs
The example below shows how to define MAC ACLs and to assign rate limits to them.

Figure 4: Rate Limit over Port Configuration
00:00:00:00:00:00 any
00:00:00:00:00:00 any
3. Define an ACL for the traffic from the server to PC1 and PC2:
device-name(config)#access-list 403 permit any 00:00:05:00:00:14
00:00:00:00:00:00
Page 40

4. Define the rate limit on the server port, 10M, and no rate limit to the rest of the traffic on this
port:
7. Display the configured ACLs:
device-name#show mac access-lists
per mi t host 00: 00: 00: 05: 00: 11 any
per mi t host 00: 00: 05: 00: 00: 08 any
per mi t host 00: 00: 05: 00: 00: 14 any
8. Display the configured ACGs:
Page 41

Creating ACLs per SAP
In the following example (based on Figure2):
Port 1/ 1/ 1 is connected to a group of users. ACL 400 allows access to the server only to the
users with MAC addresses 00:00:5a:63:56:78 (PC1) and 00:00:54:67:f5:61 (PC2).
Port 1/ 1/ 2 is connected to a server.

1. Create the VLAN v20 with ID 20 and add to it the 1/ 1/ 2 port (SDP port) as tagged and
1/ 1/ 1 port (SAP port) as untagged:
device-name(config-vlan v20)#add ports default 1/1/1,1/1/2
device-name(config-vlan v20)#end
2. Create MAC ACLs:
00:00:00:00:00:00 any
device-name(config)#access-list 411 permit 00:00:54:67:f5:61
00:00:00:00:00:00 any
3. Create a TLS service:
device-name(config-tls serv)#sap 1/1/1 c-vlan 11
4. Apply the MAC ACL 410 per SAP port with a rate-limit:
device-name(config-tls serv)#sap 1/1/1 c-vlan 11 option
device-name(config-tls-sap 1/1/1:11:)#mac access-group 410 option
device-name(config-tls-sap 1/1/1:11: acg 410)#rate-limit single-rate 3m 1m
statistics
device-name(config-tls-sap 1/1/1:11: acg 410)#statistics
device-name(config-tls-sap 1/1/1:11: acg 410)#apply
5. Apply the MAC ACL 411 per SAP port with a rate-limit:
device-name(config-tls serv)#sap 1/1/1 c-vlan 11 option
device-name(config-tls-sap 1/1/1:11:)#mac access-group 411 option
device-name(config-tls-sap 1/1/1:11: acg 411)#rate-limit single-rate 3m 1m
statistics
device-name(config-tls-sap 1/1/1:11: acg 411)#statistics
device-name(config-tls-sap 1/1/1:11: acg 411)#apply
Page 42

Configuring an ACG per Egress
The following example shows how to use ACL per egress. Traffic flows towards the interface
where an ACG per egress is applied.
1. Define an ACL with VPT 6:
device-name(config)#access-list 101 permit ip any any
2. Define the ACG on the desired interface with VPT rate-limit:
device-name(config-if 1/1/2)#ip access-group out 101 option
device-name(config-if 1/1/2 acg 101)#rate-limit single-rate 3m 1m exceed-
action drop
3. Display the existing ACLs:
per mi t i p any any
Configuring Rate Limit with DSCP Mapping
Configure a device with a single rate limiter with the following configuration:
traffic up to 1 Mbps with DSCP 0 is marked green and is remapped with priority 7 (according
to the given QoS policy rule)
traffic above 1 Mbps is marked as yellow

4. Create a MAC ACL:
00:00:00:00:00:00 any
5. Define trust DSCP mode per ingress network-policy:
device-name(config)#qos
device-name(config qos)#network-policy trust
device-name(config qos-net trust)#ingress
device-name(config qos-net-in trust)#trust-dscp
device-name(config qos-net-in trust)#end
6. Define trust DSCP network-policy per ingress port 1/ 1/ 2:
device-name(config-if 1/1/2)#qos-network-policy trust
7. Change the DSCP mapping policy:
device-name(config qos)#map dscp 0 fc nc drop-level green
device-name(config qos)#map dscp 2 fc h1 drop-level yellow
device-name(config qos)#exit
Page 43

8. Define a rate limit on port 1/ 1/ 2:
device-name(config-if 1/1/2 acg 400)#rate-limit single-rate 1M 256K color-
aware exceed-action mark-yellow
9. Display the ACG configuration:
r at e- l i mi t si ngl e- r at e 1000K 256K col or - awar e exceed- act i on mar k- yel l ow
10. Display network-policy per port and DSCP mapping:
device-name#show qos network-policy trust
Pol i cy Name: t r ust
Descr i pt i on:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| I ngr ess Pol i cy Conf i gur at i on |
+- - - - - - - - - - - - - - +- - - - - +- - - - - - - - - - - - +
| Tr ust Mode | FC | Dr op Level |
+- - - - - - - - - - - - - - +- - - - - +- - - - - - - - - - - - +
| t r ust - dscp | | |
+- - - - - - - - - - - - - - +- - - - - +- - - - - - - - - - - - +
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Egr ess Pol i cy Conf i gur at i on |
+- - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Schedul er Pr of i l e | Shaper Pr of i l e |
+- - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| I D | Type | Shaper I D | CI R | CBS |
+- - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| - | - | - | - | - |
+- - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
+- - - - - - - - - - +- - - - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| Queue I d | Shaper I d | CI R | CBS |
+- - - - - - - - - - +- - - - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| | | | |
+- - - - - - - - - - +- - - - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
Pol i cy i s appl i ed on t he f ol l owi ng por t ( s) :
1/ 1/ 2

device-name#show qos ingress dscp-map
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| DSCP | FC | Dr op Level |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 0 | nc | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 1 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 2 | h1 | yel l ow |
Page 44

+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 3 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 4 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 5 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 6 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 7 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 8 | l 2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 9 | l 2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - ++-
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 61 | nc | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 62 | nc | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 63 | nc | gr een |
+-----------+--------+-------------+
Configuring Rate Limit with Priority Remarking
The following example configures a single rate limit on the device and remark the VPT on egress
packets. Any packet with source MAC 00:00:10:02:00:00 on port 1/1/2 is rate limited to 1
Mbps.
1. Create an ACL:
device-name(config)#access-list 401 permit host 00:00:10:02:00:00 any
2. Set the priority remarking policy:
device-name(config qos)#remark fc be drop-level green priority 5
3. Set the rate limit and apply statistics on port 1/ 1/ 2 :
device-name(config-if 1/1/2 acg 401)#statistics
Page 45

4. Display the priority remarking policy:
device-name#show qos egress remark
+- - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - +
| QoS Par amet er s | Tx Remar k |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| FC | Dr op Level | Pr i or i t y |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| be | gr een | 5 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| be | yel l ow | 0 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| l 2 | gr een | 1 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| l 2 | yel l ow | 1 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| af | gr een | 2 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| af | yel l ow | 2 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| l 1 | gr een | 3 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| l 1 | yel l ow | 3 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| h2 | gr een | 4 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| h2 | yel l ow | 4 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| ef | gr een | 5 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| ef | yel l ow | 5 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| h1 | gr een | 6 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| h1 | yel l ow | 6 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| nc | gr een | 7 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| nc | yel l ow | 7 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
5. Display configured MAC ACG:
6. Display configured MAC ACG statistics per port:
device-name#show mac access-groups 401 statistics interface 1/1/2
Mat ch St at i st i cs:
Cl assi f i ed packet s: 0
Page 46

Supported Platforms
Access Control Lists (ACLs) + +
Access Control Lists
(ACLs)
No standards are
supported by this
feature.
Private MIB,
prvt_switch_access_list.mib
RFC 2697, A Single
Rate Three Color
Marker
RFC 2698, A Two
Rate Three Color
Marker

Page 1
Dhcp Snooping (Rev. 01)

DHCP Snooping
Table of Contents
Table of Figures 3
DHCP Snooping 4
Overview 4
The DHCP Snooping Command Hierarchy 5
Enabling/Disabling DHCP Snooping 7
Enabling DHCP Snooping on Ports 7
Enabling/Disabling DHCP Snooping on Trusted/Untrusted Ports 8
Configuring DHCP Snooping 9
Enabling/Disabling the DHCP-Snooping Binding Table 9
Adding Entries to the DHCP-Snooping Binding Table 10
Defining the Number of DHCP-Snooping Binding Table Entries 10
Copying the DHCP-Snooping Binding Table 11
Immediately Copying the DHCP-Snooping Binding Table 11
Configuring the DHCP-Snooping Port Security12
Enabling/Disabling the MAC-Address Match-Option 12
Enabling the DHCP-Snooping Chain Mode13
Enabling the Option-82 on a Port 14
Defining the Option-82 Circuit-ID14
Defining the Option-82 Fields Format 14
Filling the Relay Agent Field15
Defining the DHCP Option-82 Tag 16
Clearing the DHCP-Snooping Binding Table16
Clearing DHCP-Snooping Binding Entries 17
Displaying the DHCP-Snooping Binding Table 17
Displaying the DHCP Snooping Configuration Information 18
Displaying the DHCP Snooping Port Configuration Information 19
Displaying the DHCP-Snooping Option-82 Configuration 20

Page 2

Displaying the GiaddrField Information 20
Configuration Example 21


Page 3

Table of Figures
Figure 1: DHCP Snooping in Action 4
Figure 2: DHCP Snooping Configuration Example21


Page 4

DHCP Snooping
Overview
DHCP Snooping provides network security by filtering untrusted DHCP messages, (received from
outside the network and causing traffic attacks), and by building and maintaining a DHCP-
snooping binding table (see Enabling/ DisablingtheDHCP-SnoopingBindingTable).
DHCP Snooping works with information from a DHCP server to:
Track the physical location of hosts (DHCP clients)
Ensure that hosts only use the IP addresses assigned to them
Ensure that only authorized DHCP servers are accessible
DHCP Snooping acts like a firewall between untrusted hosts (DHCP clients) and DHCP servers.

Figure 1: DHCP Snooping in Action

Page 5

The DHCP Snooping Command Hierarchy
+ enable
+ configure terminal
- ip dhcp snooping {enable | disable}
- [no] ip dhcp snooping interface-mode interface {PORT-LIST | PORT-
AG-LIST} [vlan VLAN-LIST]
- ip dhcp snooping interface {PORT-LIST | PORT-AG-LIST} {trusted |
untrusted}
- [no] ip dhcp snooping force-broadcast-request
- ip dhcp snooping binding-table {enable | disable}
- [no] ip dhcp snooping binding A.B.C.D HH:HH:HH:HH:HH:HH vlan
<vlan-id> interface UU/SS/PP
- ip dhcp snooping binding-table max-entries <binding-entries>
- [no] ip dhcp snooping binding-table tftp A.B.C.D file name FILE-
NAME write-delay <time period>
- ip dhcp snooping binding-table upload tftp A.B.C.D filename FILE-
NAME
- [no] ip dhcp snooping port-security interface PORT-LIST [vlan-id
<vlan-id>]
- ip dhcp snooping match-mac {enable | disable}
- ip dhcp snooping information option chain-mode
- [no] ip dhcp snooping information option circuit-id WORD port
UU/SS/PP vlan-id <vlan-id>
- ip dhcp snooping set-relay-agent-address
- ip dhcp snooping information option chain-mode set-relay-agent-
address
+ interface UU/SS/PP
- [no] ip dhcp snooping information option
- [no] ip dhcp snooping information option format binary
[remote-id]
- ip dhcp snooping information option tag <1-65535>
- no ip dhcp snooping information option tag
- ip dhcp snooping interface {trusted | untrusted}
- clear ip dhcp snooping binding-table [static | learned | all]
- clear ip dhcp snooping binding-table ip A.B.C.D vlan <vlan-id>
- clear ip dhcp snooping binding-table mac HH:HH:HH:HH:HH:HH vlan <vlan-
id>
- show ip dhcp snooping binding {interface UU/SS/PP | vlan <vlan-id>}
- show ip dhcp snooping configuration
- show ip dhcp snooping interface {UU/SS/PP | aggregations | all}
- show ip dhcp snooping option82

Page 6

- show ip dhcp snooping set-relay-agent-address

Page 7

Enabling/Disabling DHCP Snooping

Caution

Do not enable DHCP Snooping while DHCP Relay is enabled. DHCP Snooping
and DHCP Relay cannot operate concurrently on a device.

The ip dhcp snooping command enables/disables the DHCP Snooping globally.

NOTE
For DHCP Snooping to function properly, all DHCP servers must be connected to
the device through trusted interfaces.

Command Syntax
device-name(config)#ip dhcp snooping {enable | disable}
enable
Enables DHCP Snooping
disable
Disables DCHP Snooping
Disabled
Enabling DHCP Snooping on Ports
The ip dhcp snooping interface-mode command enables DHCP Snooping on ports and
optionally defines VLANs to which the ports belong.
Command Syntax
device-name(config)#ip dhcp snooping interface-mode interface {PORT-LIST |
PORT-AG-LIST} [vlan VLAN-LIST]
device-name(config)#no ip dhcp snooping interface-mode interface {PORT-LIST |
PORT-AG-LIST} [vlan VLAN-LIST]
PORT-LIST
List of ports. Use commas as separators and hyphens to indicate sub-
ranges (for example: 1/2/11/2/8, 1/1/2)
PORT-AG-LIST
LAG names list (for example, ag01, ag04ag07), in the range of <17>

Page 8

VLAN-LIST
(Optional) a list of VLAN IDs to which the ports belong, in the following
format:
Several VLAN numbers and/or ranges, separated by commas (for
example: 2,4,832)
no
Restores to default
Enabling/Disabling DHCP Snooping on
Trusted/Untrusted Ports
The ip dhcp snooping interface command enables/disables DHCP Snooping on
trusted/untrusted ports.
CLI Mode: Global Configuration and Interface Configuration
Command Syntax
device-name(config)#ip dhcp snooping interface {PORT-LIST | PORT-AG-LIST}
{trusted | untrusted}
device-name(config-if UU/SS/PP)#ip dhcp snooping interface {trusted |
untrusted}
PORT-LIST
List of ports. Use commas as separators and hyphens to indicate sub-
ranges (for example: 1/2/11/2/8, 1/1/2)
PORT-AG-LIST
LAG names list (for example, ag01, ag04ag07), in the range of <17>
trusted
Enables DHCP Snooping on trusted port(s). Trusted ports receive only
packets from within the network, the outside-coming packets are simply
forwarded.
The trusted ports are used to reach a DHCP server or relay agent, and
DHCP information from them is not logged in the DHCP-snooping
binding table.
untrusted
Enables DHCP Snooping on untrusted port(s). Untrusted ports receive
messages from outside the network.
Untrusted


Page 9

Configuring DHCP Snooping
The ip dhcp snooping force-broadcast-request command invokes DHCP Snooping when
intercepting a unicast RENEWING request. The renewing packet is rewritten with a full broadcast
destination address.

Command Syntax
device-name(config)#ip dhcp snooping force-broadcast-request
device-name(config)#no ip dhcp snooping force-broadcast-request
no
Disables the force-broadcast-request option
Enabling/Disabling the DHCP-Snooping Binding Table
The ip dhcp snooping binding-table command enables/disables the DHCP-snooping
binding table.
The DHCP-snooping binding table contains the MAC address, the IP address, the lease time, the
binding type, the VLAN number, and the ports information that corresponds to the local
untrusted ports.
The DHCP-snooping binding table does not contain information about hosts that are connected to
trusted ports.
Command Syntax
device-name(config)#ip dhcp snooping binding-table {enable | disable}
enable
Enables the DHCP-snooping binding table.
disable
Disables the DHCP-snooping binding table
Disabled


Page 10

Adding Entries to the DHCP-Snooping Binding Table
The ip dhcp snooping binding command adds staticentries to the DHCP-snooping binding
table.
Command Syntax
device-name(config)#ip dhcp snooping binding A.B.C.D HH:HH:HH:HH:HH:HH vlan
<vlan-id> interface UU/SS/PP
device-name(config)#no ip dhcp snooping binding A.B.C.D HH:HH:HH:HH:HH:HH
vlan <vlan-id> interface UU/SS/PP
A.B.C.D
The binding entrys IP address
HH:HH:HH:HH:HH:HH
The binding entrys MAC address
vlan <vlan-id>
The VLAN to which the port belongs, in the range of <14094>
UU/SS/PP
An untrusted port for which to add/delete a binding entry
no
Deletes entries from the binding table
Defining the Number of DHCP-Snooping Binding Table
Entries
The ip dhcp snooping binding-table max-entries command defines the maximum number
of entries of the DHCP-snooping binding table.
Command Syntax
device-name(config)#ip dhcp snooping binding-table max-entries <binding-
entries>
binding-entries
The maximum number of the table entries, in the range of <10010000>


Page 11

Copying the DHCP-Snooping Binding Table
The ip dhcp snooping binding-table tftp command periodically copies the DHCP-
snooping binding table to a TFTP server. Upon reload, the device reads the file to build the
database for the bindings.

Command Syntax
device-name(config)#ip dhcp snooping binding-table tftp A.B.C.D file name
FILE-NAME write-delay <time period>
device-name(config)#no ip dhcp snooping binding-table tftp
A.B.C.D
The TFTP servers IP address
FILE-NAME
The name of the copied file
write-delay
<time period>
The time at which the file is uploaded to the TFTP server, in the range of
<6086400>seconds
300 seconds
no
Disables the coping
Immediately Copying the DHCP-Snooping Binding
Table
The ip dhcp snooping binding-table upload tftp command immediately copies the
DHCP-snooping binding table to a TFTP server.
Command Syntax
device-name(config)#ip dhcp snooping binding-table upload tftp A.B.C.D
filename FILE-NAME
A.B.C.D
The TFTP servers IP address
FILE-NAME
The name of the copied file


Page 12

Configuring the DHCP-Snooping Port Security
The ip dhcp snooping port-security interface command enables DHCP-snooping port
security (see chapter ConfiguringInterfacesof this User Guide) on an untrusted port(s). This feature
blocks the network traffic to DHCP clients that have not obtained their IP addresses from DHCP
servers connected to trusted ports. To communicate, the DHCP clients have to renew their IP
addresses.
Each time, when the DHCP client is plugged into an untrusted port on which DHCP-snooping
port security option is enabled, the DHCP clients have to renew their IP addresses.

NOTE
When the DHCP clients IP address is statically changed, the combination of Port
Security and Dynamic ARP Inspection features ensure blocking of the Layer-3 traffic
on untrusted ports of the DHCP-snooping-enabled device.

Command Syntax
device-name(config)#ip dhcp snooping port-security interface PORT-LIST [vlan-
id <vlan-id>]
device-name(config)#no ip dhcp snooping port-security interface PORT-LIST
[vlan-id <vlan-id>]
PORT-LIST
List of ports. Use commas as separators and hyphens to indicate sub-ranges
(for example: 1/2/11/2/8, 1/1/2).
vlan-id
<vlan-id>
(Optional) defines a VLAN ID in the range of <14094>to which the ports
belong.
no
Restores to default
Disabled
Enabling/Disabling the MAC-Address Match-Option
The ip dhcp snooping match-mac command enables/disables the MAC-address match-option.
Command Syntax
device-name(config)#ip dhcp snooping match-mac {enable | disable}

Page 13

enable
Enables the MAC address match-option: the source MAC address in the
Ethernet header is compared to the chaddr field in the DHCP payload (within
the DHCP packet):
If the address does not match the chaddr field, the DHCP packet is
dropped
If the address matches the chaddr field, the deviceon which DHCP
Snooping is enabledforwards the packet
This comparison procedure is not performed for trusted ports.
disable
Disables the MAC address match-option
Disabled
Enabling the DHCP-Snooping Chain Mode
The ip dhcp snooping information option chain-mode command enables the DHCP-
snooping chain mode i.e. DHCP Snooping is enabled on more than one device on the providers
network. This feature allows DHCP packets to be exchanged between the DHCP client and
DHCP server without being dropped by the DHCP-snooping devices located between the DHCP
client and DHCP server.
Enabling the DHCP-snooping chain mode is also required when the DHCP server and the DHCP
client are located on different Layer-2 networks, and a DHCP-relay device exits between these
networks.
In the DHCP-snooping chain mode, DHCP Snooping requires all DHCP packets to contain
Option-82 data. Option 82 allows a DHCP-relay device to insert specific information into a request
forwarded to a DHCP server (see RFC 3046).
DHCP Snooping defines the DHCP packets destination by checking Option-82 fields. When a
DHCP-Snooping-enabled device receives a packet that is not destined for it, the device forwards
the packet to all trusted ports.
DHCP servers that do not support Option-82, strip the Option-82 field from the replies.

NOTE
Configure Option-82 on all devices in the ring topology.
Each device must have a unique Option-82 value. The unique Option-82 value
can be a remote-ID (MAC), a unique TAG, or a unique circuit-id.
In the ring topology, when the DHCP-snooping chain mode is enabled, all
Option-82-enabled devices and the DHCP servers must be in the same subnet.

Command Syntax
device-name(config)#[no] ip dhcp snooping information option chain-mode
no
Disables the chain mode

Page 14

Defining the Option-82 Circuit-ID
The ip dhcp snooping information option circuit-id command defines the circuit-ID. The
circuit-ID describes the port originating the packet.
Command Syntax
device-name(config)#ip dhcp snooping information option circuit-id WORD port
device-name(config)#no ip dhcp snooping information option circuit-id port
WORD
Circuit-ID, a text string of 256 characters. The circuit-ID string cannot be
configured to 8, 15, 18, or 20 characters. Otherwise, a warning message
appears:
[ War ni ng] The speci f i ed ci r cui t I D mi ght not wor k pr oper l y
i f combi ned wi t h ot her conf i gur ed i nf or mat i on opt i ons.
More than one circuit-ID can be defined per port. If a port is a member of
several VLANs, only one circuit-id can be defined for a port-VLAN
combination.
UU/SS/PP
The related port
vlan-id
VLAN ID, in the range of <14094>
no
Removes the defined circuit-ID: the information contained in the Option-82
field is used to define the packet retransmit path
Enabling the Option-82 on a Port
The ip dhcp snooping information option command enables the Option-82 on a port.
Command Syntax
device-name(config-if UU/SS/PP)#[no] ip dhcp snooping information option
no
Disables the Option-82
Disabled


Page 15

Defining the Option-82 Fields Format
The ip dhcp snooping information option format binary command determines the format
of Option-82 field contained in packets coming from the DHCP client.
Command Syntax
device-name(config-if UU/SS/PP)#ip dhcp snooping information option format
binary [remote-id]
device-name(config-if UU/SS/PP)#no ip dhcp snooping information option format
binary
remote-id
(Optional) inserts the MAC address of the relay agent at the end of the Option-
82 field
no
Restores to default
ASCII format
Filling the Relay Agent Field
The ip dhcp snooping set-relay-agent-address and ip dhcp snooping information
option chain-mode set-relay-agent-address commands fill in the giaddr field (IP address of
a DHCP-relay device) of the DHCP clients packet. As a result, the DHCP server includes Option-
82 when returns DHCP packets to the DHCP clients.
DHCP servers do not echo Option-82 when a DHCP packet with giaddr field of 0 is received.

NOTE
To fill in the giaddr field using the i p dhcp snoopi ng set - r el ay- agent - addr ess
command in chain mode, first execute the i p dhcp snoopi ng i nf or mat i on
opt i on chai n- mode set - r el ay- agent - addr ess command.

Command Syntax
device-name(config)#ip dhcp snooping set-relay-agent-address
device-name(config)#ip dhcp snooping information option chain-mode set-relay-
agent-address

Page 16

Defining the DHCP Option-82 Tag
The ip dhcp snooping information option tag command defines the DHCP Option-82 tag
value.
Command Syntax
device-name(config-if UU/SS/PP)#ip dhcp snooping information option tag <1-
65535>
device-name(config-if UU/SS/PP)#no ip dhcp snooping information option tag
tag <1-65535>
Option-82 tag value, in the range of <165535>
no
Removes the Option-82 tag
Clearing the DHCP-Snooping Binding Table
The clear ip dhcp snooping binding-table command clears all entries from the DHCP-
snooping binding table.
Command Syntax
device-name#clear ip dhcp snooping binding-table [static | learned | all]
static
(Optional) only static entries are cleared.
learned
(Optional) only dynamically learned entries are cleared.
all
(Optional) all entries are cleared.


Page 17

Clearing DHCP-Snooping Binding Entries
The clear ip dhcp snooping binding-table ip command clears a DHCP-snooping binding
entry specified by the DHCP clients IP address.
The clear ip dhcp snooping binding-table mac command clears a DHCP-snooping binding
entry specified by the DHCP clients MAC address.
Command Syntax
device-name#clear ip dhcp snooping binding-table ip A.B.C.D vlan <vlan-id>
device-name#clear ip dhcp snooping binding-table mac HH:HH:HH:HH:HH:HH vlan
<vlan-id>
A.B.C.D
The DHCP clients IP address
HH:HH:HH:HH:HH:HH
The DHCP clients MAC address
vlan <vlan-id>
The VLAN ID, in the range of <14094>
Displaying the DHCP-Snooping Binding Table
The show ip dhcp snooping binding command displays DHCP-snooping binding table entries
learned from DHCP Snooping. If no argument is specified, all entries are displayed.
Command Syntax
device-name#show ip dhcp snooping binding {interface UU/SS/PP | vlan <vlan-
id>}
UU/SS/PP
Displays table entries for the selected untrusted port
vlan <vlan-id>
Displays table entries for the selected VLAN ID, in the range of <1
4094>


Page 18

Example
Display the DHCP-snooping binding entries for a specified VLAN:
device-name#show ip dhcp snooping binding vlan 1
Fl ags : V - val i d, P - per m. l ease, I - i ncompl et e, L - l ear ned, S - st at i c
+- - - - - - - - - - - - - - - - - +- - - - - - +- - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - +
| I P addr ess | VLAN | MAC addr ess | I nt er f ace | Fl ags | Lease |
+- - - - - - - - - - - - - - - - - +- - - - - - +- - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - +
| 1. 1. 1. 2| 1| 00: FF: 00: 00: 00: 01 | 1/ 1/ 2| V L | 43187|
| 1. 1. 1. 3| 1| 00: FF: 00: 00: 00: 02 | 1/ 1/ 2| V L | 43199|
| 1. 1. 1. 1| 1| 00: FF: 00: 00: 00: 00 | 1/ 1/ 2| V L | 43175|
+- - - - - - - - - - - - - - - - - +- - - - - - +- - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - +
Table 1: Parameters Displayed by the show i p dhcp snoopi ng bi ndi ng Command
Field Description
IP Address DHCP clients IP address
VLAN VLAN ID of the DHCP clients port
MAC Address DHCP clients MAC address
Interface Port connected to the DHCP client
Type Binding type; statically configured from CLI or dynamically learned
Lease (seconds) IP address lease time
Displaying the DHCP Snooping Configuration
Information
The show ip dhcp snooping configuration command displays DHCP Snooping
configuration.
Command Syntax
device-name#show ip dhcp snooping configuration
Example
device-name#show ip dhcp snooping configuration
=====================================================================
| DHCP SNOOPI NG - CONFI GURATI ON SUMMARY |
=====================================================================
DHCP Snoopi ng modul e cur r ent st at e : ENABLE
Cur r ent Mode : RI NG MODE
Mat ch MAC addr ess : DI SABLE
DHCP Snoopi ng Dat abase Use : ENABLE
DHCP Snoopi ng Dat abase Max Ent r i es Val ue : 10000
TFTP Ser ver I P addr ess : 192. 168. 0. 34

Page 19

The f i l ename of Upl oaded DB : snoop_db. 4. 134. t xt
The i nt er val of per i odi c upl oads i n seconds : 180
set - r el ay- agent - addr ess opt i on : conf i gur ed
DHCP Snoopi ng debug messages : DI SABLE
===========================================================
| DHCP Snoopi ng I nt er f aces St at es |
===========================================================
TRUSTED 1/ 2/ 2
UNTRUSTED 1/ 2/ 1 | 1/ 2/ 3 - 1/ 2/ 8

===========================================================
| DHCP Snoopi ng Vl ans - I nt er f ace mode |
===========================================================
VLAN I D | 1
===========================================================
| DHCP Snoopi ng Aggr egat i ons - I nt er f ace mode |
===========================================================
AGGREGATI ON TRUSTED
AGGREGATI ON UNTRUSTED AG01
=====================================================================
| DHCP Snoopi ng Opt i on 82 Conf i gur at i on |
| I nt er f ace | Opt i on For mat | Tag | Opt i on Pol i cy |
=====================================================================

on vl an: 1 asci i 00001 dr op
Displaying the DHCP-Snooping Port Information
The show ip dhcp snooping interface command displays DHCP-snooping configuration
information for port(s).
Command Syntax
device-name#show ip dhcp snooping interface {UU/SS/PP | aggregations | all}
UU/SS/PP
Displays information for a specific port
aggregations
Displays information for all trusted and untrusted LAGs
all
Displays information for all trusted and untrusted ports
Example
device-name#show ip dhcp snooping interface 1/1/1
| 1/ 1/ 1 | TRUSTED

Page 20

Displaying the DHCP-Snooping Option-82 Information
The show ip dhcp snooping option82 command displays the DHCP-snooping Option-82
configuration information.
Command Syntax
device-name#show ip dhcp snooping option82
Example
device-name#show ip dhcp snooping option82
ON PORT: 1/ 1/ 2
FORMAT: ASCI I
TAG: 1
POLI CY: DROP
Displaying the Giaddr Field Information
The show ip dhcp snooping set-relay-agent-address command displays whether the giaddr
field is inserted in the DHCP packet.
Command Syntax
device-name#show ip dhcp snooping set-relay-agent-address
Example
device-name#show ip dhcp snooping set-relay-agent-address
set - r el ay- agent - addr ess i s enabl ed

Page 21

The following example is based on Figure 2 and shows how to configure DHCP Snooping on the
devices.

Figure 2: DHCP Snooping Configuration Example
1. Enter the VLAN Configuration mode and select the default VLAN:
DeviceA(config)#vlan
DeviceA(config vlan)#config default
2. Remove ports 1/2/1 to 1/2/8 from the default VLAN:
DeviceA(config-vlan default)#remove ports 1/2/11/2/8
DeviceA(config-vlan default)#exit
3. Configure a VLAN named V9 with VLAN ID 9 and add to it a port list 1/2/11/2/8 as
untagged:
DeviceA(config vlan)#create v9 9
DeviceA(config vlan)#config v9
DeviceA(config-vlan v9)#add ports 1/2/11/2/8 untagged
DeviceA(config-vlan v9)#add ports default 1/2/11/2/8
DeviceA(config-vlan v9)#exit
DeviceA(config-vlan)#exit
4. Enable DHCP Snooping:
DeviceA(config)#ip dhcp snooping enable
5. Enable DHCP-snooping binding table:
DeviceA(config)#ip dhcp snooping binding-table enable
6. Enable DHCP-snooping on a port list 1/2/11/2/8:
DeviceA(config)#ip dhcp snooping interface-mode interface 1/2/11/2/8 vlan
9
7. Define port 1/2/3 as trusted:
DeviceA(config)#ip dhcp snooping interface 1/2/3 trusted

Page 22

Configuring DHCP server:
1. Define a subnet number:
DHCPS(config)#service dhcp
DHCPS(config-dhcp)#subnet 9.0.0.0/8
2. Define a IP address range for clients to 9.20.1.10 up to 9.20.1.100:
DHCPS(config-dhcp-subnet)#range 9.20.1.10 9.20.1.100
DHCPS(config-dhcp-subnet)#exit
3. Enable the DHCP server:
DHCPS(config)#service dhcp enable
Configuring Host1 as DHCP client:
Restart the DHCP client:
Host1(config)#ip address dhcp renew
Checking the DHCP-Snooping database:
DeviceA#show ip dhcp snooping binding interface 1/2/5

Fl ags : V - val i d, P - per m. l ease, I - i ncompl et e, L - l ear ned, S - st at i c
+- - - - - - - - - - - - - - - - - +- - - - - - +- - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - +
| I P addr ess | VLAN | MAC addr ess | I nt er f ace | Fl ags | Lease |
+- - - - - - - - - - - - - - - - - +- - - - - - +- - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - +
| 9. 20. 1. 99| 9| 00: 0B: 2B: 01: 56: 86 | 1/ 2/ 5| V L | 120|
+- - - - - - - - - - - - - - - - - +- - - - - - +- - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - +
Display configuration information for all ports on Device A:
DeviceA#show ip dhcp snooping configuration
=====================================================================
| DHCP SNOOPI NG - CONFI GURATI ON SUMMARY |
=====================================================================
DHCP Snoopi ng modul e cur r ent st at e : ENABLE
Cur r ent Mode : I NTERFACE MODE
Mat ch MAC addr ess : DI SABLE
DHCP Snoopi ng Dat abase Use : ENABLE
DHCP Snoopi ng Dat abase Max Ent r i es Val ue : 10000
TFTP Ser ver I P addr ess : NOT CONFI GURED
The f i l ename of Upl oaded DB : NOT CONFI GURED
The i nt er val of per i odi c upl oads i n seconds : 180
set - r el ay- agent - addr ess opt i on : conf i gur ed
DHCP Snoopi ng debug messages : DI SABLE
===========================================================
| DHCP Snoopi ng I nt er f aces St at es |
===========================================================
TRUSTED 1/ 2/ 3
UNTRUSTED 1/ 2/ 5

Page 23

===========================================================
| DHCP Snoopi ng Vl ans - I nt er f ace mode |
===========================================================
VLAN I D | 9
===========================================================
| DHCP Snoopi ng Aggr egat i ons - I nt er f ace mode |
===========================================================
AGGREGATI ON TRUSTED
AGGREGATI ON UNTRUSTED AG01
=====================================================================
| DHCP Snoopi ng Opt i on 82 Conf i gur at i on |
| I nt er f ace | Opt i on For mat | Tag | Opt i on Pol i cy |
=====================================================================
i p dhcp snoopi ng i nf or mat i on opt i on not set


Page 24

DHCP Snooping No standards are
supported by this
feature.
Private MIB,
prvt_dhcp.mib
RFC 951, Bootstrap
Protocol (BOOTP)
RFC 1542, Clarifications
and Extensions for the
Bootstrap Protocol
RFC 2131, Dynamic Host
Configuration Protocol
RFC 2132, DHCP Options
and BOOTP Vendor
Extensions
RFC 3046, DHCP Relay
Agent Information Option

Page 1
Configuring Quality of Service (QoS) (Rev. 11)

Configuring Quality of Service (QoS)
Table of Figures 4
Overview 5
Implementation 5
Traffic Analysis 5
Basic QoS Architecture 7
The Packets QoS Attributes 8
QoS Profile 8
Sorting Packets for QoS 9
Traffic Scheduling10
Strict Priority (SP) 10
Weighted Round Robin (WRR) 11
Hybrid Scheduling12
Egress Traffic Shaping12
Storm Control12
QoS Default Configuration13
QoS Mappings Default Configuration14
Scheduler Profile Default Configuration16
Shaper Default Configuration16
Port Default Configuration16
QoS Configuration Flow17
QoS Configuration Commands18
Configuring QoS22
Configuring the Network Policy22
Applying the Network Policy per Port 23
Adding the Description for Network Policy23
Configuring the Network Ingress Policy24
Enabling/ Disabling the Trusted Mode DSCP24
Enabling/ Disabling the Trusted Mode Priority24

Page 2

Applying the QoS Default Mapping on Port 25
Configuring the Network Egress Remarking25
Defining Tail-Drop Profiles26
Configuring the Network Egress Policy27
Configuring the Queue on Egress Network27
Applying Tail-Drop Profiles28
Applying the Shaping Profile28
Applying Scheduling Profile on Egress Policy29
Configuring the DSCP to FC and Color Mapping29
Configuring the Dot1p to FC and Color Mapping30
Configuring the Service Policy31
Adding the Description for the Service Policy31
Configuring the Service Ingress Policy32
Configuring the Service Queues32
Applying Tail-Drop Profiles32
Applying the Service Policy Shaping Profile33
Applying the Service Scheduling Profile33
Binding the Service Policy on a TLS Service34
Applying the Service Policy on a SAP35
Configuring the Shaper Profile36
Configuring Scheduling SP Profile37
Configuring the Scheduling WRR Profile37
Configuring the Scheduling Hybrid-1 Profile38
Displaying the Network Policy Configuration41
Displaying the QoS Port Configuration43
Displaying the Scheduler Profile Configuration43
Displaying the Shaper Profile Configuration44
Displaying the Tail-Drop Profile Information45
Displaying the SAP Service Information46
Displaying the Service Policy Information47
Displaying the Dot1p to FC Mapping48

Page 3

Displaying the DSCP to FC Mapping48
Displaying the Egress Mapping and Remarking50
Configuring the Traffic Type51
Displaying the Storm Control Settings 52
Filtering Egress Broadcast Packets53
Filtering Egress Unknown-Unicast Packets53
Filtering Egress Multicast Packets54
Mapping Priority55
Configuring the DSCP-to-FC Mapping56
Configuring the Traffic Shaping Per-port57
Configuring QoS Service Policy58

Page 4

Table of Figures
Figure 1: Basic QoS Architecture 7
Figure 2: 802.1p Priority Header Fields 9
Figure 3: Type of Service (ToS) Header Fields 9
Figure 4: Strict Priority Queuing11
Figure 5: Weighted Round Robin Queuing12
Figure 6: QoS Configuration Flow17


Page 5

Overview
QoS refers to the mechanisms used for controlling and reserving network resources in order to
provide different priority to specific applications/ data flows and to guarantee their level of
performance. This preferential treatment might be at the expense of other traffic flows.
Implementing QoS in a network makes its performance more predictable and bandwidth utilization
more effective.
QoS policies have little effect during periods of light traffic since packets are transmitted as soon as
they arrive. They are effective at times of congestion, when a port cannot transmit all packets
simultaneously and there is a need for defining the order in which the queued packets are
transmitted.
Implementation
The typical QoS model is based on the following:
At the network edge (ingress), the packet is assigned to a QoS service. The service is assigned
based on the packet header information (if the packet is trusted) or on the ingress port
configuration (in cases where the packet is untrusted).
The QoS service defines the packet internal QoS handling (Class of ServiceCoS and drop
precedenceColor) and optionally the packet external QoS marking, through either the
802.1p User Priority and/ or the IP header DSCP field.
Subsequent devices within the network core provide consistent QoS treatment to traffic, based
on the packet 802.1p or DSCP marking. As a result, an end-to-end QoS solution is provided.
A device may modify the assigned CoS if a packet stream exceeds the configured profile. In
this case, the packet may be dropped or reassigned to a lower CoS.
The device incorporates the required QoS features to implement network-edge as well as network-
core devices:
The device provides flexible mechanisms to classify packets into as many as 128 different
services.
Up to 256 Traffic Policers may be used to control the maximum rate of specific traffic flows,
each of them can be bound to a flow or a flow aggregate.
The packet header may have its User Priority and/ or DSCP set to reflect the CoS assignment.
Service application mechanism is based on eight egress priority queues per port (including the
CPU port), on which congestion-avoidance and congestion-resolution policies are applied.
Traffic Analysis
To effectively configure QoS, analyze the types of traffic using the port and determine their relative
bandwidth demands. Also evaluate the supported applications sensitivity to:
Delay/ latencythe time a packet takes before it reaches its destination.

Page 6

Jitterthe variation of delay/ latency that can seriously affect the quality of streaming audio
and/ or video.
Packet lossthe routers may fail to deliver some packets if they arrive when their buffers are
already full. Some, none, or all of the packets may be dropped, depending on the state of the
network. The receiving application might ask for this information to be retransmitted, possibly
causing severe delays in the overall transmission.
The below table details general guidelines for classifying traffic types:
Table 1: Traffic Types
Traffic Type Description
Voice Demands small amounts of bandwidth. However, the bandwidth must be
constant and predictable because voice applications are sensitive to latency
(inter-packet delay) and jitter.
Video Similar to voice application but requires larger bandwidth, depending on the
encoding.
Some applications can transmit large amounts of data for multiple streams in
one spike or burst, causing the device to buffer significant amounts of sent
video-stream data. This might cause difficulties at the network infrastructure
level, since it must be able to buffer the transmitted spikes when they occur
especially where there are line rate differences (for example, going from
Gigabit Ethernet to Fast Ethernet).
Database Does not demand significant bandwidth and is tolerant to delay. Therefore it
requires minimum bandwidth and can be set to use lower priority than the
more delay-sensitive applications.
Web browsing Cannot be generalized into a single category. You can distinguish casual and
application-oriented traffic from each other by their server source and
destinations.
Most browser-based applications have an asymmetric dataflow (small
dataflow from the clients browser and large dataflow from the server to the
client). An exception to this pattern might be created by some J ava-based
applications.
Web-based applications are generally tolerant of latency, jitter, and some
packet loss. However even a small amount of packet-loss m might have a
large impact on perceived performance, due to the nature of TCP.
File server Has the greatest demand on bandwidth, although it is tolerant to latency,
jitter, and some packet loss, depending on the network operating system and
the use of TCP or UDP.


Page 7

Basic QoS Architecture
The following figure illustrates QoS processing, divided in ingress and egress pipe units.

Figure 1: Basic QoS Architecture
Table 2: Ingress & Egress Pipes
Ingress & Egress Pipes Description
(Ingress) QoS Initial
Marking
QoS initial marking associates every packet classified as data with a
set of QoS attributes that determine the QoS processing by
subsequent stages. The sequence of the markers is important and is
as shown in the above figure.
(Ingress) Traffic Policing
and QoS Remarking
If enabled on a policy-based traffic flow, and if the packet is
classified as data, the policer meters the given flow according to a
configurable rate profile and classifies packets as either in-profile or
out-of-profile. Out-of-profile packets may be discarded or have their
QoS attributes remarked.
(Egress) QoS
Enforcement
QoS enforcement utilizes eight egress queue-priorities per port.
Congestion avoidance and congestion resolution techniques are
used to provide the required service.
(Egress) QoS Initial
Marking
QoS initial marking associates every packet with a set of QoS
attributes that determine QoS processing by subsequent stages.
Potentially, all types of packetsdata, control, and mirrored to
analyzer portare subject to egress QoS initial marking.
(Egress) Setting the
Packet Headers QoS
Fields
The packet header 802.1p User Priority and/or IP-DSCP is defined
or modified.

Page 8

The Packets QoS Attributes
Every packet classified as data has an assigned set of QoS attributes that can be modified by each
ingress pipeline engine.
Each of the ingress pipeline engines contains several Initial QoS Markers that assign the packet
initial QoS attribute, as described in the next section.
The ingress pipeline engine also contains a QoS Remarker that can modify the initial QoS
attributes, as described in next section. The packet QoS attributes are:
QoS Precedencethe device incorporates multiple QoS markers operating in sequence. As a
result, a later marker overrides an earlier QoS attribute assignment. By setting the QoS
Precedence flag to HARD, a QoS marker can prevent modification of packet QoS attributes
by subsequent QoS markers.
QoS Profile Indexis used as a direct index, ranging from 0 to 127, into the global QoS
Profile table.
Modify DSCPenables Packet DSCP field when the packet egresses the device.
0=Packet DSCP field is not modified when the packet egresses the device
1=Packet DSCP field is modified to the DSCP value of the QoS Profile entry for the
packet QoS Profile index.
Modify User Priorityenables packet 802.1p-User Priority field modification.
0=Packet User Priority is preserved when the packet egresses the device
1=Packet User Priority field is modified to the <UP> value of the QoS Profile entry for
the packet QoS Profile index, when the packet egresses the device.
Default User Priorityis assigned by the ingress port configuration, only when the <Modify
UP> is cleared and the packet are received untagged.
QoS Profile
The device supports up to 128 QoS Profiles (for default profile values, refer to Table4).
Every packet classified as data has assigned the QoS attribute <QoS Profile index> that is used by
the egress pipeline to apply the QoS service.
The QoS Profile index is used as a direct index, ranging from 0 to 127, into the global QoS Profile
table.
Each entry in the QoS Profile table contains the set of attributes:
TCTraffic class queue assigned to the packet.
DPDrop precedence assigned to the packet.
UPIf the packet QoS attribute <Modify UP> is set and the packet is received untagged, this
field is the value used in the packet 802.1p User Priority field and packet is transmitted tagged.
If receive the packet tagged, the existing User Priority is modified with this value.
DSCPIf setting the packet QoS attribute <Modify DSCP>, and the packet is IPv4 or IPv6,
this field is the value used to modify the packet IP-DSCP field.
QoS profiles 015 are used for all types of services. Indexes 015 are referred to as traffic
classes, where indexes 07 are duplicated to indexes 815 with DP being set to Yellow.

Page 9

Sorting Packets for QoS
Sorting Packets by 802.1p Priority Values
The devices support standard 802.1p priority bits (VLAN Priority Tag, VPT) that are part of tagged
Ethernet packets. The below figure illustrates the 802.1p priority header fields.

Figure 2: 802.1p Priority Header Fields
The device examines the 802.1p priority of ingressing packets. Based on this priority, it maps the
packets to various hardware queues of egress ports.

NOTE
The device does not change the VPT of switched packets with an 802.1Q tag,
assuming that the sender of the packet has already determined the VPT.
You can define the VPT of packets received without a tag using the map pr i or i t y
command.
Sorting Packets by the IP Type of Service (ToS, DiffServ)
Each IP packet header contains a field for the IP ToS.
The below figure illustrates the ToS fields in the IP packet header.

Figure 3: Type of Service ( ToS) Header Fields

Page 10

BiNOS can use ToS values for sorting packets into QoS queues. Individual ToS values, or ranges
of values, are mapped to 802.1p priority values. Based on 802.1p priority, the packets are sorted
into QoS queues.
When a packet arrives at the device on an ingress port, the device examines the first six of eight
ToS bits, called the codepoint. The device can assign the QoS priority to subsequently transmit the
packet based on the code point. The QoS priority controls a hardware queue used when
transmitting the packet out of the device, and determines the forwarding characteristics of a
particular code point. Each hardware queue represents a specific Class of Service (CoS). The Class
of Service is the priority level afforded each packet.
You can use one of the following traffic classes: be (Best-Effort), 12(Low-2), af (Assured), 11
(Low-1), h2(High-2), ef (Expedited), h1(High-1), nc (Network Control).
To map the DSCP values to traffic classes you can use ACL. For more information using ACL for
implementing QoS, refer to the ConfiguringAccessControl Lists(ACLs) chapter.
Traffic Scheduling
Traffic Scheduling allows you to control the packet transmission, based on priorities assigned to
packets and the queuing mechanism configured on the port.
Strict Priority (SP)
SP provides preferential treatment to high priority traffic, making sure that mission-critical traffic
gets priority treatment. It handles queues by their order: the highest ranking queue, txq8, is serviced
first until it is empty. Then the lower queue, txq7, is serviced and so on, down to txq1.
In addition, SP provides a faster response time for high priority traffic than other methods of
queuing.
Use the SP mechanism to guarantee a fixed portion of available bandwidth to an application (for
example, interactive multimedia applications), possibly at the expense of less critical traffic.
When selecting SP, consider that lower priority traffic is often denied in favor of higher priority
traffic. In the worst case, lower priority traffic is never transmitted. However, you can avoid these
scenarios by using rate-limit to control higher-priority traffic rate.
The below figure illustrates the SP process in a four-queue architecture.

Page 11

Figure 4: Strict Priority Queuing
Weighted Round Robin (WRR)
WRR is a scheduling mechanism that cycles through the queues. A weighting factor determines
how many bytes of data the system delivers from each queue before moving to the next queue.
Using this mechanism, packets in the queue are sent until the number of bytes transmitted exceeds
the bandwidth determined by the queues weighting factor, or until the queue is empty. Then WRR
moves to the next queue. If a queue is empty, the device sends packets from the next queue that
has packets to send.
If a packets length exceeds the queues allowed bandwidth, the packet is still transmitted during its
time slot, but its quota is overdrawn so next time it receives a smaller allocation. This mechanism
guarantees a minimum bandwidth for each queue, but allows the minimum to be exceeded if one
or more of the ports other queues are idle. However, when loading all the queues, each is limited to
its maximum bandwidth according to its assigned weight.
Relative percentages are calculated by byte counts rather than by packets, thus providing a greater
degree of bandwidth fairness.
The below figure illustrates the WRR queuing in four-queue architecture:

Page 12

Figure 5: Weighted Round Robin Queuing
Hybrid Scheduling
This scheduling method combines SP and WRR scheduling. Queues with higher priority are
serviced with SP while the remaining queues are serviced in accordance with WRR, after the higher
priority queues are empty.
Hybrid queuing guarantees immediate delivery of packets from high-ranking queues while avoiding
lowest-ranking queues starvation.
Egress Traffic Shaping
When congestion occurs, the device transmits the packets on the outgoing port and the assigned
queues. Traffic shaping allows you to shape output traffic (egress traffic) on a per-port and per-
queue basis.

Storm Control
The storm control mechanism prevents broadcast, multicast, and unicast storms from
overwhelming a network. Traffic storm control (also called traffic suppression) occurs when
packets flood the LAN, creating excessive traffic and degrading network performance. The traffic
storm control feature prevents LAN ports from being disrupted by a broadcast, multicast, or
unicast traffic storm on physical ports. This mechanism regulates the rate at which devices forward
broadcast, multicast and unicast traffic.
Each port has a single traffic storm control level that is used for all types of traffic (broadcast,
multicast, and unicast).
With the storm control feature, you can configure the ingress line rate limit per port or group ports.

Page 13

QoS Default Configuration
Table 3: Default QoS Configuration
Priority-to-queue assignment 0
Priority remark 0
QoS scheduling algorithm Strict Priority
Port profile ID
See Table 4
DSCP priority 0
DSCP-to-profile assignment
See Table 5
Traffic shaping Disabled
Trust mode Untrusted
SP scheduling Applied for all ports

Table 4: QoS Profile Default Configuration
Profile ID TC DP UP DSCP
0 0 Green 0 0
1 1 Green 1 0
2 2 Green 2 0
3 3 Green 3 0
4 4 Green 4 0
5 5 Green 5 0
6 6 Green 6 0
7 7 Green 7 0
8 0 Yellow 0 0
9 1 Yellow 1 0
10 2 Yellow 2 0
11 3 Yellow 3 0
12 4 Yellow 4 0
13 5 Yellow 5 0
14 6 Yellow 6 0
15 7 Yellow 7 0
16127 Not Used Not Used Not Used Not Used

Page 14

Table 5: DSCP-to-QoS Profile Index Mapping
07 0
815 1
1623 2
2431 3
3239 4
4047 5
4855 6
5663 7
Table 6: Default Storm Control Values
Traffic storm control Disabled

Table 7: Default Egress Filtering Values
Broadcast, unknown unicast, and multicast
packets
Disabled

Table 8: Default Tail-drop Values
ID Yellow Thershold
1 50
2 25
QoS Mappings Default Configuration
Table 9: CoS to FC and Color Mapping
Priority Txq Drop Level
0 1 green
1 2 green
2 3 green
3 4 green
4 5 green
5 6 green
6 7 green
7 8 green

Page 15

Table 10: DSCP to FC and Color Mapping
DSCP Txq Drop Level
07 1 green
815 2 green
1623 3 green
2431 4 green
3239 5 green
4047 6 green
4855 7 green
5663 8 green

Table 11: Egress Remarking with Dot1p
Dot1p Drop Level Priority FC
0 green 0 be
1 green 1 l2
2 green 2 af
3 green 3 l1
4 green 4 h2
5 green 5 ef
6 green 6 h1
7 green 7 nc
0 yellow 0 be
1 yellow 1 l2
2 yellow 2 af
3 yellow 3 l1
4 yellow 4 h2
5 yellow 5 ef
6 yellow 6 h1
7 yellow 7 nc

Page 16

Scheduler Profile Default Configuration
All the ports in the system are bound to profile 1, which is SP scheduling.
Shaper Default Configuration
By default, per-port and per-queue shaper is disabled.
Port Default Configuration
All ports in the system are:
Bound to a SP scheduling profile 1
Untrusted (port default) with default policy
Default mapping to TC=be and color green
Default port settings are applied in the following cases:
Untrusted modeall packets
L2 trust modeL2 packets only
L2+L3 trust modeDSCP mapping is used for all IP packets.

Page 17

QoS Configuration Flow

Figure 6: QoS Configuration Flow
Egress Ingress
Start
Configure priority remark
Apply traffic shaping
Configure trusted priority
Apply scheduling profile
Configure trusted DSCP
End
Network
Policy
Configure priority mapping to profile index (FC, DP pair)
Create and configure the QoS service policy
Apply tail-drop
Configure DSCP mapping to profile index (FC, DP pair)
Configure scheduling profile and shaper profile
Define remarking of dot1p field (FC, DP pair)

Page 18

QoS Configuration Commands
Table 12: Configuring Network Policy
Command Description
qos Configures the QoS configuration and enters QoS Configuration mode
(see Configuring QoS)
network-policy Creates a network QoS policy and enters QoS Network Configuration
mode (see Configuring the Network Policy)
qos-network-policy Applies per port the created network QoS policy (see Applying the
Network Policy per Port)
description Adds a description strings to the network policy (see Adding the
Description for Network Policy)

Table 13: Configuring QoS Ingress Classification
Command Description
ingress Configures the ingress network policy and enters QoS Ingress
Network Configuration mode (see Configuring the Network Ingress
Policy)
trust-dscp Enables/disables L3 trusted mode DSCP per ingress network policy
(see Enabling/Disabling the Trusted Mode DSCP)
trust-priority Enables/disables L2 trusted mode priority per ingress network policy
(see Enabling/Disabling the Trusted Mode Priority)
fc Defines default mapping of port to FC and color (see Applying the QoS
Default Mapping on Port)

Table 14: Configuring QoS Egress Classification
Command Description
remark fc priority Configures dot1p egress global remarking (see Configuring the
Network Egress Remarking)
congestion-
avoidance-profile
tail-drop
Configures the profile parameters to be used in the tail-drop
calculations (see Defining Tail-Drop Profile)
egress Configures service egress QOS policy and enters QoS Egress
Network Configuration mode (see Configuring the Network Egress
Policy)
queue Configures queue on egress network and enters QoS Egress Queue
Network Configuration mode (see Configuring the Queue on Egress
Network).
congestion-
avoidance-profile
tail-drop
Applies the profile of the tail-drop congestion avoidance mechanism
on a queue in an egress network policy or directly on the egress
network policy (see Applying Tail-Drop Profile)
shaper-profile Applies the shaper profile on a queue in an egress network policy or
directly on the egress policy (see Applying the Shaping Profile)

Page 19

Command Description
scheduling-profile Applies scheduling profile on egress policy (see Applying Scheduling
Profile on Egress Policy)

Table 15: Configuring Service QoS Mapping Classification
Command Description
map dscp fc Defines a DSCP to forwarding class (FC) mapping and colors traffic to
a specified value (see Configuring the DSCP to FC and Color
Mapping)
map priority fc Defines a dot1p to FC mapping and colors traffic to a specified value
(see Configuring the Dot1p to FC and Color Mapping)

Table 16: Configuring QoS Service Policy
Command Description
service-policy Creates a QoS service policy (see Configuring the Service Policy)
description Adds a description string to the created QoS service policy (see
Adding the Description for the Service Policy)
ingress Configures the QoS service ingress policy (see Configuring the
Service Ingress Policy)
queue Creates a QoS service ingress queue (see Configuring the Service
Queues)
congestion-
avoidance-profile
tail-drop
Applies a tail-drop profile on a service ingress queue (Applying Tail-
Drop Profiles)
shaper-profile Applies the already created service shaper profile on the service policy
or on the queue (see Applying the Shaping Profile)
scheduling-profile Applies the already created service scheduling profile on the service
policy (see Applying the Service Scheduling Profile)
qos-service-policy Binds the already created QoS service policy on the TLS service (see
Binding the Service Policy on a TLS Service)
apply-qos-service-
policy
Applies the already created QoS service policy on the specified SAP
(see Applying the Service Policy on a SAP)

Table 17: Configuring Shaper Profile and Scheduling Profile
Command Description
shaper-profile Configures the shaper profile for network policy, service policy, and
queues (see Configuring the Shaper Profile)
scheduling-profile
sp
Configures SP (Strict Priority) scheduling (see Configuring Scheduling
SP Profile)
scheduling-profile
wrr
Applies and configures Weighted Round-Robin (WRR) scheduling
(see Configuring the Scheduling WRR Profile)
scheduling-profile
hybrid-1
Applies and configures the first hybrid QoS algorithm (see Configuring
the Scheduling Hybrid-1 Profile)

Page 20

Command Description
scheduling-profile
hybrid-2
Applies and configures the second hybrid QoS algorithm (see
Configuring the Scheduling Hybrid-2 Profile)
scheduling-profile
hybrid-3
Applies and configures the third hybrid QoS algorithm (see Configuring
scheduling-profile
hybrid-4
Applies and configures the forth hybrid QoS algorithm (see
scheduling-profile
hybrid-5
Applies and configures the fifth hybrid QoS algorithm (see Configuring
scheduling-profile
hybrid-6
Applies and configures the sixth hybrid QoS algorithm (see

Table 18: Display Commands
Command Description
show qos network-
policy
Displays the information for all configured network policies or for the
specified policy (see Displaying the Network Policy Configuration)
show qos
interface
Displays the configuration for all ports or for the specified port (see
Displaying the QoS Port Configuration)
show qos
scheduler-profile
Displays the scheduler profile configuration for all profiles or for the
specified scheduler profile ID (see Displaying the Scheduler Profile
Configuration)
show qos shaper-
profile
Displays the shaper profile configuration for all network and service
profiles or for the specified shaper profile ID (see Displaying the Shaper
Profile Configuration)
show qos
congestion-
avoidance-profile
tail-drop
Displays information for all configured tail-drop profiles or for the
specified tail-drop profile (see Displaying the Tail-Drop Profile
Information)
show qos service Displays information for the SAP service (see Displaying the SAP
Service Information)
show qos service-
policy
Displays information for all configured service policies or for the
specified service policy (see Displaying the Service Policy Information)
show qos ingress
priority-map
Displays dot1p to FC Mapping (see Displaying the Dot1p to FC
Mapping)
show qos ingress
dscp-map
Displays DSCP to FC mapping (see Displaying the DSCP to FC
Mapping)
show qos egress
remark
Displays egress mapping and remarking (see Displaying the Egress
Mapping and Remarking)

Table 19: Storm Control Commands
Command Description
storm-control Configures the storm-control threshold rate of the incoming traffic and
blocks forwarding of unnecessary flooded traffic (see Configuring the
Traffic Type)

Page 21

Command Description
show storm-control Displays the storm control levels configured on a port or for all ports
(see Displaying the Storm Control Settings)
Table 20: Egress Filtering Commands
Command Description
tx-drop-broadcast
Enables egress filtering of broadcast packets (see Filtering Egress
Broadcast Packets)
tx-drop-unknown
Enables egress filtering of multicast packets (see Filtering Egress
Unknown-Unicast Packets)
tx-drop-multicast
Enables egress filtering of unknown unicast packets (see Filtering
Egress Multicast Packets)

Page 22

Configuring QoS
The qos command configures the QoS configuration. The command enters the QoS Configuration
mode, see the Examplebelow.
Command Syntax
Example
device-name(config qos)#
Configuring the Network Policy
The network-policy command creates a network QoS policy. The command enters the QoS
Network Configuration mode, see the Examplebelow.
CLI Mode: QoS Configuration (see ConfiguringQoS)
Command Syntax
device-name(config qos)#network-policy <network-policy-name>
device-name(config qos-net policy_name)#

device-name(config qos)#no network-policy <network-policy-name>
network-policy-
name
Sets the policy name up to 6 characters. The default is the name of
the default policy.
no Removes the network policy
Example
device-name(config qos)#network-policy batm
device-name(config qos-net batm)#

Page 23

Applying the Network Policy per Port
The qos-network-policy command applies per port the created network QoS policy.
Command Syntax
device-name(config UU/SS/PP)#qos-network-policy <network-policy-name>
device-name(config UU/SS/PP)#no qos-network-policy
network-policy-
name
The policy name to be applied on a port. The name has up to 6
characters
no Removes the network policy from the port
Example
device-name(config 1/1/1)#qos-network-policy batm
Adding the Description for Network Policy
The description command adds a description string to the created network policy.
CLI Mode: QoS Network Configuration (see ConfiguringtheNetwork Policy)
Command Syntax
device-name(config qos-net policy_name)#description <description-string>
device-name(config qos-net policy_name)#no description
description-string
A string up to 30 characters
no Removes the description

Page 24

Configuring the Network Ingress Policy
The ingress command configures the ingress network policy. The command enters the QoS
Ingress Network Configuration mode, see the Examplebelow.
Command Syntax
device-name(config qos-net policy_name)#ingress
device-name(config qos-net-in policy_name)#
Example
device-name(config qos-net batm)#ingress
device-name(config qos-net-in batm)#
Enabling/Disabling the Trusted Mode DSCP
The trust-dscp command enables L3 trusted mode DSCP per ingress network policy.
CLI Mode: QOS Ingress Network Configuration (see ConfiguringtheNetwork Ingress Policy)
Command Syntax
device-name(config qos-net-in policy_name)#trust-dscp
device-name(config qos-net-in policy_name)#no trust-dscp
no Enables untrusted mode, or disables the trusted mode
Enabling/Disabling the Trusted Mode Priority
The trust-priority command enables L2 trusted mode priority per ingress network policy.
Command Syntax
device-name(config qos-net-in policy_name)#trust-priority [preserve-priority]
device-name(config qos-net-in policy_name)#no trust-priority
preserve-priority Disables L2 remarking
no Enables untrusted mode, or disables the trusted mode

Page 25

Applying the QoS Default Mapping on Port
The fc command defines default mapping of port to FC and color. Traffic that enters the port
applies these settings.
By default, the default mapping of the port is fc be green.
Command Syntax
device-name(config qos-net-in policy_name)#fc {be | l2 | af | 11 | h2 | ef |
h1 | nc} {green | yellow}
be
The forwarding class to be mapped is the Best-Effort Forwarding Class
12
The forwarding class to be mapped is the Low-2 Forwarding Class
af
The forwarding class to be mapped is the Assured Forwarding Class
11
The forwarding class to be mapped is the Low-1 Forwarding Class
h2
The forwarding class to be mapped is the High-2 Forwarding Class
ef
The forwarding class to be mapped is the Expedited Forwarding Class
h1
The forwarding class to be mapped is the High-1 Forwarding Class
nc
The forwarding class to be mapped is the Network Control Forwarding Class
green
The traffic with the above VPT or DSCP value is marked as green
yellow
The traffic with the above VPT or DSCP value is marked as yellow
Configuring the Network Egress Remarking
The remark fc priority command configures dot1p egress global remarking.
By default, the remark priority is 0.
Command Syntax
device-name(config qos)#remark fc {be | l2 | af | 11 | h2 | ef | h1 | nc} drop-
level (green | yellow) priority <0-7>

Page 26

be
12
af
11
h2
ef
h1
nc
Refer to the Argument Description above.
drop-level
The drop level.
green
yellow
priority
<07>
The mapping of packets according to DSCP fields, in the valid range of <07>.
Defining Tail-Drop Profiles
The congestion-avoidance-profile tail-drop command defines a tail-drop profile for queue
congestion-avoidance.
Only egress network queues use the tail-drop congestion-avoidance mechanism.

Command Syntax
device-name(config qos)#congestion-avoidance-profile tail-drop
<tail_drop_profile_id> <yellow-threshold>
device-name(config qos)#no congestion-avoidance-profile tail-drop
<tail_drop_profile_id>
tail_drop_profile_id
The tail-drop profile ID (corresponding to a specific threshold level),
in the range of <15>. Profile ID 1 and profile ID 2 are default and
cannot be modified.
By default:
ID 1 uses 50% of the queue's memory (queuing up to 500
frames)
ID 2 uses 25% of the queue's memory (queuing up to 250)
yellow-threshold
The allocated memory threshold value for yellow packets, in the
range of <0-100>%.
Permitted values are: 25%, 50%, 75% and 100%.
The red threshold has to be less than or equal to the yellow
threshold.

Page 27

no
Restores to default
Example
device-name(config qos)#congestion-avoidance-profile tail-drop 4 75
device-name(config qos)#congestion-avoidance-profile tail-drop 3 100
Configuring the Network Egress Policy
The egress command configures service egress QoS policy. The command enters the QoS Egress
Network Configuration mode, see the Examplebelow.
Command Syntax
device-name(config qos-net policy_name)#egress
device-name(config qos-net-eg policy_name)#
Example
device-name(config qos-net batm)#egress
device-name(config qos-net-eg batm)#
Configuring the Queue on Egress Network
The queue command configures the queue on the egress network. The command enters the QoS
Egress Queue Network Configuration mode, see the Examplebelow.
CLI Mode: QoS Egress Network Configuration (see ConfiguringtheNetwork Egress Policy)
Command Syntax
device-name(config qos-net-eg policy_name)#queue <queue_id>
device-name(config qos-net-queue queue_id)#
queue_id
The queue ID, in the valid range of <18>
Example
device-name(config qos-net-eg batm)#queue 3
device-name(config qos-net-queue 3)#

Page 28

Applying Tail-Drop Profiles
The congestion-avoidance-profile tail-drop command applies a tail-drop profile on a queue
of the egress network policy or directly on an egress network policy.
CLI Mode:
QoS Egress Queue Network Configuration (see ConfiguringtheQueueon Egress
Network) and QoS Egress Network Configuration (see ConfiguringtheNetwork Egress
Policy)
Command Syntax
device-name(config qos-net-queue queue_id)#congestion-avoidance-profile tail-
drop <tail_drop_profile_id>
device-name(config qos-net-queue queue_id)#no congestion-avoidance-profile
tail-drop

device-name(config qos-net-eg policy_name)#congestion-avoidance-profile tail-
device-nam(config qos-net-eg policy_name)#no congestion-avoidance-profile
tail-drop
The tail-drop profile ID, in the range of <15>.
Profile ID 1 and profile ID 2 are default (see Defining Tail-Drop
Profiles)
Applying the Shaping Profile
The shaper-profile command applies the shaper profile on queue in an egress network policy or
directly on the egress network policy.
CLI Mode:
QoS Egress Queue Network Configuration (see ConfiguringtheQueueon Egress
Network) and QoS Egress Network Configuration (see ConfiguringtheNetwork Egress
Policy)
Command Syntax
device-name(config qos-net-queue queue_id)#shaper-profile <shaper_profile_id>
device-name(config qos-net-queue queue_id)#no shaper-profile

device-name(config qos-net-eg policy_name)#shaper-profile <shaper_profile_id>
device-name(config qos-net-eg policy_name)#no shaper-profile

Page 29

shaper_profile_id
The shaper profile ID to be applied on the egress policy or queue. The
valid range is <18>.
no Removes the shaper profile from the configured egress policy or
queue.
Applying Scheduling Profile on Egress Policy
The scheduling-profile command applies the scheduler profile on the egress policy.
CLI Mode: QOS Egress Network Configuration (see ConfiguringtheNetwork Egress Policy)
Command Syntax
device-name(config qos-net-eg policy_name)#scheduling-profile
<profile_number>
device-name(config qos-net-eg policy_name)#no scheduling-profile
profile_number
The scheduling profile ID to be applied on the egress policy. The valid
range is <18>.
no Removes the scheduler profile.
Configuring the DSCP to FC and Color Mapping
The map dscp fc command defines a DSCP to FC mapping and colors traffic to a specified
value.
Command Syntax
device-name(config qos)#map dscp <0-63> fc {be | l2 | af | 11 | h2 | ef | h1 |
nc} drop-level {green | yellow}
dscp <0-63> The mapping of packets according to DSCP fields, in the valid range of <0
63>.
be
12
af
11
h2
ef

Page 30

h1
nc
drop-level
The drop level.
green
yellow
Example
device-name(config qos)#map dscp 1 fc nc drop-level green
Configuring the Dot1p to FC and Color Mapping
The map priority fc command defines a dot1p to FC mapping and colors traffic to a specified
value.
By default, 802.1p priority information is not replaced or manipulated, and the information
observed on ingress is preserved when the packet is transmitted. This behavior is not affected by
the switching or routing configuration of the device. However, the device is capable of inserting
and/ or overwriting 802.1p priority information when it transmits an 802.1Q tagged frame. The
802.1p priority information that is transmitted is determined by the hardware queue used when
transmitting the packet.
Command Syntax
device-name(config qos)#map priority <0-7> fc {be | l2 | af | 11 | h2 | ef |
h1 | nc} drop-level {green | yellow}
priority
<0-7>
The mapping of packets according to dot1p fields, in the valid range of <07>.
be
12
af
11
h2
ef
h1
nc
drop-level
The drop level.
green
yellow

Page 31

Example
device-name(config qos)#map priority 2 fc l2 drop-level yellow
Configuring the Service Policy
The service-policy command creates a service QoS policy. The command enters the QoS
Service Configuration mode, see the Examplebelow.
Command Syntax
device-name(config qos)#service-policy <qos-service-policy-name>
device-name(config qos)#no service-policy <qos-service-policy-name>
qos-service-
policy-name
The policy name up to 6 characters. The maximum number of network
policies is 64.
no Removes the service Policy
Example
device-name(config qos)#service-policy batm
device-name(config qos-serv batm)#
Adding the Description for the Service Policy
The description command adds a description string to the created QoS service policy.
CLI Mode: QoS Service Configuration (see ConfiguringtheServicePolicy)
Command Syntax
device-name(config qos-serv policy_name)#description <description_string>
device-name(config qos-serv policy_name)#no description
description_string
Adds a description to the service policy. It is a string up to 30 characters.
no Removes the description

Page 32

Configuring the Service Ingress Policy
The ingress command configures the QoS service ingress policy. The command enters the QoS
Ingress Service Configuration mode, see the Examplebelow.
CLI Mode: QoS Service Configuration (see ConfiguringtheServicePolicy)
Command Syntax
device-name(config qos-serv policy_name)#ingress
Example
device-name(config qos-serv batm)#ingress
device-name(config qos-serv-in batm)#
Configuring the Service Queues
The queue command creates the QoS service ingress queue. The command enters the QoS Ingress
Queue Service Configuration mode, see the Examplebelow.
CLI Mode: QoS Ingress Service Configuration ( see ConfiguringtheServiceIngress Policy)
Command Syntax
device-name(config qos-serv-in policy_name)#queue <queue_id>
queue_id
Queue ID in the valid range of <18>
Example
device-name(config qos-serv-in batm)#queue 3
device-name(config qos-queue 3)
Applying Tail-Drop Profiles
The congestion-avoidance-profile tail-drop command applies a tail-drop profile on a
service ingress queue.

Command Syntax
device-name(config qos-serv-in policy_name)#congestion-avoidance-profile tail-

Page 33

device-name(config qos-serv-in policy_name)#no congestion-avoidance-profile
tail-drop
The tail-drop profile ID, in the range of <15>.
Profile ID 1 and profile ID 2 are default (see Defining Tail-Drop
Profiles)
Applying the Service Policy Shaping Profile
The shaper-profile command applies the already created service shaper profile on the service
policy or on the queue.

NOTE
Use the shaper - pr of i l e <ser vi ce_shaper _pr of i l e_i d> command to configure
the service shaper profile ID.

CLI Mode:
QoS Ingress Service Configuration ( see ConfiguringtheServiceIngress Policy) and
QoS Ingress Queue Service Configuration (see ConfiguringtheServiceQueues)
Command Syntax
device-name(config qos-serv-in policy_name)#shaper-profile
<service_shaper_profile_id>
device-name(config qos-serv-in policy_name)#no shaper-profile

device-name(config qos-queue queue_id)#shaper-profile
<service_shaper_profile_id>
device-name(config qos-queue queue_id)#no shaper-profile
service_shaper_profile_id
The service shaper profile ID to be applied on the policy or on
the queue. The valid range is <957>.
no Removes the shaper profile.
Applying the Service Scheduling Profile
The scheduling-profile command applies the already created service scheduling profile on the
service policy.

NOTE
Use the schedul i ng- pr of i l e sp command to configure the service scheduling
profile ID.


Page 34

Command Syntax
device-name(config qos-serv-in policy_name)#scheduling-profile
<profile_number>
device-name(config qos-serv-in policy_name)#no scheduling-profile
profile_number
The service scheduling profile ID to be applied on the policy. The valid range
is <18>.
no Removes the scheduling profiles
Binding the Service Policy on a TLS Service
The qos-service-policy command binds the already created QoS service policy on the TLS
service.
To enter the above mode, refer to the Configuringa TLS Servicesection of the ConfiguringTransparent
LAN Services(TLS) chapter.

NOTE
To execute this command (see Example below):
1. Create the QoS service policy with the ser vi ce- pol i cy command.
2. Create the TLS service with correct SDPs and SAPs. Configure the SDPs
before the SAPs.
3. Apply the created policy on the TLS service, and on desired SAP ports.
Command Syntax
device-name(config-tls SERVICE-NAME)#qos-service-policy <qos-service-policy-
name>
device-name(config-tls SERVICE-NAME)#no qos-service-policy <qos-service-
policy-name>
qos-service-
policy-name
The policy name up to 6 characters. The maximum number of network
policies is 64.
no Removes the service Policy.
Example
device-name(config qos)#shaper-profile 10 10m 1m
[ War ni ng] Shaper CI R and CBS can be changed t o t he near est suppor t ed val ue
device-name(config qos-serv-in batm)#shaper-profile 10

Page 35

device-name(config qos-serv-in batm)#exit
device-name(config-tls serv)#qos-service-policy batm
Applying the Service Policy on a SAP
The apply-qos-service-policy command applies the already created QoS service policy on the
specified SAP.
CLI Mode: SAP Service Configuration
To enter the above mode, refer to the ConfiguringTLS ServiceAccessPoint (SAP) section of the
ConfiguringTransparent LAN Services(TLS) chapter.

NOTE
To execute this command (see Example below):
1. Create the QoS service policy with the ser vi ce- pol i cy command.
2. Create the TLS service with correct SDPs and SAPs. Configure the SDPs
before the SAPs.
3. Apply the created policy on the TLS service, and on desired SAP ports.
Command Syntax
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#apply-qos-service-policy
Example
device-name(config qos)#shaper-profile 10 10m 1m
device-name(config qos-serv-in batm)#shaper-profile 10
device-name(config qos-serv-in batm)#end
device-name(config-tls serv)#qos-service-policy batm
device-name(config-tls-sap 1/2/2:100:)#apply-qos-service-policy

Page 36

Configuring the Shaper Profile
The shaper-profile command configures shaper profile for network policy, service policy, and
queue.
Command Syntax
device-name(config qos)#shaper-profile {<shaper_profile_id> |
<service_shaper_profile_id>} <cir> <cbs>
device-name(config qos)#no shaper-profile {<shaper_profile_id> |
<service_shaper_profile_id>}

NOTE
If you specify cir or cbs without K, M or G, the CLI assumes a default of K.

NOTE
The real shaper values for CIR and CBS may be different than the configured ones, due
to granularity limitations. After configuring these values, a warning message appears:
[ War ni ng] Shaper CI R and CBS can be changed t o t he near est suppor t ed
val ue
shaper_profile_id
The shaper profile ID for network policy and queue, in the
valid range of <18>.
service_shaper_profile_id
The service shaper profile ID to be applied on the policy or on
the queue. The valid range is <957>.
cir
The committed information rate (CIR) value, in the valid range
of <64 Kbps1 Gbps>in K, M or G.
NOTE
The real shaper value may be different than the
configured one, due to granularity limitations.
cbs
The committed burst size (CBS) value, in the valid range of
<12 K16 M>in K or M (granularity of 4K).
no Removes the scheduler profile.

Page 37

Configuring Scheduling SP Profile
The scheduling-profile sp command configures SP (Strict Priority) scheduling.
By default, SP scheduling is applied for all ports.
Command Syntax
device-name(config qos)#scheduling-profile sp <profile_number>
device-name(config qos)#no scheduling-profile <profile_number>
sp The SP scheduling profile
profile_number The scheduling profile ID, in the range of <18>. The default SP scheduling
is with profile number 1.
no Clears the specified profile ID.
Configuring the Scheduling WRR Profile
The scheduling-profile wrr command applies and configures Weighted Round-Robin (WRR)
scheduling.
In WRR scheduling, bandwidth is allocated proportionally for each queue. Network resources are
shared among all of the applications the user services, each having the specific bandwidth
requirements that you can identify.
Command Syntax
device-name(config qos)#scheduling-profile wrr <profile_number> <txq1-weight>
<txq2-weight> <txq3-weight> <txq4-weight> <txq5-weight> <txq6-weight>
<txq7-weight> <txq8-weight>
wrr The WRR profile.
profile_number The scheduling profile ID, in the range of <18>.
<txq1-weight>

<txq8-weight>
The weight of queue <txq1txq8>. The valid range is <1255>.

Page 38

no Clears the specified profile ID.
NOTE
When you use the no schedul i ng- pr of i l e command, the
range of profile_number is limited to <28> because
profile_number 1 is the default SP scheduling and, thus,
you cannot clear it.
Configuring the Scheduling Hybrid-1 Profile
The scheduling-profile hybrid-1 command applies and configures the first hybrid QoS
algorithm.
In the first hybrid algorithm, txq8 is assigned to strict priority scheduling, and the remaining queues
are assigned to Weighted Round Robin (WRR) scheduling.
Command Syntax
device-name(config qos)#scheduling-profile hybrid-1 <profile_number>
hybrid-1 Creates hybrid profile type 1 scheduling.
profile_number Refer to Argument Description above.
<txq1-weight>

<txq7-weight>
The weight of queue <txq1txq7>.
Weight value is in the range of <1255>.
no Refer to Argument Description above.
The scheduling-profile hybrid-2 command applies and configures the second hybrid QoS
algorithm.
In the second hybrid algorithm, txq7 and txq8 behave according to strict priority scheduling and the
rest of the queues behave according to Weighted Round Robin (WRR).
Command Syntax
<txq6-weight>

Page 39

<txq1-weight>

<txq6-weight>
The scheduling-profile hybrid-3 command applies and configures the third hybrid QoS
algorithm.
In the third hybrid algorithm, txq6txq8 behave according to strict priority scheduling and the rest
of the queues behave according to Weighted Round Robin (WRR).
Command Syntax
<txq1-weight> <txq2-weight> <txq3-weight> <txq4-weight> <txq5-weight
<txq1-weight>

<txq5-weight>
The scheduling-profile hybrid-4 command applies and configures the forth hybrid QoS
algorithm.
In the forth hybrid algorithm, txq5txq8 behave according to strict priority scheduling, and the rest
Command Syntax
<txq1-weight> <txq2-weight> <txq3-weight> <txq4-weight>

Page 40

<txq1-weight>

<txq4-weight>
The scheduling-profile hybrid-5 command applies and configures the fifth hybrid QoS
algorithm.
In the fifth hybrid algorithm, txq4txq8 behave according to strict priority scheduling, and the rest
Command Syntax
<txq1-weight> <txq2-weight> <txq3-weight>
<txq1-weight>

<txq3-weight>
The scheduling-profile hybrid-6 command applies and configures the sixth hybrid QoS
algorithm.
In the sixth hybrid algorithm, txq3txq8 behave according to strict priority scheduling, and the rest
of the queues behave according to Weighted Round Robin (WRR)
Command Syntax

Page 41

<txq1-weight>
<txq2-weight>
The weight of queue txq1 and txq2.
Displaying the Network Policy Configuration
The show qos network-policy command displays the information for all configured network
policies or for the specified network policy.
Command Syntax
device-name#show qos network-policy [<policy_name>]
policy_name (Optional) the name of the network policy to be displayed, up to 6 characters.
Example 1
Display the information for all configured network policies:
device-name#show qos network-policy
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Net wor k Pol i cy |
+- - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Pol i cy Name | Descr i pt i on |
+- - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Def Pol | Def aul t net wor k pol i cy |
+- - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| User | |
+- - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Test | Thi s i s a t est pol i cy |
+- - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

Page 42

Example 2
Display the information for Test network policy:
device-name#show qos network-policy Test
Pol i cy Name: Test
Descr i pt i on: Thi s i s a t est pol i cy
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| I ngr ess Pol i cy Conf i gur at i on |
+- - - - - - - - - - - - - - +- - - - - +- - - - - - - - - - - - +
| Tr ust Mode | FC | Dr op Level |
+- - - - - - - - - - - - - - +- - - - - +- - - - - - - - - - - - +
| unt r ust | be | gr een |
+- - - - - - - - - - - - - - +- - - - - +- - - - - - - - - - - - +
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Egr ess Pol i cy Conf i gur at i on |
+- - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Schedul er Pr of | Shaper Pr of i l e |
+- - - - - +- - - - - - - - - - +- - - - - +- - - - - - - - - - +- - - - - - - - - - +
| I D | Type | I D | CI R | CBS |
+- - - - - +- - - - - - - - - - +- - - - - +- - - - - - - - - - +- - - - - - - - - - +
| - | - | - | - | - |
+- - - - - +- - - - - - - - - - +- - - - - +- - - - - - - - - - +- - - - - - - - - - +
Egr ess Congest i on Avoi dance Conf i gur at i on
+- - - - - - - - - - - - - - - - - - - - - +
| Tai l - dr op Pr of |
+- - - - - +- - - - - - - +- - - - - - - +
| I D | Yel T | Red T |
+- - - - - +- - - - - - - +- - - - - - - +
| 1 | 50 | NA |
+- - - - - +- - - - - - - +- - - - - - - +

+- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - - +
| Queue I d | Shaper I d | CI R | CBS | Tai l - dr op |
+- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - - +
| 2 | 2 | 1000 | 2048 | |
+- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - - +
Pol i cy i s appl i ed on t he f ol l owi ng por t ( s) :
1/ 2/ 7 1/ 2/ 8

Page 43

Displaying the QoS Port Configuration
The show qos interface command displays the configuration for all ports or for the specified
port.
Command Syntax
device-name#show qos interface [UU/SS/PP]
UU/SS/PP (Optional) the physical port (Unit/Slot/Port). If you do not specify the port, the
configuration of all ports is displayed.
Example
device-name#show qos interface 1/1/1
+- - - - - - - - - - - +- - - - - - - - - - - - - - - - - +
| I nt er f ace | Net wor k Pol i cy |
+- - - - - - - - - - - +- - - - - - - - - - - - - - - - - +
| 1/ 1/ 1 | Def Pol |
+- - - - - - - - - - - +- - - - - - - - - - - - - - - - - +
Displaying the Scheduler Profile Configuration
The show qos scheduler-profile command displays the scheduler profile configuration for all
profiles or for the specified scheduler profile ID.
Command Syntax
device-name#show qos scheduler-profile [<profile_number>]
profile_number (Optional) the scheduler profile ID, in the range <18>. If you do not
specify the scheduler profile ID, all scheduler profiles are displayed.

Page 44

Example 1
device-name#show qos scheduler-profile
+- - - - - - +- - - - - - - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +
| I d | Type | Q1 | Q2 | Q3 | Q4 | Q5 | Q6 | Q7 | Q8 |
+- - - - - - +- - - - - - - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +
| 1 | sp | - | - | - | - | - | - | - | - |
+- - - - - - +- - - - - - - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +
| 2 | hybr i d- 6 | 7 | 7 | - | - | - | - | - | - |
+- - - - - - +- - - - - - - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +
Example 2
device-name#show qos scheduler-profile 2
+- - - - - - +- - - - - - - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +
| I d | Type | Q1 | Q2 | Q3 | Q4 | Q5 | Q6 | Q7 | Q8 |
+- - - - - - +- - - - - - - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +
| 2 | hybr i d- 6 | 7 | 7 | - | - | - | - | - | - |
+- - - - - - +- - - - - - - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +- - - - - +
Displaying the Shaper Profile Configuration
The show qos shaper-profile command displays the shaper profile configuration for all
network and service profiles or for the specified shaper profile ID.
Command Syntax
device-name#show qos shaper-profile [<shaper_profile_id> |
<service_shaper_profile_id>]
shaper_profile_id (Optional) the shaper profile ID, in the range of <18>. If you
do not specify the shaper profile ID, all shaper profiles are
displayed.
service_shaper_profile_id (Optional) the service shaper profile ID, in the valid range of
<957>. If you do not specify the service shaper profile ID, all
shaper profiles are displayed.

Page 45

Example 1
device-name#show qos shaper-profile
+- - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| I d | CI R | CBS |
+- - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| 1 | 500 | 100 |
+- - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| 2 | 100 | 100 |
+- - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| 50 | 1000 | 2048 |
+- - - - - - +- - - - - - - - - - +- - - - - - - - - - +
Example 2
device-name#show qos shaper-profile 1
+- - - - - - +- - - - - - - - - - +- - - - - - - - - - +
+- - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| 1 | 500 | 100 |
+- - - - - - +- - - - - - - - - - +- - - - - - - - - - +
Displaying the Tail-Drop Profile Information
The show qos congestion-avoidanceprofile tail-drop command displays information for
all configured tail-drop profiles or for the specified tail-drop profile.
Command Syntax
device-name#show qos congestion-avoidanceprofile tail-drop
[<tail_drop_profile_id>]
tail_drop_profile_id (Optional) the tail-drop profile ID for which information is displayed.
The valid range is <15>. ID 1 and ID 2 are default and cannot be
modified.

Page 46

Example
device-name#show qos congestion-avoidance-profile tail-drop
+- - - - - - +- - - - - - - - +- - - - - - - - +
| I d | Yel l ow | Red |
+- - - - - - +- - - - - - - - +- - - - - - - - +
| 1 | 50 %| NA |
+- - - - - - +- - - - - - - - +- - - - - - - - +
| 2 | 25 %| NA |
+- - - - - - +- - - - - - - - +- - - - - - - - +
| 3 | 75 %| NA |
+- - - - - - +- - - - - - - - +- - - - - - - - +

device-name#show qos congestion-avoidance-profile tail-drop 1
+- - - - - - +- - - - - - - - +- - - - - - - - +
| I d | Yel l ow | Red |
+- - - - - - +- - - - - - - - +- - - - - - - - +
| 1 | 50 %| NA |
+- - - - - - +- - - - - - - - +- - - - - - - - +
Displaying the SAP Service Information
The show qos service command displays information for the SAP service.
Command Syntax
device-name#show qos service
Example
Ser vi ce: 4 Ser vi ce pol i cy: pol i cy
Enabl ed on SAPs: 1/ 2/ 3: 10:

Page 47

Displaying the Service Policy Information
The show qos service-policy command displays information for all configured service policies
or for the specified service policy.
Command Syntax
device-name#show qos service-policy [<qos-service-policy-name>]
qos-service-policy-name (Optional) the service policy name for which information is
displayed. It is up to 6 characters.
Example
device-name#show qos service-policy policy
Pol i cy Name: pol i cy
Descr i pt i on: t hi s i s t he ser vi ce pol i cy
+- - - - - - - - - - - - - - - - +- - - - - - - - - - +
| Shaper Pr of i l e |
+- - - - - +- - - - - - - - - - +- - - - - - - - - - +
| I D | CI R | CBS |
+- - - - - +- - - - - - - - - - +- - - - - - - - - - +
| 10 | 10000 | 200 |
+- - - - - +- - - - - - - - - - +- - - - - - - - - - +
+- - - - - - - - - - - - - - - - +
| Schedul er Pr of |
+- - - - - +- - - - - - - - - - +
| I D | Type |
+- - - - - +- - - - - - - - - - +
| 1 | sp |
+- - - - - +- - - - - - - - - - +
+- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
+- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| 1 | 11 | 1000 | 200 |
+- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +

device-name#show qos service-policy
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Ser vi ce Pol i cy |
+- - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Pol i cy Name | Descr i pt i on |
+- - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| pol i cy | t hi s i s t he ser vi ce pol i cy |
+- - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

Page 48

Displaying the Dot1p to FC Mapping
The show qos ingress priority-map command displays the dot1p priority to FC mapping
(default mapping).
Command Syntax
device-name#show qos ingress priority-map
Example
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| Pr i or i t y | FC | Dr op Level |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 0 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 1 | l 2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 2 | af | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 3 | l 1 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 4 | h2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 5 | ef | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 6 | h1 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 7 | nc | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
Displaying the DSCP to FC Mapping
The show qos ingress dscp-map command displays the DSCP to FC mapping (not default).
Command Syntax

Page 49

Example
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 0 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 7 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 8 | l 2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 15 | l 2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 16 | af | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 23 | af | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 24 | l 1 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 31 | l 1 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 32 | h2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 39 | h2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 40 | ef | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 47 | ef | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 48 | h1 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 55 | h1 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 56 | nc | gr een |
| 63 | nc | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +

Page 50

Displaying the Egress Mapping and Remarking
The show qos egress remark command displays the egress mapping and remarking.
Command Syntax
Example
+- - - - - - - - - - - - - - - - - - - - - +- - - - - - - - - - - - +
| QoS Par amet er s | Tx Remar k |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| FC | Dr op Level | Pr i or i t y |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| be | gr een | 0 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| be | yel l ow | 0 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| l 2 | gr een | 1 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| l 2 | yel l ow | 1 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| af | gr een | 2 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| af | yel l ow | 2 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| l 1 | gr een | 3 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| l 1 | yel l ow | 3 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| h2 | gr een | 4 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| h2 | yel l ow | 4 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| ef | gr een | 5 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| ef | yel l ow | 5 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| h1 | gr een | 6 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| h1 | yel l ow | 6 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| nc | gr een | 7 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +
| nc | yel l ow | 7 |
+- - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +

Page 51

Configuring the Traffic Type
The storm-control command configures the storm-control threshold rate of the incoming traffic
and blocks forwarding of unnecessary flooded traffic. All traffic that exceeds that rate is dropped.
CLI Mode:
Interface Configuration, Range Interface Configuration, LAG Interface
Per ports, the ingress rate limit granularity is as follows:
from 64 Kbps to 1 Mbps in increments of 64 Kbps
from 1 Mbps to 1 Gbps in increments of 62,5 Kbps
By default, traffic storm control is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#storm-control {broadcast | multicast |
unknown} <rate>
device-name(config-if UU/SS/PP)#no storm-control

device-name(config-if-group)#storm-control {broadcast | multicast | unknown}
<rate>
device-name(config-if-group)#no storm-control

device-name(config-if AG0N)#storm-control {broadcast | multicast | unknown}
<rate>
device-name(config-if AG0N)#no storm-control

device-name(config-ag-group)#storm-control {broadcast | multicast | unknown}
<rate>
device-name(config-ag-group)#no storm-control
broadcast Rate limits broadcast input traffic only.
multicast Rate limits known multicast traffic only.
unknown Rate limits unknown-unicast and unknown-multicast traffic only.
rate The desired ingress rate limit. Must be a number between 64 Kbps and 1 Gbps.
The number must be specified with K, M or G at the end.

NOTE
If the actual ingress line rate is different from your desired ingress
line rate, a relevant message appears, see the Example below.
no Disables storm control.

Page 52

Example
If you limit the ingress line rate to 250 Kbps, the actual rate is set to 256 Kbps. If you limit the
ingress line rate to 400 Kbps, the actual rate is set to 384 Kbps:
device-name(config-if 1/1/1)#storm-control broadcast 250K
Act ual l i ne r at e was set t o 256kbps due t o gr anul ar i t y l i mi t at i on
device-name(config-if 1/1/1)#interface ag01
device-name(config-if AG01)#storm-control unknown multicast 400K
Act ual r at e i s set t o 384Kbps due t o gr anul ar i t y l i mi t at i on.
Displaying the Storm Control Settings
The show storm-control command displays the storm control levels configured on a port or on
all ports.
Command Syntax
device-name#show storm-control {all | interface UU/SS/PP | interface ag0N}
all Displays the storm-control settings for all ports on the device.
interface Displays the storm-control settings for the specified port or aggregation port.
UU/SS/PP The desired port where you previously configured the ingress-rate limit.
ag0N The aggregation port where you previously configured the ingress-rate limit.
LAG ID is in the valid range of <17>.
Examples
Display the storm control levels for port 1/ 1/ 1:
device-name#show storm-control interface 1/1/1
Tr af f i c t ype = br oadcast
I ngr ess l i ne r at e l i mi t = 320Kbps
Display the storm control levels configured for all ports:
device-name#show storm-control all
I nt er f ace 1/ 1/ 1
Tr af f i c t ype = br oadcast
I ngr ess r at e l i mi t = 256Kbps

I nt er f ace ag01
Tr af f i c t ype = unknown, mul t i cast
I ngr ess r at e l i mi t = 384Kbps

Page 53

Filtering Egress Broadcast Packets
The tx-drop-broadcast command filters egress broadcast packets on a specified port, blocking
unregistered broadcast traffic on the port.
CLI Mode: Interface Configuration, Range Interface Configuration
By default, egress broadcast packets filtering is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#tx-drop-broadcast
device-name(config-if UU/SS/PP)#no tx-drop-broadcast

device-name(config-if-group)#tx-drop-broadcast
device-name(config-if-group)#no tx-drop-broadcast
no Disables egress broadcast packets filtering
Filtering Egress Unknown-Unicast Packets
The tx-drop-unknown command filters egress unknown-unicast packets on a specified port,
blocking unregistered unknown unicast traffic on the port.
By default, egress unknown-unicast packets filtering is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#tx-drop-unknown
device-name(config-if UU/SS/PP)#no tx-drop-unknown

device-name(config-if-group)#tx-drop-unknown
device-name(config-if-group)#no tx-drop-unknown
no Disables egress unknown-unicast packets filtering


Page 54

Filtering Egress Multicast Packets
The tx-drop-multicast command filters egress multicast packets on a specified port, blocking
unregistered multicast traffic on the port.
By default, egress multicast packets filtering is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#tx-drop-multicast
device-name(config-if UU/SS/PP)#no tx-drop-multicast

device-name(config-if-group)#tx-drop-multicast
device-name(config-if-group)#no tx-drop-multicast
no Disables egress multicast packets filtering

Page 55

Mapping Priority
Change the mapping of the FC priority levels to the following:
Priority 0 and 1FC l2, drop-level green
Priority 2 and 3FC l1, drop-level yellow
Priority 4 and 5FC ef, drop-level green
Priority 6 and 7FC nc, drop-level yellow

1. Display the default priority of the FC levels:
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 0 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 1 | l 2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 2 | af | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 3 | l 1 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 4 | h2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 5 | ef | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 6 | h1 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 7 | nc | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
2. Change the mapping of the FC priority levels:
device-name(config qos)#map priority 0 fc l2 drop-level green
device-name(config qos)#map priority 4 fc ef drop-level green
device-name(config qos)#map priority 6 fc nc drop-level yellow
device-name(config qos)#map priority 7 fc nc drop-level yellow
device-name(config qos)#end

Page 56

3. Display the new priority of the FC levels:
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 0 | l 2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 1 | l 2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 2 | l 1 | yel l ow |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 3 | l 1 | yel l ow |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 4 | ef | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 5 | ef | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 6 | nc | yel l ow |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 7 | nc | yel l ow |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
Configuring the DSCP-to-FC Mapping
Configure the mapping of DSCP 2 and 4 with FC priorities l1 and h2, respectively:
1. Configure DSCP 2 with FC priority l1 and mark it as green:
device-name(config qos)#map dscp 2 fc l1 drop-level green
2. Configure DSCP 4 with FC priority h2 and mark it as yellow:
device-name(config qos)#map dscp 4 fc h2 drop-level yellow
3. Display the DSCP-to-CoS configuration:
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 0 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 1 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 2 | l 1 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 3 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 4 | h2 | yel l ow |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +

Page 57

| 5 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 5 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 7 | be | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 8 | l 2 | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
| 63 | nc | gr een |
+- - - - - - - - - - - +- - - - - - - - +- - - - - - - - - - - - - +
Configuring the Traffic Shaping Per-port
The shaper boundaries are:
Min Burst size 4KB Resolution: 4KB
Max Burst size 16MB Resolution: 4KB
Min shaper rate limit 64Kbps Using slow rate
Max shaper rate limit 1Gbps

To assign a transmission rate of 800K:
1. Configure the traffic shaping:
device-name(config qos)#shaper-profile 2 800k 1m
2. Display the traffic shaping configuration:
device-name#show qos shaper-profile
+- - - - - - +- - - - - - - - - - +- - - - - - - - - - +
+- - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| 2 | 800 | 1024 |
+- - - - - - +- - - - - - - - - - +- - - - - - - - - - +

Page 58

Configuring QoS Service Policy
To configure the QoS service policy:
1. Configure the shaper profile:
device-name(config qos)#shaper-profile 10 10000K 200K
device-name(config qos)#shaper-profile 11 5000K 200K
2. Create the service QoS policy named policy:
device-name(config qos)#service-policy policy
3. Add description for the QoS policy:
device-name(config qos-serv policy)#description This is an ingress policy
4. Configure the QoS service ingress policy:
device-name(config qos-serv policy)#ingress
5. Apply the created shaper profile on the service policy:
device-name(config qos-serv-in policy)#shaper-profile 10
6. Create the QoS service ingress queue:
device-name(config qos-serv-in policy)#queue 3
7. Apply the created shaper profile on the queue.
device-name(config qos-serv-queue 3)#shaper-profile 11
device-name(config qos-serv-queue 3)#end
8. Create the VLAN vl10 with ID 10 and add to it port 1/ 2/ 1 (SDP port) as tagged and port
1/ 2/ 2 (SAP port) as untagged:
device-name(config vlan)#create vl10 10
device-name(config vlan)#config vl10
device-name(config-vlan vl10)#add ports 1/2/1 tagged
device-name(config-vlan vl10)#add ports 1/2/2 untagged
device-name(config-vlan vl10)#exit

Page 59

9. Configure the SDP and SAP for TLS service:
10. Apply the created QoS service policy on the TLS service:
device-name(config-tls serv)#qos-service-policy policy
11. Enable the QoS policy for the specified SAP:
device-name(config-tls-sap 1/2/2:100:)#apply-qos-service-policy
12. Display the QoS service policy:
device-name#show qos service-policy policy
Pol i cy Name: policy
Descr i pt i on: This is an ingress policy
++- - - - - - - - - - - - - - - - +- - - - - - - - - - +
| Shaper Pr of i l e |
+- - - - - +- - - - - - - - - - +- - - - - - - - - - +
| I D | CI R | CBS |
+- - - - - +- - - - - - - - - - +- - - - - - - - - - +
| 10 | 10000 | 200 |
+- - - - - +- - - - - - - - - - +- - - - - - - - - - +
+- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
+- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| 3 | 11 | 5000 | 200 |
+- - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
13. Display the SAP service policy:
Ser vi ce: 5 Ser vi ce pol i cy: pol i cy
Enabl ed on SAPs: 1/ 2/ 2: 100:

Page 60

Supported Platforms
Quality of Service (QoS) + +
Quality of Service (QoS) IEEE 802.1p
Priority Queuing
IEEE 802.1ad
Describes port-
based service
Private MIB,
prvt_qos.mib
RFC 2474, Definition
of the Differentiated
Services Field (DS
Field) in the IPv4 and
IPv6 Headers
RFC 2475, An
Architecture for
Differentiated
Services
RFC 2597, Assured
Forwarding PHB
Group
RFC 2598, An
Expedited
Forwarding PHB
RFC 2697, A Single
Rate Three Color
Marker
RFC 2698, A Two
Rate Three Color
Marker
RFC 3140, Per Hop
Behavior
Identification Codes

Page 1
Operations, Administration & Maintenance (OAM) (Rev.13)

Operations, Administration & Maintenance (OAM)
Table of Figures 8
802.3ah Ethernet in the First Mile (EFM-OAM)10
Overview10
Potential Applications11
Installation Configurations11
EFM-OAM Protocol Functionality12
Discovery13
Timers13
Flags14
Process Overview14
Rules for Active Mode14
Rules for Passive Mode15
Link Monitoring Process15
Remote Failure Indication16
Remote Loopback16
EFM-OAM Configuration Flow17
Configuring EFM-OAM18
Enabling/ Disabling EFM-OAM18
Specifying the Number of OAMPDUs19
Enabling/ Disabling Sending of Local Event Notifications to Remote Device19
Enabling/ Disabling Sending of Event Notifications to Local Syslog Daemon20
Defining OAMPDUs Priority20
Defining the Keep-Alive Interval21
Defining the Hello Interval22
Setting the EFM-OAM History limit22
EFM-OAM Interface Configuration Commands23
Enabling/ Disabling the EFM-OAM State on the Specified Interface23
Forcing the EFM-OAM Local/ Remote Loopback Configuration24

Page 2
Operations, Administration & Maintenance (OAM) (Rev. 13)

Enabling/ Disabling the EFM-OAM Enhancements on the Specified Interface25
Defining the EFM-OAM Thresholds for Bit Error Monitoring on the Specified
Interface26
Defining the EFM-OAM Thresholds for Frame Error Monitoring on the Specified
Interface27
Defining Event Monitoring on a Specific Interface28
Enabling Event Return29
EFM-OAM Monitoring and Network Testing Commands30
Enabling EFM-OAM Non-intrusive Monitoring31
Enabling EFM-OAM Monitoring32
Enabling/ Disabling Loopback Commands' Processing35
Enabling EFM-OAM Get Variable35
Clearing EFM-OAM History36
EFM-OAM Display Commands37
Displaying EFM-OAM Status and Configuration37
Displaying EFM-OAM History on a Specified Interface39
Displaying the EFM-OAM History Count for a Specific Port40
Displaying EFM-OAM History41
Displaying EFM-OAM Local and Remote Interface Statistics41
Log Messages 43
EFM-OAM Configuration Example45
802.1ag Connectivity Fault Management (CFM)50
Overview50
CFM-OAM Protocol Functionality50
CFM Purpose50
Mechanisms of Ethernet 802.1ag OAM51
Discovery and Connectivity51
Fault Verification (Loopback Messages)53
Fault Isolation (Linktrace Messages)53
Fault Notification and Alarm Suppression (Fault Alarms)55
CFM-OAM Configuration Flow56
Configuring 802.1ag CFM in Protocol Configuration Mode59
Enabling/ Disabling the CFM Protocol 59
Creating and Accessing a Maintenance Domains 60

Page 3

Restoring the Version 6.161
Displaying the Current Version61
The CFM Maintenance Domain Commands62
Creating Maintenance Associations62
Specifying MIP Creation Policy (in Maintenance Domain) 64
Defining the Identification Data Sent to the Remote MEPs64
CFM Maintenance Association Commands66
Defining the Hello Interval67
Adding/ Removing MEPs68
Configuring CCM Priority69
Specifying MIP Creation Policy (in Maintenance Association) 69
Defining the Identification Data Sent to the Remote MEPs71
Defining the Defect Priority72
Updating the Remote MEPs List 73
Defining the Fault Notification Reset Time74
Defining the Fault Notification Alarm Time74
Enabling the AIS/ LCK75
Configuring the AIS/ LCK Level 75
Configuring the AIS/ LCK Priority76
Configuring the AIS/ LCK Sending Interval77
Enabling a MEP in an Active State77
Enabling a MEP to Send CCMs78
CFM Performance Monitoring Commands79
Performance Monitoring Profile Creation79
Configuring Two-way Monitoring Process80
Configuring Time between Performance Parameters Update81
CFM Profile Configuration82
Specifying the 802.1p Class-of-Service Setting83
Specifying the Number of Loopback Request Packets83
Specifying the Size of Loopback Request Packets 83
Specifying One-Way Jitter Error Monitoring84
Specifying One-Way Jitter Warning Monitoring84
Specifying Two-Way Jitter Error Monitoring84

Page 4

Specifying Two-Way Jitter Warning Monitoring85
Specifying Two-Way Frame-Loss Error Monitoring85
Specifying Two-Way Frame-Loss Warning Monitoring86
Specifying Two-Way Latency Error Monitoring86
Specifying Two-Way Latency Warning Monitoring87
Defining the CFM OAM Process Result Bucket Size87
802.1ag CFM Monitoring and Statistics Commands88
Displaying the CFM Configuration88
Displaying Connectivity Statistics92
Displaying Monitoring Parameters 94
Displaying Performance Statistics95
Displaying the Update Interval96
Sending Linktrace Messages97
Sending Loopback Messages98
CFM Configuration Example 100
Configuring two Devices in CFM Protocol 100
Using the clear connectivity Command 105
SAA Throughput Test 109
Overview 109
Unidirectional Throughput Test 109
Bi-Directional Throughput Test 110
The SAA Throughput Test Configuration Flow 112
SAA Throughput Test Configuration Commands 113
Creating a Throughput Test 114
Defining the Throughput Test Type 115
Defining the Source for Throughput Test 116
Defining the C-VLAN 117
Defining the Throughput Test Target 118
Defining the Maximum Test Rate 119
Defining the Burst Size for the Unidirectional Test 119
Defining the Test Duration 120
Defining the Test Packet Pattern 121
Defining the Frame Loss Ratio Threshold 121

Page 5

Defining the Test's Data-Size List 122
Defining the Test Timeout 123
Defining the Result Acknowledge Timeout 123
Defining the Loopback Type 124
Starting/ Stoping the Throughput Test 124
Displaying the Throughput Test Results 126
Throughput Test Configuration Example 127
Service Assurance Application (SAA) 131
Overview 131
SAA Configuration Flow 132
SAA Configuration Commands 133
Creating an SAA Profile 135
Configuring the Near Delay Thresholds 135
Configuring the Far Delay Thresholds 136
Configuring the Near Jitter Thresholds 137
Configuring the Far Jitter Thresholds 137
Configuring the Near Frame-Loss Ratio Thresholds 138
Configuring the Far Frame-Loss Ratio Thresholds 138
Defining the Maximum Number of Concurrent SAA Tests 139
Creating an SAA Test 139
Configuring the SAA Service Test Type 140
Configuring the SAA VLAN Test Type 141
Enabling/ Disabling the Current SAA Test 142
Attaching a Threshold Profile and Enabling Alarms 142
Configuring the Repeat Frequency 143
Configuring Probe Statistics 143
Configuring Probe Timeout 144
Configuring the Test Sending Interval 144
Configuring the Monitored Interval 145
Configuring the Test Priority 145
Configuring the Test's Metric Types 146
Configuring the Test Delay Calculation Method 147
Configuring the Test Jitter Calculation Method 148

Page 6

Defining the Current Service Loopback Functionality 148
Defining the Current VLAN Loopback Functionality 149
Displaying the SAA Tests Results 150
Displaying the SAA Threshold Profile 151
Displaying the SAA Loopback Service 152
Displaying the SAA Loopback VLAN 152
SAA Configuration Example 153
ITU-T G.8031Ethernet Protection Switching (EPS) 158
Overview 158
Switchover Options 158
EPS Configuration Flow 159
EPS Configuration Commands 160
Enabling/ Disabling EPS 161
Selecting the CFM Level 161
Selecting the Primary Paths MEPs 162
Selecting the Backup Link MEPs 162
Activating EPS 163
Defining the Hold Off Timer 163
Manual Traffic Switchover 163
Locking the Active Path 164
Blocking the Service Protection 164
Enabling/ Disabling Revertive Protection 164
Defining Wait-to-Restore Timer 165
Configuring Signal Degrade Test 165
Enabling/ Disabling Signal Degrade Events 166
Clearing Local Commands 166
Displaying the EPS Service Status 166
EPS Configuration Example 167
Event Propagation 172
Event Propagation Configuration Flow 173
Event Propagation Configuration Commands 174
Creating an Event Propagation Profile 174
Configuring Remote Fault Detection and Propagation 175

Page 7

Configuring Local Alarm Propagation 176
Applying a Profile to a SAP or a Port 176
Displaying the Configured Event Propagation Profiles 177
Displaying the Running Sessions 178
Event Propagation Configuration Example 180
Ethernet Local Management Interface (E-LMI, MEF 16) 183
E-LMI Configuration Flow 184
E-LMI Configuration Commands 185
Enabling/ Disabling E-LMI on the Device 186
Enabling/ Disabling E-LMI per Port 186
Defining the E-LMI Mode 186
Configuring the E-LMI Polling Timer 187
Configuring the E-LMI Polling Verification Timer 188
Configuring the E-LMI Polling Counters 188
Configuring the E-LMI Status Counters 189
Displaying the E-LMI Status 189
Displaying the E-LMI VLAN 190
Displaying the E-LMI Statistics 191
Clearing the E-LMI Port Statistics 192
E-LMI Configuration Example 193
Diagnosing Connectivity Problems 195
Ping 195
Trace Route 195
Supported Platforms 196
Supported Standards, MIBs and RFCs 197


Page 8

Table of Figures
Figure 1: End-to-End OAM Configuration10
Figure 2: Managing Provider Devices using the EFM 802.3ah Standard11
Figure 3: Managing Customer Devices (passive) using the EFM 802.3ah Standard12
Figure 4: EFM-OAM Configuration Flow17
Figure 5: Example for Configuring Two Devices in EFM-OAM Protocol45
Figure 6: OAM Ethernet Tools51
Figure 7: MEP1 and MEP3 Send a Multicast CC Frame52
Figure 8: MEP4 and MEP2 Send a Multicast CC Frame52
Figure 9: Loopback Operation53
Figure 10: Link Trace Operation54
Figure 11: CFM-OAM Configuration Flow56
Figure 12: CFM-OAM Performance Monitoring Flow57
Figure 13: CFM-OAM on-demand Tools Flow58
Figure 14: Example for Configuring Two Devices in CFM Protocol 100
Figure 15: Example for using the clear connectivity Command 105
Figure 16: Unidirectional Test 109
Figure 17: End-to-End Unicast Loopback Test 110
Figure 18: Configuring Two Devices in Throughput Test Configuration Mode 127
Figure 19: Example for Configuring Two Devices in SAA Test Configuration Mode 153
Figure 20: Protecting Services Using EPS. 158
Figure 21: EPF Configuration Flow 159
Figure 22: Event Propagation Configuration Flow 173
Figure 23: E-LMI Configuration Flow 184


Page 9

OAM is a family of standards providing reliable remotely-managed service-assurance (SA)
mechanisms for both the provider and customer networks, offering the ability to perform
automatic periodic network-wide service assurance and quality verifications.
This chapter includes the configuration instructions for the following OAM standards:
802.3ah Ethernet in the First Mile (EFM-OAM)
This standard specifies the protocols and Ethernet interfaces for using Ethernet over
access links as a first-mile technology and transforming it into a highly reliable
technology.
For more information, refer to 802.3ah Ethernet in theFirst Mile(EFM-OAM)
802.1ag Connectivity Fault Management (CFM)
This standard refers to the ability of a network to monitor the health of an end-to-end
service delivered to customers (as oppose to just links or individual bridges).
For more information, refer to 802.1agConnectivity Fault Management (CFM)
SAA Throughput Test
This section describes the steps for configuring and executing unidirectional and
bi-directional throughput tests.
For more information, refer to SAA Throughput Test
Service Assurance Application (SAA)
SAA is a software feature that allows you to monitor the performance of network-hosted
applications by emulating the traffic of these applications.
For more information, refer to ServiceAssuranceApplication (SAA)
EPS is a method of protecting point-to-point Ethernet service connection over VLAN
transport networks, assuring traffic transport between the two service ends.
For more information, refer to ITU-T G.8031 Ethernet Protection Switching(EPS).
Event Propagation
The Event Propagation feature allows users to configure automatic actions executed
upon the occurrence of specific events. For more information, refer to Event Propagation.
Ethernet Local Management Interface (E-LMI)
E-LMI, an OAM protocol, enables the CE to auto-configure its support of Metro
Ethernet services.
For more information, refer to Ethernet Local Management Interface(E-LMI,
MEF 16).

Page 10

802.3ah Ethernet in the First Mile (EFM-OAM)
Overview
The IEEE 802.3ah Ethernet in the First Mile (EFM) standard specifies the protocols and Ethernet
interfaces for using Ethernet over access links as a first-mile technology and transforming it into a
highly reliable technology.
Using the Ethernet in the First Mile solution, you gain broadcast Internet access in addition to
services (such as Layer 2 transparent LAN services, Voice services over Ethernet Access networks,
Video, and multicast applications) reinforced by security and Quality of Service (QoS) control to
build a scalable network.
The in-band management specified by this standard defines the operations, administration, and
maintenance (OAM) mechanism needed for the advanced monitoring and maintenance of
Ethernet links in the first mile. The OAM capabilities facilitate network operation and
troubleshooting for both the provider and the customer networks.
Basic 802.3 packets convey OAM data between two ends of a physical link. The 802.3ah (Clause
57) provides the single-link OAM capabilities.
When enabled, two connected OAM devices exchange Protocol Data Units (OAMPDUs).
OAMPDUs are standard-size frames, including information such as the destination MAC address,
EtherType and subtype, sent at a predefined rate (a limitation necessary for reducing the impact on
the usable bandwidth).
EFM OAM is an optional and you can enable or disable it per physical port.

Figure 1: End- to- End OAM Configuration

Page 11

Potential Applications
Service providers use the link layer EFM for demarcation point OAM services.
Using the Ethernet demarcation service, providers can manage remote devices (defined as passive
devices) without utilizing an IP layer. Instead they can utilize link-layer SNMP counters request and
reply, loopback testing, and other techniques that are controlled remotely.
Installation Configurations
The following configuration shows how to manage the provider device (CPE passive device) using
802.3ah standard.

Figure 2: Managing Provider Devices using the EFM 802.3ah Standard

Page 12

The configuration below illustrates how to manage the customer devices using EFM 802.3ah.

Figure 3: Managing Customer Devices ( passive) using the EFM 802.3ah Standard
EFM-OAM Protocol Functionality
EFM-OAM supports the following basis functionalities:
Discovery: a local Data Terminating Entity's (DTE) ability to discover other EFM-OAM
enabled DTEs and exchanging information about OAM entities, capabilities, and
configuration.
Link monitoring: this process is used to detect and indicate link faults to its peer.
Remotefailuredetection: a mechanism for an OAM device to convey error conditions to its peer
via a flag in the OAMPDUs.
Remoteloopback: this mechanism is used to troubleshoot problematic segments by sending
Loopback Control OAMPDUs to the peer.
MIB variableretrieval: used for retrieving information from a management information base.
Organizingspecificenhancements: provides vendor-specific enhancements to the protocol.

Page 13

Discovery
At the first phase EFM-OAM enabled DTEs identify other DTEs along with their OAM
capabilities using Information OAMPDUs, advertising the following information:
OAM configuration(capabilities)the local DTE's OAM capabilities. Using this information, a
peer can determine what functions are supported and accessible (for example, loopback
capability).
OAM modethe DTE's OAM mode, also used to determine the DTE's functionality:
Activemode: the DTE instigates OAM communications and can issue queries and
commands to the remote device.
Passivemode: the DTE generally waits for the peer DTE to instigate OAM
communications and responds to them. It does not instigate commands and queries.
For more information about the rules for active and passive mode DTEs, refer to Rules
for ActiveModeand Rules for PassiveModebelow.
The mode combinations are:
One active and one passive OAM DTE
Two active OAM DTEs
OAMPDU configurationincluding the maximum size of OAMPDUs delivered (This
information, in combination with a limited rate of ten frames per second, is used to limit the
bandwidth allocated to OAM traffic)
Platformidentitythe platform identity is a combination of an Organization Unique Identifier
(OUI, the first three bytes of the MAC address) and 32-bits of vendor-specific information.
OUI allocation is controlled by the IEEE.
Once OAM support is detected and the OAM expectations are met, both ends of the link
exchange the above information, enabling OAM on the link. However, the loss of a link or a failure
to receive OAMPDUs for a predefined interval causes the discovery process the start over again.
Timers
Two configurable timers control the protocol:
The Hellotimer, determining the rate for sending OAMPDUs
The Keep-alivetimer, determining the time interval for expecting OAMPDUs from the peer
An additional 1-second non-configurable timer is used for error aggregation necessary for the Link
Monitoring Process to generate link quality events.

Page 14

Flags
Each OAMPDU includes a Flagsfield that includes the discovery process status. There are three
possible status values:
Discoveringthe discovery process is in progress
Stablediscovery is completed and the remote device can start sending any type of OAMPDU
Unsatisfiedwhen there are mismatches in the OAM configuration that prevent OAM from
completing the discovery process
Process Overview
The discovery process allows a local Data Terminating Entity (DTE) to detect OAM on a remote
DTE. Once OAM support is detected, both ends of the link exchange state and configuration
information (such as mode, PDU size, loopback support, etc.). If both DTEs are satisfied with the
settings, OAM is enabled on the link. However, the loss of a link or a failure to receive OAMPDUs
for five seconds may cause the discovery process the start over again.
DTEs may either be in active or passive mode. Active mode DTEs instigate OAM
communications and can issue queries and commands to a remote device. Passive mode DTEs
generally wait for the peer device to instigate OAM communications and respond to, but do not
instigate, commands and queries. Rules of what DTEs in active or passive mode can do are
discussed in the following sections.
Rules for Active Mode
The Active mode DTE:
initiates the OAM Discovery process
sends Information PDUs
can send Event Notification PDUs
can send Variable Request/ Response PDUs
can send Loopback Control PDUs
doesnot respond to Variable Request PDUs from devices in Passive mode
doesnot react to Loopback Control PDUs from devices in Passive mode

Page 15

Rules for Passive Mode
The Passive mode DTE:
waits for the remote device to initiate the Discovery process
sends Information PDUs
can send Event Notification PDUs
can respond to Variable Request PDUs
can react to received Loopback Control PDUs
cannot send Variable Request or Loopback Control OAMPDUs
Link Monitoring Process
The Link Monitoring process is used for monitoring the link for occurrences where defined
thresholds are crossed and notifying the remote device by sending Event Notification OAMPDUs.
The events the Link Monitoring process indicates:
ErroredSymbol per secondif the number of symbol errors that occurred during a specified
period exceeded a threshold. These are coding symbol errors (for example, a violation of
4B/ 5B coding).
ErroredFrameper secondif the number of frame errors detected during a specified period
exceeded a threshold.
ErroredFrameper N framesif the number of frame errors within the last N frames exceeded a
threshold.
ErroredSecondsSummary(erroredsecondsper M seconds)if the number of errored seconds (one
second intervals with at least one frame error) per M seconds exceeded a threshold.
Since 802.3ah OAM does not guarantee the delivery of OAMPDUs, the Event Notification
OAMPDU can be sent multiple times to reduce the probability of losing these notifications using a
sequence number in order to recognize duplicate events.
The Link Monitoring process operates on all enabled EFM OAM links.

Page 16

Remote Failure Indication
Faults in Ethernet that are caused by slowly deteriorating quality are more difficult to detect than
completely disconnected links. A flag in the OAMPDU allows an OAM entity to send failure
conditions to its peer. The failure conditions are defined as follows:
Link FaultThe Link Fault condition is detected when the receiver loses the signal. This
condition is sent once per second in the Information OAMPDU.
DyingGaspThis condition is detected when the receiver goes down. The DyingGasp
condition is considered as unrecoverable. Conditions for dying gasp:
Management of the reload command
Device power down (incidental / deliberate).
Critical EventWhen a critical event occurs, the device is unavailable as a result of malfunction,
and it is to be restarted by you. The critical events can be sent immediately and continually.
Conditions for critical events:
Fatal error mess any task on the device (suspend)
When a link receives no signal from its peer at the physical layer (for example, if the peers laser is
malfunctioning), the local entity sets this flag to let the peer know that its transmit path is
inoperable.
Since these conditions are severe, the OAMPDUs updated with these flags are not subject to
normal rate limiting policy.
Remote Loopback
In order to verify the quality of links, estimating whether a network segment satisfies an SLA, and
when troubleshooting, the active device can enable the remote peer's loopback mode, using
Loopback Control OAMPDUs.
When in a loopback mode, the peer loops back all the traffic (except for OAMPDU traffic and
pause frames) without changing it. The remote peer acknowledges the loopback by responding
with an Information OAMPDU, indicating the loopback status in the Statefield.

CAUTION
Initiating this mode drops all traffic from the remote peer device.

There are two kinds of loopback tests:
Loopback using multiple ping packets (1 to 200 packets). This tests and displays also the local
and remote peer's counters.
Loopback using hardware-created frames at wire-speed, allowing the testing of the link under
extreme high-load conditions. (These frames are discarded on the active device when they get
back from the remote peer.) This tests and displays also the local and remote peer's counters.

Page 17

EFM-OAM Configuration Flow

Figure 4: EFM- OAM Configuration Flow
Start
End
Configure protocol parameters priority, hello-interval,
keepalive-interval, multiple-pdu-count, propagate-events.
Enable protocol
Configure EFM-OAM per port
Configure EFM-OAM monitoring and
network testing
Start/Stop EFM-OAM local/remote
loopback configuration
Built-in test tools
Set network monitoring
Non-intrusive Intrusive

Page 18

Configuring EFM-OAM
Table 1: EFM-OAM Protocol Configuration Commands
Command Description
efm-oam
Enables/disables the EFM-OAM protocol (see Enabling/Disabling
EFM-OAM)
efm-oam multiple-pdu-
count
Specifies the number of OAMPDUs that are sent when the
protocol sends multiple successive messages (Event Notification
OAMPDU) (see Specifying the Number of OAMPDUs).
efm-oam propagate-
events
Enables the sending of local event notifications to the remote
device (see Enabling/Disabling Sending of Local Event
Notifications to Remote Device)
efm-oam log-events
Enables/disables sending of event notification OAMPDUs to the
local Syslog daemon (see Enabling/Disabling Sending of Event
Notifications to Local Syslog Daemon)
efm-oam priority
Defines priority for the sent OAMPDUs (see Setting OAMPDUs
Priority)
efm-oam keepalive-
interval
Defines the aging interval in seconds for the neighboring device
that last sent packets (see Setting the Keep-Alive Interval)
efm-oam hello-
interval
Defines the time interval between two PDUs in milliseconds (see
Setting the Hello Interval)
efm-oam history limit Defines the EFM-OAM history limit (see Setting the EFM-OAM
History limit)
Enabling/Disabling EFM-OAM
The efm-oam command enables/ disables the EFM-OAM protocol on the devices.
The efm-oam disable/enable command configures all EFM-OAM parameters to their default
values. To disable the protocol and keep the current configuration, disable the protocol on a
specified port or port range.
Command Syntax
device-name(cfg protocol)#efm-oam {enable | disable}
enable
Enables EFM-OAM protocol.
Enabled
disable Disables EFM-OAM protocol.

Page 19

Example
device-name(cfg protocol)#efm-oam enable
Specifying the Number of OAMPDUs
The efm-oam multiple-pdu-count command specifies the number of OAMPDUs that are sent
when the protocol sends multiple successive messages (Event Notification OAMPDU).
Command Syntax
device-name(cfg protocol)#efm-oam multiple-pdu-count <pdu-count>
device-name(cfg protocol)#no efm-oam multiple-pdu-count
pdu-count
Defines the number of identical PDUs, in the range of <110>. These
PDUs are sent when the local event occurs and requires propagation to
the remote device.
5 OAMPDU
no
Example
device-name(cfg protocol)#efm-oam multiple-pdu-count 3
Enabling/Disabling Sending of Local Event Notifications to
Remote Device
The efm-oam propagate-events command enables the sending of local event notifications to the
remote device.
Command Syntax
device-name(cfg protocol)#[no] efm-oam propagate-events
no
Disables the event propagation.
the event propagation is enabled

Page 20

Example
device-name(cfg protocol)#efm-oam propagate-events
Enabling/Disabling Sending of Event Notifications to Local Syslog
Daemon
The efm-oam log-events command enables/ disables sending of event notification OAM PDUs
to the local Syslog daemon. Thus, the logging of the local activity is disabled.
When you enable the event notification, all the EFM messages are logged. When you disable this
function, EFM threshold messages are not logged.
Command Syntax
device-name(cfg protocol)#[no] efm-oam log-events
no
Disables the local Syslog daemon's event propagation.
the sending of the event notification OAMPDUs is enabled
Example
device-name(cfg protocol)#no efm-oam log-events
Defining OAMPDUs Priority
The efm-oam priority command sets priority for the sent OAMPDUs.

NOTE
This command takes affect only if the port is a tagged member of the default
VLAN.
Command Syntax
device-name(cfg protocol)#efm-oam priority <priority>
device-name(cfg protocol)#no efm-oam priority

Page 21

priority Defines 802.1p priority value for the outgoing and incoming EFM-OAM PDUs,
in the range of <07>.
the priority is undefined
no
Example
device-name(cfg protocol)#efm-oam priority 3
Defining the Keep-Alive Interval
The efm-oam keepalive-interval command sets the aging interval in seconds for the
neighboring device that last sent packets. When the neighboring device does not send a PDU
within the defined keep-alive interval, it is considered inoperative.
Command Syntax
device-name(cfg protocol)#efm-oam keepalive-interval <interval>
device-name(cfg protocol)#no efm-oam keepalive-interval
interval Defines the aging interval, in the range of <10015000>milliseconds.
5000 milliseconds
no
Example
device-name(cfg protocol)#efm-oam keepalive-interval 3000

Page 22

Defining the Hello Interval
The efm-oam hello-interval command sets the time interval between two PDUs in
milliseconds. This mechanism is used to inform the neighboring device that the local device is
operative. When the local device receives no PDU within the defined keep-alive interval, the
neighboring device is considered inoperative.

NOTE
The standard hello interval is 1second. However, to reduce overload in some
cases, it is possible to set the range to up to 5 seconds even though it violates the
standard.

NOTE
The keepalive-interval must be 2 times bigger than the hello-interval.

Command Syntax
device-name(cfg protocol)#efm-oam hello-interval <interval>
device-name(cfg protocol)#no efm-oam hello-interval
interval Defines the repetition interval of sending Hello packets. The range is <100
5000>milliseconds.
1000 milliseconds
no
Setting the EFM-OAM History limit
The efm-oam history limit command sets the EFM-OAM history limit.
Command Syntax
device-name(cfg protocol)#efm-oam history limit <1000-10000>
device-name(cfg protocol)#no efm-oam history limit
1000-10000 Defines the maximum number of entries in the EFM-OAM history.
5000 entries
no

Page 23

EFM-OAM Interface Configuration Commands
Table 2: EFM-OAM Interface Configuration Commands
Command Description
efm-oam
Enables/disables EFM-OAM on the specified interface and sets its
mode to active or passive (see Enabling/Disabling the EFM-OAM
State on the Specified Interface)
efm-oam force-
loopback
Forces permanent loopback on the local or remote device (see
Forcing the EFM-OAM Local/Remote Loopback Configuration)
efm-oam mode
Enables/disables the organization-specific EFM-OAM
enhancements on the specified interface (see Enabling/Disabling
the EFM-OAM Enhancements on the Specified Interface)
efm-oam threshold
bit-errors
Defines thresholds for bit error testing and reporting on the
specified interface (see Setting the EFM-OAM Thresholds for Bit
Error Monitoring on the Specified Interface)
efm-oam threshold
frame-errors
Defines a threshold for frame error testing and reporting on the
specified interface (see Setting the EFM-OAM Thresholds for
Frame Error Monitoring on the Specified Interface)
efm-oam event-forward
Defines an action that is performed when the link status of the
configured interface is changed (see Setting Event Monitoring on a
Specific Interface)
efm-oam event-return
shutdown
Enables the Event Return feature (see Enabling Event Return)
Enabling/Disabling the EFM-OAM State on the Specified Interface
The efm-oam command enables/ disables EFM-OAM on the specified interface and sets its mode
to active or passive.
When both peers are in passive mode (abnormal configuration) the information from 'Remote
Status' is not updated anymore and it may be inaccurate.
To execute this command, first enable EFM-OAM in the Protocol Configuration mode
(see Enabling/ DisablingEFM-OAM), otherwise the %EFM-OAM isdisablederror is generated.
Command Syntax
device-name(config-if UU/SS/PP)#efm-oam {active | passive}
device-name(config-if UU/SS/PP)#no efm-oam
device-name(config-if-group)#efm-oam {active | passive}
device-name(config-if-group)#no efm-oam

Page 24

active When specifying the active mode, the device can send hello packets over this
port to initiate an EFM-OAM discovery process. To initiate the discovery
process, enable first the EFM-OAM protocol.
passive When specifying the passive mode, the device cannot use this port to send
hello packets.
port state is passive for uplink ports and disabled for user ports
no Disables 802.3ah EFM-OAM.
Example 1
device-name(config-if 1/1/1)#efm-oam passive
Example 2
device-name(config)#interface range 1/1/1
device-name(config-if-group)#efm-oam passive
Forcing the EFM-OAM Local/Remote Loopback Configuration
The efm-oam force-loopback command forces loopback on local or remote devices. This is
useful for long-term loopback traffic analysis.
For this command to take effect on a local device you do not have to enable EFM-OAM in the
Protocol Configuration mode.
If the port is in a loopback state and either EFM is disabled globally or per this port, or the port's
mode is changed to Passive mode, the force loopback state is removed from the port, generating
the remoteloopback isremovedfromthedeviceonport UU/ SS/ PP message. This message, along with an
error severity is sent to the Syslog server.
For this command to take effect on a remote device:
1. first enable EFM-OAM in the Protocol Configuration mode (see Enabling/ DisablingEFM-
OAM), otherwise the %EFM-OAM isdisablederror is generated.
2. configure this interface to be in an Active mode.

NOTE
The loopback is always forced on the remote port, when EFM is enabled on
the remote device.

CLI Mode: Interface Configuration and Interface Range Configuration

Page 25

Command Syntax
device-name(config-if UU/SS/PP)#efm-oam force-loopback {local | remote}
device-name(config-if UU/SS/PP)#no efm-oam force-loopback
device-name(config-if-group)#efm-oam force-loopback {local | remote}
device-name(config-if-group)#no efm-oam force-loopback Argument Description
local Forces the port loopback on the local device.
Disabled
remote Forces the port loopback on the remote device.
Disabled
no Removes the forced loopback on local or remote devices.
Example
device-name(config-if 1/1/1)#efm-oam force-loopback remote
Enabling/Disabling the EFM-OAM Enhancements on the
Specified Interface
The efm-oam mode command enables/ disables the organization-specific EFM-OAM
enhancements on the specified interface or interface range.
You can use this command with one of the below variables:
Basic: do not use organization-specific extensions
Enhanced: allows defining and retrieving all the SNMP variables on the remote device.
If the remote device is not an organization device, Basic mode is used, even if Enhanced
mode is configured.
Configure both devices with Enhanced mode for the devices to exchange their hostname.
Command Syntax
device-name(config-if UU/SS/PP)#efm-oam mode {enhanced | basic}
device-name(config-if UU/SS/PP)#no efm-oam mode
device-name(config-if-group)#efm-oam mode {enhanced | basic}
device-name(config-if-group)#no efm-oam mode
enhanced Enables enhanced mode.
Enhanced mode
basic Enables basic mode.

Page 26

no Disables the organization-specific EFM-OAM enhancements.
Example
device-name(config-if 1/1/1)#efm-oam mode enhanced
Defining the EFM-OAM Thresholds for Bit Error Monitoring on the
Specified Interface
The efm-oam threshold bit-errors command defines a threshold for bit error testing and
reporting for a specific interface or an interface range.
When the threshold is exceeded, the device generates an ErroredSymbol PeriodEvent message and
sends it to the remote peer. The message is written to the Syslog and in the feature history.
Additionally, the event counters are updated.
Command Syntax
device-name(config-if UU/SS/PP)#efm-oam threshold bit-errors seconds <seconds>
error-count <error-count>
device-name(config-if UU/SS/PP)#no efm-oam threshold bit-errors
device-name(config-if-group)#efm-oam threshold bit-errors seconds <seconds>
device-name(config-if-group)#no efm-oam threshold bit-errors
seconds The number of seconds required for monitoring the bit error-count, in the
range of <160>.
error-count The errors bit errors threshold in the range of <11000000000>.
no
Disables the bit errors monitoring.
bit errors threshold is disabled
Example
device-name(config-if 1/1/1)#efm-oam threshold bit-errors seconds 20 error-
count 100
In this example, the device generates the ErroredSymbol PeriodEvent message in case of 100 bit errors
in a 20 seconds time frame.

Page 27

Defining the EFM-OAM Thresholds for Frame Error Monitoring on
the Specified Interface
The efm-oam threshold frame-errors command defines a threshold for frame error testing and
reporting a specific interface or an interface range.
When the threshold is exceeded, the device generates an ErroredFrameEvent message and sends it to
the remote peer. The message is written to the Syslog and in the feature history. Additionally, the
event counters are updated.
Command Syntax
device-name(config-if UU/SS/PP)#efm-oam threshold frame-errors [seconds
<seconds> error-count <error-count>]
device-name(config-if UU/SS/PP)#no efm-oam threshold frame-errors
device-name(config-if-group)#efm-oam threshold frame-errors seconds <seconds>
device-name(config-if-group)#no efm-oam threshold frame-errors
seconds The number of seconds required to monitor the frame error-count, in the
range of <160>.
error-count The errors frame errors threshold in the range of <11488000>.
no
Disables the frame errors monitoring.
256 errors during 20 seconds
Example
device-name(config-if 1/1/1)#efm-oam threshold frame-errors seconds 20 error-
count 100
In this example, the device generates the ErroredFrameEvent message in case of 100 frame errors in
a 20 seconds time frame.

Page 28

Defining Event Monitoring on a Specific Interface
Event monitoring is the ability to perform an action on a target interface whenever a source
interface's link status changes. There are two possible actions:
shutdown the target interface
send a Link Event Notification from the target interface to its EFM peer
The efm-oam event-forward command on the source port to enable and an Event Monitoring
action.
For this command to take effect on the local interface, first enable EFM-OAM in the Protocol
Configuration mode (see Enabling/ DisablingEFM-OAM), otherwise the %EFM-OAM isdisabled
error is generated. You do not have to enable this option on the remote peer.
Command Syntax
device-name(config-if UU/SS/PP)#efm-oam event-forward {shutdown | status}
UU/SS/PP
device-name(config-if UU/SS/PP)#no efm-oam event-forward
device-name(config-if-group)#efm-oam event-forward {shutdown | status}
UU/SS/PP
device-name(config-if-group)#no efm-oam event-forward
shutdown Shuts down the target interface.
status Forwards a Link Event Notification from the target interface.
UU/SS/PP The target interface (on which the action is performed).
no
Disables event monitoring.
event monitoring is disabled
Example
device-name(config-if 1/1/1)#efm-oam event-forward status 1/2/3

Page 29

Enabling Event Return
The efm-oam event-return shutdown command is used to enable the Event Return feature. This
feature is used to determine the number of discovery attempts prior to administratively shutting
down the port.
You have to enable EFM-OAM on the port prior to enabling this command.
Command Syntax
device-name(config-if UU/SS/PP)#[no] efm-oam event-return shutdown <attempts>
attempts
The number of discovery attempts before shutting down the port, in the range
of <110>.
5 discovery attempts when Event Return feature is enabled
no
Disables this feature.
Event Return feature is disabled
Example
device-name(config-if 1/1/1)#efm-oam event-return shutdown 3

Page 30

EFM-OAM Monitoring and Network Testing
Commands
Table 3: EFM-OAM Monitoring and Network Testing Commands
Command Description
efm-oam ping
Enables the EFM-OAM non-intrusive monitoring on the specific
interface (see Enabling EFM-OAM Non-intrusive Monitoring)
efm-oam loopback
Enables the EFM-OAM monitoring on the specific interface, using
the loopback service (see Enabling EFM-OAM Monitoring)
efm-oam accept-
remote-loopback
Enables reaction to loopback control OAMPDUs from peers (see
Enabling/Disabling Loopback Commands' Processing)
efm-oam get
Enables the EFM-OAM get variable operations for the interface
specific counters, as defined by the relevant standard (see
Enabling EFM-OAM Get Variable)
efm-oam history clear
Clears the EFM-OAM buffer history contents (see Clearing EFM-
OAM History)


Page 31

Enabling EFM-OAM Non-intrusive Monitoring
The efm-oam ping command enables the EFM-OAM non-intrusive monitoring of a specific
interface.
By default, 5 requests are sent on the specified interface.
Command Syntax
device-name#efm-oam ping UU/SS/PP [number <number>] [delay <delay>] [timeout
<timeout>] [counter <branch> <leaf>] [extended]
UU/SS/PP The interface for EFM-OAM non-intrusive monitoring.
number <number> (Optional) defines the number of echo packets to send, in the range of
<110>
5 packets
delay <delay> (Optional) defines the delay between packets, in seconds, in the range
of <0600>
there is no delay
timeout <timeout> (Optional) define the reply timeout in the range of <160>seconds
2 seconds
counter (Optional) defines a different counter for the ping-like operation, from
the options displayed in the below table
aFramesTransmittedOK, branch 7 leaf 2
branch (Optional) selects the branch (see table below).
leaf (Optional) selects the leaf (see table below).
extended (Optional) displays the replay time for every packet.

Table 4: Leaf Values
Branch Leaf Port Statistics
7
2 aFramesTransmittedOK
7
5 aFramesReceivedOK
7
8 aOctetsTransmittedOK
7
14 aOctetsReceivedOK
7
21 aMulticastFramesReceivedOK
7
22 aBroadcastFramesReceivedOK


Page 32

Enabling EFM-OAM Monitoring
The efm-oam loopback command enables EFM-OAM monitoring of a specific interface, by
setting the remote device into a loopback mode and generating test traffic.
CAUTION
Initiating this mode drops all traffic from the remote peer interface.
You can enable one of the two loopback versions available:
Storm: sets the remote peer interface into a loopback mode, stops the local data flow to this
interface, and the local CPU generates a packet burst. When the remote peer sends the burst
back, the local device validates it and displays the burst statistics.
Burst: sets the remote peer interface into a loopback mode, stops the local data flow on this
interface, and the local hardware generates a test packet burst (a single packet, generated by
local CPU, is repetitively sent by the hardware). When the remote peer sends the burst back,
the local device ignores it and displays only counters.

NOTE
The Burst option is only supported with external traffic generator.

You can perform this test only if both devices support EFM-OAM Loopback.
Command Syntax
device-name#efm-oam loopback UU/SS/PP storm [count <burst-count>] [delay
<delay>] [packet-size <packet-size>] [no-remote-loopback] [timeout
<timeout>]
device-name#efm-oam loopback UU/SS/PP burst [duration <duration>] [packet-
size <packet-size>] [no-remote-loopback]
UU/SS/PP The interface for EFM-OAM non-intrusive monitoring.
Storm Selects a Storm loopback.
count <burst-
count>
(Optional) defines the number of packets sent in the Storm loopback, in
the range of <12147483646>.
100 packets
delay <delay>
(Optional) defines the delay between packets, in seconds, in the range
of <1600>
there is no delay
packet-size
<packet-size>
(Optional) defines the test-packets' size, in the range of <641512>
bytes
64 bytes
no-remote-
loopback
(Optional) does not define a remote loopback for this operation (set the
loopback manually).
timeout
<timeout>
(Optional) the reply timeout, in the range of <1600>seconds
2 seconds

Page 33

burst Selects a Burst loopback.
duration
<duration>
(Optional) defines the burst loopback duration, in the range of <1600>
seconds
10 seconds
Example 1
device-name#efm-oam loopback 1/1/1 storm count 1000 packet-size 64
Set t i ng Loopback . . . . . St ar t ed . . . . Compl et ed
Gener at i ng Test Tr af f i c . . . . . St ar t ed . . . . Compl et ed
Sent : 1000 packet s / 6400 oct et s
Recei ved Successf ul l y: 999 packet s / 6336 oct et s

Local Remot e
I nOct et s 636728 I nOct et s 1005096
Out Oct et s 613104 Out Oct et s 1136751
I nUcast Pkt s 7500 I nUcast Pkt s 7700
I nNUcast Pkt s 2250 I nNUcast Pkt s 7983
Out Ucast Pkt s 7400
Out NUcast Pkt s 2176
I nDi scar ds 0
Out Di scar ds 0
I nEr r or s 0
Out Er r or s 0

device-name#efm-oam loopback 1/1/1 burst duration 10 packet-size 64
Set t i ng Loopback . . . . . St ar t ed . . . . . Compl et ed
St oppi ng l oopback . . . . . St ar t ed . . . . . Compl et ed

That out put does not cor r espond t o t he l oopback bur st

Local Remot e
I nDi scar ds 0
Out Di scar ds 0
I nEr r or s 0
Out Er r or s 0

Page 34

Example 2
device-name#efm-oam loopback 1/2/1 burst no-remote-loopback
Set t i ng Loopback . . . . . St ar t ed . . . . . Compl et ed
St oppi ng l oopback . . . . . St ar t ed . . . . . Compl et ed

Maxi mumachi eved r at e: 94. 12%

Local Remot e
I nDi scar ds 0
Out Di scar ds 0
I nEr r or s 0
Out Er r or s 0

device-name#efm-oam loopback 1/ 2/ 1 storm no-remote-loopback
Gener at i ng Test Tr af f i c . . . . . St ar t ed . . . . . Compl et ed


Local Remot e
I nDi scar ds 0
Out Di scar ds 0
I nEr r or s 0
Out Er r or s 0

Page 35

Enabling/Disabling Loopback Commands' Processing
The efm-oam accept-remote-loopback command enables the processing of loopback control
OAMPDUs from peers.
Command Syntax
device-name(config-if UU/SS/PP)#[no] efm-oam accept-remote-loopback
no Disables reaction to loopback control OAMPDUs.
Disabled
Example
device-name(config-if 1/1/1)#efm-oam accept-remote-loopback
Enabling EFM-OAM Get Variable
The efm-oam get command gets specified counter variables for a specific interface.
Using this command with no parameters displays the identical information as the show efm-oam
statistics command (for more information, refer to DisplayingEFM-OAM Local andRemote
InterfaceStatistics).
Command Syntax
device-name#efm-oam get UU/SS/PP [counter <branch> <leaf>]
UU/SS/PP The interface to get counters from.
counter (Optional) performs a standard get variable operation, from the options
displayed in the below table.
branch (Optional) selects the branch for the get variable operation (see Table 4).
leaf (Optional) selects the leaf for the get variable operation (see Table 4).

Page 36

Example
device-name#efm-oam get 1/1/1
Wai t i ng t o r ecei ve r emot e st at i st i cs val ues
. . . . . . . . . . . . . . . . . . . .
Remot e I nt er f ace St at us St abl e
Remot e I f St at us St abl e
Remot e MAC 00: A0: 12: 27: 14: 23

I nOct et s 363254
Out Oct et s 181663
I nUcast Pkt s 0
I nNUcast Pkt s 2757

device-name#efm-oam get 1/1/1 counter 7 2
Wai t i ng t o r ecei ve
Pr ess Esc f or br eak
. . . . . . . . .
aFr amesTr ansmi t t edOK = 3007
Clearing EFM-OAM History
The efm-oam history clear command clears the EFM-OAM buffer history contents.
Command Syntax
device-name#efm-oam history clear

Page 37

EFM-OAM Display Commands
Table 5: EFM-OAM Display Commands
Command Description
show efm-oam
Displays the current EFM-OAM configuration and status for a
specific interface or for all interfaces(see Displaying the EFM-
OAM Status and Configuration)
show efm-oam history
Displays the history of the events from the remote device for a
specific interface or for all interfaces (see Displaying EFM-OAM
History on a Specified Interface)
show efm-oam history
count
Displays the number of entries in EFM-OAM history for a specific
port (see Displaying the EFM-OAM History Count for a Specific
Port)
efm-oam history show
Displays EFM-OAM history contents (see Displaying EFM-OAM
History)
show efm-oam
statistics
Displays the local and remote counters and accumulated statistics
for EFM-OAM on a specified interface (see Displaying the EFM-
OAM Local and Remote Interface Statistics)
Displaying EFM-OAM Status and Configuration
The show efm-oam command displays the current EFM-OAM configuration and status for a
specific interface or for all interfaces.
Command Syntax
device-name#show efm-oam [extended | UU/SS/PP]
extended (Optional) displays additional details.
UU/SS/PP Selects the interface to display the EFM-OAM configuration and status.

Page 38

Example 1
device-name#show efm-oam extended
Event s sendi ng st at us: Loggi ng Enabl ed, Pr opagat i on Enabl ed
Event Not i f i cat i on Dupl i cat i on Count : 5
I nt er val s: Keep- Al i ve i s 5000 mi l i seconds, Hel l o i s 1000 mi l l i seconds
Hi st or y l i mi t : 24 hour s or 5000 ent r i es
Local MAC: 00: A0: 12: 27: 12: 40
Ef m- OamPkt s count er : sent = 106680 , r ecei ved = 377329

Por t | Local | Remot e MAC | Remot e | Remot e | Remot e
| St at e | | St at e | Por t | Host name
- - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - +- - - - - - - - -
1/ 1/ 1 | Act i ve | 00: A0: 12: 27: 14: 23| Passi ve | 1/ 1/ 1 | T- Mar c 2
1/ 1/ 2 | Di sabl ed | Unknown | Unknown | UU/ SS/ PP| Unknown
1/ 2/ 1 | Act i ve | 00: A0: 12: 27: 01: 29| Act i ve | 1/ 2/ 1 | T- Mar c
Example 2
device-name#show efm-oam
Local MAC: 00: A0: 12: 27: 12: 40

Por t | Local | Remot e MAC | Remot e | Remot e | Local
| St at e | | St at e | St at us | St at us
- - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - +- - - - - - - -
1/ 1/ 1 | Act i ve | 00: A0: 12: 27: 14: 23| Passi ve | St abl e | St abl e
1/ 1/ 2 | Di sabl ed | Unknown | Unknown | Unknown | Unknown
1/ 2/ 4 | Act i ve | 00: A0: 12: 27: 01: 29| Act i ve | St abl e | St abl e

Page 39

Example 3
device-name#show efm-oam 1/2/1
I nt er f ace Mode: Enhancement s Enabl ed
Loopback St at us: Local
Local St at e: Act i ve
Remot e St at e: Act i ve
Remot e MAC: 00: A0: 12: 27: 14: 23
Remot e Host name: T- Mar c
Remot e St at us: St abl e
Local St at us: Loopback
Remot e OI D/ Vendor Speci f i c: 00: A0: 12 / 0x00000000
OAM Ver si on: 1. 0
Loopback Capabl e? Yes Event s Capabl e? Yes
Var i abl es Ret r i eve Capabl e? Yes Uni - Di r ect i onal Mode Capabl e? Yes
Pr i vat e Ext ensi ons Capabl e?
Act i ve Remot e Fl ags: ( Local St abl e, Remot e St abl e )
Act i ve Local Fl ags : ( Local St abl e, Remot e St abl e )

Local Thr eshol ds:
Bi t Er r or s: Di sabl ed
Fr ame Er r or s: 256 Wi ndow: 20

Li nk down act i ons:
Shut down: None.
For war d st at us t o: None.
Displaying EFM-OAM History on a Specified Interface
The show efm-oam history command displays the Link Events' history for a specified interface
or for all interfaces.
You can view the last 24 hours' historyif the device is not reloaded. To get this history, enable the
Syslog.
To execute this command, first enable:
EFM-OAM in the Protocol Configuration mode (see Enabling/ DisablingEFM-OAM),
otherwise the %EFM-OAM isdisablederror is generated
Syslog (holds a log with the same detail level. For more information, refer to the Configuring
SystemMessageLoggingchapter of this User Guide)
Command Syntax
device-name#show efm-oam [UU/SS/PP] history

Page 40

UU/SS/PP (Optional) specifies the interface number for which the EFM-OAM history
is displayed.
Example
device-name#show efm-oam history
3/ 1/ 2008 19: 20: Por t 1/ 1/ 1: Remot e Li nk Faul t Bi t Recei ved
3/ 1/ 2008 19: 21: Por t 1/ 1/ 1: Remot e Er r or ed Fr ame Event Recei ved
Ti mest amp: 12323445 Wi ndow: 30 sec
Thr eshol d: 50 Er r or s: 55
Tot al Er r or s: 78654
Tot al Event s: 9943
3/ 2/ 2008 19: 21: Por t 1/ 1/ 1: Remot e Li nk Faul t Bi t Cl ear ed
4/ 2/ 2008 22: 30, Por t 1/ 2/ 2: Remot e Er r or ed Fr ame Event Sent
Ti mest amp: 24523445 Wi ndow: 45 sec
Thr eshol d: 10 Er r or s: 15
Tot al Er r or s: 32654
Tot al Event s: 5943
3/ 4/ 2008 13: 25, Por t 1/ 1/ 1: Dyi ng Gasp Recei ved
3/ 4/ 2008 13: 26, Por t 1/ 1/ 1: Renegot i at i on Compl et ed.
3/ 4/ 2008 13: 27, Por t 1/ 1/ 1: Unknown Or gani zat i on Speci f i c Event
Displaying the EFM-OAM History Count for a Specific Port
The show efm-oam history count command displays the number of entries in EFM-OAM
history for a specific port.
Command Syntax
device-name#show efm-oam history [count | count UU/SS/PP]]
count
(Optional) counts EFM-OAM history
UU/SS/PP
The interface to display EFM-OAM statistics for
Example
device-name#show efm-oam history count 1/1/1
Ef m- oamhi st or y count on i nt er f ace 1/ 1/ 1 i s 1

Page 41

Displaying EFM-OAM History
The efm-oam history show command displays the EFM-OAM history contents.
Command Syntax
device-name#efm-oam history show count [UU/SS/PP]
count Counts EFM-OAM history.
UU/SS/PP (Optional) the port on which to display EFM-OAM history.
Example 1
device-name#efm-oam history show
%Ef m- Oamhi st or y empt y
Example 2
device-name#efm-oam history show count
Ef m- oamhi st or y count i s 1
Example 3
device-name#efm-oam history show count 1/1/1
Ef m- oamhi st or y count on i nt er f ace 1/ 1/ 1 i s 1
Displaying EFM-OAM Local and Remote Interface Statistics
The show efm-oam statistics command displays the local and remote counters and all EFM-
OAM accumulated statistics for a specific interface.
To execute this command, first enable:
EFM-OAM in the Protocol Configuration mode (see Enabling/ DisablingEFM-OAM),
otherwise the %EFM-OAM isdisablederror is generated.
EFM-OAM for the specific interface (see Enabling/ DisablingtheEFM-OAM Stateon a
SpecificInterfaceor InterfaceRange), otherwise the %EFM-OAM isdisabledonport UU/ SS/ PP
error is generated.

Page 42

Command Syntax
device-name#show efm-oam UU/SS/PP statistics
UU/SS/PP The interface to display EFM-OAM statistics for.
Example
device-name#show efm-oam 1/1/1 statistics

Local I nt er f ace St at us St abl e Remot e I nt er f ace St at us St abl e
Local St at e: Passi ve Remot e St at e: Act i ve
Local MAC 00: A0: 12: 22: 5B: A0 Remot e MAC 00: A0: 12: 22: 13: 36

Out Ucast Pkt s 0
I nDi scar ds 0
Out Di scar ds 0
I nEr r or s 0
Out Er r or s 0

OamPkt s Sent 1285
OamPkt s Recei ved 1286

EFMOAMPDU max si ze : 1518

Page 43

Log Messages
The following table displays the log messages implemented by the EFM-OAM.
Table 6: Log messages implemented by the EFM-OAM
Message Severity Description
EFM-OAM-Remote-
CriticalEvent
Error An event generated on interface UU/SS/PP
NOTE
This error requires special attention
EFM-OAM-Remote-
DyingGasp
Error A Dying Gasp event generated on interface
UU/SS/PP
EFM-OAM-Remote-
LinkFault
Warning A fault event generated on interface UU/SS/PP
EFM-OAM-Remote-
SpecificEvent
Notification An organization specific event generated on
interface UU/SS/PP
EFM-OAM-Remote-
RateExceeded
Warning The PDU quantity exceeded the allowed rate on
interface UU/SS/PP
EFM-OAM-Remote-
Errored-Symbol-Event
Warning Port UU/SS/PP: Remote Errored Frame Symbol
Period Event Received:
Timestamp: 0x24523445
Window: 452341 bytes
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
EFM-OAM-Remote-
Errored-Frame-Event
Warning Port UU/SS/PP: Remote Errored Frame Frame
Event Received
Window: 45.1 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
EFM-OAM-Remote-
Errored-Period-Event
Warning Port UU/SS/PP: Remote Errored Frame Period
Event Received:
Window: 454341frames
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943

Page 44

Message Severity Description
EFM-OAM-Remote-
Errored-Seconds-
Event
Warning Port UU/SS/PP: Remote Errored Frame Seconds
Event Received:
Window: 45.1 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
EFM-OAM-Local-
DyingGasp
Fatal EFM-OAM detected a local Dying Gasp event
EFM-OAM-Local-
LinkFault
Error Link Fault occurred on the local device, on interface
UU/SS/PP
EFM-OAM-Local-
Errored-Symbol-Event
Warning Port UU/SS/PP: Local Errored Frame Symbol Period
Event sent:
Window: 45 seconds
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
EFM-OAM-Local-
Errored-Frame-Event
Warning Port UU/SS/PP: Local Errored Frame Frame Event
sent:
Window: 45 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
EFM-OAM-Remote-
Errored-Seconds-
Event
Warning Port UU/SS/PP: Local Errored Frame Seconds
Event sent:
Window: 45 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943

Page 45

EFM-OAM Configuration Example
The following example is based on Figure5 and shows how to configure an Ethernet network using
a EFM-OAM protocol.

Figure 5: Example for Configuring Two Devices in EFM- OAM Protocol
Configuring Device1:
1. Verify if the EFM-OAM protocol is enabled on the device:
Device1#show efm-oam
%EFM- OAM i s di sabl ed
2. If EFM-OAM protocol is disabled, enable it:
Device1(cfg protocol)#efm-oam enable
3. Specify the number of OAMPDU:
Device1(cfg protocol)#efm-oam multiple-pdu-count 3
4. Enable sending of local event notifications to remote device:
Device1(cfg protocol)#efm-oam propagate-events
5. Define the OAMPDUs Priority:
Device1(cfg protocol)#efm-oam priority 3

Page 46

6. Define the aging interval in seconds for the neighboring device that last sent packets:
Device1(cfg protocol)#efm-oam keepalive-interval 3000
7. Enable EFM-OAM on the specified interface and set its mode to active:
Device1(config-if 1/1/1)#efm-oam active
1. Verify if the EFM-OAM protocol is enabled on the device:
%EFM- OAM i s di sabl ed
2. If EFM-OAM protocol is disabled, enable it:
Device1(cfg protocol)#efm-oam enable
3. Specify the number of OAMPDU:
Device2(cfg protocol)#efm-oam multiple-pdu-count 5
4. Enable sending of local event notifications to remote device
Device2(cfg protocol)#efm-oam propagate-events
5. Set OAMPDUs Priority:
Device2(cfg protocol)#efm-oam priority 5
Forcing loopback on remote device (Device2):
Device1(config-if 1/1/1)#efm-oam force-loopback remote
Configuring the remote peer interface into a loopback mode:
Device2#efm-oam loopback 1/1/1 storm

Page 47

Displaying EFM-OAM Configuration on both Devices:
Local Pr i or i t y i s 3
Local MAC: 00: A0: 12: 22: 41: 60

=================================================================
- - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - -
1/ 1/ 1 | Act i ve | 00: A0: 12: 4B: 06: C3| Passi ve | Loopback | St abl e
1/ 1/ 2 | Act i ve | Unknown | Unknown | Unknown | Di scover y
1/ 2/ 1 | Act i ve | Unknown | Unknown | Unknown | Li nk- Down

Local MAC: 00: A0: 12: 4B: 06: C3

=================================================================
- - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - -
1/ 1/ 1 | Passi ve | 00: A0: 12: 22: 41: 60| Act i ve | St abl e | Loopback


Page 48

Displaying EFM-OAM Extended Configuration on both Devices:
Device1#show efm-oam extended
Local MAC: 00: A0: 12: 22: 41: 60

=================================================================
- - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - +- - - - - - - - - - -
1/ 1/ 1 | Act i ve | 00: A0: 12: 4B: 06: C3| Passi ve | 1/ 1/ 1 | Devi ce2
1/ 1/ 2 | Act i ve | Unknown | Unknown | UU/ SS/ PP| Unknown

Device2#show efm-oam extended
Local MAC: 00: A0: 12: 4B: 06: C3

=================================================================
- - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - +- - - - - - - - - - -
1/ 1/ 1 | Passi ve | 00: A0: 12: 22: 41: 60| Act i ve | 1/ 1/ 1 | Devi ce2


Page 49

Displaying EFM-OAM Interface Statistics on Device1:
Device1#show efm-oam 1/1/1 statistics

Local I nt er f ace St at us St abl e Remot e I nt er f ace St at us Loopback
Local St at e: Act i ve Remot e St at e: Passi ve
Local MAC 00: A0: 12: 22: 41: 60 Remot e MAC 00: A0: 12: 4B: 06: C3

Out Ucast Pkt s 0
I nDi scar ds 0
Out Di scar ds 0
I nEr r or s 0
Out Er r or s 0

OamPkt s Sent 585
OamPkt s Recei ved 577

EFMOAMPDU max si ze : 1516

Page 50

802.1ag Connectivity Fault Management (CFM)
Overview
IEEE 802.1ag Connectivity Fault Management (CFM) refers to the ability of a network to monitor
the health of an end-to-end service delivered to customers (as oppose to just links or individual
bridges). The pre-standard IEEE 802.1ag CFM feature, called MAC ping/ trace route, defines the
end-to-end OAM capabilities that are intrinsic to Ethernet technology, enabling service providers to
monitor the Ethernet service that the customer receives.
The 802.1ag CFM standard specifies protocols, procedures, and managed objects to support
transport fault management. These allow:
the discovery and verification of the frames' path addressed to and from specified network
users
the detection and isolation of a connectivity fault to a specific bridge or LAN
Ethernet CFM defines proactive and diagnostic fault localization procedures for point-to-point and
multipoint Ethernet Virtual Connections (EVC) that span one or more links.
CFM-OAM Protocol Functionality
CFM-OAM supports the following basis functionalities:
Discovery& Connectivity: the ability to discover other CFM-OAM enabled devices and verifying
the connectivity to these devices
Fault Verification: the ability to verify and test the quality of the service delivered
Fault Isolation: the ability to identify and isolate the point of fault within the service path
CFM Purpose
Bridges are increasingly used in networks operated by multiple independent organizations, each
with restricted management access to each others equipment.
CFM provides capabilities for detecting, verifying, and isolating connectivity failures in such
networks, where multiple organizations are involved in providing and using the Ethernet service
(such as customers, service providers, and operators).
Customers purchase Ethernet service from service providers. These service providers may utilize
their own networks or the networks of other operators to provide connectivity for the requested
service. Customers themselves may be service providers. For example, a customer may be an
Internet service provider that sells Internet connectivity.

Page 51

Figure 6: OAM Ethernet Tools
Operators need minimal Ethernet OAM as oppose to providers that need more comprehensive
Ethernet OAM for themselves and the ability to provide customers with better monitoring
functionality.
In order to validate the service quality and to perform fault verification on Maintenance End Points
(MEP) and Maintenance Intermediate Points (MIPs) that belong to the organization, each
organization defines its own maintenance domain. These MEPs and MIPs are then linked to the
relevant domain creating a Maintenance Association (MA).
Mechanisms of Ethernet 802.1ag OAM
The mechanisms supported by CFM include Connectivity Check Messages (CCM), loopback, link
trace and Alarm Indication Signal (AIS).
CFM allows for end-to-end fault management that is generally reactive (through loopback, link
trace messages, and Alarm Indication Signals) and connectivity verification that is proactive
(through Connectivity Check messages).
Discovery and Connectivity
To discover the devices in a domain, each MEP transmits a periodical CCM to the entire domain
MIPs and MEPs.
CCMs are periodic hello messages multicast by a MEP within the MA at a defined rate. The
receiving MEPs build a MEP database that catalogs a list of the various MAs, including their MEPs
and MIPs (indicating each entity's MAC address) as functional points.

Page 52

The database includes entities MEP Destination MAC Address (DA) and port (format: MEP DA,
Port).

Figure 7: MEP1 and MEP3 Send a Multicast CC Frame

Figure 8: MEP4 and MEP2 Send a Multicast CC Frame
A CCM timeout is used to detect connectivity faults (such as a software failure, memory corruption,
or miss-configuration). A CCM loss is assumed when a MEP does not receive the next CCM from
a remote MEP within the CCM timeout.
If a MEP on a local bridge (local MEP) stops receiving periodic CCMs from a peer MEP on a
remote bridge (remote MEP), it assumes that a failure in the remote bridge or in the continuity of
the path has occurred. If the MEP does not receive three consecutive CCMs, it declares a
connectivity loss.
In this case, the bridge can notify the network management application about the failure and initiate
the fault verification and fault isolation steps either automatically or through an operator command.
Since a short CCM interval rate is a key point in ensuring fast connection-failure detection, the
systems administrator can define a CCM interval rate of down to 3.3 milliseconds.

Page 53

In cases that the MEP is deliberately taken out of commission, the MEP indicates this status to
other peer MEPs to avoid triggering false fault detections.
CFM also provides an alarm suppression mechanism in cases where a network fault affects more
than one VLAN and to avoid a situation where different MEPs generate an alarm notifying of the
same common fault.
Fault Verification (Loopback Messages)
A unicast Loopback Message (LBM) is used for fault verification. To verify the connectivity
between MEP and its peer MEP or a MEP, the LBM is initiated by a MEP with a destination MAC
address set to the MAC address of either a Maintenance association Intermediate Point (MIP) or
the peer MEP. The receiving MIP or MEP responds to the LBM with a Loopback Reply (LBR).
A Loopback message helps a MEP identify the precise fault location along a given MA. A
Loopback message is issued by a MEP to a given MIP along an MA. The appropriate MIP in front
of the fault responds with a Loopback reply. The MIP behind the fault does not respond. For
Loopback to work, the MEP must know the MAC address of the MIP to ping.

Figure 9: Loopback Operation
In the Figure 9 two maintenance entities are shown: one comprising the yellow MEPs and MIPs,
the other comprising orange MEPs and MIPs.
Fault Isolation (Linktrace Messages)
In order to isolate the exact point of fault, a MEP initiates a Linktrace mechanism. This mechanism
is used to isolate faults at the Ethernet MAC layer.
To run this mechanism, the originating MEP sends a Linktrace Message (LTM, using the domain's
set of reserved multicast MAC addresses) that traverses hop-by-hop along the domain's trace path.
Each Maintenance Point (MP, whether a MEP or MIP) along the trace path intercepts this LTM,
processes it, and forwards it onto the next hop until it reaches the destination MEP.

Page 54

Each MP along the path returns a unicast Linktrace Reply (LTR) back to the originating MEP. The
MEP then sends a single LTM to the next hop along the trace path eventually determining the
MAC address of all MIPs along the MA and their precise location with respect to the originating
MEP.

Figure 10: Link Trace Operation
In case of Ethernet, fault isolation is more challenging due to MAC addresses aging out, erasing the
information needed for locating the fault.
The possible ways to address this issue are:
Carrying out the Linktrace within the age-out time frame
Maintaining information about the destination MEP at the MIPs along the path using CCMs
Maintaining the path's visibility at the source MEPs through periodic LTMs (in intervals larger
than the CCM rate interval)
You can also use the Linktrace mechanism to discover normal data paths through the network,
during times where the network is fault-free. This can be helpful at a later stage, in cases where
Linktrace cannot provide the information needed to isolate a fault and by issuing LBMs to MPs
along the normal data paths to retrieve additional useful information.

Page 55

Fault Notification and Alarm Suppression (Fault
Alarms)
The Fault Alarm feature is a management operation that generates an SNMP notification to a
designated address when a MEP detects a fault.
When you enable the Fault Alarm, the MEP transmits an alarm upon detecting a defect that
occurred for more than a predefined threshold time. The MEP can transmit no further Fault
Alarms until a configured time period has passed during which no defect indication is present.
A MEP maintains a number of separate defects, for example, one for defects caused by the
accidental cross-connection of two different MAs and one for defects that are confined to a single
MA.
The defects are ranked by priority. If a higher priority defect occurs after a lower priority defect has
triggered a Fault Alarm, then the MEP transmits another Fault Alarm. This enables the operator to
reliably prioritize Fault Alarms. For example, cross-connect errors are typically of greater concern in
a Service Provider environment than connectivity loss errors. Only the highest-priority defect is
reported in the Fault Alarm.
In the order of their priority the defects are:
DefRDICCMthe last CCM received by this MEP from a remote MEP contained the RDI
bit
DefMACstatusthe last CCM received by this MEP from a remote MEP indicated that the
transmitting MEPs associated MAC is reporting an error status
DefRemoteCCMthis MEP is not receiving CCMs from one of the MEPs in its configured
list
DefErrorCCMthis MEP is receiving invalid CCMs
DefXconCCMthis MEP is receiving CCMs from a different MA

Page 56

CFM-OAM Configuration Flow

Figure 11: CFM- OAM Configuration Flow
Enable the CFM protocol
Start
Create a CFM Domain
Create CFM Maintenance Associations (MA)
End
Create MEP

Page 57

Figure 12: CFM- OAM Performance Monitoring Flow
Start
Create a Performance
Monitoring Profile
Create
performance
monitoring
profile?
Yes
No
Point-to-Multi-Point
Connection
Start CFM Process
End
Is dynamic
SLA
assurance
required?
No
Yes

Page 58

Figure 13: CFM- OAM on- demand Tools Flow

Start
CFM
Connectivity
Problem?
No
Yes
End
Verify the Failure
Send Linktrace Message Send Loopback Message
Isolate the Failure

Page 59

Configuring 802.1ag CFM in Protocol Configuration
Mode
Table 7: 802.1ag CFM Protocol Configuration Commands
Command Description
cfm
Enables/disables the CFM protocol on the devices and enters the
CFM Protocol Configuration mode (see Enabling/Disabling the
CFM Protocol)
domain
Creates a maintenance domain with a specified name and level
and enters that Maintenance Domain mode (see Creating and
Accessing a Maintenance Domain)
use-draft61
Enables the compatibility with the old IEEE 802.1ag protocol
version 6.1 (see Enabling the Compatibility with Version 6.1)
show cfm use-draft61
Displays if the compatibility with the old IEEE 802.1ag protocol
version 6.1 is enabled (see Showing the Compatibility with
Version 6.1)
Enabling/Disabling the CFM Protocol
The cfm command enables/ disables the CFM protocol on the device and enters the CFM Protocol
Configuration mode.
Command Syntax
device-name(config)#cfm [enable | disable]
device-name(config)#no cfm
enable (Optional) enables the CFM protocol
disable (Optional) disables the CFM protocol
Disabled
no Disables the CFM protocol


Page 60

Examples:
Enable CFM:
device-name(config)#cfm enable
device-name(config-cfm)#
Enabling the CFM (using the cfm enable command) when CFM is already enabled, generates
the %CFM isalreadyenablederror message, as displayed below:
[ %Er r or ] %CFM i s al r eady enabl ed
device-name(config)#cfm
device-name(config-cfm)#
Creating and Accessing a Maintenance Domains
The domain command creates a maintenance domain with a specified name and level. It also enters
the Maintenance Domain mode of that domain.
CLI Mode: CFM Protocol Configuration
Command Syntax
device-name(config-cfm)#domain name NAME level <level>
device-name(config-cfm)#domain name NAME format {none | string} level <level>
device-name(config-cfm-DONAME NAME)#

device-name(config-cfm)#no domain name NAME
NAME
The domain name.
level
The domain level in the range of <07>, according to the following rules:
Operators MA levels: 02
Providers MA levels: 34
Customers MA levels: 57
NOTE
This argument is compulsory when creating a new domain.
Do not use this argument for re-entering an existing
domain.

format
The way the name will appear in the MAID.
none
The domain name does not appear in the MAID.
string
The domain name appears as a string in the MAID.
string
no
Removes the domain from the CFM protocol.

Page 61

Examples:
Create a maintenance domain:
device-name(config-cfm)#domain name D5 level 3
device-name(config-cfm-D5)#exit
device-name(config-cfm)#domain name D6 format none level 4
device-name(config-cfm-D6)#
When reentering an existing domain, using the level argument generates the
[%Error] 'level' isnot recognizederror message, as displayed below:
device-name(config-cfm-D5)#exit
[ %Er r or ] ' l evel ' i s not r ecogni zed
device-name(config-cfm)#domain name D5
device-name(config-cfm-D5)#
Restoring the Version 6.1
The use-draft61 command enables compatibility with the IEEE 802.1ag protocol version 6.1
PDUs used for connectivity, loopback, and linktrace.
Command Syntax
device-name(config-cfm)#use-draft61
device-name(config-cfm)#no use-draft61
no
Restores to default
standard IEEE 802.1ag-2007 (draft 8.1)
Example
device-name(config-cfm)#use-draft61
Displaying the Current Version
The show cfm use-draft61 command shows if the compatibility with IEEE 802.1ag protocol
version 6.1 is enabled or disabled.
Command Syntax
device-name(config-cfm)#show cfm use-draft61

Page 62

The CFM Maintenance Domain Commands
Table 8: 802.1ag CFM Maintenance Domain Commands
Command Description
ma name
Creates a maintenance association within the specified domain
(see Creating Maintenance Associations)
mip-policy
Specifies the conditions in which MIPs are automatically created
on ports (see Specifying MIP Creation Policy)
senderid-content
Configures the Sender ID Type Length Value content of the CFM
packets (see Defining the Identification Data Sent to the
Remote MEPs)
Creating Maintenance Associations
The ma name command creates a maintenance association within a specified domain. This
command changes the Maintenance Domain mode to the specific Maintenance Association mode.
NOTE
You have to define a VLAN ID or a TLS service ID prior to creating an MA.

CLI Mode: Maintenance Domain Configuration
Command Syntax
device-name(config-cfm-DONAME NAME)#ma name NAME {vlan-ID <vlan-id> | service
<SVCID>}
device-name(config-cfm-DONAME NAME)#ma name NAME format icc {vlan-ID <vlan-
id> | service <SVCID>}
device-name(config-cfm-DONAME NAME)#ma name NAME format ieee {vlan-ID <vlan-
id> | service <SVCID>}

device-name(config-cfm-DONAME NAME)#no ma name NAME
NAME The MA name up to 22 characters.
vlan-id The unique VLAN identifier of the MA in the range of <14094>.
service
<SVCID>
The unique service ID (SVCID) of a TLS service in the valid range of <1
4294967295>.
format The way the name will appear in the MAID.
icc This format is described in ITU-T Y.1731.
ieee This format is described in IEEE 802.1ag.
ieee
no Removes the created MA.

Page 63

The MAID is unique over the domain. If the MAID is globally unique, then that domain is global.
CFM can detect connectivity errors only for a list of MEPs with unique MAIDs.
Example 1
First create the VLAN ID and then the MA:
device-name(config-cfm-D5)#ma name MA5 vlan-ID 3
device-name(config-cfm-D5-MA5)#exit
device-name(config-cfm-D5)#ma name MA6 format icc vlan-ID 4
When reentering an existing MA, using the vlan argument generates the
[%Error] 'vlan-ID' isnot recognizederror message, as displayed below:
[ %Er r or ] ' vl an- I D' i s not r ecogni zed
device-name(config-cfm-D5)#ma name MA5
device-name(config-cfm-D5-MA5)#
Example 2
First create the TLS service and then the MA:
device-name(config-tls serv)#exit
device-name(config-cfm-D5)#ma name MA5 service 5
device-name(config-cfm-D5-MA5)#

Page 64

Specifying MIP Creation Policy (in Maintenance Domain)
The mip-policy command defines the conditions in which MIPs are automatically created on
ports.
A MIP can be created on a port and a VLAN only when an explicit or default policy is defined for
them.
When no MEP was created for the specific port and VLAN, the MIP is created at the lowest level.
If a MEP was created, the MIP is created at the next-immediate level higher than the MEP's.
Command Syntax
device-name(config-cfm-DONAME NAME)#mip-policy {none | explicit | default}
device-name(config-cfm-DONAME NAME)#no mip-policy
none Does not create any MIPs for the specified MA
explicit Configures MIPs only if a MEP exists on a lower MD Level
default Always creates MIPs
MIPs are always created
For the MIP creation rules, see Table 10.
Example
device-name(config-cfm-D7)#mip-policy explicit
Defining the Identification Data Sent to the Remote MEPs
The senderid-content command configures the content of the Sender ID Type Length Value
(TLV) included in most of the CFM packets the MEPs send.
Command Syntax
device-name(config-cfm-DONAME NAME)#senderid-content {none | hostname |
management-address | all}
device-name(config-cfm-DONAME NAME)#no senderid-content

Page 65

none
Does not send the Sender ID TLV to remote MEPs: the chassis ID and
management information are hidden from all remote sites.
hostname
The Sender ID TLV includes only the device hostname: the local hostname is
visible to all remote sites on the MA but the local management address is
hidden.
management-
address
The Sender ID TLV includes only the device's management address: the local
management mechanism and management address are visible to all remote
sites on the MA but the local hostname is hidden.
all
The Sender ID TLV includes both the hostname and the management address
of the device.
hostname and management address of the device
no
Restores to default
Example
device-name(config-cfm-D7)#senderid-content management-address

Page 66

CFM Maintenance Association Commands
Table 9: 802.1ag CFM Maintenance Association Commands
Command Description
hello-interval
Defines the time interval between two successive CCMs
(see Defining the Hello Interval)
mep
Adds/removes local ports or a group of ports as a MEP to/from an
MA (see Adding/Removing MEPs)
ccm-priority
Define the VLAN priority assigned to CCM, LBM, and LTM packets
(see Configuring the Packets' VLAN Priority)
mip-policy
Defines the MIPs creation conditions on ports
(see Defining the MIP Creation Policy on Ports)
senderid-content
Defines the Sender ID TLV content in the CFM packets the MEPs
send (see Define the Identification Data Sent to the Remote
MEPs)
fault-alarms-level
Defines the defect priority used to generate fault alarms for a
specified MEP (see Defining the Defect Priority)
clear connectivity
Clears and updates the remote MEPs connectivity list
(see Updating the Remote MEPs List)
fng-reset-time
Defines in which defects are absent before enabling a Fault Alarm
again (see Defining the Fault Notification Reset Time)
fng-alarm-time
Define the time interval that defects must be present before a local
MEP generates a Fault Alarm (see Defining the Fault
Notification Alarm Time)
ais-lck
Enables the Alarm Indication Signal (AIS) and Lock Signal (LCK)
functions of Y.1731 (see Enabling the AIS/LCK)
ais-lck level
Configures the client's domain level in which AIS and LCK packets
are sent (see Configuring the AIS/LCK Level)
ais-lck priority
Configures the sent AIS and LCK packets' priority
(see Configuring the AIS/LCK Priority)
ais-lck interval
Configures the interval between two successive AIS or LCK
packets sent (see Configuring the AIS/LCK Sending Interval)
mep-state active
Enables a MEP to operate in an active state for a specific MEP ID
(see Enabling a MEP in an Active State)
mep-ccm enabled
Enables a MEP to send CCMs for a specific MEP ID
(see Enabling a MEP to Send CCMs)

Page 67

Defining the Hello Interval
The hello-interval command defines the time interval between two successive CCMs sent by a
MEP that is a member of this maintenance association.
CLI Mode: Maintenance Association Configuration
Command Syntax
device-name(config-cfm-DONAME NAME-MA NAME)#hello-interval {300 Hz | 10
milliseconds | 100 milliseconds | 1 second | 1 minute | 10 seconds | 10
minutes}
300 Hz Defines the time interval between two successive CCM packets to
3.3 milliseconds.
10 milliseconds Defines the time interval between two successive CCM packets to 10
milliseconds.
100 milliseconds Defines the time interval between two successive CCM packets to
100 milliseconds.
1 second Defines the time interval between two successive CCM packets to 1
second.
1 second
1 minute Defines the time interval between two successive CCM packets to 1
minute.
10 seconds Defines the time interval between two successive CCM packets to 10
seconds.
10 minutes Defines the time interval between two successive CCM packets to 10
minutes.
Example 1: When creating a domain
device-name(config-cfm-D1)#ma name MA1 vlan-id 3
device-name(config-cfm-D1-MA1)#hello-interval 10 seconds
Example 2: When the domain is already created
device-name(config-cfm)#domain name D1
device-name(config-cfm-D1-MA1)#hello-interval 10 minutes

Page 68

Adding/Removing MEPs
The mep command adds local ports or a group of ports as MEPs to a specific maintenance
association.
If the current MA is defined over the service and you are trying to create a MEP on a physical port
or a LAG, the [Error]MA isdefinedover servicemessage is displayed.
When the MA is not defined over the service, and a MEP is created over VLAN, the [Error]MA
definedover VLAN message is displayed.

NOTE
MEP IDs have to be unique per MA.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#mep <mep-id> {port UU/SS/PP |
ag0N} {in | out}
device-name(config-cfm-DOMAIN NAME-MA NAME)#mep <mep-id> sap SAPSTRING
device-name(config-cfm-DOMAIN NAME-MA NAME)#no mep <mep-id>
mep-id Defines the maintenance end point (MEP) ID, in the range of <18191>.
UU/SS/PP Specifies the target interface on which MEP is used.
ag0N Specifies the link aggregation ID (ag01, ag04ag07) on which MEP is used.
The allowed ID is in the range of <17>.
in
Defines the MEP Direction to in the bridge.
out
Defines the MEP Direction to out the bridge.
sap
SAPSTRING
Creates the MEP on a SAP (part of the service where MA was created on).
The SAPSTRING has the UU/SS/PP:CVLANID: format.

NOTE
To use this command, first create the MA on the service with
ma name NAME ser vi ce <SVCID> command.
no Removes the MEP from the MA

Page 69

Examples:
Define the MEP ID and direction:
device-name(config-cfm-D5-MA5)#mep 1 port 1/2/3 out
Create the MEP on SAP port 1/ 2/ 1:
device-name(config-cfm-D2)#ma name MA2 service 3
device-name(config-cfm-D2-MA2)#mep 2 sap 1/2/1:10:
Configuring CCM Priority
The ccm-priority command defines the VLAN priority assigned to the CCM, LBM, and LTM
packets.
Command Syntax
device-name(config-cfm-DONAME NAME-MA NAME)#ccm-priority <0-7> [mep <mep-id>]
0-7 The VLAN priority.
6
mep-id (Optional) selects a MEP ID to assign the priority to, in the range of
<18191>.
Example
device-name(config-cfm-D5-MA5)#ccm-priority 5 mep 1
Specifying MIP Creation Policy (in Maintenance Association)
The mip-policy command defines the conditions in which MIPs are automatically created on
ports.
A MIP can be created on a port and a VLAN only when an explicit or default policy is defined for
them.
When no MEP was created for the specific port and VLAN, the MIP is created at the lowest level.
If a MEP was created, the MIP is created at the next-immediate level higher than the MEP's.

Page 70

Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#mip-policy {none | explicit |
default | defer}
device-name(config-cfm-DOMAIN NAME-MA NAME)#no mip-policy
none Does not create any MIPs for the specified MA.
explicit Creates MIPs only if a MEP exists on a lower MD Level.
default Always creates MIPs.
defer The policy is inherited from the domain policy configuration.
no Restores to defaults.
If no MIP creation policy per MA is defined, the default policy is inherited
from the domain policy configuration
Table 10: MIP Creation Rules
Existing
MEP at
Higher
MD Level
MIP at
lower MD
Level
MIP Policy MEP at Higher MD
Level
MIP Half
Function
(MHFs)
Created
True No
False True No
False False None No
False False Default the MIP Policy
default always
creates MIPs
Yes
False False Explicit True Yes
False False The explicit MIP policy
depends on the presence of
MEPs at lower level.
False No
All above All above Defer
NOTE
You can define the
Defer policy only
on the MA level
(see Specifying
MIP Creation
Policy (in
Maintenance
Domain))
If you select the defer
argument, the MIP policy is
inherited from the enclosing
Domain.
The decision
is taken
considering
the setting of
the enclosing
domain.
The table above defines the Level of MIP on a given port and on a given VLAN.


Page 71

NOTE
Levels are set optionally by the administrator and depend on that part of the
network that is under monitoring or the place of the device in the network.

Therefore the MIPs appear on ports if there are any Domains and already defined MAs.
It is recommended the levels 7, 6 and 5 to be explored by the users. Levels 3 and 4 are distributed
for the Service Providers. Level 1 and 2 serve the Operators. Level 0 is intended to be closer to the
physical Level.
An Intermediate Service Access Point (ISAP) is a SAP, from a Maintenance Domain, through
which frames can pass in transit from DoSAP to DoSAP.
MIPs are supporting the discovery of paths among MEPs and the location of faults along those
paths.
Example
device-name(config-cfm-D7-MA7)#mip-policy explicit
Defining the Identification Data Sent to the Remote MEPs
The senderid-content command configures the content of the Sender ID Type Length Value
(TLV) included in most of the CFM packets the MEPs send.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#senderid-content {none | hostname
| management-address | all | defer}
device-name(config-cfm-DOMAIN NAME-MA NAME)#no senderid-content
none
Does not send the Sender ID TLV to remote MEPs: the chassis ID and
management information are hidden from all remote sites.
hostname
The Sender ID TLV includes only the device hostname: the local
hostname is visible to all remote sites on the MA but the local
management address is hidden.
management-
address
The Sender ID TLV includes only the device's management address: the
local management mechanism and management address are visible to
all remote sites on the MA but the local hostname is hidden.
all
The Sender ID TLV includes both the hostname and the management
address of the device.hostname and management address of the device
defer
The content of the Sender ID TLV is decided by the corresponding
setting on the enclosing domain. The values are inherited from the
domain configuration.
defer

Page 72

no
Restores to default
Example
device-name(config-cfm-D7-MA7)#senderid-content hostname
Defining the Defect Priority
The fault-alarms-level command defines the defect priority for generating fault alarms for a
specified MEP.
Defects are the loss of CCMs or a reception of cross connected CCMs.
For more information regarding Fault Alarms, refer to the Fault Notification and Alarm
Suppression (Fault Alarms) section.
The following table shows the relationship between the variables indicating the defects (the
highestDefect column), their priorities, and corresponding integer (the highestDefectPri column)
reported to the fault alarm.
The highestDefectPri is an integer value indicating the priority of the defect named in the variable
highestDefect.
The highestDefect variable is the highest-priority defect which is currently detected by the MEP.
Table 11: Defects and Priorities
Defect Priority
Variable HighestDefect HighestDefectPri Importance
Disable Disable 6
xconCCMdefect DefXconCCM 5 most
errorCCMdefect DefErrorCCM 4
someRMEPCCMdefect DefRemoteCCM 3
someMACstatusDefect DefMACstatus 2
someRDIdefect DefRDICCM 1 least


Page 73

Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#fault-alarms-level <priority>
[mep <MEPID>]
device-name(config-cfm-DOMAIN NAME-MA NAME)#no fault-alarms-level [mep
<MEPID>]
priority The defect priority for the specified MEP, in the range of <16>.
Selecting priority 6 disables Alarm Reporting.
defect priority is 1 and alarms are generated for all defect conditions.
MEPID (Optional) defines the MEP ID, in the range of <18191>.
no
Restores to default
Example
In this example, the defect priority of the local MEP ID 10 is configured to 3. In this case, this
MEP reports all defect conditions with a priority equal to or higher than 3:
It announces the lack of CCMs from a remote MEPs (configured in the local MEPs list)
It ignores the MAC status defects and the reception of valid CCMs with RDI bit set
device-name(config-cfm-D7-MA7)#fault-alarms-level 3 mep 10
Updating the Remote MEPs List
The clear connectivity command clears and updates the remote MEPs' connectivity list for a
specific or all remote MEPs.
This command clears:
the remote MEPs that did not send CCMs for some time and are in a downstate
the active remote MEPs' counters
When removing a local MEP, all the remotes MEPs that belong to the monitored MA are removed
from the CCM remote MEPs list.
NOTE
When you remove a local MEP, all the remote MEPs it has relations with are
removed from the MEP's connectivity list.

Command syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#clear connectivity [<MEPID>]

Page 74

MEPID (Optional) defines the remote MEP's ID, in the range of <18191>
NOTE
If you do not define a MEP ID, this command clears
all the MEPs in a down state.
Defining the Fault Notification Reset Time
The fng-reset-time command defines the time interval in which defects are absent before
enabling a Fault Alarm again.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#fng-reset-time <250-1000> mep
<1-8191>
device-name(config-cfm-DOMAIN NAME-MA NAME)#no fng-reset-time mep <1-8191>
250-1000 Defines the reset interval time, in hundredths of a second.
1000 hundredths of a second
mep <1-8191> The MEP ID.
Example
device-name(config-cfm-D7-MA7)#fng-reset-time 850 mep 225
Defining the Fault Notification Alarm Time
The fng-alarm-time command defines the time interval that defects must be present before a
local MEP generates a Fault Alarm.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#fng-alarm-time <250-1000> mep
<1-8191>
device-name(config-cfm-DOMAIN NAME-MA NAME)#no fng-alarm-time mep <1-8191>

Page 75

250-1000 Defines the alarm interval, in hundredths of a second.
250 hundredths of a second
mep <1-8191> The MEP ID.
Example
device-name(config-cfm-D7-MA7)#fng-reset-time 350 mep 225
Enabling the AIS/LCK
The ais-lck command enables Alarm Indication Signal (AIS) and Lock Signal (LCK) functions of
Y.1731. MEPs send AIS packets during signal failure detection and LCK packets during tests. The
MEPs, defined in the MA, react to the received AIS and LCK packets.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#ais-lck {enable | disable}
Example
device-name(config-cfm-D5-MA5)#ais-lck enable
Configuring the AIS/LCK Level
The ais-lck level command configures the client domain level in which AIS and LCK packets
are sent.
This level has to be higher than the domain level. For example, if the domain level is 5, the
AIS/ LCK level has to be 6 or 7. Therefore, the AIS/ LCK feature does not send any packets when
it is enabled on domain level 7.
To configure the AIS/ LCK level, first enable this feature using the ais-lck command
(see EnablingtheAIS/ LCK), otherwise the [%Error] AIS/ LCK shouldbeenabledfirst error is
generated.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#ais-lck level <1-7>
device-name(config-cfm-DOMAIN NAME-MA NAME)#no ais-lck level

Page 76

level <17>
The AIS/LCK level, in the range of <17>.
default level is one higher than the configured MA level.
Example 1
device-name(config-cfm-D5-MA5)#ais-lck level 4
Example 2
[ %Er r or ] AI S/ LCK shoul d be enabl ed f i r st
Configuring the AIS/LCK Priority
The ais-lck priority command configures the sent AIS and LCK packets' priority.
To configure the AIS/ LCK priority, first enable this feature using the ais-lck command
generated.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#ais-lck priority <0-7>
0-7
The AIS/LCK priority
6
Example 1
device-name(config-cfm-D5-MA5)#ais-lck priority 5
Example 2

Page 77

Configuring the AIS/LCK Sending Interval
The ais-lck interval command configures the interval between two successive AIS or LCK
packets sent (A MEP continuously sends AIS or LCK packets until the condition that triggered
them is cleared).
To configure the AIS/ LCK interval, first enable this feature using the ais-lck command
generated.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#ais-lck interval {1 second | 1
minute}
1 second
Defines a 1 second interval between two successive AIS or LCK packets
1 second
1 minute
Defines a 1 minute interval between two successive AIS or LCK packets
Example
device-name(config-cfm-D5-MA5)#ais-lck interval 1 minute
device-name(config-cfm-D5-MA5)#ais-lck interval 1 minute
Enabling a MEP in an Active State
The mep-state active command enables a MEP to operate in an active state for a specific MEP
ID.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#mep-state active <1-8191>
device-name(config-cfm-DOMAIN NAME-MA NAME)#no mep-state active
1-8191
Specifies the MEP ID.
MEP state is inactive
no
Restores the default.

Page 78

Enabling a MEP to Send CCMs
The mep-ccm enabled command enables a MEP to send CCMs for a specific MEP ID.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#mep-ccm enabled <1-8191>
device-name(config-cfm-DOMAIN NAME-MA NAME)#no mep-ccm enabled
1-8191
Specifies the MEP ID.
MEP is not able to send CCMs
no
Restores the default.
Example
device-name(config-cfm-D1-MA1)#mep-ccm enabled 1

Page 79

CFM Performance Monitoring Commands
Table 12: 802.1ag Performance Monitoring Commands
Command Description
profile
Creates a performance monitoring profile with a specified name
and enters Monitoring Profile Configuration mode (see Creating a
Performance Monitoring Profile)
process
Enters the Monitoring Process Configuration mode and starts the
monitoring of an established CFM connectivity according to
thresholds defined on the specified profile (see Configuring a
Two-way Monitoring Process)
update-interval
Defines the time interval between updates of performance
parameters (see Configuring the Time between Performance
Parameters Update)
Performance Monitoring Profile Creation
The profile command creates a CFM profile with a specified name or enters the Monitoring
Profile Configuration mode.
If you do not configure a monitoring profile, the default thresholds and default parameters values
(such as rate and frame size) are used.
Command Syntax
device-name(config-cfm)#[no] profile PROFNAME
PROFNAME Defines the monitoring profile name.
when CFM protocol is enabled, a default profile is created automatically
no
Removes the configured profile.
Example
device-name(config-cfm)#profile p1
device-name(config-cfm-profile-p1)#exit

Page 80

Configuring Two-way Monitoring Process
The process command begins the monitoring of an established CFM connectivity on a specified
domain level and MA, according to thresholds defined on the specified profile. These results are
collected for performing the two-way jitter calculation.
Command Syntax
device-name(config-cfm)#[no] process PROCNAME domain DOMAIN NAME ma MA NAME
[repeat minutes <minutes> seconds <seconds>] [profile PROFNAME]
PROCNAME Defines the monitoring process name.
DOMAIN NAME The maintenance domain name used by the process.
MA NAME The maintenance association name that the process monitors.
repeat minutes
<minutes>
seconds
<seconds>
(Optional) defines the repetition interval of the monitoring process.
The valid range is:
<060>minutes
<060>seconds
1 minute
profile PROFNAME (Optional) selects the monitoring profile name.
no Removes the existing configuration.

NOTE
The command is rejected if you add a process with an existing name but change the
repeat interval.
The command is accepted if you add a process with an existing name but change
the profile name and the repeat interval (even if the profile has the same
configuration as the previous).
Example
device-name(config-cfm)#process proc1 domain d7 ma ma7 profile p1 repeat
minutes 0 seconds 1
minutes 1 seconds 1
%Pr ocess pr oc1 i s al r eady usi ng pr of i l e p1 f or domai n d7 and ma ma7

minutes 0 seconds 1

Page 81

Configuring Time between Performance Parameters Update
The update-interval command configures the time interval for updating the monitoring
parameters (one-way jitter, two-way jitter, latency, and frame loss).
Command Syntax
device-name(config-cfm)#update-interval <0-65535>
065535
Defines the time between monitoring parameters update, in seconds. A
value of 0 suspends the monitoring task and a value different from 0
resumes it.
20 seconds
Example
device-name#update-interval 60

Page 82

CFM Profile Configuration
Table 13: 802.1ag Monitoring Profile Commands
Command Description
priority
Defines the 802.1p class-of-service (see Specifying the CFM
Class-of-Service)
rate
Defines the number of the Loopback Request packets (see
Specifying the Number of Loopback Request Packets)
size
Defines the Loopback Request packets' size (see Specifying the
Size of Loopback Request Packets)
1wJitter-error
Defines the one-way jitter error monitoring threshold (see
Specifying the One-Way Jitter Error Monitoring Threshold)
1wJitter-warning
Defines the one-way jitter warning monitoring threshold (see
Specifying the One-Way Jitter Warning Monitoring
Threshold)
jitter-error
Defines the two-way jitter error monitoring threshold (see
Specifying the Two-Way Jitter Error Monitoring Threshold)
jitter-warning
Defines the two-way jitter warning monitoring threshold (see
Specifying the Two-Way Jitter Warning Monitoring
Threshold)
frame-loss-error
Defines the frame-loss error threshold (see Specifying the Two-
Way Frame-Loss Error Threshold)
frame-loss-warning
Defines the frame-loss warning threshold (see Specifying the
Two-Way Frame-Loss Warning Threshold)
latency-error
Defines the two-way latency error threshold (see Specifying the
Two-Way Latency Error Monitoring Threshold)
latency-warning
Defines the two-way latency warning threshold (see Specifying
the Two-Way Latency Warning Monitoring Threshold)
results-bucket-size
Defines the number of results saved for jitter calculation (see
Defining the CFM OAM Process Result Bucket Size)


Page 83

Specifying the 802.1p Class-of-Service Setting
The priority command defines the 802.1p class-of-service.
CLI Mode: Monitoring Profile Configuration
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#priority <priority>
priority The 802.1p class-of-service setting, in the range of <07>.
0
Specifying the Number of Loopback Request Packets
The rate command defines the number of the Loopback Request packets.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#rate <packet-rate>
packet-rate The number of Loopback Request packets sent each time, in the range
of <13>.
1
Specifying the Size of Loopback Request Packets
The size command defines the Loopback Request packets' size.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#size <0-1462>
0-1462 The Loopback Request data TLV payload, in the range of <01462>
bytes.
0 bytes

Page 84

Specifying One-Way J itter Error Monitoring
The 1wJitter-error command defines the one-way jitter error monitoring.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#1wJitter-error <1wJitter-error>
1wJitter-error Defines the one-way jitter error value to monitor, in the range of
<110000>milliseconds.
350 milliseconds
Specifying One-Way J itter Warning Monitoring
The 1wJitter-warning command defines the one-way jitter warning monitoring.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#1wJitter-warning <1wJitter-warning>
1wJitter-warning Defines the one-way jitter warning value to monitor, in the range of
<110000>milliseconds.
300 milliseconds
Specifying Two-Way J itter Error Monitoring
The jitter-error command defines the two-way jitter error monitoring.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#jitter-error <jitter-error> [period
<jitter-error-time>]

Page 85

jitter-error The jitter error value to monitor, in the range of <110000>
milliseconds.
700 milliseconds
period <jitter-
error-time>
(Optional) defines the jitter duration, in the range of <13600>seconds.
90 seconds
Specifying Two-Way J itter Warning Monitoring
The jitter-warning command defines the two-way jitter warning monitoring.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#jitter-warning <jitter-warning> period
<jitter-warning-time>
jitter-warning The two-way jitter warning value to monitor, in the range of <110000>
milliseconds.
600 milliseconds
period <jitter-
warning-time>
(Optional) defines the jitter duration, in the range of <13600>seconds.
180 seconds
Specifying Two-Way Frame-Loss Error Monitoring
The frame-loss-error command defines the two-way frame-loss error monitoring threshold.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#frame-loss-error <frame-loss-error>
frame-loss-error The two-way frame-loss error value, in percents, in the range of
<099>.
10% frame loss

Page 86

Specifying Two-Way Frame-Loss Warning Monitoring
The frame-loss-warning command defines the two-way frame-loss warning monitoring
threshold.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#frame-loss-warning <frame-loss-warning>
frame-loss-
warning
The two-way frame-loss warning value, in percents, in the range of
<099>. If you define a value greater than the frame-loss-error
value, the frame-loss-warning is disabled.
8% frame loss
Specifying Two-Way Latency Error Monitoring
The latency-error command defines the two-way latency error monitoring threshold.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#latency-error <latency-error> [period
<latency-error-time>]
latency-error The two-way latency error threshold, in the range of <110000>
milliseconds.
2000 milliseconds
period <latency-
error-time>
(Optional) defines the latency increase duration, in the range of
<13600>seconds.
90 seconds

Page 87

Specifying Two-Way Latency Warning Monitoring
The latency-warning command defines the two-way latency warning monitoring threshold.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#latency-warning <latency-warning>
[period <latency-warning-time>]
latency-warning The two-way latency warning threshold, in the range of <110000>
milliseconds.
1600 milliseconds
period <latency-
warning-time>
(Optional) defines the latency increase duration, in the range of
<13600>seconds.
180 seconds

NOTE
If you define a threshold that is larger than the corresponding error threshold,
the warning threshold is disabled.
Defining the CFM OAM Process Result Bucket Size
The results-bucket-size command defines the number of results to save for jitter calculation.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#results-bucket-size <bucket-size>
bucket-size The number of results saved for jitter calculation, in the range of
<2255>results.
20 results


Page 88

802.1ag CFM Monitoring and Statistics Commands
Table 14: 802.1ag CFM Monitoring and Statistics Commands
Command Description
show cfm
Displays the current CFM configuration and status (see
Displaying the CFM Configuration)
show cfm connectivity
Displays connectivity statistics for all configured domains or for a
specified domain (see Displaying Connectivity Statistics)
show cfm profile
Displays the monitoring parameters for a specified monitoring
profile or for all profiles (see Displaying Monitoring
Parameters)
show cfm process
Displays performance statistics for a specified domain or all
domains (see Displaying Performance Statistics)
show cfm update-
interval
Displays the update interval value (see Displaying the Update
Interval)
cfm linktrace
Sends a linktrace message to a specific MEP or MIP in a specified
domain (see Sending Linktrace Messages
cfm loopback
Sends a loopback message to a specific MEP or MIP in a
specified domain (see Sending Loopback Messages)
Displaying the CFM Configuration
The show cfm command displays the local MEPs' current CFM configuration and status.
To execute this command, first enable CFM (see Enabling/ DisablingtheCFM Protocol);
otherwise the %CFM not activeerror is generated.
Command Syntax
device-name#show cfm [UU/SS/PP | ag0N | interfaces | domain level <0-7>]
UU/SS/PP (Optional) the port for which MEPs and MIPs details are displayed.
ag0N (Optional) the aggregated port for which MEPs and MIPs details are
displayed. The allowed LAG ID numbers are in the range of <17>.
interfaces (Optional) the current CFM entities (MIPs, MEPs).
domain level
<0-7>
(Optional) the CFM entities (MIPs, MEPs) for a specific domain level.

Page 89

The command displays two state types per MEP: Administrative and Operative (as detailed in the
below table):
Table 15: The show cf mCommand Parameters Displayed (for Local MEPs)
Adm State Indicates whether CFM packets are being sent or not. The
available states are:
Up: the MEP is functioning normally and sends packets
Down: the MEP is not functioning properly and is not able to
send packets
Oper state Displays the status of the port assigned to the MEP. The available
states are:
Up: MEP functions normally and CFM PDUs are sent
Down: at least one of the remote MEPs configured to this
MEP has failed and CFM PDUs are not sent.
Block: the port is blocked by the xSTP protocol
Test: a status that might be set as a result of an IEEE Std.
802.3ah OAM intrusive loopback operation
NoDat: no data and no CFM Messages are received for an
excessive length of time
Example 1
device-name#show cfm
Domai n: d1 ( st r i ng)
Level : 1
Mi p Pol i cy: def aul t
Sender I D Cont ent : al l

Mai nt enance associ at i on: ma1 ( st r i ng)
Ser vi ce I D: 33
CCM Pr i or i t y: 6
Hel l o i nt er val ( ms) : 1000
Mi p Pol i cy: def er
Sender I D Cont ent : def er
AI S- LCK: enabl ed
AI S- LCK l evel : 5
AI S- LCK pr i or i t y: 6
AI S- LCK i nt er val : 1 mi nut e

Local MEPs
======================================================
| MEP | SAP | Adm | Oper | Al ar m| CCM |
| | | St at e| St at e| Level | Pr i o|
| - - - - +- - - - - - - - - - - - - - - - - - - - - - - - +- - - - - +- - - - - +- - - - - +- - - - |
| 2| 1/ 2/ 4: unt agged: | Up | Up | 1 | 6 |
======================================================


Page 90

Local MI Ps
=============================================================
| MP | SDP | Domai n | MA | MD | SVC |
| Type | | name | name | Level | I D |
| - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +- - - - - - - +- - - - - - - - - - |
| MI P | 1/ 1/ 1: 10 | 1| 1| 1 | 33|
=============================================================

Level : 3

VLAN I D: 10
AI S- LCK: di sabl ed

Local MEPs
===================================================
| MEP | Por t | Adm | Oper | Al ar m| CCM |
| | | St at e | St at e | Level | Pr i or i t y|
| - - - - - +- - - - - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - - |
| 3 | 1/ 2/ 1 | Up | Down | 1 | 6 |
===================================================

Local MI Ps
=======================================================
| MP | Por t | Domai n | MA | MD | VLAN |
| - - - - - - +- - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +- - - - - - - +- - - - - - |
| MI P | 1/ 2/ 2| 3| 3| 3 | 10 |
=======================================================
Example 2
device-name#show cfm 1/2/2
========================================
| MP | Di r ect i on | I D | MD | VLAN |
| Type | | | Level | I D |
| - - - - - - +- - - - - - - - - - - +- - - - - - +- - - - - - - +- - - - - - +
| MEP | I N | 226 | 5 | 5 |
| MI P | | | 6 | 10|
========================================

Page 91

Example 3
device-name#show cfm interfaces
Por t 1/ 1/ 1
========================================
| - - - - - - +- - - - - - - - - - - +- - - - - - +- - - - - - - +- - - - - - +
| MI P | OUT | 0 | 1 | 10 |
==========================================

Por t 1/ 2/ 2
==========================================
| - - - - - - +- - - - - - - - - - - +- - - - - - +- - - - - - - +- - - - - - +
| MEP | | 224 | 1 | 10 |
========================================

SDP 1/ 1/ 1: 10
========================================
| MP | Di r ect i on | I D | MD | SVC |
| - - - - - - +- - - - - - - - - - - +- - - - - - +- - - - - - - +- - - - - - +
| MI P | | 0 | 1 | 33 |
========================================

SAP 1/ 2/ 2: unt agged:
========================================
| MP | Di r ect i on | I D | MD | SVC |
| - - - - - - +- - - - - - - - - - - +- - - - - - +- - - - - - - +- - - - - - +
| MEP | I N | 2 | 1 | 33 |
==========================================

Page 92

Example 4
device-name#show cfm domain level 1
Level : 5
VLAN I D: 10

Local MI Ps
=======================================================
| MP | Por t | Domai n | MA | MD | VLAN |
| - - - - - - +- - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +- - - - - - - +- - - - - - |
| MI P | 1/ 1/ 1 | d1| ma1| 1 | 10 |
| MI P | 1/ 1/ 2 | d1| ma1| 1 | 10 |
=========================================================
Example 5
device-name#show cfm ag01
Not hi ng def i ned on por t
device-name#show cfm ag02
Local MEPs
==============================================================================
| MP | Di r ect i on | I D | Adm | Oper | Domai n | MA | MD | VLAN|
| Type | | | St at e | St at e | name | name | Level I D |
| - - - - - - +- - - - - - - - - - - +- - - - - - +- - - - - - - +- - - - - - - +- - - - - - - - - - +- - - - - - - - - - +- - - - - - - +- - - - - -
| MEP | OUT | 1000 | Down | Down | Cust omer _L| MA10 | 7 | 10|
==============================================================================
Displaying Connectivity Statistics
The show cfm connectivity command displays connectivity statistics for all configured domains
or for a specified domain.
Command Syntax
device-name#show cfm connectivity [domain NAME] [ma MA NAME] [extended]

Page 93

domain NAME (Optional) the maintenance domain's name to display connectivity statistics
for.
the statistics for all defined domains are displayed
ma MA NAME (Optional) the maintenance association's name to display connectivity
statistics for.
the statistics for all domains (defined above) MAs are displayed
extended (Optional) displays information extracted from the Port ID TLV in CCMs
Example 1
device-name#show cfm connectivity
Level : 5
VLAN I D: 11

Remot e MEPs Di scover ed by Local MEP 2
===========================================================
MEP | MAC- addr ess | Adm | Oper | Last St at e |
| | St at e | St at e | Change |
- - - - - +- - - - - - - - - - - - - - - - - - - +- - - - - - +- - - - - - - +- - - - - - - - - - - - - - - - - |
10 | 00: A2: 12: C2: 00: 02 | UP | UP | 1days 14: 54: 34|
15 | 00: A2: 12: D2: 01: 04 | UP | UP | 2days 19: 37: 16|
16 | 00: A2: 12: A6: 30: 23 | UP | UP | 1days 10: 21: 08|
=========================================================
Example 2
device-name#show cfm connectivity extended
Domai n: D6 ( st r i ng)
Level : 6

Mai nt enance Associ at i on: ma6 ( st r i ng)
VLAN I D: 3

======================================================================
MEP | MAC- addr ess | Adm | Oper | Chassi s | Management |
| | St at e | St at e | I D | Addr ess |
- - - - +- - - - - - - - - - - - - - - - - - - +- - - - - - +- - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - |
10 | 00: A2: 12: C2: 00: 02 | UP | UP | T- Mar c 4| 193. 254. 12. 1: 23 |
15 | 00: A2: 12: D2: 01: 04 | UP | UP | N/ A | N/ A |
16 | 00: A2: 12: A6: 30: 03 | UP | UP | T- Mar c 5| N/ A |
======================================================================

Page 94

The command displays two state types per MEP: Administrative and Operative (as detailed in the
below table).
Table 16: The show cf mconnect i vi t y ext ended Command Parameters (Remote
MEP)
Adm State Indicates whether CFM packets are received or not. The available
states are:
Up: the MEP is functioning normally and packets are received
Fail: the MEP is not functioning properly and no packets were
received in the last 3.5 CCM lifetime intervals
Oper state Displays the status of the port assigned to the MEP. The available
states are:
Up: MEP functions normally and CFM PDUs are received
Down: at least one of the remote MEPs configured to this
MEP has failed and CFM PDUs are not recieved.
Block: the remote port is blocked by the xSTP protocol
Test: a status that might be set as a result of an IEEE Std.
802.3ah OAM intrusive loopback operation
NA: the received CCMs do not contain the interface status
TLV or they contain an invalid interface status value.
There are other available statuses defined by IEEE Std.
802.1ag: unknown, dormant, notPresent, lowerLayerDown
(the operating status displays these statuses only if some
other vendor transmits them, but the T-Marc does not
broadcast such states)
Displaying Monitoring Parameters
The show cfm profile command displays the monitoring parameters for a specified monitoring
profile or for all profiles.
Command Syntax
device-name#show cfm profile [PROFILE NAME]
PROFILE NAME (Optional) the profile name to display.

Page 95

Example
device-name#show cfm profile default
Pr ocess name: def aul t
Pr i or i t y: 3; Rat e: 1; Payl oad si ze: 0; Bucket si ze: 20;
Thr eshol ds ( val ue<ms>/ dur at i on<s>) :
1WJ i t t er er r or : 350 1WJ i t t er war ni ng: 300
2WJ i t t er er r or : 700/ 90 2WJ i t t er war ni ng: 600/ 180
Lat ency er r or : 2000/ 90 Lat ency war ni ng: 1600/ 180
Fr ame l oss er r or : 10. 00% Fr ame l oss war ni ng: 8. 00%
Displaying Performance Statistics
The show cfm process command displays performance statistics for a specified domain or all
domains.
Command Syntax
device-name#show cfm process [PROCNAME]
PROCNAME (Optional) the process name to display
all domains' performance statistics are displayed
Example 1
device-name#show cfm process Proc1
Pr ocess: Pr oc1
Moni t or i ng pr of i l e: def aul t
Domai n: D1; Level : 3
Mai nt enance associ at i on: MA1; VLAN- I D: 3
Loopback i nt er val : 10; Loopback- t i meout : 4200 sec
Resul t s- bucket - si ze: 120
====================================================
MAC- addr ess | One- way| Two- way| Lat ency | Fr ame |
| j i t t er | j i t t er | | l oss |
- - - - - - - - - - - - - - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - - - +- - - - - - - -
00: A0: 12: 27: 12: 40| 100 | 98 | 10 | 10% |
00: A0: 12: 27: 12: 40| 80 | 99 | 5| 2% |
====================================================

Page 96

Example 2
If you configure the updateinterval to zero seconds (monitoring is suspended), this command
displays only the processes but not monitoring tables (see ConfiguringtheTimebetween
PerformanceParameters Update).
device-name(config-cfm)#update interval 0
device-name(config-cfm)#end
device-name#show cfm process
The Per f or mance moni t or i ng i s di sabl ed. The updat e i nt er val i s set t o 0
Pr ocess: 1
Moni t or i ng pr of i l e: def aul t
Domai n: d1; Level : 1
Mai nt enance Associ at i on: ma1; VLAN- I D: 10
Loopback i nt er val : 60s; Loopback t i meout : 1200s;
Resul t s bucket si ze: 20
Displaying the Update Interval
The show cfm update-interval command displays the update interval value in seconds.
Command Syntax
device-name#show cfm update-interval
Example
device-name(config-cfm)#update interval 10
device-name(config-cfm)#end
device-name#show cfm update-interval
Updat e i nt er val i s set t o: 10 seconds

Page 97

Sending Linktrace Messages
The cfm linktrace command sends a linktrace message to a specified MEP or MIP in the
domain.
Command Syntax
device-name#cfm linktrace domain NAME ma MA-NAME mep <mep-id> {target-mip
HH:HH:HH:HH:HH:HH | target-mep <mep-id>} [timeout <timeout>] [ttl
<TTL>]
domain NAME The maintenance domain.
ma MA-NAME The maintenance association.
mep <mep-id> The Source MEP ID, in the range of <18191>.
target-mip
HH:HH:HH:HH:HH:HH
The MAC address of the linktrace destination MIP.
target-mep
<mep-id>
The linktrace destination MEP ID, in the range of <18191>.
timeout <timeout> (Optional) the linktrace reply (LTR) timeout, in the range of <160>
seconds
2 seconds
ttl <TTL> (Optional) the initial TTL field value, in the range of <1255>.
Example
device-name#cfm linktrace domain d5 ma ma5 mep 204 target-mep 201
Tr aci ng l i nk f r ommep 204 t o mep- i d 201 ( 00: A0: 12: 11: 11: 11)
Sendi ng l oopback message t o r ef r esh MAC addr ess t abl es. . .
Loopback r epl y r ecei ved
Sendi ng Li nkt r ace Message
Wai t i ng t o r ecei ve Li nkt r ace Repl i es
Repl y wi t h t t l 63 t r ansI D 7674 f r om00: A0: 12: 11: 11: 11 ( 5 ms)
Tar get MAC f ound
Done.

Page 98

Sending Loopback Messages
The cfm loopback domain command sends a loopback message to a specific MEP or MIP in a
specified domain.
Command Syntax
device-name#cfm loopback domain NAME ma MA NAME mep <mep-id> {target-mep
<mep-id> | target-mip HH:HH:HH:HH:HH:HH} [number <number> | infinite]
[delay <delay>] [timeout <timeout>] [payload-size <size>]
domain NAME The maintenance domain.
ma MA NAME The maintenance association.
mep <mep-id> The Source MEP ID, in the range of <18191>.
target-mep
<mep-id>
The loopback destination MEP ID, in the range of <18191>.
target-mip
HH:HH:HH:HH:HH:HH
The MAC address of the linktrace destination MIP.
number <number> (Optional) defines the number of loopback messages sent, in the
range of <11024>
3 messages
infinite (Optional) configure the loopback to run continuously until you press
<ESC>
NOTE
Using this argument changes the delay value to 1, in
case you previously defined the delay value to 0.
delay <delay> (Optional) the delay between 2 consecutive loopback messages, in
the range of <060>seconds
5 seconds
timeout <timeout> (Optional) the loopback reply (LBR) timeout, in the range of <160>
seconds
2 seconds
payload-size
<size>
(Optional) the loopback message PDU size, in the range of <01462>
bytes
0 bytes

Page 99

Example 1
device-name#cfm loopback domain D5 ma ma5 mep 17 target-mep 13 number 5 size
64
Sendi ng 5 l oopback message t o mep- i d 13 ( 00: A0: 12: 27: 00: 80)
. . . . .
Done.
Sent 5. Recei ved ok 5. Out of or der 0. Bad 0. Success r at e 100. 0%
Ti me msec. ( mi n/ avg/ max) : 0. 5/ 1/ 1. 5
Example 2
device-name#cfm loopback domain d5 ma ma5 mep 17 target-mip 00:A0:12:22:5A:00
number 5 size 64
Sendi ng 5 l oopback message( s) t o mi p 00: A0: 12: 22: 5A: 00
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Done.
Sent 5. Recei ved ok 5. Out of or der 0. Bad 0. Success r at e 100%
Table 17: Parameters Displayed by the cf ml oopback domai n Command
mi n
The minimum time, in seconds, for receiving a loopback message.
avg
The average time, in seconds, for receiving a loopback message.
max
The maximum time, in seconds, for receiving a loopback message.

Page 100

CFM Configuration Example
Configuring two Devices in CFM Protocol
The following example is based on the following figure. The example shows how to configure an
Ethernet network using a CFM protocol.

Figure 14: Example for Configuring Two Devices in CFM Protocol
1. Create a VLAN with the specified name vl10 and ID 10:
Device1(config vlan)#create vl10 10
2. Change the configuration mode to a specified VLAN Configuration mode specified by name
in the command argument:
Device1(config vlan)#config vl10
3. Add port 1/ 2/ 1 as a tagged port:
Device1(config-vlan vl10)#add ports 1/2/1 tagged
Device1(config-vlan vl10)#end
4. Verify if the CFM protocol is enabled:
Device1(config)#cfm

Page 101

[ %Er r or ] %CFM i s di sabl ed, enabl e i t t o conf i g
5. If CFM protocol is disabled, enable it:
Device1(config)#cfm enable
6. Create a maintenance domain with a specified name d7and level 7and create a maintenance
association within a specified domain:
Device1(config-cfm)#domain name d7 level 7
Device1(config-cfm-d7)#ma name ma7 vlan-ID 10
7. Specify the identification data sent to the remote MEPs creation policy on the specified MA:
Device1(config-cfm-d7-ma7)#senderid-content hostname
Device1(config-cfm-d7-ma7)#mip-policy explicit
8. Add port 1/ 2/ 1 as MEP to a specified MA:
Device1(config-cfm-d7-ma7)#mep 1 port 1/2/1 out
Device1(config-cfm-d7-ma7)#end
9. Create profile p1and process proc1for Device1:
Device1(config)#cfm
Device1(config-cfm)#profile p1
Device1(config-cfm-profile-p1)#rate 3
Device1(config-cfm-profile-p1)#exit
Device1(config-cfm)#process proc1 domain d7 ma ma7 profile p1 repeat
minutes 0 seconds 1
Device1(config-cfm)#end
1. Create a VLAN with the specified name vl10and ID 10:
Device2(config)#cfm

Page 102

7. Specify the identification data to be sent to the remote MEPs and the MIP creation policy on
the specified MA:
Device2(config-cfm-d7-ma7)#senderid-content hostname
Device2(config-cfm-d7-ma7)#mip-policy explicit
8. Add port 1/ 2/ 2 as MEP to the specified MA:
Displaying CFM Processes and Profiles on Device1:
Device1#show cfm profile
Pr of i l e name: def aul t

Pr of i l e name: p1

Device1#show cfm profile p1
Pr of i l e name: p1


Page 103

Device1#show cfm process proc1
Pr ocess: pr oc1
Moni t or i ng pr of i l e: p1
Domai n: d7; Level : 7
Mai nt enance Associ at i on: ma7; VLAN- I D: 10
Loopback i nt er val : 1s; Loopback t i meout : 20s;
Resul t s bucket si ze: 20
===========================================================
| MAC | One- way | Two- way | Lat ency | Fr ame |
| Addr ess | j i t t er | j i t t er | | l oss |
| - - - - - - - - - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - +- - - - - - - |
| 00: A0: 12: 27: 08: 20 | 0. 0 | 4. 2 | 0 | 0. 00%|
===========================================================
Displaying CFM Configuration and CFM Connectivity Statistics on
Device 1:
Device1#show cfm
Level : 7
VLAN I D: 10
Mi p Pol i cy: expl i ci t
Sender I D Cont ent : host name
AI S- LCK: di sabl ed

Local MEPs
===============================================================
| MEP | Por t | Adm | CCM| Oper | Al ar m| CCM | Sent |
| | | St at e| En | St at e | Level | Pr i or i t y| CCM |
| - - - - - +- - - - - - - - - - +- - - - - - +- - - +- - - - - - - +- - - - - - - +- - - - - - - - +- - - - - - - - |
| 1| 1/ 2/ 1| Up | Yes| UP | 1 | 6 | 80|
===============================================================

Device1#show cfm connectivity
Level : 7
VLAN I D: 10

========================================================
| MEP| MAC- addr ess | Adm | Oper | Last St at e |
| | | St at e | St at e | Change |
| - - - - +- - - - - - - - - - - - - - - - - +- - - - - - - +- - - - - - - +- - - - - - - - - - - - - - - - - |
| 2| 00: A0: 12: 27: 08: 20| Up | Up | 2days 14: 54: 34|
========================================================

Page 104

Sending a loopback message to a specified MEP in a specified
domain:
Device1#cfm loopback domain d7 ma ma7 mep 1 target-mep 2 delay 0 number 10
Sendi ng 10 l oopback message( s) t o mep- i d 2 ( 00: A0: 12: 27: 08: 20)
. . . . . . . . . .
Done.
Sent 10. Recei ved 10. Out of or der 0. Bad 0. Success r at e 100%
Sending a linktrace message to a specified MEP in a specified
domain:
Device1#cfm linktrace domain d7 ma ma7 mep 1 target-mep 2
Tr aci ng l i nk f r ommep 1 t o mep- i d 2 ( 00: A0: 12: 27: 08: 20)
Sendi ng l oopback message t o r ef r esh MAC addr ess t abl es. . .
Loopback r epl y r ecei ved
Sendi ng Li nkt r ace Message
Wai t i ng t o r ecei ve Li nkt r ace Repl i es
Repl y wi t h t t l 63 t r ansI D 7674 f r om00: A0: 12: 27: 08: 20 ( 5 ms)
Tar get MAC f ound
Done.

Page 105

Using the clear connectivity Command
This example is based on the following figure and describes the using of the clear connectivity
command.

Figure 15: Example for using the clear connectivity Command
3. Add ports 1/ 2/ 1 and 1/ 2/ 2 as tagged ports:
Device1(config-vlan vl10)#add ports 1/2/1-1/2/2 tagged
Device1(config)#cfm

Page 106

1. Create a VLAN with the specified name vl10and ID 10:
Device2(config)#cfm

Page 107

Device2(config)#cfm
Displaying the CFM Connectivity Statistics:
Level : 7
VLAN I D: 10
===================================================
| | | St at e| St at e| Change |
| - - - +- - - - - - - - - - - - - - - - - +- - - - - +- - - - - +- - - - - - - - - - - - - - - - - |
| 205| 00: A0: 12: 27: 08: 20| Up | Up | 1days 14: 54: 34|
| 203| 00: A0: 12: 27: 08: 21| Up | Up | 1days 14: 23: 25|
===================================================

Page 108

Displaying the CFM Connectivity Statistics after the Connection
between Device 1 and Device3 is Removed:
Level : 7
VLAN I D: 10
===================================================
| - - - +- - - - - - - - - - - - - - - - - +- - - - - +- - - - - +- - - - - - - - - - - - - - - - - |
| 205| 00: A0: 12: 27: 08: 20| Up | Up | 1days 14: 54: 34|
| 203| 00: A0: 12: 27: 08: 21| Down | Down | 1days 14: 23: 25|
===================================================
Clearing the Remote Inactive and Unused MEPs with the cl ear
connect i vi t y Command:
Device1(config)#cfm
Device1(config-cfm)#domain name d7
Device1(config-cfm-d7)#ma name ma7
Device1(config-cfm-d7-ma7)#clear connectivity
Displaying CFM Connectivity Statistics after Using the cl ear
connect i vi t y Command:
Level : 7
VLAN I D: 10
===================================================
| - - - +- - - - - - - - - - - - - - - - - +- - - - - +- - - - - +- - - - - - - - - - - - - - - - - |
| 205| 00: A0: 12: 27: 08: 20| Up | Up | 1days 14: 54: 34|
===================================================

Page 109

SAA Throughput Test
Overview
CFM-OAM SAA Throughput tests are out-of-service applications that provide traffic
measurements between two network elements.
These tests are based on CFM domains, MEPs, and MAs (see 802.1agConnectivityFault Management
(CFM))

CAUTION
Initiating these tests stops all traffic on the test devices.

The T-Marc 300 Series support two types of throughput tests:
Unidirectional throughput test
Bi-directional throughout test
Unidirectional Throughput Test
Unidirectional throughput tests provide accurate measurements of different rates (such as duration,
maximum rate of test packets, maximum timeout, and list of data sizes) for both egress and ingress
traffic (see figure below).
The test measures the frame loss ratio between the test-head that sends the test packets and the
test-tail that receives them, comparing the results to a definable threshold.

Figure 16: Unidirectional Test

Page 110

To perform the unidirectional throughput test, the system administrator needs to define the
following parameters:
The test-head (source) and test-tail (target) within an existing domain
PDU sizes: since this test calculates performance for each PDU size (64, 128, 256, 512, 1024,
1280, 1518, 2000, 9000 bytes), displaying the test results per PDU size, the system
administrator has to select the relevant PDU sizes for the test.
Maximum traffic rate, and the ratio between the constant and burst traffic rate: the test sends
two streams of traffic from the test-head, together concluding the test's maximum traffic rate:
Stream 1: The constant traffic rate (simulating the Committed Information RateCIR).
In default setting, this stream takes up 90% of the maximum traffic rate.
Stream 2: The burst traffic rate (simulating the Committed Burst SizeCBS). In default
setting, this stream takes up the remaining 10% of the maximum traffic rate.
PDU burst size (in packets) for stream 2, which is CBS/ PDU size
The test length: the test duration per selected PDU size
When executing the test, the test-tail calculates the packet count for each test sequence, sending the
results to the test-head. Based on this message, the test-head reduces the test rate or continues to
the next PDU size.
To ensure the notification delivery, the test-tail keeps sending the results until the test-head sends a
reply to the test-tail or until it reaches the configured timeout.
If the test-head does not receive the message, it stops the test.
Bi-Directional Throughput Test
The bi-directional throughput test is based on the end-to-endunicast loopback test (as shown in the
below figure).
The test measures the frame loss ratio between the test-head (source) that sends the test packets
and test-loopback that receives them, comparing the results to a definable threshold.

Figure 17: End- to- End Unicast Loopback Test
The bi-directional throughput test generates test frames using 802.1ag LBM/ LBR format.

Page 111

To perform the bi-directional throughput test, the system administrator needs to define the
following parameters:
The test-head (source) and test loopback (target) within an existing domain
PDU sizes: since this test calculates performance for each PDU size (64, 128, 256, 512, 1024,
1280, 1518, 2000, 9000 bytes), displaying the test results per PDU size, the system
administrator has to select the relevant PDU sizes for the test.
Maximum traffic rate, and the ratio between the constant and burst traffic rate: the test sends
two streams of traffic from the test-head, together concluding the test's maximum traffic rate:
Stream 1: The constant traffic rate (simulating the Committed Information RateCIR).
In default setting, this stream takes up 90% of the maximum traffic rate.
Stream 2: The burst traffic rate (simulating the Committed Burst SizeCBS). In default
setting, this stream takes up the remaining 10% of the maximum traffic rate.
PDU burst size (in packets) for stream 2, which is CBS/ PDU size
The test length: the test duration per selected PDU size
Select one of the below the loopback types:
MAC SA/ DA swap and LBM to LBR swap
MAC SA/ DA swaps only
When performing a bi-directional throughput test:
The test transmits PDUs in the defined CIR rate for a single test duration to determine
whether the frame-loss drops from a configurable threshold.
After finishing the packets transmission, the test suspends for a period of time equal to the
maximum latency in which all the packets arrive.
Each transmitted PDU has an ID (sequence number) and timestamp used for statistics
calculation.
If the frame-loss is above the maximum frame-loss percentage, the source repeats the test in a
lower rate until frame loss is within the configured SLA range.
Display the following results: Maximum successful throughput, frame-loss measured at that
throughput, and total packets sent.

Page 112

The SAA Throughput Test Configuration Flow
1. Create a throughput test and enter the Throughput Test Configuration mode. See Creatinga
Throughput Test.
2. Define the test type. SeeDefiningtheThroughput Test Type.
3. Define the parameters of the generated traffic. See DefiningtheSourcefor Throughput Test.
4. Define the C-VLAN in the generated test packets. See DefiningtheC-VLAN.
5. Define the destination of the throughput test. See DefiningtheThroughput Test Target.
6. Define the maximum rate of the test packets. See DefiningtheMaximumTest Rate.
7. Define the committed burst size. See DefiningtheBurst Sizefor theUnidirectional Test.
8. Define the duration of a single test sequence. See DefiningtheTest Duration
9. Define the pattern of the test packet. See DefiningtheTest Packet Pattern.
10. Define the frame-loss ratio threshold. See DefiningtheFrameLossRatioThreshold.
11. Define the list of data-size for which the throughput test is executed. See DefiningtheTest's
Data-Size.
12. Define the maximum timeout for the test packets. See DefiningtheTest Timeout.
13. Define the time to wait for the test tail to send acknowledgment. See DefiningtheResult
AcknowledgeTimeout.
14. Define the loopback type. See DefiningtheLoopback Type.
15. Start the throughput test. See Starting/ StopingtheThroughput Test.
16. Display the results of the throughput test. See DisplayingtheThroughput Test Results.

Page 113

SAA Throughput Test Configuration Commands
Table 18: Throughput Tests commands
Command Description
saa throughput test Creates a throughput test and enters the Throughput Test
Configuration mode (see Creating a Throughput Test)
type Defines the throughput test type (see Defining the Source for
Throughput Test)
source Defines the parameters of the generated traffic (see Defining the
Source for Throughput Test)
c-vlan Defines the C-VLAN in the generated test packets (see Defining
the C-VLAN)
target Defines the throughput test destination (see Defining the
Throughput Test Target)
cir Defines the maximum committed information rate (CIR) of the test
packets (see Defining the Maximum Test Rate)
cbs Defines the committed burst size (CBS) and its ratio for the
second stream in the unidirectional testing (see Defining the Burst
Size for the Unidirectional Test)
duration Defines the duration of a single test sequence (see Defining the
Test Duration)
pattern Defines the pattern of the test packet (see Defining the Test
Packet Pattern)
frame-loss Defines the allowed frame-loss ratio threshold for throughput test
(see Defining the Frame Loss Ratio Threshold)
data-size Defines the list of data-sizes for which the throughput test is
executed (see Defining the Test's Data-Size)
timeout Defines the maximum timeout for the test packets (see Defining
the Test Timeout)
result-ack-timeout Defines the time to wait for the test-tail to send acknowledgement
(see Defining the Result Acknowledge Timeout)
loopback-type Defines the loopback type (see Defining the Loopback Type)
shutdown Stops/starts the throughput test (see Starting/Stoping the
Throughput Test)
show saa throughput
test
Displays the results of the throughput test (see Displaying the
Throughput Test Results)

Page 114

Creating a Throughput Test
The saa throughput test command creates a throughput test and enters the Throughput Test
Configuration mode. You can create and configure up to 32 multiple tests, but only one can run at
a time.

NOTE
You have to shutdown the test in order to change its configuration or remove it.

NOTE
If you try to create a throughput test with a name already used by the SAA test,
an error message is displayed; see Example 2 below.

Command Syntax
device-name(config)#saa throughput test NAME
device-name(config)#no saa throughput test NAME
NAME
Specifies the test's name, a string of up to 10 characters.
no
Removes the specified test.
Example 1
device-name(config)#saa throughput test t1
device-name(config-saa-throughput)#
Example 2
device-name(config)#saa test T1
device-name(config-saa-T1)#exit
device-name(config)#saa throughput test T1
[ %Er r or ] A saa t est named T1 al r eady exi st
Example 3
Max number of t hr oughput t est s r eached

Page 115

Defining the Throughput Test Type
The type command defines the throughput test type.
CLI Mode: Throughput Test Configuration
Command Syntax
device-name(config-saa-throughput)#type {uni-test-head | bi-test-head | uni-
test-tail | bi-test-loopback}
uni-test-head
Defines a unidirectional throughput test.
bi-test-head
Defines a bi-directional throughput test.
uni-test-tail
Defines the test-tail functionality during a unidirectional throughput
test.
bi-test-loopback
Defines the test-loopback functionality during a bi-directional test.
Examples:
Configure the test to unidirectional throughput test:
device-name(config-saa-throughput)#type uni-test-head
device-name(config-saa-throughput-uth)#
Configure the test to bi-directional throughput test:
device-name(config-saa-throughput)#type bi-test-head
device-name(config-saa-throughput-bth)#
Configure the test-tail functionality during unidirectional throughput test:
device-name(config-saa-throughput)#type uni-test-tail
device-name(config-saa-throughput-tt)#
Configure the test-loopback functionality during bi-directional throughput test:
device-name(config-saa-throughput)#type bi-test-loopback
device-name(config-saa-throughput-loopback)#
Return a message that the test type is changed:
device-name(config-saa-throughput)#type bi-test-head
device-name(config-saa-throughput-bth)#exit
device-name(config-saa-throughput)#type bi-test-loopback
Reset t i ng t est t ype, di scar di ng pr evi ous conf i gur at i on

Page 116

Defining the Source for Throughput Test
The source command defines the generated traffic's parameters. This command is applicable for
all types of throughput tests.

NOTE
Configure the domain, MA, and MEP prior to running this command.
Configure this command immediately after the t ype command.
Command Syntax
device-name(config-saa-throughput-uth)#source cfm domain NAME ma NAME mep <ID>
[drop-eligible] [priority <0-7>]
device-name(config-saa-throughput-uth)#no source
device-name(config-saa-throughput-bth)#source cfm domain NAME ma NAME mep <ID>
[drop-eligible] [priority <0-7>]
device-name(config-saa-throughput-bth)#no source
device-name(config-saa-throughput-tt)#source cfm domain NAME ma NAME mep <ID>
device-name(config-saa-throughput-tt)#no source
device-name(config-saa-throughput-loopback)#source cfm domain NAME ma NAME mep
<ID>
device-name(config-saa-throughput-loopback)#no source
cfm Uses IEEE 802.1ag CFM protocol.
domain NAME Specifies the CFM domain.
ma NAME Specifies the CFM MA (defines the S-VLAN and priority).
mep <ID> Specifies the MEP ID, in the range of <18191>.
drop-eligible (Optional, valid only for unidirectional and bi-directional test-heads)
defines Data Exchange Interface (DEI) for S-TAG.
DEI is 0 (not drop-eligible)
priority <0-7> (Optional, valid only for unidirectional and bi-directional test-heads)
allows you to override default VPT bits for S-VLAN.
6
no Removes the previous configuration.

Page 117

Examples
The domains, MA, and MEP must be configured prior to executing the source command.
device-name(config-saa-throughput-uth)#source cfm domain d7 ma ma7 mep 10
drop-eligible priority 5
If the domains, MA, and MEP are not already configured, the below messages are displayed:
%Er r or . ' d7' does not exi st
%Er r or . ' ma7' does not exi st
%Er r or . ' 10' does not exi st
Defining the C-VLAN
The c-vlan command defines the C-VLAN in the generated test packets. The command is
applicable for all types of throughput tests.
Command Syntax
device-name(config-saa-throughput-uth)#c-vlan <c-vlan-id> [drop-eligible]
[priority <0-7>]
device-name(config-saa-throughput-uth)#no c-vlan
device-name(config-saa-throughput-bth)#c-vlan <c-vlan-id> [drop-eligible]
[priority <0-7>]
device-name(config-saa-throughput-bth)#no c-vlan
device-name(config-saa-throughput-tt)#c-vlan <c-vlan-id> [drop-eligible]
[priority <0-7>]
device-name(config-saa-throughput-tt)#no c-vlan
device-name(config-saa-throughput-loopback)#c-vlan <c-vlan-id> [drop-eligible]
[priority <0-7>]
device-name(config-saa-throughput-loopback)#no c-vlan
c-vlan <c-vlan-id> Defines the C-VLAN ID, in the range of <14094>.
drop-eligible (Optional) specifies the DEI bit.
0 (not drop-eligible)
priority <0-7> (Optional) defines the 802.1p priority bits.
0
no Restores to defaults.
packets are not tagged
Example
device-name(config-saa-throughput-uth)#c-vlan 10 drop-eligible priority 5

Page 118

Defining the Throughput Test Target
The target command defines the throughput test's destination. This command is applicable to
unidirectional and bi-directional test-heads.

NOTE
Configure the target after configuring the source and the target MEP.
Command Syntax
device-name(config-saa-throughput-uth)#target {mip HH:HH:HH:HH:HH:HH | mep
<mep-id>}
device-name(config-saa-throughput-uth)#no target
device-name(config-saa-throughput-bth)#target {mip HH:HH:HH:HH:HH:HH | mep
<mep-id>}
device-name(config-saa-throughput-bth)#no target
mip HH:HH:HH:HH:HH:HH Specifies the target MIP MAC address.
mep <mep-id>
Defines the target MEP ID, in the range of <18191>.
no Removes the previous configuration.
Examples
Define the throughput test's destination:
device-name(config-saa-throughput-uth)#target mip 00:11:22:33:44:55
If the MEP is not already configured, the below message is displayed:
priority 5 drop-eligible
device-name(config-saa-throughput-uth)#target mep 10
%CFM MEP not f ound
If the source is not already configured, the below message is displayed:
device-name(config-saa-throughput-uth)#target mep 10
%Sour ce domai n and MA must be speci f i ed f i r st

Page 119

Defining the Maximum Test Rate
The cir command defines the maximum Committed Information Rate (CIR) of the test packets.
This command is applicable to unidirectional and bi-directional test-heads.

NOTE
The CBS value must be smaller than CIR x Duration value.

Command Syntax
device-name(config-saa-throughput-uth)#cir <rate>
device-name(config-saa-throughput-uth)#no cir
device-name(config-saa-throughput-bth)#cir <rate>
device-name(config-saa-throughput-bth)#no cir
rate
Defines the test packets maximum rate, in the range of <641000000>kbps.
500 Mbps
no
Example
device-name(config-saa-throughput-uth)#cir 150
Defining the Burst Size for the Unidirectional Test
The cbs command defines the Committed Burst Size (CBS) for the second stream in the
unidirectional test. This command is applicable only for the unidirectional test-head.

NOTE
The CBS value must be smaller than the CIR x Duration value.

Command Syntax
device-name(config-saa-throughput-uth)#cbs <burst-size> percentage <0-100>
device-name(config-saa-throughput-uth)#no cbs

Page 120

burst-size Defines the burst size, in the range of <102048>KB.
1 MB
percentage <0-100> Defines the bursty stream's ratio in the unidirectional throughput
test.
Example
device-name(config-saa-throughput-uth)#cbs 64 percentage 55
Defining the Test Duration
The duration command defines the duration of a single-test sequence. This command is
applicable to unidirectional and bi-directional test-heads.
Command Syntax
device-name(config-saa-throughput-uth)#duration <time>
device-name(config-saa-throughput-uth)#no duration
device-name(config-saa-throughput-bth)#duration <time>
device-name(config-saa-throughput-bth)#no duration
time Defines the duration value, in the range of <110>seconds.
5 seconds
no
Restores to default
Examples:
Define the duration of a single-test sequence:
device-name(config-saa-throughput-uth)#duration 4
Here, the CBS value is larger than the CIR x Duration value (in the example: 150>2 x 64). An
error message appears. When changing the CIR value and fulfilling this condition, CIR accepts
the new value.
device-name(config-saa-throughput-uth)#duration 2
device-name(config-saa-throughput-uth)#cbs 150 percentage 30
%Val ue gi ven f or CI R i s i nval i d ( CBS must be smal l er t han CI R*Dur at i on)

Page 121

Defining the Test Packet Pattern
The pattern command defines the test packet's pattern type. This command is applicable to
unidirectional and bi-directional test-heads.
Command Syntax
device-name(config-saa-throughput-uth)#pattern {NULL | NULL-CRC | PRBS |
PRBS-CRC | NONE}
device-name(config-saa-throughput-uth)#no pattern
device-name(config-saa-throughput-bth)#pattern {NULL | NULL-CRC | PRBS |
PRBS-CRC | NONE}
device-name(config-saa-throughput-bth)#no pattern
NULL Specifies a 0 pattern type for all the tests.
NULL-CRC Specifies a 0 pattern type with Cyclic Redundancy Check (CRC) for all the
tests.
PRBS Specifies Pseudo Random Bit Sequence (PRBS).
PRBS
PRBS-CRC Specifies PRBS with CRC.
NONE Specifies an arbitrary pattern.
Example
device-name(config-saa-throughput-uth)#pattern NULL
Defining the Frame Loss Ratio Threshold
The frame-loss command defines the allowed frame-loss ratio threshold for throughput tests.
Command Syntax
device-name(config-saa-throughput-uth)#frame-loss <frame-loss>
device-name(config-saa-throughput-uth)#no frame-loss
device-name(config-saa-throughput-bth)#frame-loss <frame-loss>
device-name(config-saa-throughput-bth)#no frame-loss

Page 122

frame-loss Defines the frame-loss ratio, in the range of <0100000>percents (the
resolution is 0.001%).
0%
no
Example
device-name(config-saa-throughput-bth)#frame-loss 50
Defining the Test's Data-Size List
The data-size command defines the test's data-size list for which the throughput test is executed.
Command Syntax
device-name(config-saa-throughput-uth)#data-size <fpga_pkt_size-list>
device-name(config-saa-throughput-uth)#no data-size
device-name(config-saa-throughput-bth)#data-size <fpga_pkt_size-list>
device-name(config-saa-throughput-bth)#no data-size
fpga_pkt_size-list Defines the data-size list: 64, 128, 256, 512, 1024, 1280,
1518, 2000, and 9000 bytes.
Separate tokens by a comma (',') or a dash ('-').
no
the test is performed for data-size list specified in the current
document (see Unidirectional Throughput Test and Bi-Directional
Throughput Test)
Example 1
device-name(config-saa-throughput-uth)#data-size 64
Example 2
device-name(config-saa-throughput-bth)#data-size 64-128

Page 123

Defining the Test Timeout
The timeout command defines the maximum timeout for the test packets. This command is
applicable to bi-directional test-heads only.
Command Syntax
device-name(config-saa-throughput-bth)#timeout <timeout>
device-name(config-saa-throughput-bth)#no timeout
timeout Defines the timeout, in the range of <0100>(in 0.1 of second increments).
1 second
no
Example
device-name(config-saa-throughput-bth)#timeout 10
Defining the Result Acknowledge Timeout
The result-ack-timeout command defines how long the test-head (source) waits for
acknowledgement from the test-tail (target). The test-head repeats the request 3 times before
stopping the test if no acknowledges are received.
This command is applicable to unidirectional test-heads only.
Command Syntax
device-name(config-saa-throughput-uth)#result-ack-timeout <timeout>
device-name(config-saa-throughput-uth)#no result-ack-timeout
timeout Defines the timeout, in the range of <160>seconds.
5 seconds
no

Page 124

Defining the Loopback Type
The loopback-type command defines the test's loopback type. This command is applicable to bi-
directional test-heads only.
Command Syntax
device-name(config-saa-throughput-bth)#loopback-type {OAM | MAC-SWAP}
device-name(config-saa-throughput-bth)#no loopback-type
OAM Specifies the MAC SA/DA swap and LBM to LBR swap.
OAM
MAC-SWAP Specifies the MAC SA/DA swap only.
Example
device-name(config-saa-throughput-bth)#loopback-type MAC-SWAP
Starting/Stoping the Throughput Test
The shutdown command stops the throughput test.

CAUTION
Initiating these tests stops all traffic on the test devices.

While performing a throughput test, CLI locks and a message informs you of each test iteration.
Pressing <ESC>, while the test is running, stops the test and the CLI unlocks.

NOTE
The device supports only one running throughput test at a time, although you can
create and configure up to 32 multiple tests. If you want to start other configured
test, first you have to stop the running throughput test.

NOTE
For correct results, first start the test on the test loopback device (in a Bi-directional
test) or the test-tail device (in a unidirectional test).

Command Syntax
device-name(config-saa-throughput)#[no] shutdown

Page 125

no Starts the throughput test
Example 1: a unidirectional test
device-name(config-saa-throughput)#no shutdown
Sendi ng START message t o Test Tai l . . .
Acknowl edge message r ecei ved f r omTest Tai l
Begi nni ng t est wi t h 64B packet s. . .
Tr yi ng wi t h bi t r at e 500 Mbps
Sendi ng GET message t o Test Tai l . . .
Recei ved r esul t s f r omTest Tai l : 3596551 packet s
Test succeeded. Fr amel oss 0. 000%
Example 2: a bi-directional test

Test f i ni shed.
Example 3: a loopback test
Begi nni ng l oopback t est . . .
Example 4: a test tail test
Wai t i ng f or st ar t message f r omTest Head
St ar t message r ecei ved f r omTest Head. Sendi ng back Aknowl edge message
Begi nni ng t est wi t h t ar get r at e 500000 Kbps
Recei ved GET r esul t s r equest f r omTest Head.
Sendi ng back r esul t : 3596551 r ecei ved packet s.
Example 5: pressing <ESC> while the test is running
St oppi ng t est . . .
Test st opped

Page 126

Displaying the Throughput Test Results
The show saa throughput test command displays the results of the throughput test.
If the throughput test is not completed yet, its status is displayed in the command output.
The output also displays the results of test sequences for completed data-sizes.
Command Syntax
device-name#show saa throughput test NAME
NAME The test name to display
Example 1: a unidirectional test
device-name#show saa throughput test t1
Out - of - ser vi ce UTH t est t owar ds 00: A0: 12: 4B: 07: A0 bel ongi ng t o MEP 2
Test name: t 1
Usi ng sour ce MEP 1 i n domai n d4 and MA ma4 on l evel 4
S- Vl an 10, pr i or i t y 6, dr op- el i gi bl e f l ag 0
CI R 500 Mbps CBS 1 MB, CI R per cent age 10%
Test dur at i on 5s, Pat t er n: PRBS
Maxi mumFr ame l oss 0. 000%
Test ed PDU si zes: 64, 128, 256, 512, 1024, 1280, 1518, 2000, 9000Out - of - ser vi ce UTH
t est t owar ds 00: A0: 12: 27: 09: 60 bel ongi ng t o MEP 222
Test name: t 1
Taggi ng al so wi t h C- Vl an 0, pr i or i t y 0, dr op- el i gi bl e f l ag 0
CI R 140000 Kbps CBS 2 MB, CBS per cent age 99%
Test dur at i on 5s, Pat t er n: PRBS
Test ed PDU si zes: 64, 128, 256, 512, 1024, 1280, 1518, 2000, 9000
Example 2: a loopback test
device-name#show saa throughput test t1
Out - of - ser vi ce Loopback t est f r om00: A0: 12: 22: 5B: A0 bel ongi ng t o MEP 10
Test name: t 1
Usi ng domai n d7 and MA ma7 on l evel 7
S- Vl an 10


Page 127

Throughput Test Configuration Example
The following example shows how to configure the test-head on two devices.

Figure 18: Configuring Two Devices in Throughput Test Configuration Mode
Configuring Device1 (Source):
1. Create a VLAN with the specified name and ID:
Device1(config)#cfm

Page 128

6. Create a maintenance domain with a specified name and level and create a maintenance
Device1(config)#domain name d7 level 7
Configuring Device2 (Target):
1. Create a VLAN with the specified name and ID:
Device2(config)#cfm
Device2(config)#domain name d7 level 7
8. Create a throughput test:
Device2(config)#saa throughput test t1
9. Set the throughput test type to test-loopback:
Device2(config-saa-throughput)#type bi-test-loopback
Device2(config-saa-throughput-loopback)#

Page 129

10. Set the throughput test source:
Device2(config-saa-throughput-loopback)#source cfm domain d7 ma ma7 mep 10
Device2(config-saa-throughput-loopback)#exit
Configuring Throughput test on Device1 (Source):
1. Create a throughput test:
Device1(config)#saa throughput test t1
2. Set the throughput test type to bi-directional:
Device1(config-saa-throughput)#type bi-test-head
3. Set the throughput test source:
Device1(config-saa-throughput-bth)#source cfm domain d7 ma ma7 mep 10
4. Set the throughput test target:
Device1(config-saa-throughput-bth)#target mep 20
5. Set the maximum test rate:
Device1(config-saa-throughput-bth)#cir 150
6. Set the test duration:
Device1(config-saa-throughput-bth)#duration 4
7. Set the test packet pattern:
Device1(config-saa-throughput-bth)#pattern PRBS-CRC
8. Set the frame loss ratio threshold:
Device1(config-saa-throughput-bth)#frame-loss 50
9. Set the list of test data-sizes:
Device1(config-saa-throughput-bth)#data-size 64,128
10. Set the timeout:0.
Device1(config-saa-throughput-bth)#timeout 100
Device1(config-saa-throughput-bth)#exit
Starting the throughput test on Device2 (Target):
Device2(config-saa-throughput)#no shutdown
Begi nni ng l oopback t est . . .
Device2(config-saa-throughput)#end

Page 130

Starting the throughput test on Device1 (Source):
Device1(config-saa-throughput)#no shutdown

Device1(config-saa-throughput)#end
Displaying the throughput test results on Device1 (Source):
Device1#show saa throughput test t1
Out - of - ser vi ce BTH t est t owar ds 00: A0: 12: 11: 22: 33 bel ongi ng t o MEP 10
Test name: t 1
CI R 150 Kbps
Test dur at i on 4s, Pat t er n: PRBS- CRC
Test ed PDU si zes: 64, 128
Displaying the throughput test results on Device2 (Target):
Device2#show saa throughput test t1
Out - of - ser vi ce Loopback t est f r om00: A0: 12: 22: 5B: A0 bel ongi ng t o MEP 10
Test name: t 1
Usi ng domai n d7 and MA ma7 on l evel 7
S- Vl an 10

Page 131

Service Assurance Application (SAA)
Overview
SAA is an in-service software feature that allows you to monitor the performance of network-
hosted applications by emulating the traffic of these applications. It provides the capability for
controlling and provisioning various OAM tests and SAA monitoring.
Using SAA you can measure real world performance scenarios through the SAA operations'
configuration, executing them periodically in a definable frequency.
SAA is based on the CFM feature, using its infrastructure to create and run ping tests, calculate and
store test results, and define performance profiles that include rising and falling statistics' thresholds.
Each test definition includes thresholds for different SLA levels. SAA calculates SLA statistics
(jitter, delay, and frame loss) and compares them to predefined SLA thresholds. In cases that the
statistics' values cross a threshold, SAA sends a notification.

Page 132

SAA Configuration Flow
To define SAA, proceed as follows:
1. Create an SAA profile. See Creatingan SAA Profile
2. Define the maximum number of concurrent active tests. See DefiningtheMaximumNumber of
Concurrent SAA Tests
3. Create SAA tests. See CreatinganSAA Test.
4. Configure the test type. See ConfiguringtheSAA Test Type.
5. Configure general test parameters, such as:
Frequency. See ConfiguringtheRepeat Frequency
Probe statistics. See ConfiguringProbeStatistics
Probe timeout. See ConfiguringProbeTimeout
Test sending interval. See ConfiguringtheTest SendingInterval
Monitored interval. See ConfiguringtheMonitored Interval
6. Enable/ Disable the SAA tests. See Enabling/ DisablingtheCurrent SAA Test.
7. Attach a profile to the current test. See Attachinga Threshold Profiletoan SAA Test and
EnablingAlarms.
8. Configure the test delay and jitter calculation methods. See ConfiguringtheTest Delay Calculation
Methodand ConfiguringtheTest Jitter Calculation Method.
9. Define the SAA loopback. See DefiningtheCurrent Loopback Functionality.
10. Display test results. See DisplayingtheSAA Tests Results.
11. Display configured profiles. See DisplayingtheSAA Threshold Profile.

Page 133

SAA Configuration Commands
Table 19: SAA Performance Monitoring Profiles Commands
Command Description
saa profile Creates a monitoring SAA profile and enters SAA Profile mode
(see Creating an SAA Profile)
delay-near-end Configures the measured one way delay threshold from the test-
head to the test loopback device (see Configuring the Near Delay
Thresholds)
delay-far-end Configures the measured one way delay threshold from the test
loopback to the test-head device (see Configuring the Far Delay
Thresholds)
jitter-near-end Configures the measured one way jitter threshold from the test-
head to the test loopback device (see Configuring the Near Jitter
Thresholds)
jitter-far-end Configures the measured one way jitter threshold from the test
loopback to the test-head device (see Configuring the Far Jitter
Thresholds)
frameloss-near-end Configures the measured one way frame loss ratio from the test-
head to the test loopback device (see Configuring the Near
Frame-Loss Ratio Thresholds)
frameloss-far-end Configures the measured one way frame loss ratio from the test
loopback to the test-head device (see Configuring the Far Frame-
Loss Ratio Thresholds)

Table 20: SAA Tests Commands
saa max-concurrent-
requests
Defines the maximum number of concurrent active tests (see
Defining the Maximum Number of Concurrent SAA Tests)
saa test Creates a new SAA test and enters SAA Test Configuration mode
(see Creating an SAA Test)
type y1731-ptp
service
Defines the type of the generated monitoring traffic for a specified
TLS service (see Configuring the SAA Service Test Type)
type y1731-ptp vlan Defines the type of the generated monitoring traffic for a specified
VLAN (see Configuring the SAA VLAN Test Type)
shutdown Enables/Disables the SAA test (see Enabling/Disabling the
Current SAA Test)
profile Specifies the threshold profile attached to the current SAA test and
enables the alarm feature (see Attaching a Threshold Profile to an
SAA Test and Enabling Alarms)
frequency Defines the repeat frequency (see Configuring the Repeat
Frequency)
probe-statistics Defines the number of intervals for which the calculation results
are kept in the result history database (see Configuring Probe
Statistics)

Page 134

timeout Defines the probe timeout period for the packets to reply before
considering them lost (see Configuring Probe Timeout)
period Defines the time interval between the packets sent by the test (see
Configuring the Test Sending Interval)
interval Defines the time interval for a test to collect data before doing a
calculation (see Configuring the Monitored Interval)
priority Defines the priority of the packets sent by the test (see Configuring
the Test Priority)
supported-functions Defines the type of metrics used by the test (see Configuring the
Test's Metric Types)
delay-calculation Configures the way the test calculates the frame-loss ratio delay
threshold (see Configuring the Test Delay Calculation Method)
jitter-calculation Configures the way the test calculates the jitter delay threshold
(see Configuring the Test Jitter Calculation Method)
saa loopback service Defines the enabled loopback functionality for a specified TLS
service (see Defining the Current Service Loopback Functionality)
saa loopback service Defines the enabled loopback functionality for a specified VLAN
(see Defining the Current VLAN Loopback Functionality)

Table 21: SAA Display Commands
Command Description
show saa test Displays the configuration of the SAA tests and the results of the
calculations at the end of the monitored intervals (see Displaying
the SAA Tests Results)
show saa profile Displays the configuration of the defined SAA profile (see
Displaying the SAA Threshold Profile)
show saa loopback Displays what loopback functionality is enabled and for what
services (see Displaying the SAA Loopback Service)
show saa loopback Displays what loopback functionality is enabled and for what VLAN
ID (see Displaying the SAA Loopback VLAN)


Page 135

Creating an SAA Profile
The saa profile command creates a monitoring SAA profile (up to 100 profiles) and enters the
SAA Profile mode. You can attach a profile to an SAA test.
Command Syntax
device-name(config)#saa profile <profile_id> [PROFILENAME]
device-name(config)#no saa profile <profile_id>
profile_id Defines the ID of the new profile to be configured, in the range of
<12147483647>.
PROFILENAME (Optional). Defines the name of the SAA profile.
no
Removes the configured SAA profile
NOTE
You cannot remove a profile associated with a running test.
Example
device-name(config)#saa profile 1 StrictProfile
device-name(config-saa-profile-1)#
Configuring the Near Delay Thresholds
The delay-near-end command configures the measured one way delay threshold from the test-
head to the test loopback device.
Enable the 1588v2 Precision Time Protocol (PTP), for this test to detect a high resolution deviation
of 100 microseconds delay (for more information, refer to the DeviceAdministrationchapter of this
User Guide).
CLI Mode: SAA Profile Configuration
Command Syntax
device-name(config-saa-profile-Profile_ID)#delay-near-end <delay_threshold>
device-name(config-saa-profile-Profile_ID)#no delay-near-end
<delay_threshold>

Page 136

delay_threshold
Defines the one way delay threshold, in the range of <160000000>
microseconds.
1 second
no
Example
device-name(config-saa-profile-1)#delay-near-end 10000
Configuring the Far Delay Thresholds
The delay-far-end command configures the measured one way delay threshold from the test
loopback to the test-head device.
Enable the 1588v2 Precision Time Protocol (PTP), for this test to detect a high resolution deviation
of 100 microseconds delay (for more information, refer to the DeviceAdministrationchapter of this
User Guide).
Command Syntax
device-name(config-saa-profile-Profile_ID)#delay-far-end <delay_threshold>
device-name(config-saa-profile-Profile_ID)#no delay-far-end <delay_threshold>
delay_threshold Defines the one way delay threshold, in the range of <160000000>
microseconds.
1 second
no
Restores to default
Example
device-name(config-saa-profile-1)#delay-near-end 15000

Page 137

Configuring the Near J itter Thresholds
The jitter-near-end command configures the measured one way jitter threshold from the test-
head to the test loopback device.
Command Syntax
device-name(config-saa-profile-Profile_ID)#jitter-near-end <jitter_threshold>
device-name(config-saa-profile-Profile_ID)#no jitter-near-end
<jitter_threshold>
jitter_threshold Defines the one way jitter threshold, in the range of <160000000>
microseconds.
300 milliseconds
no
Example
device-name(config-saa-profile-1)#jitter-near-end 4500
Configuring the Far J itter Thresholds
The jitter-far-end command configures the measured one way jitter threshold from the test
loopback to the test-head device.
Command Syntax
device-name(config-saa-profile-Profile_ID)#jitter-far-end <jitter_threshold>
device-name(config-saa-profile-Profile_ID)#no jitter-far-end
<jitter_threshold>
jitter_threshold Defines the one way jitter threshold, in the range of <160000000>
microseconds.
300 milliseconds
no
Example
device-name(config-saa-profile-1)#jitter-near-end 5000

Page 138

Configuring the Near Frame-Loss Ratio Thresholds
The frameloss-near-end command configures the measured one way frame loss ratio from the
test-head to the test loopback device.
Command Syntax
device-name(config-saa-profile-Profile_ID)#frameloss-near-end
<frame_loss_threshold>
device-name(config-saa-profile-Profile_ID)#no frameloss-near-end
frame_loss_threshold Defines the one way frame-loss ratio, in the range of <0100000>
percents. The resolution is 0.001%.
8%
no
Example
device-name(config-saa-profile-1)#frameloss-near-end 100
Configuring the Far Frame-Loss Ratio Thresholds
The frameloss-far-end command configures the measured one way frame loss ratio from the
test loopback to the test-head device.
Command Syntax
device-name(config-saa-profile-Profile_ID)#frameloss-far-end
device-name(config-saa-profile-Profile_ID)#no frameloss-far-end
frame_loss_threshold Defines the one way frame-loss ratio, in the range of <0100000>
percents. The resolution is 0.001%.
8%
no

Page 139

Defining the Maximum Number of Concurrent SAA Tests
The saa max-concurrent-requests command defines the maximum number of concurrent
active tests.
Command Syntax
device-name(config)#saa max-concurrent-requests <NUMBER>
device-name(config)#no saa max-concurrent-requests
NUMBER Defines the maximum concurrent active tests, in the range of <132>
10 concurrent active tests
no
Restores to default
Example
device-name(config)#saa max-concurrent-requests 5
Creating an SAA Test
The saa test command creates a new SAA test and enters the SAA Configuration mode.

NOTE
If you try to create an SAA test with a name already used by the throughput test,
an error message is displayed; see Example 2 below.

Command Syntax
device-name(config)#saa test TESTNAME [OWNERNAME]
device-name(config)#no saa test TESTNAME [OWNERNAME]
TESTNAME Defines the test name up to 32 characters.
OWNERNAME (Optional) defines the test-owner's name.
no
Removes an existing test.

Page 140

Example 1
device-name(config-saa-T1)#
Example 2
device-name(config-saa-throughput)#exit
[ %Er r or ] A t hr oughput t est named T2 al r eady exi st
Configuring the SAA Service Test Type
The type y1731-ptp service command defines the type of the generated monitoring traffic for a
specified TLS service.

NOTE
Configure a TLS service prior to running this command.
Configure an MD, MA, and remote MEP prior to running this command.
Configure this command immediately after creating the test.

CLI Mode: SAA Test Configuration
Command Syntax
device-name(config-saa-TESTNAME)#type y1731-ptp service <1-4294967295>
oamdomain <LEVEL> HH:HH:HH:HH:HH:HH [clock-in-sync]
service <1-4294967295> The TLS service ID
oamdomain <LEVEL> The CFM domain level, in the range of <07>. When the
domain is already created, this argument is optional.
The levels are:
Operator MA levels: 02
Provider MA levels: 34
Customer MA levels: 57
HH:HH:HH:HH:HH:HH The target MAC address.
clock-in-sync (Optional, only for PTP time synchronization with the peer)
synchronizes the internal clock of the device.
Example
device-name(config-saa-T1)#type y1731-ptp service 1 oamdomain 7
00:A0:12:11:22:33

Page 141

Configuring the SAA VLAN Test Type
The type y1731-ptp vlan command defines the type of the generated monitoring traffic for a
specified VLAN.

NOTE
Configure a VLAN prior to running this command.
Configure an MD, MA, and remote MEP prior to running this command.
Configure this command immediately after creating the test.

Command Syntax
device-name(config-saa-TESTNAME)#type y1731-ptp vlan <2-4094> uplink-port
{UU/SS/PP | ag0N} user-port {UU/SS/PP | ag0N} oamdomain <0-7>
HH:HH:HH:HH:HH:HH [clock-in-sync]
vlan <2-4094> The VLAN ID
uplink-port The core (uplink) port
UU/SS/PP
The target interface on which VLAN is used
ag0N
The link aggregation ID (ag01, ag04ag07) on which VLAN is used.
The allowed ID is in the range of <17>
user-port The access (user) port
oamdomain <LEVEL> The CFM domain level, in the range of <07>. When the domain is
already created, this argument is optional.
The levels are:
Operator MA levels: 02
Provider MA levels: 34
Customer MA levels: 57
HH:HH:HH:HH:HH:HH The target MAC address
clock-in-sync (Optional, only for PTP time synchronization with the peer)
synchronizes the internal clock of the device
Example
device-name(config-saa-T1)#type y1731-ptp vlan 10 uplink-port 1/1/1 user-port
1/2/2 oamdomain 6 00:A0:12:00:00:00

Page 142

Enabling/Disabling the Current SAA Test
The shutdown command disables the SAA test.
Tests that run for a single interval stop running at the end of the configured interval however you
can also stop tests by using this command.
Command Syntax
device-name(config-saa-TESTNAME)#shutdown
device-name(config-saa-TESTNAME)#no shutdown
no
Enables the SAA test.
all tests are in a shutdown/disabled state
Example
device-name(config-saa-test)#no shutdown
Attaching a Threshold Profile and Enabling Alarms
The profile command specifies the threshold profile attached to the current SAA test and enables
the alarm feature.
After each interval, the calculated test results are compared to the profile thresholds, sending an
alarm when these thresholds are crossed.
Command Syntax
device-name(config-saa-TESTNAME)#profile <profile_id>
device-name(config-saa-TESTNAME)#no profile
profile_id Specifies an existing profile ID to attach to the current SAA test. The
values for the IDs are in the range of <12147483647>.
the calculations are done at the end of an interval and the results are
stored in the result history database
no
Restores to default
Example
device-name(config-saa-T1)#profile 1

Page 143

Configuring the Repeat Frequency
The frequency command defines the test's repeat frequency.
Command Syntax
device-name(config-saa-TESTNAME)#frequency <0-65535>
device-name(config-saa-TESTNAME)#no frequency
0-65535 Defines the test's repetition frequency, in seconds
0 seconds
no
Restores to default
Example
device-name(config-saa-T1)#frequency 20
Configuring Probe Statistics
The probe-statistics command defines the number of intervals for which the calculation results
are kept in the result history database.
Command Syntax
device-name(config-saa-TESTNAME)#probe-statistics <1-120>
device-name(config-saa-TESTNAME)#no probe-statistics
1-120 Defines the number of probes kept in the database
96. The last 24 hours results of a test running continuously with a default
interval of 15 minutes and a non-zero frequency are available
no
Restores to default
Exampl
device-name(config-saa-T1)#probe-statistics 10

Page 144

Configuring Probe Timeout
The timeout command defines the probe's timeout period for the packets to reply before
considering them lost.
Command Syntax
device-name(config-saa-TESTNAME)#timeout <1-60>
device-name(config-saa-TESTNAME)#no timeout
1-60 The timeout, in seconds.
3 seconds
no
Example
device-name(config-saa-T1)#timeout 5
Configuring the Test Sending Interval
The period command defines the time interval between the packets sent by the test.
If the interval is between 100 milliseconds and 1 second it is incremented with 100 milliseconds and
if it is above 1 second it is incremented with 1 second.
Command Syntax
device-name(config-saa-TESTNAME)#period <100-10000>
device-name(config-saa-TESTNAME)#no period
100-10000 Defines the time interval, in milliseconds, between the packets sent by the
test.
1 second
no
Example
device-name(config-saa-T1)#period 2000

Page 145

Configuring the Monitored Interval
The interval command defines the time interval for a test to collect data before calculating the
results. The results are calculated for each monitored interval and stored in the result-history
database.
Command Syntax
device-name(config-saa-TESTNAME)#interval <1-60>
device-name(config-saa-TESTNAME)#no interval
1-60 Defines the time interval, in minutes, for a test to collect data before
calculating the results.
15 minutes
no
Example
device-name(config-saa-T1)#monitored-interval 10
Configuring the Test Priority
The priority command defines the priority of the packets sent by the test.

NOTE
This is also the priority for which the service traffic is monitored.
Map the service traffic to this priority, by using the t r ust - pr i or i t y command;
see Example 2. Use the t r ust - pr i or i t y command, before configuring and
starting the SAA test (refer to the Configuring Quality of Service (QoS) chapter
of this User Guide).

Command Syntax
device-name(config-saa-TESTNAME)#priority <0-7>
device-name(config-saa-TESTNAME)#no priority
0-7 Defines the priority of the packets sent by the test.
6
no

Page 146

Example 1
device-name(config-saa-T1)#priority 3
Example 2
SAA measurements are performed for specific traffic class, provided by QoS configuration.
1. Assign a traffic class according to the customer VLAN priority on both SDP and SAP ports:

NOTE
Prior to assging the traffic, add port 1/ 1/ 1as tagged and port 1/ 2/ 1as
untagged to the same service VLAN. After, create the TLS service by attaching
these ports to SDP (port 1/ 1/ 1) and SAP (port 1/ 2/ 1). For an example, refer to
the SAA Configuration Example section.

device-name(config qos)#network-policy batm
device-name(config qos-net batm)#ingress
device-name(config qos-net-in batm)#trust-priority
device-name(config qos-net-in batm)#end
device-name(config-if 1/1/1)#qos-network-policy batm
device-name(config-if 1/2/1)#qos-network-policy batm
2. Start the SAA test after configuring its parameters:
device-name(config-saa-T1)#priority 3
device-name(config-saa-T1)#frequency 10
device-name(config-saa-T1)#timeout 5
device-name(config-saa-T1)#probe-statistics 10
device-name(config-saa-T1)#no shutdown
Configuring the Test's Metric Types
The supported-functions command defines the test's metrics type.
Command Syntax
device-name(config-saa-TESTNAME)#supported-functions {loss-measurements |
delay-measurements | both}
device-name(config-saa-TESTNAME)#no supported-functions

Page 147

loss-measurements Performs only loss measurements.
delay-measurements Performs only delay measurements.
both Performs loss measurements and delay measurements.
both loss and delay measurements are calculated
no
Example
device-name(config-saa-T1)#supported-functions loss-measurements
Configuring the Test Delay Calculation Method
The delay-calculation command configures the frame-loss ratio delay calculation method.
Command Syntax
device-name(config-saa-TESTNAME)#delay-calculation {average | p-percentile <1-
100>}
device-name(config-saa-TESTNAME)#no delay-calculation
average Performs a simple average of the delay, measured by all packets.
the delay calculation method uses a simple average of the delay, measured
by all packets
p-percentile
<1-100>
Defines the OAM p-percentile method, in the range of <1100>
50
no
Example
device-name(config-saa-T1)#delay-calculation p-percentile 85

Page 148

Configuring the Test J itter Calculation Method
The jitter-calculation command configures the jitter threshold calculation method.
Command Syntax
device-name(config-saa-TESTNAME)#jitter-calculation {peak-to-peak | variance |
p-percentile <1-100>}
device-name(config-saa-TESTNAME)#no jitter-calculation
peak-to-peak Specifies the difference between the maximum and minimum frame delay
during the interval.
variance Specifies a simple variance of all packets' delays.
the jitter calculation method uses a simple variance of the delay, measured
by all packets
p-percentile
<1-100>
Defines the OAM p-percentile method, in the range of <1100>
50
no
Example
device-name(config-saa-T1)#jitter-calculation peak-to-peak
Defining the Current Service Loopback Functionality
The saa loopback service command defines the enabled loopback functionality for a specified
TLS service.

NOTE
Configure a TLS service prior to running this command.

Both delay and frame-loss measurements are enabled by default.
Command Syntax
device-name(config)#saa loopback service <1-4294967295> [frame-loss | delay-
measurement | both]
device-name(config)#no saa loopback service <1-4294967295> {frame-loss |
delay-measurement | both}

Page 149

service <1-
4294967295>
The TLS service ID
frame-loss (Optional) the measured one way frame loss ratio from the test
loopback to the test-head device
delay-measurement (Optional) the measured one way delay threshold from the test
both (Optional) both types of thresholds: frame loss and delay thresholds
no
Removes the specified loopback functionality from a service.
Example 1
device-name(config)#saa loopback service 1 both
Example 2
device-name(config)#saa loopback service 1
Bot h DM and LM l oopback capabi l i t i es ar e enabl ed
Defining the Current VLAN Loopback Functionality
The saa loopback vlan command defines the enabled loopback functionality for a specified
VLAN.

NOTE
Configure a VLAN prior to running this command.

Both delay and frame-loss measurements are enabled by default.
Command Syntax
device-name(config)#saa loopback vlan <2-4094> uplink-port {UU/SS/PP | ag0N}
user-port {UU/SS/PP | ag0N} [frame-loss | delay-measurement | both]
device-name(config)#no saa loopback vlan <2-4094> {frame-loss | delay-
measurement | both}
vlan <2-4094> The VLAN ID
uplink-port The uplink port on which loopback is enabled
UU/SS/PP
The target interface on which VLAN is used
ag0N
The link aggregation ID (ag01, ag04ag07) on which VLAN is used.
The allowed ID is in the range of <17>
user-port The user port on which loopback is enabled

Page 150

frame-loss (Optional) the measured one way frame loss ratio from the test
delay-measurement (Optional) the measured one way delay threshold from the test
both (Optional) both types of thresholds: frame loss and delay thresholds
no
Removes the specified loopback functionality from a VLAN
Example
device-name(config)#saa loopback vlan 10 uplink-port 1/1/1 user-port 1/2/5
delay-measurement
Displaying the SAA Tests Results
The show saa test command displays the SAA tests' configuration and the calculations results at
the end of the monitored intervals.
Command Syntax
device-name#show saa test [TESTNAME [last-results <2-120>]]
TESTNAME (Optional) displays a specific test.
all configured tests are displayed
last-results <2-120> (Optional) specifies the number of results to display from the
test result history database.

Page 151

Example
device-name#show saa test T1
Test Name: T1
Test Owner : def aul t
Test t ype: y1731- pt p
Admi ni st r at i ve st at us: enabl ed
Remot e Mep: 224, MAC: 00: A0: 12: 4B: 06: C0
Pr of i l e I d: not set
Fr equency of r epet i t i on: 1
Pr obe t i meout : 3 seconds
Pr obe hi st or y count : 96
Cl ocks i n sync NO
Suppor t ed f unct i ons: del ay measur ement s & l oss measur ement s
Del ay Met hod: aver age
J i t t er Met hod: var i ance
I nt er val I d : 115 Resul t s gat her ed FRI J AN 01 02: 31: 46 1993

Ti meout s: 0 Er r or s: 0 Sent Pkt s: 120
Del ay ( NE) : 19. 97 us Del ay ( FE) : 19. 97 us
J i t t er ( NE) : 0. 18 us J i t t er ( FE) : 0. 18 us
Fr ameLoss ( NE) : 0. 000 % Fr ameLoss ( FE) : 0. 000 %
Sent Pkt s ( NE) : 0 Sent Pkt s ( FE) : 0
Rcvd Pkt s ( NE) : 0 Rcvd Pkt s ( FE) : 0
Displaying the SAA Threshold Profile
The show saa profile command displays a defined SAA profile's configuration.
Command Syntax
device-name#show saa profile [<1-2147483647>]
1-2147483647 (Optional) the profile ID.
Example
device-name#show saa profile 1
Pr of i l e Name: St r i ct Pr of i l e , i ndex: 1
Del ay ( NE) 10000us Del ay ( FE) 15000us
J i t t er ( NE) 4500us J i t t er ( FE) 5000us
Fr amel oss ( NE) 0. 000% Fr amel oss ( FE) 0. 000%

Page 152

Displaying the SAA Loopback Service
The show saa loopback service command displays which loopback functionality is enabled and
for what services.
If you do not specify a service ID, the command displays the enabled loopback functionality for all
services. If you specify a service ID, the command displays the status for that service ID only.
Command Syntax
device-name#show saa loopback service [<1-4294967295>]
1-4294967295 (Optional) the TLS service ID
Example
device-name#show saa loopback service 1
Displaying the SAA Loopback VLAN
The show saa loopback vlan command displays which loopback functionality is enabled and for
what VLAN ID.
If you do not specify a VLAN ID, the command displays the enabled loopback functionality for all
VLANs. If you specify a VLAN ID, the command displays the status for that VLAN ID only.
Command Syntax
device-name#show saa loopback vlan [<2-4094>]
2-4094 (Optional) the VLAN ID
Example
device-name#show saa loopback vlan
Vl an 10:
Vl an 20:

Page 153

SAA Configuration Example
The following example shows how to configure the SAA tests on two devices.

Figure 19: Example for Configuring Two Devices in SAA Test Configuration Mode
2. Add 1/ 1/ 1 (SDP port) as tagged port and 1/ 2/ 1 (SAP port) as untagged port:
Device1(config-vlan vl10)#add ports 1/2/1 untagged
Device1(config-vlan vl10)#add ports default 1/2/1
Device1(config)#tls serv1 1
Device1(config-tls serv1)#sdp 1/1/1 s-vlan 10
Device1(config-tls serv1)#sap 1/2/1 c-vlans 100 untagged
Device1(config-tls serv1)#exit

Page 154

Device1(config)#cfm
association within the specified domain:
Device1(config-cfm-d4)#ma name ma4 service 1
Device1(config-cfm-d4-ma4)#mep 1 sap 1/2/1:100:
2. Add 1/ 1/ 2 (SDP port) as tagged port and 1/ 2/ 1 (SAP port) as untagged port:
Device2(config-vlan vl10)#add ports 1/2/1 untagged
Device2(config-vlan vl10)#add ports default 1/2/1
Device2(config)#tls serv1 1
Device2(config-tls serv1)#sdp 1/1/2 s-vlan 10
Device2(config-tls serv1)#sap 1/2/1 c-vlans 100 untagged
Device2(config-tls serv1)#exit
Device2(config)#cfm
association within the specified domain:
Device2(config-cfm-d4)#ma name ma4 service 1

Page 155

Device2(config-cfm-d4-ma4)#mep 2 sap 1/2/1:100:
Configuring SAA on Device1:
1. Create an SAA profile:
Device1(config)#saa profile 1 StrictProfile
2. Configure the Near and Far delay thresholds:
Device1(config-saa-profile-1)#delay-near-end 10000
Device1(config-saa-profile-1)#delay-far-end 15000
3. Configure the Near and Far jitter thresholds:
Device1(config-saa-profile-1)#jitter-near-end 4500
Device1(config-saa-profile-1)#jitter-far-end 5000
4. Configure the Near frame-loss ratio thresholds:
Device1(config-saa-profile-1)#frameloss-near-end 100
Device1(config-saa-profile-1)#frameloss-near-end 200
Device1(config-saa-profile-1)#exit
5. Create an SAA test:
Device1(config)#saa test T1
6. Configure the OAM for the SAA test:
Device1(config-saa-T1)#type y1731-ptp service 1 oamdomain 4
00:A0:12:11:22:33
7. Attach the specified threshold profile to the current SAA test:
Device1(config-saa-T1)#profile 1
8. Configure the test frequency:
Device1(config-saa-T1)#frequency 10
9. Configure the test timeout:
Device1(config-saa-T1)#timeout 5
10. Configure the probe statistics:
Device1(config-saa-T1)#probe-statistics 10
11. Configure the test sending interval:
Device1(config-saa-T1)#period 2000
12. Configure the monitored interval:
Device1(config-saa-T1)#interval 10

Page 156

13. Configure the test delay calculation method:
Device1(config-saa-T1)#delay-calculation p-percentile 85
14. Configure the test jitter calculation method:
Device1(config-saa-T1)#jitter-calculation peak-to-peak
Device1(config-saa-T1)#exit
15. Set the maximal number of concurrent SAA tests:
Device1(config)#saa max-concurrent-requests 5
16. Enable the SAA test:
Device1(config)#saa test T1
Device1(config-saa-T1)#no shutdown
Device1(config-saa-T1)#end
Configuring SAA on Device2:
1. Configure the SAA loopback:
Device2(config)#saa loopback service 1 both
Displaying the SAA Test Result and SAA Threshold Profile on
Device1:
1. Display the SAA test results:
Device1#show saa test T1
Test Name: T1
Test Owner : def aul t
Test t ype: y1731- pt p
Admi ni st r at i ve st at us: enabl ed
Remot e Mep: 2, MAC: 00: A0: 12: 11: 22: 33
Pr of i l e I d: 1
Pr of i l e Name: St r i ct Pr of i l e
Fr equency of r epet i t i on: 1
Pr obe t i meout : 3 seconds
Pr obe hi st or y count : 50
Cl ocks i n sync NO
SLA Pr of i l e I d: 1
Suppor t ed f unct i ons: del ay measur ement s & l oss measur ement s
Del ay Met hod: p- per cent i l e
J i t t er Met hod: peak- t o- peak
I nt er val I d 1, Resul t s gat her ed FRI J AN 01 01: 29: 42 1993

Ti meout s: 0 Er r or s: 0 Sent Pkt s: 300
Sent Pkt s ( NE) 12345678 Sent Pkt s ( FE) 7654327
Rcvd Pkt s ( NE) 7654321 Rcvd Pkt s ( FE) 12345674

Page 157

2. Display the SAA threshold profile:
Device1#show saa profile 1
Pr of i l e Name: St r i ct Pr of i l e , i ndex: 1

Page 158

Overview
EPS is a method of protecting point-to-point Ethernet service connection over VLAN transport
networks, assuring traffic transport between the two service ends. This method is based on ITU-T
G.8031 standard.
This method defines two transport paths (entities), based on existing CFM-OAM MEPs:
a primary (normally active) path: this is the path through which traffic is sent
a backup (protection) path: this is the path EPS switches the traffic to, in case of a failure of
the primary path

Figure 20: Protecting Services Using EPS.
Once these paths are determined, EPS periodically sends CFM-OAM CCMs (see Discoveryand
Connectivity) on both paths. The failure in receiving CCMs triggers a traffic switchover.
Switchover Options
EPS switches over the traffic from one path to another in the below cases:
1. When there is a signal failure (SF) in the active path
2. Upon a user request
3. A request from the remote device.
System administrators can lock the switchover, preventing traffic from switching over to the
backup path in any of the above cases.
In order to minimize unnecessary traffic, switchovers administrators can define a Holdoff timer: This
timer postpones the switchover for a specified time. If the transport path does not recuperate by
the end of this time period, traffic is switched over.

Page 159

EPS Configuration Flow

Figure 21: EPF Configuration Flow
End
Select the CFM Level
Create a TLS service
(refer to the Configuring Transparent
LAN Services (TLS) chapter)
Select the Primary Link MEPs
Select the Backup Link MEPs
Start
Enable EPS
CFM connectivity establishment
(refer to the CFM-OAM Configuration
Flow)
Enable the protection

Page 160

EPS Configuration Commands
Table 22: EPS Commands
Command Description
eps
Enables EPS for the TLS service and enters the EPS Configuration
mode.
cfm-config level
Defines the CFM domain level used by EPS.
primary-link
Defines the CFM pair of MEPs that monitor the primary path.
backup-link
Defines the CFM pair of MEPs that monitor the backup path.
shutdown
Activates/deactivates EPS for the current service.
hold-off-timer
Defines the hold off timeout.
switchover
Manually switches between the active and inactive transport paths.
lock
Manually locks the active traffic path, preventing any switchover
from this path to the inactive path.
freeze
Blocks all states change requests.
revertive
Enables the revertive mode for the protection.
wait-restore-timer
Defines the wait-to-restore timeout.
signal-degrade-test
Configures the signal degrade test.
signal-degrade
Controls whether the service should react to signal degrade events
from a test configured previously.
clear
Clears the revertive mode, the forced and manual active traffic path,
the wait-to-restore timer and signal degrade state.
show tls eps
Displays the status of the EPS service for all configured TLS
services.

Page 161

Enabling/Disabling EPS
The eps command enables EPS for the TLS service and enters the EPS Configuration mode.
The eps command is used in conjunction with SDP primary and SDP secondary (refer to the sdp
command of ConfiguringTransparent LAN Serviceschapter of this User Guide).
Command Syntax
device-name(config-tls SERVICE-NAME)#[no] eps
no
Disables EPS.
disabled
Example
Enable EPS for the TLS service with serv name and service ID 2:
device-name(config-tls serv)#eps
device-name(config-eps-serv)#
Selecting the CFM Level
The cfm-config level command defines the CFM domain level used by EPS. For more
information about CFM levels, refer to the CreatingandAccessinga MaintenanceDomains.
CLI Mode: EPS Configuration
Command Syntax
device-name(config-eps-SERVICE-NAME)#cfm-config level <0-7>
device-name(config-eps-SERVICE-NAME)#no cfm-config level
0-7
Defines the CFM domain level
no CFM domain level is specified
no
Restores to default

Page 162

Selecting the Primary Paths MEPs
The primary-link command defines the CFM pair of MEPs that monitor the primary path.
Command Syntax
device-name(config-eps-SERVICE-NAME)#primary-link local-mep <1-8191> remote-
mep <1-8191>
device-name(config-eps-SERVICE-NAME)#no primary-link local-mep
local-mep
<1-8191>
Specifies the service MEP ID of the local device
remote-mep
<1-8191>
Specifies the discovered service MEP ID of the remote device
no
Restores to default
no MEPs are specified
Selecting the Backup Link MEPs
The backup-link command defines the CFM pair of MEPs that monitor the backup path.

NOTE
If the CFM configuration uses in-MEPs or if it is defined over services, then
both the primary and backup links are monitored by the same pair of MEPs.

Command Syntax
device-name(config-eps-SERVICE-NAME)#backup-link local-mep <1-8191> remote-mep
<1-8191>
device-name(config-eps-SERVICE-NAME)#no backup-link local-mep
local-mep
<1-8191>
Specifies the service MEP ID of the local device
remote-mep
<1-8191>
Specifies the discovered service MEP ID of the remote device
no
Restores to default
no MEPs are specified

Page 163

Activating EPS
The shutdown command activates/ deactivates EPS for the current service.
Command Syntax
device-name(config-eps-SERVICE-NAME)#[no] shutdown
no
Activates EPS for the service
Defining the Hold Off Timer
The hold-off-timer command defines the hold off timeout. This timer postpones the switchover
for a specified time. If the transport path does not recuperate by the end of this time period, traffic
is switched over.
Command Syntax
device-name(config-eps-SERVICE-NAME)#hold-off-timer <0-10000>
device-name(config-eps-SERVICE-NAME)#no hold-off-timer
0-10000
The hold-off timeout, in the range of <010000>ms, with 100 ms
increments
0 seconds
no
Restores to default
Manual Traffic Switchover
The switchover command manually switches between the active and inactive transport paths.
By default, switchovers are allowed.
Command Syntax
device-name(config-eps-SERVICE-NAME)#switchover

Page 164

Locking the Active Path
The lock command manually locks the active traffic path, preventing any switchover from this
path to the inactive path. The command is reverted by the clear command.
Command Syntax
device-name(config-eps-SERVICE-NAME)#lock
Blocking the Service Protection
The freeze command blocks all states change requests. The device enters the freeze state that
means no commands are accepted. This state can be cleared with clear command. Until the freeze
state is cleared, all local and remote EPS commands are ignored. After the freeze state is cleared, the
state of the services is recomputed.
Command Syntax
device-name(config-eps-SERVICE-NAME)#[no] freeze
no
Unblocks the states change requests
Enabling/Disabling Revertive Protection
The revertive command enables the revertive mode for the protection. In case of a signal failure
when the primary transport is repaired, the traffic is automatically moved to the primary transport
after the wait-to-restore timer expired.
Command Syntax
device-name(config-eps-SERVICE-NAME)#[no] revertive
no
Disables the revertive mode

Page 165

Defining Wait-to-Restore Timer
The wait-restore-timer command defines the wait-to-restore timeout. If the revertive mode is
disabled, this timer is also disabled.
Command Syntax
device-name(config-eps-SERVICE-NAME)#wait-restore-timer <value>
device-name(config-eps-SERVICE-NAME)#no wait-restore-timer
value
The wait-to-restore timer in the range of <512>, or value 0, in minutes.
0 means revert immediately.
5 minutes
no
Restores to default
Example
device-name(config-eps-serv)#wait-restore-timer 7
Configuring Signal Degrade Test
The signal-degrade-test command configures the signal degrade test for EPS.
Command Syntax
device-name(config-eps-SERVICE-NAME)#signal-degrade-test cfm PROCNAME
PROCNAME The existing CFM monitoring process name
Example
device-name(config-eps-serv)#signal-degrade-test cfm PerfTest

Page 166

Enabling/Disabling Signal Degrade Events
The signal-degrade command controls whether the service should react to signal degrade events
from a test configured previously with the signal-degrade-test command.
Command Syntax
device-name(config-eps-SERVICE-NAME)#[no] signal-degrade
no
Disables signal degrade events
Clearing Local Commands
The clear command clears the revertive mode, the forced and manual active traffic paths, the wait-
to-restore timer and signal degrade state.
Command Syntax
device-name(config-eps-SERVICE-NAME)#clear
Displaying the EPS Service Status
The show tls eps command displays the status of the EPS service for all configured TLS services.
Command Syntax
device-name#show tls eps [SERVICE-NAME]
SERVICE-NAME
(Optional) displays the specified service name EPS status

Page 167

EPS Configuration Example
The below example details the steps to configure EPS on two back-to-back connected devices:
1. Configure VLAN v2 with VLAN ID 2:
device1#configure terminal
device1(config)#vlan
device1(config vlan)#create v2 2
device1(config vlan)#config v2
2. Assign port 1/ 1/ 2 (SDP port) as tagged to VLAN v2:
device1(config-vlan v2)#add port 1/1/2 tagged
3. Assign port 1/ 1/ 1 (SAP port) as untagged to VLAN v2:
device1(config-vlan v2)#add port 1/1/1 untagged
device1(config-vlan v2)#exit
device1(config-vlan v3)#end
7. Create a TLS service named serv with service ID 2:
device1(config)#tls serv 2
8. Configure the primary SDP for the TLS service on port 1/ 1/ 2 with S-VLAN ID 2:
device1(config-tls serv)#sdp 1/1/2 s-vlan 2 primary
9. Configure the secondary SDP for the TLS service on port 1/ 1/ 3 with S-VLAN ID 3:
device1(config-tls serv)#sdp 1/1/3 s-vlan 3 secondary
10. Configure SAP 1/ 1/ 1 with C-VLAN ID 5:
device1(config-tls serv)#sap 1/1/1 c-vlans 5
device1(config-tls serv)#exit
device1(config)#cfm

Page 168

device1(config)#cfm enable
13. Create maintenance domain a1 with domain level 1:
device1(config-cfm)#domain name a1 level 1
14. Create maintenance association ma1 for service ID 2:
device1(config-cfm-a1)#ma name ma1 service 2
15. Create MEP ID 1 on SAP 1/ 1/ 1 with C-VLAN ID 5:
device1(config-cfm-a1-ma1)#mep 1 sap 1/1/1:5:
device1(config-cfm-a1-ma1)#end
16. Enable EPS for the TLS service:
device1(config)#tls serv
device1(config-tls serv)#eps
17. Select CFM level 1 for the EPS service:
device1(config-eps-serv)#cfm-config level 1
18. Select local MEP ID 1 and remote MEP ID 2 for monitoring the primary link:
device1(config-eps-serv)#primary-link local-mep 1 remote-mep 2
19. Select local MEP ID 1 and remote MEP ID 2 for monitoring the secondary link:
device1(config-eps-serv)#backup-link local-mep 1 remote-mep 2
20. Activate EPS:
device1(config-eps-serv)#no shutdown
device1(config-eps-serv)#end
device2(config)#vlan
device2(config-vlan v2)#exit

Page 169

5. Assign port 1/ 1/ 3 (SDP port) as tagged to VLAN v3
6. Assign port 1/ 1/ 1 (SAP port) as untagged to this VLAN:
device2(config-vlan v3)#end
7. Create a TLS service names serv with service ID 2:
device2(config)#tls serv 2
8. Configure the primary SDP for the TLS service on port 1/ 1/ 2 with S-VLAN ID 2:
device2(config-tls serv)#sdp 1/1/2 s-vlan 2 primary
9. Configure the secondary SDP for the TLS service on port 1/ 1/ 3 with S-VLAN ID 3:
device2(config-tls serv)#sdp 1/1/3 s-vlan 3 secondary
10. Configure SAP 1/ 1/ 1 with C-VLAN 5:
device2(config-tls serv)#sap 1/1/1 c-vlans 5
device2(config-tls serv)#exit
device2(config)#cfm
device2(config)#cfm enable
device2(config-cfm)#domain name a1 level 1
14. Create the maintenance association ma1 for service ID 2:
device2(config-cfm-a1)#ma name ma1 service 2
15. Create MEP ID 2 on SAP 1/ 1/ 1 with C-VLAN 5:
device2(config-cfm-a1-ma1)#mep 2 sap 1/1/1:5:
device2(config-cfm-a1-ma1)#end
16. Enable EPS:
17. Select CFM level 1 for the EPS service:
device2(config-eps-serv)#cfm-config level 1
18. Select local MEP ID 2 and remote MEP ID 1 for monitoring the primary link:
device2(config-eps-serv)#primary-link local-mep 2 remote-mep 1

Page 170

19. Select local MEP ID 2 and remote MEP ID 1 for monitoring the secondary link:
device2(config-eps-serv)#backup-link local-mep 2 remote-mep 1
20. Activate EPS:
device2(config-eps-serv)#no shutdown
device2(config-eps-serv)#end
Configuring Signal Degrade on Device 1:
1. Enable EPS for the TLS service:
2. Configure the signal degrade test:
device1(config-eps-serv)#signal-degrade-test cfm TestEPS
device1(config-eps-serv)#signal-degrade
device1(config-eps-serv)#exit
device1(config-tls-serv)#exit
3. Create a CFM profile:
device1(config)#cfm
device1(config-cfm)#profile ProfileEPS
device1(config-cfm-profile-ProfileEPS)#latency-error 1500
device1(config-cfm-profile-ProfileEPS)#frame-loss-error 5
device1(config-cfm-profile-ProfileEPS)#exit
4. Define the monitoring process:
device1(config-cfm)#process TestEPS domain d1 ma ma1 repeat minutes 0
seconds 1 profile ProfileEPS

Page 171

Displaying the EPS Configuration on Device 1:
device1#show tls eps
Eps conf i gur at i on f or ser vi ce 2
Pr ot ect i on: Enabl ed
Oper at i onal St at us: Up
Def ect s pr esent : None

CFM Level : 1
Pr i mar y l i nk - Local Mep: 1, Remot e Mep: 2 - St at us: Up
Backup l i nk - Local Mep: 1, Remot e Mep: 2 - St at us: Up
Hol d of f t i mer ( ms) : 0
Wai t t o r est or e t i mer ( mi nut es) : 5
SD event s: Enabl ed, Test Ready: No
SD t est name: TestEPS, SD t est t ype: CFM

APS dat a LOCAL REMOTE

Act i ve st at e: NoRequest NoRequest
Act i ve t r anspor t : Pr i mar y Pr i mar y
APS channel r equest ed: Up Up
APS connect i on t ype: Bi di r ect i onal Bi di r ect i onal
Pr ot ect i on Type: 1: 1 1: 1
Rever t i ve mode: Di sabl ed Di sabl ed

Page 172

Event Propagation
The event propagation feature allows users to configure automatic actions executed upon the
occurrence of specific events.
The feature acts upon receiving events from the events provider. It matches the received events
with pre-configured pairs of event-action and then forwards the matched action to the related
action performer.
To configure this feature, the users have to define profiles grouping the event-action pairs. The
users can apply these profiles to various targets, such as SAPs or physical ports.
By enabling event propagation, the T-Marc 300 Series devices can:
detect a remote link failure or a local ports down status
disconnect a link to a peer device
restore the link to the peer device in case the event is reversed
To avoid flapping events, users can configure two timers per profile:
Event timer: the interval from the time the event starts before the event propagation disconnects
a link.
Revertivetimer: the interval from the time the event is reversed before reversing the Event
Propagation action.
This feature is based on TLS and the CFM-OAM functionality. Therefore, it can function only on
devices where these features are enabled.

Page 173

Event Propagation Configuration Flow

Figure 22: Event Propagation Configuration Flow
Create a TLS service
(refer to the Configuring Transparent
LAN Services (TLS) chapter)
CFM Configuration (refer to the
CFM-OAM Configuration Flow)
Define the event propagation profile
Configure the required and revertive
actions for the created profile
Attach the profile to a SAP or port
Start
Stop

Page 174

Event Propagation Configuration Commands
Table 23: Event Propagation Commands
Command Description
event-propagation
profile
Creating an event propagation profile (see Creating an Event
Propagation Profile)
source rem-mep event Allocates a profile to receive events from a remote MEP (see
Configuring Remote Fault Detection and Propagation)
source local-port
event
Allocates a profile to receive events from a local port (see
Configuring Local Alarm Propagation)
event-propagation
profile
Applies an existing profile to a SAP or local port (see Applying a
Profile to a SAP or a Port)
show event-
propagation profile
Displays the configured profile parameters(see Displaying the
Configured Event Propagation Profiles)
show event-
propagation session
Displays the attached targets and running parameters per profile
(see Displaying the Running Sessions)
Creating an Event Propagation Profile
The event-propagation profile command creates an event propagation profile and enters the
Event Propagation Profile Configuration mode.
Command Syntax
device-name(config)#[no] event-propagation profile <id>
id The unique profile identifier, in the range of <110>.
there is no defined profile
no Removes an existing profile
Examples
Create an event propagation profile:
device-name(config)#event-propagation profile 1
device-name(config-ep-profile 1)#
Remove an event propagation profile:
device-name(config)#no event-propagation profile 1

Page 175

Configuring Remote Fault Detection and Propagation
The source rem-mep event command allocates an existing profile to receive events from a
specified remote MEP.
CLI Mode: Event Propagation Profile Configuration
Command Syntax
device-name(config-ep-profile ID)#source rem-mep <mep_id> event {con-lost |
status-down | recv-rdi} action link-drop [reverse link-restore]
rem-mep <id> The MEP ID the profile is allocated to, in the range of <18191>.
event {con-lost |
status-down | recv-
rdi}
The expected event type:
connectivity loss: the connectivity is lost
port status down: the port is in down state
received RDI: the RDI (Remote Defect Identification) bit is
received
action link-drop The action executed upon the event occurrence
reverse link-restore (Optional) reverses the action when the event is reversed
Examples
Configure profile 1 to act upon a connectivity loss on remote MEP 200. This profile drops
the link to the remote peer and restores the link when the event reverts:
device-name(config-ep-profile 1)#source rem-mep 200 event con-lost action
link-drop reverse link-restore
Configure profile 2 to act upon a down status event on remote MEP 200 and drop the link to
the remote peer without reversing this action:
device-name(config-ep-profile 2)#source rem-mep 200 event status-down
action link-drop

Page 176

Configuring Local Alarm Propagation
The source local-port event command allocates an existing profile to receive events from a
local port.
CLI Mode: Event Propagation Profile Configuration
Command Syntax
device-name(config-ep-profile ID)#source local-port UU/SS/PP event status-down
action link-drop [reverse link-restore]
local-port
UU/SS/PP
The local port the profile is allocated to
event status-down A port down status event
action link-drop The profile drops the link upon this event
reverse link-
restore
(Optional) reverses the action when the event is reversed
Example
Configure profile 2 to act when port 1/1/1 is down and restore the link when the event is
reversed:
device-name(config-ep-profile 1)#source local-port 1/1/1 event staus-down
action link-drop reverse link-restore
Applying a Profile to a SAP or a Port
The event-propagation profile command applies an existing profile to a SAP or local port.
When applying the profile to a:
SAP, you have to first allocate it to a remote MEP
port, you have to first allocate it to a port

CLI Mode:
SAP Service Configuration, Interface Configuration, and Range Interface
Configuration
Command Syntax
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#[no] event-propagation profile
<id>
device-name(config-if UU/SS/PP)#[no] event-propagation profile <id>
device-name(config-if-group)#[no] event-propagation profile <id>

Page 177

profile <id> The existing profile ID applied to the SAP or port
no Removes the applied profile
Example
Apply profile 1 to SAP:
device-name(config-tls-sap 1/2/2:3:)#event-propagation profile 1
Apply profile 2 to port 1/2/1:
device-name(config-if 1/2/1)#event-propagation profile 2
Displaying the Configured Event Propagation Profiles
The show event-propagation profile command displays the configured parameters for all
profiles or for a specified one.
Command Syntax
device-name#show event-propagation profile [<id>]
profile <id> (Optional) displays the configuration for the specified profile.
Examples
Display information for all configured profiles:
device-name#show event-propagation profile
===============================================================================
| pr of i l e | sour ce t ype | sour ce i d | event | act i on | r ever se act i on|
+- - - - - - - - +- - - - - - - - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - - - +
| 1| r em- mep | 1| con- l ost | l i nk- dr op | l i nk- r est or e |
| 2| l ocal - por t | 1/ 1/ 1| st at us- down | l i nk- dr op | l i nk- r est or e |
| 3| r em- mep | 2| r ecv- r di | l i nk- dr op | l i nk- r est or e |
===============================================================================
Display information for the specified profile:
device-name#show event-propagation profile 1
===============================================================================
| pr of i l e | sour ce t ype | sour ce i d | event | act i on | r ever se act i on|
+- - - - - - - - +- - - - - - - - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - - - - - - +
===============================================================================

Page 178

If no profiles are defined or the specified profile does not exist, the command generates No
entry error message:
No ent r y
Displaying the Running Sessions
The show event-propagation session command displays the source each profile is allocated to
and its running parameters.
Command Syntax
device-name#show event-propagation session [profile <id>]
profile <id> (Optional) displays the configuration for the specified profile
Examples
Display information for all existing sessions:
device-name#show event-propagation session
pr of i l e 1
sour ce t ype: r em- mep
sour ce i d : 200
event : con- l ost
act i on : l i nk- dr op
r ever se : l i nk- r est or e
t ar get s:
=============================================================
| Type | I D | St at e | Act i ons | Rever t i ves|
+- - - - - - - - +- - - - - - - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| SAP | 1/ 1/ 1: unt agged: | def aul t | 0| 0|
=============================================================

pr of i l e 2
sour ce t ype: l ocal - por t
sour ce i d : 1/ 1/ 1
event : st at us- down
t ar get s:
==============================================================
+- - - - - - - - +- - - - - - - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +
| Por t | 1/ 1/ 2 | l i nk- dr op | 2| 1|
==============================================================


Page 179

pr of i l e 3
sour ce i d : 2
event : r ecv- r di
t ar get s:
=============================================================
+- - - - - - - - +- - - - - - - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| SAP | 1/ 1/ 1: unt agged: | def aul t | 0| 0|
=============================================================
Display information for the specified profile session:
device-name#show event-propagation session profile 2

pr of i l e 2
sour ce i d : 1/ 1/ 1
t ar get s:
==============================================================
+- - - - - - - - +- - - - - - - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - +
| Por t | 1/ 1/ 2 | l i nk- dr op | 2| 1|
==============================================================
If no profiles are defined or the specified profile does not exist, the command generates No
entry error message:
No ent r y

Page 180

Event Propagation Configuration Example
TLS Configuration:
1. Create a TLS service named serv with service ID 2:
2. Attach to the TLS service the SAP port 1/2/1 with C-VLAN ID 2::
device-name(config-tls serv)#exit
CFM Configuration:
device-name(config)#cfm
2. Enable CFM (if it is not enabled):
device-name(config-cfm)#domain name a6 level 6
4. Create maintenance association ma6 for service ID 2:
device-name(config-cfm-a6)#ma name ma6 service 2
5. Creates MEP 200 on SAP port 1/2/1 with C-VLAN 2::
device-name(config-cfm-a6-ma6)#mep 200 sap 1/2/1:2:
device-name(config-cfm-a6-ma6)#end

Page 181

Event Propagation Configuration:
1. Define event propagation profile 1:
2. Define profile 1 to receive events from local port 1/1/1:
device-name(config-ep-profile 1)#source local-port 1/1/1 event status-down
action link-drop reverse link-restore
device-name(config-ep-profile 1)#exit
3. Define event propagation profile 2:
4. Define profile 2 to receive events from remote MEP 200:
device-name(config-ep-profile 2)#source rem-mep 200 event con-lost action
link-drop reverse link-restore
device-name(config-ep-profile 2)#exit
5. Attach profile 1 to port 1/1/1:
device-name(config-if 1/1/1)#event-propagation profile 1
6. Attach profile 2 to SAP port 1/2/1:
device-name(config)#tls serv
device-name(config-tls-sap 1/2/1:2:)#event-propagation profile 2
7. Display information for all configured profiles:
=========================================================================
| pr of i l e| sour ce t ype| sour ce i d| event | act i on | r ever se act i on|
+- - - - - - - +- - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - +- - - - - - - - - - - - - - +- - - - - - - - - - - - - - +
| 1| l ocal - por t | 1/ 1/ 1| st at us- down| l i nk- dr op | l i nk- r est or e |
=========================================================================

Page 182

8. Display information for all existing sessions:
Pr of i l e 1
sour ce i d : 1/ 1/ 1
Sessi ons:
================================================================
| Tar get | I D | St at e | Act i ons | Rever t i ves|
+- - - - - - - - +- - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| Por t | 1/ 1/ 1 | none | 0| 0|
================================================================

Pr of i l e 2
sour ce i d : 200
event : con- l ost
Sessi ons:
================================================================
| Tar get | I D | St at e | Act i ons | Rever t i ves|
+- - - - - - - - +- - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - +
| SAP | 1/ 2/ 1: 2: | none | 0| 0|
================================================================

Page 183

Ethernet Local Management Interface (E-LMI,
MEF 16)
E-LMI, an OAM protocol, enables the CE to auto-configure its support of Metro Ethernet
services.
E-LMI notifies the CE on the Ethernet Virtual Connections (EVC) operating state and the time
when an EVC is added or deleted. E-LMI also communicates the attributes of the EVC and the
User-Network Interface (UNI) to the CE.
The UNI is physically implemented over a bi-directional Ethernet link that provides data, control
and management plane capabilities.
The UNI functionality is split between:
UNI-C: is acting as Customer Edge device and is executed on a non-service device
UNI-N: is acting as a Provider Edge device and is the underlying physical port of a configured
SAP belonging to a service.
UNI-C and UNI-N exchange information about EVC configuration and EVC status (service) and
thus, the UNI-C may auto-configure itself according to the reported EVC status from the UNI-N.
E-LMI protocol defines two types of messages:
status: is sent by the UNI-N to the UNI-C in response to a status enquiry message. It indicates
the status of EVCs or for the exchange of sequence numbers.
statusenquiry: is sent by the UNI-C to request status or to verify sequence numbers. The UNI-C
must send a status message in response to a status enquiry message.

Page 184

E-LMI Configuration Flow

Figure 23: E- LMI Configuration Flow
Enable E-LMI globally
Select the E-LMI mode
Enable E-LMI per port
Configure the polling timers
Configure the polling counters
Start
Stop

Page 185

E-LMI Configuration Commands
Table 24: E-LMI Commands
Command Description
Enables or disables the E-LMI protocol on the device
(see Enabling/Disabling E-LMI)
e-lmi
Enables or disables E-LMI protocol on a specified port
(see Enabling/Disabling E-LMI per Port)
e-lmi mode Defines the E-LMI mode (see Defining the E-LMI Mode)
e-lmi polling-timer Configures the E-LMI polling timer
(see Configuring the E-LMI Polling Timer)
e-lmi polling-
verification-timer
Configures the E-LMI polling-verification timer
(see Configuring the E-LMI Polling Verification Timer)
e-lmi polling-counter Configures the E-LMI polling counter
(see Configuring the E-LMI Polling Counters)
e-lmi status-counter Configures the E-LMI status counter
(see Configuring the E-LMI Status Counters)
show e-lmi Displays the E-LMI status information for a specific port
(see Displaying the E-LMI Status)
show e-lmi vlan-map Displays the CE-VLAN ID/EVC map for a specific port
(see Displaying the E-LMI VLAN)
show e-lmi statistics Displays the E-LMI statistics for a specific port
(see Displaying the E-LMI Statistics)
clear e-lmi statistics
e-lmi clear statistics
Clears the E-LMI statistics for a specific port
(see Clearing the E-LMI Port Statistics)

Page 186

Enabling/Disabling E-LMI on the Device
The e-lmi command enables or disables E-LMI protocol globally.
Command Syntax
device-name(cfg protocol)#e-lmi {enable | disable}
enable Enables E-LMI
disable Disables E-LMI
disabled
Enabling/Disabling E-LMI per Port
The e-lmi command enables or disables E-LMI protocol on a specified port.
Command Syntax
device-name(config if UU/SS/PP)#e-lmi {enable | disable}
enable Enables E-LMI on the specified port
disable Disables E-LMI on the specified port
disabled per port
Defining the E-LMI Mode
The e-lmi mode command defines the E-LMI mode.

NOTE
Disable E-LMI on the port prior to changing its mode.
Changing the E-LMI mode restarts the E-LMI protocol per port and clears all
statistics and information per port.



Page 187

Command Syntax
device-name(config if UU/SS/PP)#e-lmi mode {uni-c | uni-n}
uni-c Customer mode. UNI-C statically retrieves the needed configuration
information from the UNI-N.
uni-n Network mode
uni-n
Example
device-name(config if 1/1/1)#e-lmi mode uni-c
[ %Er r or ] Di sabl e E- l mi on t hi s por t bef or e changi ng E- l mi mode
device-name(config-if 1/1/1)#e-lmi disable
device-name(config-if 1/1/1)#e-lmi mode uni-c
Configuring the E-LMI Polling Timer
The e-lmi polling-timer command configures the E-LMI polling timer.
Polling timer controls the interval at which statusenquirymessages are transmitted. These messages
are sent by the UNI-C to request status or to verify sequence numbers.

NOTE
Valid only for cust omer mode, otherwise this command returns an error.

Command Syntax
device-name(config if UU/SS/PP)#e-lmi polling-timer <5-30>
device-name(config if UU/SS/PP)#no e-lmi polling-timer
5-30 The polling timer value, in seconds
10 seconds
Example
device-name(config-if 1/1/1)#e-lmi polling-timer 7
[ %Er r or ] Thi s command i s val i d onl y f or cust omer mode

Page 188

Configuring the E-LMI Polling Verification Timer
The e-lmi polling-verification-timer command configures the E-LMI polling verification
timer.
Polling verification timer controls the interval during which information sent to the UNI-C, in a
statusmessage, is considered valid.

NOTE
Valid only for net wor k mode, otherwise the command returns an error.
The pol l i ng ver i f i cat i on t i mer has to be grater than pol l i ng t i mer .

Command Syntax
device-name(config if UU/SS/PP)#e-lmi polling-verification-timer {<5-30> |
disable}
device-name(config if UU/SS/PP)#no e-lmi polling-verification-timer
5-30 The polling verification timer value, in seconds
15 seconds
disable Disables the polling verification timer
Configuring the E-LMI Polling Counters
The e-lmi polling-counter command configures the E-LMI polling counter.
Polling counter controls the number of polling cycles between Full Status (status of UNI and all
EVCs) exchanges.

NOTE
Valid only for cust omer mode, otherwise the command returns an error.

Command Syntax
device-name(config if UU/SS/PP)#[no] e-lmi polling-counter <1-65000>
1-65000 The polling counter value
360

Page 189

Configuring the E-LMI Status Counters
The e-lmi status-counter command configures the E-LMI status counter.
Status counter controls the number of consecutive errors that occurs before E-LMI is declared not
operational.
Command Syntax
device-name(config if UU/SS/PP)#[no] e-lmi status-counter <2-10>
2-10 The status counter value
4
Displaying the E-LMI Status
The show e-lmi command displays the E-LMI status information for a specific port or for all
ports.
Command Syntax
device-name#show e-lmi {UU/SS/PP | all}
device-name(config-if UU/SS/PP)#show e-lmi
UU/SS/PP The port for which the E-LMI status information is displayed
all Displays the E-LMI status information for all ports

Page 190

Example
device-name#show e-lmi 1/1/1
E- LMI admi ni st r at i ve st at us : Di sabl ed

E- LMI admi ni st r at i ve st at us : Enabl ed
E- LMI mode : UNI - N
E- LMI oper at i onal st at us : Up
Pol l i ng ver i f i cat i on t i mer : 15
St at us count er : 5
device-name(config-if 1/2/1)#show e-lmi
E- LMI mode : UNI - C
Pol l i ng t i mer : 10
Pol l i ng count er : 200
Displaying the E-LMI VLAN
The show e-lmi vlan-map command displays the CE-VLAN ID/ EVC map for a specific port
or for all ports.
The maximum number of bytes needed to carry CE-VLAN ID/ EVC map information depends
on the number of CE-VLAN IDs mapped to an EVC.
CE-VLAN ID/ EVC map contains the configured SAPs and the services (EVCs) they belong to,
along with the configured CE-VLAN IDs (inner VLAN tags) that classify the incoming customer
traffic as belonging to the EVC.
Command Syntax
device-name#show e-lmi {UU/SS/PP | all} vlan-map
device-name(config-if UU/SS/PP)#show e-lmi vlan-map
UU/SS/PP The port for which the CE-VLAN ID/EVC map information is displayed
all Displays the CE-VLAN ID/EVC map for all ports

Page 191

Example
device-name#show e-lmi 1/1/2 vlan-map
Last f ul l - st at us r epor t : HH: MM DD/ MM/ YYYY

EVC I d: 123
St at e: Act i ve
CE- VLANs: 100, 200, 201

EVC I d: 200
St at e: Par t i al l y Act i ve
CE- VLANs: 10, 11, 12

EVC I d: 300
St at e: I nact i ve
CE- VLANs: 300
Displaying the E-LMI Statistics
The show e-lmi vlan-map command displays the E-LMI statistics for a specific port or for all
ports.
Command Syntax
device-name#show e-lmi {UU/SS/PP | all} statistics
device-name(config-if UU/SS/PP)#show e-lmi statistics
UU/SS/PP The port for which the E-LMI statistics information are displayed
all Displays the E-LMI statistics for all ports


Page 192

Example
device-name#show e-lmi 1/1/1 statistics
E- LMI admi ni st r at i ve st at us : Di sabl ed

device-name(config if 1/2/1)#show e-lmi statistics
Last f ul l - st at us r epor t : HH: MM DD/ MM/ YYYY

Rel i abi l i t y er r or s
St at us Ti meout s : 20
Messages wi t h I nval i d Sequence Number : 1023

Pr ot ocol er r or s
I nval i d Pr ot ocol Ver si on : 0
I nval i d EVC Ref er ence I d : 0
I nval i d Message Type : 0
Out of Sequence I E : 1
Dupl i cat ed I E : 0
Mandat or y I E Mi ssi ng : 0
I nval i d Mandat or y I E : 2
I nval i d non- Mandat or y I E : 0
Unr ecogni zed I E : 0
Unexpect ed I E : 1
Shor t Message : 0
Clearing the E-LMI Port Statistics
The commands below clear the E-LMI statistics for a specific port or for all ports:
clear e-lmi statistics command
e-lmi clear statistics command
Command Syntax
device-name#clear e-lmi {UU/SS/PP | all} statistics
device-name(config-if UU/SS/PP)#e-lmi clear statistics
UU/SS/PP The port for which the E-LMI statistics information are cleared
all Clears the E-LMI statistics for all ports

Page 193

E-LMI Configuration Example
1. Enable E-LMI globally:
device-name(cfg protocol)#e-lmi enable
2. Enable E-LMI on port 1/1/1:
device-name(config-if 1/1/1)#e-lmi enable
3. Configure the E-LMI polling verification timer:
device-name(config-if 1/1/1)#e-lmi polling-verification-timer 10
4. Configure the E-LMI status counter:
device-name(config-if 1/1/1)#e-lmi status-counter 3
5. Change the mode to customer:
device-name(config-if 1/1/2)#e-lmi mode uni-c
6. Enable E-LMI on port 1/1/2:
device-name(config-if 1/1/2)#e-lmi enable
7. Configure the E-LMI polling timer:
device-name(config-if 1/1/2)#e-lmi polling-timer 7
8. Configure the E-LMI polling counter:
device-name(config-if 1/1/2)#e-lmi polling-counter 50
9. Configure the E-LMI status counter:
device-name(config-if 1/1/2)#e-lmi status-counter 5
10. Display the E-LMI status information:
E- LMI oper at i onal st at us : UP
Pol l i ng ver i f i cat i on t i mer : 10
Pol l i ng t i mer : 7
Pol l i ng count er : 50

Page 194

11. Display the E-LMI VLAN information:
E- LMI oper at i onal st at us : DOWN
Last f ul l - st at us r epor t : N/ A

E- LMI oper at i onal st at us : DOWN
12. Display the E-LMI statistics information for port 1/1/1:
device-name#show e-lmi 1/1/1 statistics

Rel i abi l i t y er r or s
St at us Ti meout s : 3
Messages wi t h I nval i d Sequence Number : 0

Pr ot ocol er r or s
I nval i d Pr ot ocol Ver si on : 0
I nval i d EVC Ref er ence I d : 0
I nval i d Message Type : 0
Out of Sequence I E : 0
Dupl i cat ed I E : 0
Mandat or y I E Mi ssi ng : 0
I nval i d Mandat or y I E : 0
I nval i d non- Mandat or y I E : 0
Unr ecogni zed I E : 0
Unexpect ed I E : 0
Shor t Message : 0

Page 195

Diagnosing Connectivity Problems
In cases where you are supplied with the correct IP address, but there is no network connectivity,
the Packet Internet Groper (PING) and Trace Route tools allow you to explore the Internet and
the connectivity problems.
Ping
PING is a tool that helps you to verify the Internet connectivity at the IP level. The ping
command sends an Internet Control Message Protocol (ICMP) echo request to the IP address or
selected hostname.
Trace Route
The Trace route tool works by sending by sending ICMP echo packets with varying IP Time-to-
Live (TTL) values to the destination. On the screen, each device that is crossed between the source
computer and the destination IP address is displayed
For more details, refer to the TroubleshootingandMonitoringchapter of this User Guide.

Page 196

Supported Platforms
Intermediate 802.3ah EFM-OAM + +
Intermediate 802.1ag CFM + +
SAA Throughput Test + +
Service Assurance Application (SAA) + +
ITU-T G.8031 Ethernet Protection Switching (EPS) + +
Event Propagation + +
E-LMI + +
Diagnostic Connectivity Problems + +

Page 197

Intermediate 802.3ah
EFM-OAM
IEEE Std 802.3ah-
2004
Public MIB:
dot3_oam.mib
Private MIB:
prvt_switch_efm_oa
m.mib
No RFCs are supported
by this feature
Intermediate 802.1ag
CFM
IEEE 802.1ag-
2007
(Connectivity
Fault
Management)
ITU-T Y.1731
Public MIB,
ieee8021_cfm.mib
Private MIB,
prvt_cfm.mib
RFC 2544,
Benchmarking
Methodology for
Network Interconnect
Devices
SAA Throughput Test No Standards are
supported by this
feature
No MIBs are
supported by this
feature.
RFC2544,
Benchmarking
Methodology for
Network Interconnect
Devices
SAA
SOAM (Service
OAM) based on
the IEEE
802.1ag-2007
(draft 8.1)
ITU-T
Recommendation
Y.1731
Public MIB, ping.mib
Private MIB,
saa.mib
RFC 2925 allows
functionality for creating
of ping and traceroute
tests that can be carried
out periodically on the
remote host.
ITU-T G.8031 EPS ITU-T G.8031
standard
Private MIB,
prvt_eps.mib
by this feature
Event Propagation IEEE 802.1ag-2007
(Connectivity Fault
Management)
Private MIB,
prvt_status_propag
ation.mib
by this feature
E-LMI No Standards are
supported by this
feature
Private MIB,
prvt_elmi.mib
by this feature
Diagnosing
Connectivity
Problems
No standards are
supported by this
feature
No MIBs are
supported by this
feature.
RFC 791, Internet
Protocol DARPA
Internet Program
Protocol Specifications

Page 1
Configuring Link Layer Discovery Protocol (LLDP) (Rev. 02)
Configuring Link Layer Discovery Protocol (LLDP)
Table of Figures 2
Overview 3
LLDP Data Unit (LLDPDU) 3
TLV Format 3
LLDP Default Configuration 5
LLDP Configuration Flow 6
LLDP Configuration Commands 7
Configuring the LLDP 8
Configuring the Port Reinitialization 8
Specifying the Transmit Delay Interval 9
Specifying the Transmit Hold Interval 9
Specifying the Transmit Interval 9
Specifying the LLDP Port Behavior10
Advertising the Management Address10
Advertising the Port Description11
Advertising the System Capabilities Information11
Advertising the System Description12
Advertising the System Name12
Displaying Global LLDP Settings12
Displaying LLDP Statistics13
Displaying the Local System Data13
Displaying the Remote System Data13
Page 2

Table of Figures
Figure 1: LLDPDU Frame Structure 4
Figure 2: LLDP Configuration Flow 6
Figure 3: Example for Configuring LLDP14

Page 3

Overview
The Link Layer Discovery Protocol (LLDP) is a discovery Layer 2 protocol used by network
devices for advertising their identity, capabilities, interconnections, and store information about the
network. LLDP is a one hop protocol; the LLDP information can only be sent to and received
by devices that are directly connected to each other (neighbors) by the same link. It allows a device
to learn higher layer management reachability and connection endpoint information from adjacent
devices.
LLDP Data Unit (LLDPDU)
The LLDP frame contains a Link Layer Discovery Protocol Data Unit (LLDPDU) which is a set of
type-length-value (TLV) structures. The LLDPDU is enclosed into an Ethernet frame in which
the destination MAC address is set to multicast address 01:80:c2:00:00:0e and the Ethernet type is
set to 0x88cc.
The device sends LLDP frames on each of its ports at a fixed frequency. It also sends LLDPDUs
when the local configuration changes to inform the neighboring devices. In any of the two cases, an
interval exists between two successive operations of sending LLDPDUs. This prevents the network
from being overwhelmed by LLDPDUs. The receiving of LLDP packets is implemented by
capturing the packet in hardware, using the L2 destination ACL and forwarding it to the CPU.
LLDP information received from neighbor LLDP-enabled devices is accessible including via
Simple Network Management Protocol (SNMP) through objects defined in a standard IEEE
LLDP Management Information Base (MIB). Received LLDP information is valid for a period of
time defined by the value of the LLDP Time to Live (TLV) that is contained within the received
packet.
The information about a neighboring device maintained locally ages out when the corresponding
TTL expires. Only valid LLDP information is stored in the network devices.
TLV Format
In an LLDPDU, the chassis ID, port ID, and TTL TLV are the first three TLVs. The optional
TLVs are placed after the TTL TLV. The end of LLDPDU TLV is placed last. There is no
restriction regarding the length of LLDPDUs. The restriction comes from the transport layer, for
example in 802.3 MAC environments the maximum size of the PDU is 1500 bytes.
The figure below provides the LLDPDU structure and the mandatory LLDPDU TLV structure
details:

Page 4

Figure 1: LLDPDU Frame Structure
The mandatory TLVs contained in a LLDPDU are:
Chassis ID TLVThe MAC address associated with the local system
PortID TLVIdentifies the port from which the LLDPDU is transmitted
TTL TLVIndicates how long (in seconds) the LAN device's information received in the
LLDPDU is to be treated as valid information
End of LLDPDU TLVIndicates the end of TLVs of the LLDPDU frame
The optional TLVs defined as part of LLDP are grouped into the following three sets:
Basic Management TLV SetPort description, System name, System description, System
capabilities, Management address
IEEE 802.1 Organizationally Specific TLV Set currently not supported
IEEE 802.3 Organizationally Specific TLV Set currently not supported

Page 5

LLDP Default Configuration
Table 1: LLDP Default Configuration
Command Description
LLDP Disabled
LLDP reinitialize-delay 2 seconds
LLDP transmit-delay 2 seconds
LLDP transmit-hold 4 seconds
LLDP transmit-interval 30 seconds
LLDP basic management-address no-advertise
LLDP basic port-description no-advertise
LLDP basic system-capabilities no-advertise
LLDP basic system-description no-advertise
LLDP basic system-name no-advertise
Page 6

LLDP Configuration Flow

Figure 2: LLDP Configuration Flow

Start
Enable LLDP
Set the LLDP Timers (reinitialize-delay, transmit-delay,
transmit-hold, transmit-interval)
Optional LLDP Port Commands
Display LLDP Configuration
End
Page 7

LLDP Configuration Commands
Table 2: LLDP Global Configuration Commands
Command Description
lldp Configures the LLDP (see Configuring the LLDP)
lldp reinit-delay Specifies the minimum time an LLDP port waits before reinitializing
LLDP transmission (see Configuring the Port Reinitialization)
lldp transmit-delay Specifies the delay between successive LLDP frame transmissions
initiated by value/status changes in the LLDP local systems MIB
(see Specifying the Transmit Delay Interval)
lldp transmit-hold Specifies the amount of time the receiving device should hold the
LLDP remote information before being marked as old and deleted
(see Specifying the Transmit Hold Interval)
lldp transmit-
interval
Specifies the amount of time (in seconds) the device waits before
sending LLDP packets (see Specifying the Transmit Interval)

Table 3: Optional Basic Information Commands
Command Description
lldp Enables LLDP transmit, receive, or transmit and receive mode on
the specified port, or group of ports (see Specifying the LLDP Port
Behavior)
lldp basic
management-address
Configures an LLDP-enabled port to advertise the management
address for this device (see Advertising the Management Address)
lldp basic port-
description
Configures an LLDP-enabled port to advertise its port description
(see Advertising the Port Description)
lldp basic system-
capabilities
Configures an LLDP-enabled port to advertise its system capabilities
(see Advertising the System Capabilities Information)
lldp basic system-
description
Configures an LLDP-enabled port to advertise the system
description (see Advertising the System Description)
lldp basic system-
name
Configures an LLDP-enabled port to advertise the system name
(see Advertising the System Name)

Page 8

Table 4: LLDP Display Commands
Command Description
show lldp
configuration
Displays LLDP configuration settings (see Displaying Global LLDP)
show lldp
statistics
Displays statistical counters for all LLDP-enabled ports (see
Displaying LLDP Statistics)
show lldp local-
system-data
Displays LLDP global and port-specific configuration settings for this
device (see Displaying the Local System Data)
show lldp remote-
system-data
Displays LLDP global and port-specific configuration settings for
remote devices attached to an LLDP-enabled port (see Displaying
the Remote System Data)
Configuring the LLDP
The lldp command configures the LLDP.

NOTE
If you do not enable first LLDP, the LLDP commands and their outputs are not
valid.
Command Syntax
device-name(config)#lldp {enable | disable}
enable Enables the LLDP.
disable Disables the LLDP.
Configuring the Port Reinitialization
The lldp reinit-delay command specifies the minimum time an LLDP port waits before
reinitializing LLDP transmission.
Command Syntax
device-name(config)#lldp reinit-delay <1-10>
1-10 The time interval, in seconds. The default value is 2 seconds.
Page 9

Specifying the Transmit Delay Interval
The lldp transmit-delay command specifies the delay between successive LLDP frame
transmissions initiated by value/ status changes in the LLDP local systems MIB.

NOTE
Transmit-delay can be set only to values smaller than (0.25 * transmit-interval).
Command Syntax
device-name(config)#lldp transmit-delay <1-8192>
1-8192 The transmit delay interval, in seconds. The default value is 2 seconds.
Specifying the Transmit Hold Interval
The lldp transmit-hold command specifies the amount of time the receiving device should hold
a LLDP remote information before being marked as old and deleted. The device information on
the neighboring devices ages out and it discarded when its corresponding TTL expires.
NOTE
The TTL value is to multiply the TTL transmit hold value by the LLDP packets
transmitting interval.


Command Syntax
device-name(config)#lldp transmit-hold <2-10>
2-10 The transmit hold interval, in seconds. The default value is 4 seconds.
Specifying the Transmit Interval
The lldp transmit-interval command specifies the interval (in seconds) the device waits before
sending LLDP packets.
Page 10

NOTE
Transmit-interval can be set only to values bigger than (4 * transmit-delay).
The values of transmit-interval and transmit-delay are mutually dependent on each
other:
transmit-interval is from 5 to 32768 (5 can be set when
transmit-delay is set to its minimum value of 1)
transmit-delay is from 1to 8192 (8192 can be set when transmit-
interval is set to its maximum value of 32768)


Command Syntax
device-name(config)#lldp transmit-interval <5-32768>
5-32768 The transmit interval, in seconds. The default value is 30 seconds.
Specifying the LLDP Port Behavior
The lldp command enables LLDP transmit, receive, or transmit and receive mode on the specified
port, or a group of ports.
CLI Mode:
Command Syntax
device-name(config-if UU/SS/PP)#lldp {tx-only | rx-only | tx-rx | disabled |
basic}
device-name(config-if-group)#lldp {tx-only | rx-only | tx-rx | disabled |
basic}
basic Basic management set TLVs.
disabled The port neither receives nor transmits LLDP packets.
rx-only The port only receives LLDP packets.
tx-only The port only transmits LLDP packets.
tx-rx The port both transmits and receives LLDP packets.
The tx-rx option is used by default.
Advertising the Management Address
The lldp basic management-address command configures an LLDP-enabled port to advertise
the management address for this device.
CLI Mode:
Page 11

Command Syntax
device-name(config-if UU/SS/PP)#lldp basic management-address {advertise | no-
advertise}
device-name(config-if-group)#lldp basic management-address {advertise | no-
advertise}
advertise The management address is advertised by LLDP.
no-advertise The management address is not advertised by LLDP.
The no-advertise option is used by default.
Advertising the Port Description
The lldp basic port-description command configures an LLDP-enabled port to advertise its
port description.
CLI Mode:
Command Syntax
device-name(config-if UU/SS/PP)#lldp basic port-description {advertise |
no-advertise}
device-name(config-if-group)#lldp basic port-description {advertise |
no-advertise}
advertise The description of the configured port is advertised by LLDP.
no-advertise The description of the configured port is not advertised by LLDP.
Advertising the System Capabilities Information
The lldp basic system-capabilities command configures an LLDP-enabled port to
advertise its system capabilities.
CLI Mode:
Command Syntax
device-name(config-if UU/SS/PP)#lldp basic system-capabilities {advertise |
no-advertise}
device-name(config-if-group)#lldp basic system-capabilities {advertise | no-
advertise}
advertise The system capabilities information is advertised by LLDP.
Page 12

no-advertise The system capabilities information is not advertised by LLDP.
Advertising the System Description
The lldp basic system-description command configures an LLDP-enabled port to advertise
the system description.
CLI Mode:
Command Syntax
device-name(config-if UU/SS/PP)#lldp basic system-description {advertise | no-
advertise}
device-name(config-if-group)#lldp basic system-description {advertise | no-
advertise}
advertise The system description is advertised by LLDP.
no-advertise The system description is not advertised by LLDP.
Advertising the System Name
The lldp basic system-name command configures an LLDP-enabled port to advertise the
system name.
CLI Mode:
Command Syntax
device-name(config-if UU/SS/PP)#lldp basic system-name {advertise |
no-advertise}
device-name(config-if-group)#lldp basic system-name {advertise | no-advertise}
advertise The system name is advertised by LLDP.
no-advertise The system name is not advertised by LLDP.
Displaying Global LLDP Settings
The show lldp configuration command displays LLDP configuration settings.
CLI Modes:
Privileged (Enable) and Interface Configuration
Page 13

Command Syntax
device-name#show lldp configuration
device-name(config-if UU/SS/PP)#show lldp configuration
Displaying LLDP Statistics
The show lldp statistics command displays statistical counters for all LLDP-enabled ports.
CLI Mode:
Command Syntax
device-name#show lldp statistics
device-name(config-if UU/SS/PP)#show lldp statistics
Displaying the Local System Data
The show lldp local-system-data command displays LLDP global and port-specific
configuration settings for this device.
CLI Mode:
Command Syntax
device-name#show lldp local-system-data
device-name(config-if UU/SS/PP)#show lldp local-system-data
Displaying the Remote System Data
The show lldp remote-system-data command displays LLDP global and port-specific
configuration settings for remote devices attached to an LLDP-enabled port.
CLI Mode:
Command Syntax
device-name#show lldp remote-system-data
device-name(config-if UU/SS/PP)#show lldp remote-system-data
Page 14

The following example shows how to configure LLDP on two devices.

Figure 3: Example for Configuring LLDP
Device1 Configuration:
1. Enable the LLDP engine on the device:
Device1(config)#lldp enable
2. Specify the time interval at which it is checked if the port is enabled again so that the port can
be reinitialized:
Device1(config)#lldp reinit-delay 4
3. Specify the minimum interval at which notifications of changes in LLDP-monitored
parameters (variables) are sent:
Device1(config)#lldp transmit-delay 4
4. Specify the transmit-hold parameter:
Device1(config)#lldp transmit-hold 5
5. Specify the interval at which information about the LLDP-monitored parameters is divulged
(made public) by the device:
Device1(config)#lldp transmit-interval 500
Page 15

6. Specify the LLDP behavior on port 1/ 1/ 1:
Device1(config-if 1/1/1)#lldp tx-only
7. Specify that LLDP advertises the management address:
Device1(config-if 1/1/1)#lldp basic management-address advertise
Device2 Configuration:
1. Enable the LLDP engine on the device:
Device2(config)#lldp enable
2. Specify the time interval at which it is checked if the port is enabled again so that the port can
be reinitialized:
Device2(config)#lldp reinit-delay 4
3. Specify the minimum interval at which notifications of changes in LLDP-monitored
parameters (variables) are sent:
Device2(config)#lldp transmit-delay 4
4. Specify the transmit-hold parameter:
Device2(config)#lldp transmit-hold 5
5. Specify the interval at which information about the LLDP-monitored parameters is divulged
(made public) by the device:
Device2(config)#lldp transmit-interval 500
Device2(config-if 1/2/1)#lldp rx-only
7. Specify if LLDP advertises the management address:
Device2(config-if 1/2/1)#lldp basic management-address advertise
Page 16

Display information about all LLDP-configurable parameters:
Device1(config-if 1/1/1)#show lldp configuration
l l dp t x- onl y
l l dp snmp- not i f i cat i on di sabl e
l l dp basi c management - addr ess adver t i se
l l dp basi c por t - descr i pt i on no- adver t i se
l l dp basi c syst em- name no- adver t i se
l l dp basi c syst em- descr i pt i on no- adver t i se
l l dp basi c syst em- capabi l i t i es no- adver t i se

Device2(config-if 1/2/1)#show lldp configuration
l l dp r x- onl y
l l dp snmp- not i f i cat i on di sabl e
l l dp basi c management - addr ess adver t i se
l l dp basi c por t - descr i pt i on no- adver t i se
l l dp basi c syst em- name no- adver t i se
l l dp basi c syst em- descr i pt i on no- adver t i se
l l dp basi c syst em- capabi l i t i es no- adver t i se
Display information about the local device that is sent as LLDPDUs
to remote devices:
Device1(config-if 1/1/1)#show lldp local-system-data
LLDP Local Syst emDat a on por t 1/ 1/ 1
======================================================================
Por t I D subt ype : MacAddr ess
Por t I D : 00: a0: 12: 4b: 06: c3
Por t Descr i pt i on : I nt er f ace 1/ 1/ 1

Device2(config-if 1/2/1)#show lldp local-system-data
LLDP Local Syst emDat a on por t 1/ 2/ 1
======================================================================
Por t I D subt ype : MacAddr ess
Por t I D : 00: a0: 12: 23: 06: 03
Por t Descr i pt i on : I nt er f ace 1/ 2/ 1

Page 17

Supported Platforms
Link Layer Discovery Protocol (LLDP) + +
Link Layer
Discovery Protocol
(LLDP)
IEEE 802.1AB Public MIB, 802.1AB
Section 12 (LLDP
MIB Definitions)
No RFCs are
supported by this
feature.

Page 1
Configuring Device Authentication Features (Rev. 07)

Configuring Device Authentication Features
Table of Contents
Table of Figures 3
Features Included in This Chapter 4
User Privilege-Levels on the Local Database 5
Users and Privilege-Level Configuration Flow 6
Users and Privilege-Level Configuration Commands 6
Creating a Username and Defining Its Privilege Level in the Local Database 7
Defining the Authentication Method 8
Displaying the Users Privilege Level 9
Remote Authentication Dial in User Service (RADIUS) 10
The RADIUS Negotiation Procedure10
The RADIUS Configuration Flow11
Defining User Privileges on the RADIUS Server12
RADIUS Configuration Commands13
Selecting a RADIUS Server 13
Defining the Shared Secret Key14
Defining the Number of RADIUS Request Retransmissions14
Defining the RADIUS Server Timeout 15
Defining the RADIUS-Server Dead Time15
Terminal Access Controller Access-Control System Plus (TACACS+)19
The TACACS+ Negotiation Procedure19
Comparing TACACS+ and RADIUS20
TACACS+ Configuration Flow21
Defining User Privileges on the TACACS+ Server22
TACACS+ Configuration Commands 23
Selecting a TACACS+ Server23

Page 2

Defining the TACACS+ Shared Encryption Key24
Defining the TACACS+ Timeout24
Secure Shell Server (SSH)28
SSH Vs. Telnet28
Security Considerations29
Supported Clients29
The SSH Server Configuration Flow30
SSH Configuration Commands30
Generating the Initial DSA Public-Parameters31
Initializing the SSH Server31
Stopping the SSH Server31
Secure File Transfer Protocol (SFTP) Client34
The SFTP Client Configuration Commands34
Downloading a File to the Device35
Uploading a File to the SFTP Server37
Listing Files in the SFTP-Server Directory38
Renaming a File on the SFTP Server39
Deleting a File from the SFTP Server39


Page 3

Table of Figures
Figure 1: User Privilege Levels Configuration Flow 6
Figure 4: A RADIUS Communication Example10
Figure 5: RADIUS Configuration Flow11
Figure 6: RADIUS Configuration Example16
Figure 7: TACACS+ Configuration Flow21
Figure 2: Security Alert Message Issued by the SSH Client29
Figure 3: SSH Configuration Flow30


Page 4

Features Included in This Chapter
This chapter provides information on the variety of security features incorporated in the T-Marc
300 Series software to protect it from unauthorized access.
This chapter includes the following features:
User Privilege-Levels
You can control users access to the device and the functions they can perform by
maintaining a local list of authorized users, assigning them to appropriate privilege levels.
RemoteAuthenticationDial inUser Service(RADIUS)
RADIUS is an authentication, authorization, and accounting protocol for securing
networks against unauthorized access.
Terminal AccessController Access-Control SystemPlus(TACACS+)
TACACS+ is a security protocol for remote authentication, authorization, and accounting
that communicates between network devices and an authentication database.
SecureShell Server (SSH)
SSH is a protocol used for securely managing a remote device over an insecure network.
The protocol secures the management sessions using standard cryptographic mechanisms
and ensures data protection as well as password-theft prevention.
SecureFileTransfer Protocol (SFTP) Client
SFTP is a secured file-transfer protocol, provided as a part of SSH. This protocol
encrypts both the commands and the data transferred, providing a secure and
authenticated method for copying router configuration or router image files.


Page 5

User Privilege-Levels on the Local Database
The T-Marc 300 Series CLI is protected by several privilege-levels, preventing unauthorized access
to the different CLI modes.
The local database includes 16 privilege levels, in the range of <0-15>, where users assigned to level
0 have unrestricted privileges over the CLI (highest privilege) and users assigned to level 15 are the
most restricted users (lowest privilege).
Each CLI command is associated to a privilege level. Only users with privilege levels equal or
higher than this privilege level can execute the command.
You can configure any one of the below supported features for authenticating users accessing the
device:
Local database
RADIUS
TACACS+

Table 1: Local Users Privilege-Levels
Privilege Description
Administrators (level 0) Full read/write privileges (with no restrictions) for Layer 2 and
Layer 3.
Network-Admins (level 4) Read/write privileges for Layer 2 and Layer 3, without access
to security (usernames and passwords), debug commands,
and other administrative settings (such as license
management, software upgrade, device reload, and script FS).
Technicians (level 8) Read/write privileges for Layer 2 and read-only privileges for
Layer 3.
Users (level 12) Read-only privileges for Layer 2 and Layer 3. Users with this
privilege level have access to all the show commands and
general commands (such as exit, quit, ping, and traceroute
commands).
Guests (level 15) Read-only privileges in View mode. Users in this level cannot
access the Privileged (Enabled) mode.

Page 6

Users and Privilege-Level Configuration Flow

Figure 1: User Privilege Levels Configuration Flow
Users and Privilege-Level Configuration Commands
Table 2: User Privilege Commands
Command Description
username
Creates a new username and assigns it to a privilege group (see
Creating a Username and Defining Its Privilege Level)
aaa authentication
login default
Defines the default login-authentication method (see Defining the
Authentication Method)
show privilege
Displays the privilege level assigned to the current user (see
Displaying the Users Privilege Level)
Start
End
Create a local username and password, and assign it to a
privilege group
Specify the default login authentication method
Display the privilege level assigned to the current user

Page 7

Creating a Username and Defining Its Privilege Level in the Local
Database
The username command creates a new username and password in the local database, and assigns
the username to a privilege group.
Command Syntax
device-name(config)#username NAME password PASSWORD CONFIRM-PASSWORD [group
{administrators | net-admins | technicians | users | guests}]
device-name(config)#no username NAME
NAME
The new username, a case-sensitive string of up to 32 characters that
can consist of any character except for blank spaces and question
marks.
password
Specifies a password
PASSWORD
The password, a case-sensitive string of up to 64 characters that can
consist of any character except for blank spaces
CONFIRM-PASSWORD
group
(Optional) defines the users privilege group
administrators
Assigns the user to Administrators
net-admins
Assigns the user to Network-Admins
technicians
Assigns the user to Technicians
users
Assigns the user to Users
guests
Assigns the user to Guests
no
Removes the specified username and its associated password from the
local authentication database.


Page 8

Defining the Authentication Method
The aaa authentication login default command defines the device login-authentication
method. You can define both a primary and secondary authentication method. In case the device is
not able to connect the primary method, it attempts to authenticate the username with the
secondary method.
Command Syntax
device-name(config)#aaa authentication login default [tacacs+ radius | radius
tacacs+ | tacacs+ local | radius local | local radius | local tacac+]
device-name(config)#no aaa authentication login default
tacacs+ radius
(Optional) configures TACACS+as primary and RADIUS as secondary
methods.
radius tacacs+
(Optional) configures RADIUS as primary and TACACS+as secondary
methods.
tacacs+ local
(Optional) configures TACACS+as primary and local authentication as
secondary methods.
radius local
(Optional) configures RADIUS as primary and local authentication as
secondary methods.
local radius
(Optional) configures local and RADIUS authentication as primary and
secondary login authentication methods respectively
local tacacs+
(Optional) configures local and TACACS+authentication as primary and
secondary login authentication methods respectively.
no
Disables the username authentication; users need to type the device
password only (refer to the password command in the Device Setup
and Maintenance chapter of the user guide).
Example
Create a user, assign a privilege level to this user and define an authentication method:
device-name(config)#username admin password admin admin group technicians
device-name(config)#aaa authentication login default local local

Page 9

Displaying the Users Privilege Level
The show privilege command displays the privilege level assigned to the current logged-in user.
Command Syntax
device-name>show privilege
device-name#show privilege
Example
device-name#show privilege
Cur r ent user pr i vi l ege i s Techni ci an.

Page 10

Remote Authentication Dial in User Service
(RADIUS)
RADIUS is a client-server protocol for controlling remote users access to the device. The protocol
provides the following services, also known as the AAA services:
Authentication: determining who a user (or entity) is.
Authorization: determining what a user is allowed to do.
Accounting: keeping track of each users network activity.
The RADIUS client (typically a Network Access Server, NAS), exchanges UDPs with the RADIUS
server (usually a UNIX or Windows NT daemon process) to authenticate user-connection requests.
The NAS sends user-connection requests to the designated RADIUS servers. The RADIUS server
responds by returning configuration information necessary for the NAS to provide access to the
user. All user passwords exchanged between the NAS and the RADIUS server are encrypted using
the RSA MD5 algorithm.
The NAS and the RADIUS server use a shared secret-key to authenticate transactions between
them. This secret is never sent over the network.
The RADIUS Negotiation Procedure
The below figure demonstrates a typical RADIUS negotiation procedure. In this example:
1. The user sends a Telnet request to connect to a T-Marc 300 Series device (the NAS).
2. The device sends an AccessRequest packet to the RADIUS server. The Access Request packet
includes the username, encrypted password, NAS IP address, and port. The request also
provides information about the type of session the user wants to initiate.

Figure 2: A RADI US Communication Example

3. The RADIUS server first validates the NAS (based on the shared secret-key). Then it validates
the user request against a local database, matching the users password (and in some cases,
other parameters, such as the port number). The RADIUS server then responds with:
an accept reply, if the user information is validated
a reject reply if the user is not found in the database or its information is not matched.
The reject reply might include the rejection reason.
Based on this reply, the NAS accepts or rejects the users request.

Page 11

The accept reply includes a list of attributes that should be used in the session. An important
parameter is the authenticated users privilege level.
The RADIUS Configuration Flow

Figure 3: RADI US Configuration Flow
Start
Select the RADIUS server(s)
End
Define the shared secret key
Configure users in the local database in case
RADIUS is not responding
(see Configuring User Privilege Levels)
Configure the RADIUS timers
Define user privileges on the RADIUS server
Define RADIUS as the primary authentication
method

Page 12

Defining User Privileges on the RADIUS Server
Follow the below steps on the RADIUS server to ensure correct user privilegs. The example refers
only to a FreeRADIUS server authentication.
1. Complete the RADIUS configuration (as described in the FreeRADIUS README file) on
the RADIUS server.
2. Copy an additional dictionary.batm file (with the below information) to the folder containing
the RADIUS configuration files.
# BATM vendor speci f i c di ct i onar y
# Copyr i ght ( C) 2003 BATM
#
# BATM At t r i but es
#
# exampl e f r eer adi us user ent r y:
#
# t est Aut h- Type : = Local , User - Passwor d == " t est "
# Repl y- Message = " Wel come, %u" ,
# BATM- pr i vi l ege- gr oup = Net wor k- admi ns
#

VENDOR BATM 738

ATTRI BUTE BATM- pr i vi l ege- gr oup 1 i nt eger BATM

VALUE BATM- pr i vi l ege- gr oup Admi ni st r at or s 0
VALUE BATM- pr i vi l ege- gr oup Net wor k- admi ns 4
VALUE BATM- pr i vi l ege- gr oup Techni ci ans 8
VALUE BATM- pr i vi l ege- gr oup User s 12
VALUE BATM- pr i vi l ege- gr oup Guest s 15
3. Assign a privilege level to all other users; in the users configuraiton file, as shown in the below
example:
admi n Aut h- Type = Local , Passwor d = " admi n_passwor d123"
BATM- pr i vi l ege- gr oup = Admi ni st r at or s
4. Add the following line to the dictionary file (in the RADIUS-configuration folder):
$I NCLUDE di ct i onar y. bat m
5. Add the subnetwork address from which NAS is connected to the clients.conf:
cl i ent 10. 2. 200. 200/ 16 {
secr et = bat m
shor t name = n10
}


Page 13

RADIUS Configuration Commands
Table 3: RADIUS Configuration Commands
Command Description
radius-server host
Selects the RADIUS server(s) (see Selecting a RADIUS Server).
radius-server key
Defines the shared secret key between the device and the
RADIUS server (see Defining the Shared Secret Key).

Table 4: RADIUS Timers Configuration Commands
Command Description
radius-server
retransmit
Sets the number of times the device transmits each RADIUS
request (see Defining the Number of RADIUS Request
Retransmissions).
radius-server timeout
Sets the time interval an access server waits for the RADIUS
server to reply before retransmitting (see Defining the RADIUS
Server Timeout).
radius-server
deadtime
Sets the number of minutes the access server marks a RADIUS
server as unavailable (see Defining the RADIUS-Server Dead
Time).
Selecting a RADIUS Server
The radius-server host command selects the RADIUS server(s) used for authenticating users
on the device.
You can select up to five RADIUS servers (repeat the command for each server). When you select
more than one RADIUS server, the device attempts to connect these servers in the same order you
inserted them into the CLI.
Command Syntax
device-name(config)#radius-server host A.B.C.D [<portnumber>]
device-name(config)#no radius-server host A.B.C.D
A.B.C.D
The RADIUS server IP-address
portnumber
(Optional) the UDP-authentication port number, in the range of <102465535>
1812
no
Removes the specified RADIUS server from the database

Page 14

Defining the Shared Secret Key
The radius-server key command defines the shared secret key used between the device and the
RADIUS server.
Command Syntax
device-name(config)#radius-server key STRING
device-name(config)#no radius-server key
STRING
The shared secret
no
Removes the secret key
Defining the Number of RADIUS Request Retransmissions
The radius-server retransmit command defines the number of times the device sends an
authentication request to the RADIUS server, in case the server does not respond.
Command Syntax
device-name(config)#radius-server retransmit <count>
device-name(config)#no radius-server retransmit
count
The number of retransmissions, in the range of <130>
3 retransmissions
no
Restores to default

Page 15

Defining the RADIUS Server Timeout
The radius-server timeout command defines the number of seconds the device waits for the
RADIUS server reply before retransmitting.
Command Syntax
device-name(config)#radius-server timeout <seconds>
device-name(config)#no radius-server timeout
seconds
The timeout in the range of <160>seconds
3 seconds
no
Restores to default
Defining the RADIUS-Server Dead Time
The radius-server deadtime command defines the number of minutes the device waits for a
reply before presuming that the RADIUS server is dead and skips to the next RADIUS server.

NOTE
A RADIUS server is presumed dead, if the timeout is reached in three authentication
sessions (requests) and RADIUS is defined as the primary authentication method.
In this case the device attempts authentication based on the secondary method.

Command Syntax
device-name(config)#radius-server deadtime <minutes>
device-name(config)#no radius-server timeout
minutes
The dead-time interval, in the range of <01440>minutes
no
Sets the dead-time to zero (non-responding servers are not declared dead)

Page 16

RADIUS Server Configuration:
1. Install and configure the RADIUS server.

Figure 4: RADI US Configuration Example
2. Add the following lines to the clients.conf file on the RADIUS server:
client 10.2.200.200/16 {
secret = batm
shortname = n10
}
3. Edit the RADIUS servers users file. Add users:
user Aut h- Type : = Local , passwor d : = " user 123"
Repl y- Message = " user i s i n"
BATM- pr i vi l ege- gr oup = User s
t ech Aut h- Type : = Local , passwor d : = t ech
Repl y- Message : = t ech i s i n
BATM- pr i vi l ege- gr oup : = Techni ci ans
admi n Aut h- Type : = Local , passwor d : = admi n
Repl y- Message : = admi n i s i n
BATM- pr i vi l ege- gr oup : = Admi ni st r at or s
r i chy aut h- t ype = r ej ect
r epl y- message = Pay t he bi l l f i r st !
T-Marc 300 Series Configuration:
1. Select the RADIUS server and define the shared secret key (defined in the clients.conf file, as
shown above):
device-name(config)#radius-server host 10.2.42.137
device-name(config)#radius-server key batm

Page 17

2. Create local user localuser and password mypass:
device-name(config)#username localuser password mypass mypass

NOTE
The local authentication database is used if the configured RADIUS server
does not respond.

3. Define RADIUS as the primary authentication method and local authentication as the
secondary method:
device-name(config)#aaa authentication login default radius local
4. Configure the RADIUS timers:
device-name(config)#radius-server retransmit 3
device-name(config)#radius-server timeout 10
device-name(config)#radius-server deadtime 3
5. Display the RADIUS configuration:

! Cur r ent Conf i gur at i on:
!
! T- Mar c 340
!
i p addr ess 10. 2. 4. 208
i nt er f ace sw0

r adi us- ser ver host 10. 2. 42. 137
r adi us- ser ver key bat m
r adi us- ser ver t i meout 10
r adi us- ser ver deadt i me 3
user name l ocal user passwor d
ea71c25a7a602246b4c39824b855678894a96f 43bb9b71319c39
700a1e045222
aaa aut hent i cat i on l ogi n def aul t r adi us l ocal
i p addr ess 10. 2. 4. 208
. . .

Page 18

Configuration Results:
1. When accessing the device using username richy, the RADIUS server sends a REJECT reply:
Username: richy
Pay t he bi l l f i r st !
Password:
Username:
2. When accessing the device using username user and password looser, the RADIUS server sends
an ACCEPT reply, authenticating the user:
Username: user
Password: user123
device-name>
user i s i n
3. When accessing the device using username localuser password mypass, the user is rejected by the
RADIUS server .
In case the RADIUS server is shut down or disconnected from the device, the device retransmits
the request for three times. After the retransmission timeout, the device attempts to authenticate
the user with the local database (defined as the secondary method), accepting the user.

Page 19

Terminal Access Controller Access-Control System
Plus (TACACS+)
TACACS+ is a security protocol for remote authentication, authorization, and accounting that
communicates between network devices and an authentication database. This protocol is based on
the communication between a NAS (T-Marc 300 Series device) and the TACACS+ authentication
server.
The TACACS+ is based on TCP communication, what is considered to be a more reliable protocol
than UDP (used in RADIUS).
The TACACS+ Negotiation Procedure
A users attempt to connect to the device triggers the following procedure:
1. The NAS mediates between the user and the TACACS+ server requesting and obtaining a
username prompt.
2. When the user types a username at the prompt, the NAS requests and obtains a password
prompt.
3. When the user types a password, the NAS sends the username and password to the
TACACS+ server.
4. Besides a username and password, the TACACS+ server may also request other required
identifying items to authenticate the user.
5. After typing the required information, the TACACS+ server responds with one of the below
options:
Table 5: TACACS+ Server Responses
Response Description
ACCEPT The user is authenticated. Based on configuration, the NAS might need to
start the authorization phase.
REJ ECT The user is not authenticated. Depending on the TACACS+server
configuration, the user is either prompted to retry login or denied from
accessing the network.
ERROR An error occurred during the authentication procedure (such as a network
connection issue). In this case the NAS typically tries to authenticate the
user by an alternative method.
CONTINUE The TACACS+server prompts the user for further authentication
information.


Page 20

Comparing TACACS+ and RADIUS
Table 6: A comparison between TACACS+ and RADIUS
Feature RADIUS TACACS+
Communication
Protocol
UDP TCP
Authentication and
Authorization
Combined AAA processes AAA architecturethree separate
processes: Authentication,
Authorization, and Accounting
Packet Encryption Encrypts only the password sent by
the user to the server
Encrypts the entire packet body but
leaves a standard TACACS+
header
Router
Management
Sends the device a privilege level
used for command authorization
Controls the command authorization
on a per-user or per-group basis by
assigning privilege levels to
commands
Multiprotocol
Support
Does not support some protocols,
such as:
AppleTalk Remote Access
(ARA)
NetBIOS Frame Protocol
Control
Novell Asynchronous Services
Interface (NASI)
X.25 PAD connection
Offers multiprotocol support

Page 21

TACACS+ Configuration Flow

Figure 5: TACACS+ Configuration Flow
Start
Select the TACACS+ server(s)
End
Define the shared encryption key
Configure users in the local database in case
TACACS+is not responding
(see Configuring User Privilege Levels)
Configure the TACACS+ timeout
Define user privileges on the TACACS+ server
Define TACACS+ as the primary authentication
method

Page 22

Defining User Privileges on the TACACS+ Server
The TACACS+ usernames and privilege levels are defined in the TACACS+ configuration file.
The TACACS+ privilege levels are arranged in an ascending order where:
privilege level 0 is the lowest level (Guest level)
privilege level 15 is the highest levle (Administrators)
The following example displays the contents of a TACACS+ server configuration file:
# The shar ed secr et key
key = TacacsPl us

# Use / et c/ shadow f i l e t o do aut hent i cat i on
def aul t aut hent i cat i on = f i l e / et c/ shadow

# Wher e t he account i ng r ecor ds shoul d go t o
account i ng f i l e = / var / l og/ t ac_acc. l og

#The def aul t user . I f absent , each user must have ser vi ce=exec st at ement
# i n or der t o be gr ant ed aut hor i zat i on f or shel l l ogi n r equest .

user = DEFAULT {
def aul t ser vi ce = per mi t
}

# Pr of i l es f or user account s
# user i vo pr i v. l evel 3 conver t ed i nt er nal l y by t he devi ce
# t o 12 ( pr i vi l ege gr oup User s)
user = i vo {
l ogi n = cl ear t ext i vo123
ser vi ce=exec {
pr i v- l vl = 3
}
}
# user r oot pr i v. l evel 15 conver t ed i nt er nal l y by t he devi ce
# t o 0 ( pr i vi l ege gr oup Admi ni st r at or s)
user = r oot {
l ogi n = cl ear t ext r t psw
ser vi ce=exec {
pr i v- l vl = 15
}
}

Page 23

TACACS+ Configuration Commands
Table 7: TACACS+ Configuration Commands
Command Description
tacacs-server host
Selects the TACACS+server(s) (see Selecting a TACACS+
Server)
tacacs-server key
Defines the shared encryption key between the NAS and the
TACACS+server (see Defining the TACACS+ Shared
Encryption Key)
tacacs-server timeout
Defines the time the NAS waits for a response from the
TACACS+server before it times out and declares an error (see
Defining the TACACS+ Timeout)
Selecting a TACACS+Server
The tacacs-server host command selects the TACACS+ server(s), by defining their IP address
and port.
You can select up to five different TACACS+ servers (repeat the command for each server). When
you select more than one server, the device attempts to connect these servers in a predefined order.
The first server to successfully connect (responding with either a PASS or a FAIL reply) accepts or
rejects the request.
Command Syntax
device-name(config)#tacacs-server host A.B.C.D [<port>]
device-name(config)#no tacacs-server host A.B.C.D
A.B.C.D
The TACACS+server IP address
port
(Optional) the TACACS+server port, in the range of <102465535>
49
no
Removes the specified TACACS+server from the device

Page 24

Defining the TACACS+Shared Encryption Key
The tacacs-server key command defines the shared encryption key used for all the traffic
between the device and the TACACS+ server.

NOTE
Defining an encryption key is not mandatory. However, if you configure one on the
device, you must configure the same key on the TACACS+ server.
We recommend defining an encryption key (unencrypted packets are intended for
testing).

Command Syntax
device-name(config)#tacacs-server key ENCRYPTION-KEY
device-name(config)#no tacacs-server key
ENCRYPTION-KEY
The shared encryption key, a string of up to 64 characters. This key is also
encrypted in the running configuration
no
Removes the encryption key
Defining the TACACS+Timeout
The tacacs-server timeout command defines the amount of time the device waits for a
response from the TACACS+ server before it times out and declares an error.
Command Syntax
device-name(config)#tacacs-server timeout <timeout>
timeout
The timeout, in the range of <160>seconds
15 seconds
no
Restores to default

Page 25

The following example displays the contents of the TACACS+ server configuration file.
In this example we demonstrate the following setup:
Shared encryption key= bat m
Usernames and privilege levels:

Username TACACS+ Configuration
File Privilege Level
Internal
Privilege level
Privilege Group
guest 0 15 Guest
ivo 3 12 User
tech 7 8 Technician
netadmin 11 4 Network-Admin
admintac 15 0 Administrator

key = bat m
#Al l ser vi ces ar e al l owed. .
user = DEFAULT {
def aul t ser vi ce = per mi t
}
#Pr of i l es f or user account s

user = guest {
l ogi n = cl ear t ext guest
ser vi ce=exec {
pr i v- l vl = 0
}
}
# When user guest i s aut hent i cat ed and devi ce- name#show pr i vi l ege i s
# ent er ed f r omCLI , t he devi ce wi l l di spl ay t he f ol l owi ng l i ne:
# " Cur r ent user pr i vi l ege i s Guest "
#
# I n t hi s case t he devi ce changes aut omat i cal l y t he pr i vi l ege
# l evel t o 15 t o map t he speci f i ed val ue of 0 t o t he i nt er nal pr i vi l eged
# scheme of t he devi ce ( see " User Pr i vi l ege Level s" chapt er ) .

user = i vo {
l ogi n = cl ear t ext i vo
ser vi ce=exec {
pr i v- l vl = 3
}
}
# devi ce- name#show pr i vi l ege
# " Cur r ent user pr i vi l ege i s User "
# ( Changes aut omat i cal l y t o 12, see " User Pr i vi l ege Level s" chapt er )

Page 26

user = t ech {
l ogi n = cl ear t ext t ech
ser vi ce = exec {
pr i v- l vl = 7
}
}
# " Cur r ent user pr i vi l ege i s Techni ci an"

user = net admi n {
l ogi n = cl ear t ext net admi n
ser vi ce = exec {
pr i v- l vl = 11
}
}
# " Cur r ent user pr i vi l ege i s Net wor k- Admi n"

user = admi nt ac {
l ogi n = cl ear t ext admi nt ac
ser vi ce = exec {
pr i v- l vl = 15
}
}
# " Cur r ent user pr i vi l ege i s Admi ni st r at or "
Device Configuration:
1. Select the TACACS+ server and define the shared encryption key:
device-name(config)#tacacs-server host 10.2.42.137
device-name(config)#tacacs-server key TacacsPlus
2. Create username ivoand password ivo123 in the local database:
device-name(config)#username ivo password ivo123 ivo123 group users
3. Create username root and password rtpswin the local database:
device-name(config)#username root password rtpsw rtpsw group
administrators

Page 27

4. Define TACACS+ as the primary authentication method and local authentication as the
secondary method:
device-name(config)#aaa authentication login default tacacs+ local
5. Display the TACACS+ configuration:
! T- Mar c 340
!
i p addr ess 10. 2. 4. 208
i nt er f ace sw0

r adi us- ser ver host 10. 2. 42. 137
r adi us- ser ver key bat m
r adi us- ser ver t i meout 10
r adi us- ser ver deadt i me 3
t acacs- ser ver host 10. 2. 42. 137
t acacs- ser ver key t acacspl us
user name l ocal user passwor d
ea71c25a7a602246b4c39824b855678894a96f 43bb9b71319c39
700a1e045222
user name i vo passwor d
ac6ab2a87e30f 78f 589a668c4ef 3651e0345b5dab8c20f d03de6327d86
4d9a4d gr oup user s
user name r oot passwor d
b85de4c6ef 68e8ae1b7e6e398817f 315b47286b68f 0f 74ca5a3ccf 267
0f 81507
aaa aut hent i cat i on l ogi n def aul t t acacs+ l ocal
i p addr ess 10. 2. 4. 208
Configuration Results:
1. When accessing the device using username tech, the result is ACCEPT:
Username: tech
Password:
device-name>show privilege
Cur r ent user pr i vi l ege i s Techni ci an
2. When accessing the device using username richy, the result is REJECT:
Username: richy
Password:
Username:
3. When accessing the device using local username root and password rtpsw, when the TACACS+
server is absent, the result is ACCEPT:
Username: root
Password:
device-name>

Page 28

Secure Shell Server (SSH)
SSH is a protocol used for securely managing a remote device over an insecure network. The
protocol secures the management sessions using standard cryptographic mechanisms and ensures
data protection as well as password-theft prevention.
The T-Marc 300 Series supports SSH version 2 (SSH-2). This version supports multiple public-key
algorithms, including Digital Signature Algorithm (DSA).
When initiating an SSH session, the encryption algorithm and the key are negotiated between the
server (on the T-Marc 300 Series) and the client. The SSH server has an authentication timeout,
disconnecting it in case no authentication is accepted. Additionally, system administrators can limit
the number of failed authentication-attempts to the server in a single session before the server
disconnects.
You can use any of the supported authentication methods (RADIUS, TACACS+, or local
database) when connecting to the device via SSH.
SSH Vs. Telnet
Since SSH is an encrypted channel for accessing the device, you can disable the Telnet access,
forcing all administrative sessions to run over an encrypted channel. To disable a Telnet access, use
the telnet stop command (for more information, refer to the Enabling/ DisablingtheDevicesTelnet
Serverssection of the DeviceSetupandMaintenancechapter.)
In addition, when you connect to the device using SSH, avoid using a Telnet client from that device
to another host. This precaution is required to prevent the connection from being vulnerable to
anyone who may spy on both network connections.

Page 29

Security Considerations
Upon the first access to an SSH server, the SSH client usually issues a security-alert message as
shown in the below figure:

Figure 6: Security Alert Message I ssued by the SSH Client
If you receive this message when accessing the SSH server again:
you are either exposed to a malicious intrusion
or the SSH keys were reconfigured
Supported Clients
You can access the SSH server using the following SSH clients:
SSH Communications Security Corps client
OpenSSH secure shell client
PuTTY terminal program
F-Secure SSH client
SecureRT
Other clients supporting SSH (version 2)

Page 30

The SSH Server Configuration Flow

Figure 7: SSH Configuration Flow

SSH Configuration Commands
Table 8: SSH Commands
Command Description
ssh generate-key dsa Generates the initial DSA public-parameters (see Generating the
Initial DSA Public-Parameters)
ssh start Initializes the SSH server (see Initializing the SSH Server)
ssh stop Stops the SSH server (see Stopping the SSH Server)

Start
Start the SSH server
End
Create a username and password on the local
database
Generate the initial DSA public-parameters
Define the login-authentication method
Define usernames and user-privileges for the
selected authentication method

Page 31

Generating the Initial DSA Public-Parameters
The ssh generate-key dsa command generates the initial DSA public-parameters used during
the key-exchange phase.

NOTES
Apply this command before starting the SSH server for the first time.
This command is not displayed in the configuration file but is saved when
rebooting the device after saving the running configuration to the NVRAM.
Command Syntax
device-name(config)#ssh generate-key dsa
Initializing the SSH Server
The ssh start command initializes the SSH server. Users can access the device with an SSH client
only after executing this command.
NOTES
Apply the ssh gener at e- key dsa command prior to executing this command for
the first time.

The SSH server is disabled by default.
Command Syntax
device-name(config)#ssh start
Stopping the SSH Server
The ssh stop command stops the SSH server.

NOTE
Stopping the SSH server closes all open SSH connections to the device.


Page 32

Authenticating the Local Database Usernames and Passwords with SSH
1. Create username abcwith password klm:
device-name(config)#username abc password klm klm
2. Define local authentication as the primary authentication method:
device-name(config)#aaa authentication login default local local
3. Generate the initial DSA public-parameters:
DSA par amet er s wi l l be st or ed onl y af t er wr i t i ng conf i gur at i on i n memor y! ! !
4. Write the SSH configuration to the devices memory:
device-name#write memory

5. Initialize the SSH Server:
6. Stop the Telnet Server:
device-name(config)#telnet stop

Page 33

Authenticating RADIUS Usernames and Passwords with SSH
1. Select a RADIUS server and define the shared secret key:
device-name(config)#radius-server host 10.2.42.137
device-name(config)#radius-server key 123456
2. Create username abcwith password klmin the local database (in case the RADIUS server does
not respond):
device-name(config)#username abc password klm klm
3. Define RADIUS as the primary authentication method:
device-name(config)#aaa authentication login default radius local
4. Generate the initial DSA public-parameters:
DSA par amet er s wi l l be st or ed onl y af t er wr i t i ng conf i gur at i on i n memor y! ! !
5. Write the SSH configuration to the devices memory:
device-name#write memory

6. Start the SSH Server:
7. Stop the Telnet Server:
device-name(config)#telnet stop

Page 34

Secure File Transfer Protocol (SFTP) Client
SFTP is a secured file-transfer protocol, provided as a part of SSH. This protocol encrypts both the
commands and the data transferred, providing a secure and authenticated method for copying
router-configuration or router-image files.
The SFTP Client Configuration Commands
Table 9: SFTP Client Commands

Command Description
copy sftp Downloads a file from a remote SFTP server (see Downloading a
File to the Device)
copy localfile sftp Uploads a file to a remote SFTP server (see Uploading a File)
dir sftp Lists files in remote directory of a remote SFTP server (see Listing
Files)
rename sftp Renames a file located on a remote SFTP server (see Renaming a
File)
del sftp Removes a file located on a remote SFTP server (see Deleting a
File)

Page 35

Downloading a File to the Device
The copy sftp command downloads a file from a remote SFTP server.
Upon the file transfer, the CLI displays the number of received bytes. You can terminate the
command execution by pressing Ctrl+C.
Command Syntax
device-name#copy sftp://[username[:password]@]hostname[:port]/srcfile
[localfile]
Arguments Description
username
(Optional) the SFTP-server username
password
(Optional) the password authenticating the username
hostname
The SFTP server IP Address, in an A.B.C.D format
port
(Optional) the SFTP port number
srcfile
The source file including path
localfile
(Optional) the local filename, including path.
If you do not specify this argument, the file is saved with the source
filename into the current working directory.

NOTE
If you do not the username and password arguments within the command line, the
CLI prompts for them, as shown in the below examples.

Examples
Username and password specified in the command line:
device-name#copy sftp://batm:batm@10.20.30.40:1002/File_Image.Z

Connect i ng t o 10. 20. 30. 40
Remot e di r ect or y i s / home/ bat m
Downl oadi ng f i l e / home/ bat m/ Fi l e_I mage. Z
SFTP r ecei vi ng f i l e f l ash: / Fi l e_I mage. Z : 1249612
Downl oad compl et ed successf ul l y. . .

Page 36

Only a username is specified in the command line:
device-name#copy sftp://batm@10.20.30.40:1002/File_Image.Z
User name: bat m
Passwor d:

Connect i ng t o 10. 20. 30. 40
Neither the username nor the password is specified in the command line:
device-name#copy sftp://10.20.30.40:1002/File_Image.Z
User name: batm
passwor d:

Connect i ng t o 10. 20. 30. 40
The destination filename is specified:
device-name#copy sftp://batm:batm@10.20.30.40:1002/File_Image.Z
New_File_Image.Z

Connect i ng t o 10. 20. 30. 40
SFTP r ecei vi ng f i l e f l ash: / New_Fi l e_I mage. Z : 1249612

Page 37

Uploading a File to the SFTP Server
The copy localfile sftp command uploads a file to the SFTP server.
Upon the file transfer, the CLI displays the number of received bytes. You can terminate the
command execution by pressing Ctrl+C.
Command Syntax
device-name#copy localfile
sftp://[username[:password]@]hostname[:port][/dstfile]
username
password
hostname
port
localfile
The local file including path
dstfile
(Optional) specifies the destination filename including path.
If you do not specify:
a path, the file is saved in the current working directory
a filename, the file is stored with the local filename

NOTE
If you do not the username and password arguments within the command line, the
CLI prompts for them.

Example
device-name#copy File_Image.Z sftp://batm:batm@10.20.30.40:1002/File_Image.Z

Connect i ng t o 10. 20. 30. 40
Upl oadi ng f i l e / home/ bat m/ Fi l e_I mage. Z
SFTP sendi ng f i l e f l ash: / Bi NOS- T- Mar c3X0. Z : 123456
Upl oad compl et ed successf ul l y. . .

Page 38

Listing Files in the SFTP-Server Directory
The dir sftp command lists the existing files in the SFTP-server directory.
The command displays the filenames, size, directory or file, modification date, and permissions.
You can terminate the command execution by pressing Ctrl+C.
Command Syntax
device-name#dir sftp://[username[:password]@]hostname[:port][/dirname]
username
password
hostname
port
dirname
(Optional) the path to the relevant directory, relative to the root directory
(usually the home directory).
Example
device-name#dir sftp://batm:batm@10.20.30.40/usr/temp

Connect i ng t o 10. 20. 30. 40
Remot e di r ect or y i s / home/ bat m/ usr / t emp

- r w- r - - r - - 1 bat m bat m 515 Aug 31 2008 . emacs
- r w- r - - r - - 1 bat m r oot 1177800 J un 25 09: 28 pr oba. c
- r w- r - - r - - 1 bat m bat m 24 Aug 31 2008 . bash_l ogout
- r w- - - - - - - 1 bat m bat m 644 J ul 2 12: 34 . bash_hi st or y
- r w- r - - r - - 1 bat m bat m 124 Aug 31 2008 . bashr c
dr wxr - xr - x 5 bat m bat m 4096 J ul 2 12: 37 .
- r w- r - - r - - 1 bat m bat m 191 Aug 31 2008 . bash_pr of i l e
- r w- r w- r - - 1 bat m bat m 44 J un 5 21: 17 boot . i ni 1
dr wxr - xr - x 5 r oot r oot 4096 J un 26 00: 50 . .
- r w- r - - r - - 1 bat m bat m 120 Aug 31 2008 . gt kr c
- r w- r - - r - - 1 bat m bat m 658 Aug 31 2008 . zshr c
- r w- r w- r - - 1 bat m bat m 118407968 J un 20 18: 07 bi gf i l e
dr wxr - xr - x 3 bat m bat m 4096 Apr 27 2008 . kde
t ot al 13

Page 39

Renaming a File on the SFTP Server
The rename sftp command renames a file located on the remote SFTP server.
Command Syntax
device-name#rename sftp://[username[:password]@]hostname[:port]/old_filename
new_filename
username
password
hostname
port
old_filename
The current filename including the path (relative to the root directory, usually
home directory).
new_filename
The new filename (without the path). This name cannot contain directory
separators and cannot be the same as the old one.
Deleting a File from the SFTP Server
The del sftp command deletes a file from the SFTP server.
Command Syntax
device-name#del sftp://[username[:password]@]hostname[:port]/filename
username
password
hostname
port
filename
The filename including path (relative to the root directory, usually the home
directory).

Page 40

Supported Platforms
CLI User-Privilege Levels + +
RADIUS + +
TACACS+ + +
SSH + +
SFTP Client + +
CLI User-
Privilege
Levels
No Standards are supported
by this feature.
No MIBs are
supported by
this feature.
No RFCs are supported by this
feature.
RADIUS No standards are supported
by this feature.
No MIBs are
supported by
this feature.
RFC 2865, Remote
Authentication Dial In User
Service (RADIUS)
RFC 2869, Remote
Authentication Dial In User
Service (RADIUS)
Extensions
TACACS+ No Standards are supported
by this feature.
No MIBs are
supported by
this feature.
draft-grant-tacacs-02tac-
rfc.1.78.txt draft
SSH
draft-ietf-secsh-
architecture-07
draft-ietf-secsh-
transport-09
draft-ietf-secsh-connect-
09
draft-ietf-secsh-userauth-
09
FIPS 186 (Digital
Signature Standard)
FIPS 180-1 (Secure
Hash Algorithm)
HMAC-SHA1 MAC
algorithm
No MIBs are
supported by
this feature.
RFC 1851, The ESP Triple
DES Transform
RFC 2792, DSA and RSA
Key and Signature Encoding
for the KeyNote Trust
Management System

Page 41

SFTP
Client
No standards are supported
by this feature.
No MIBs are
supported by
this feature.
RFC 4251, The Secure Shell
(SSH) Protocol Architecture
(SSH) Authentication
Protocol
(SSH) Transport Layer
Protocol
(SSH) Connection Protocol

Page 1
Error! No text of specified style in document. (Rev. 01)

Configuring Internet Group Multicast
Protocol (IGMP) Snooping
Table of Contents
Table of Figures 3
Internet Group Multicast Protocol (IGMP) Snooping 4
Overview 4
Multicast Address 4
IGMP Version 1 4
IGMP Version 2 5
Device without IGMP Snooping 6
Joining a Multicast Group 6
Leaving a Multicast Group 8
Immediate Leave 9
Aging a Multicast Group 9
Multicast Routers and Multicast Servers 9
IGMP Configuration Flow10
IGMP Snooping Command Hierarchy11
Enabling/ Disabling the IGMP Snooping13
Enabling/ Disabling the IGMP Snooping on a VLAN13
Specifying IGMP Snooping Timers14
Defining a Device as Querier 15
Specifying the Immediate Leave16
Adding Static Reports17
Specifying Forbidden Ports17
Processing the Unregistered Multicast Traffic18
Specifying the Multicast Router Port18
Specifying the Static IP Multicast Address19

Page 2
Configuring Internet Group Multicast Protocol (IGMP) Snooping (Rev. 01)

Specifying Maximum IGMP Groups19
Specifying Maximum IGMP Reports19
Enabling the Transparent Mode20
Enabling the Proxy Mode20
Enabling the Source Tracking21
Enabling the Report Suppression Mode21
Setting the Query Source IP Addresses to Zeroes22
Specifying Maximum IGMP Reports per Port 22
Enabling the Router Alert Option Ignore23
Specifying the Maximum IGMP Group Number23
Specifying the Maximum IGMP Report Number24
Specifying the Multicast VLAN24
Displaying the IGMP Snooping VLAN Information25
Displaying Multicast Router Ports26
Displaying IGMP Router Timers26
Displaying All IGMP Snooping Entries26
Displaying Information for All Ports28
Displaying IGMP Snooping Limits29
Displaying IGMP Snooping Current Limits29
Displaying IGMP Snooping Queriers by VLAN30
Displaying IGMP Snooping Statistics30
Clearing IGMP Snooping Statistics31
Debug the IGMP Snooping31
Debug IGMP Snooping Packets32
Displaying the Multicast Database32
Enabling/ Disabling Debug of MFIB34


Page 3

Table of Figures
Figure 1: IGMP Version 1 Message Fields 4
Figure 2: IGMP Version 2 Message Fields 5
Figure 3: Initial IGMP Join Message 7
Figure 4: Second Host Joining a Multicast Group 8
Figure 5: IGMP Configuration Flow10
Figure 6: IGMP Snooping Configuration Example35


Page 4

Internet Group Multicast Protocol (IGMP) Snooping
Overview
IGMP is a session-layer protocol used to establish membership in a multicast group, registering a
device to receive specific multicast traffic.
A device that supports IGMP Snooping can passively snoop on IGMP Query, Report and Leave
(IGMP version 2) packets transferred between IP multicast routers/ devices and IP multicast hosts
to learn the IP multicast group membership. It checks IGMP packets that pass through it, picks out
the group registration information, and configures multicasting accordingly.
Without IGMP Snooping, multicast traffic is forwarded to all ports, the same as broadcast traffic.
With IGMP Snooping, multicast traffic is only forwarded to ports that are members of the specific
multicast group. IGMP Snooping generates no additional network traffic, allowing you to
significantly reduce multicast traffic passing through the device.
Multicast Address
Multicast IP addresses range is from 224.0.0.0 to 239.255.255.255. They are also referred to as
Group Destination Address (GDA). A MAC address is associated to each GDA. This GDA MAC
address is formed by 01:00:5E:XX:XX:XX, followed by the latest 23 bits of the GDA multicast IP
address in hex.
IGMP Version 1
The IGMP version 1 message is 8 bytes long and contains the following fields (see Figure 1):
Version (bits 0 to 3)is 1
Type (bits 4 to 7)there are 2 types of IGMP messages:
1=Host Membership Query
2=Host Membership Report
GDA (bits 32 to 63)Group Destination Address

IGMP Version 1 Format
Version Type Unused Checksum
0 3 4 7 8 15 16 31
GDA
32 63
Figure 1: I GMP Version 1 Message Fields

Page 5

A host membership report is issued by a host that wants to join a specific multicast group (GDA).
When the IGMP multicast router receives the host membership report, it adds the GDA to the
multicast forwarding table and starts forwarding the IGMP traffic to this group. Host membership
queries are issued by the IGMP multicast router at regular intervals to check whether there is still a
host interested in the GDA in that segment. Host membership reports are sent either when the
host wants to receive GDA traffic or in response to a host membership query from the IGMP
multicast router.
IGMP version 1 does not have a Leave mechanism. When a host does not want to receive the
IGMP traffic any more, it just quits silently. IGMP multicast routers periodically send host
membership query messages (hereinafter called queries) to discover which host groups have
members on their attached local networks. If no reports are received for a particular group after a
certain number of queries, the routers assume that that group has no local members and that they
need not forward remotely-originated multicasts for that group onto the local network.
The host membership report messages are transmitted with the following datagram:
Layer 2 information:
Source MAC addressis the MAC address of the host
Destination MAC addressis the MAC address for the GDA (01:00:5E:XX:XX:XX)
Layer 3 information:
Source IP addressis the IP address of the host
Destination IP addressis the GDA (from 224.0.0.0 to 239.255.255.255)
IGMP Version 2
The IGMP version 2 message fields, as Figure 2, are as follows:
Type (bits 0 to 7)there are 3 types of IGMP messages:
0x11=Membership Query
0x16=Version 2 Membership Report
0x17=Leave Group
Also, there is an additional type of message for backwards-compatibility with IGMPv1:
0x12=Version 1 Membership Report.
Maximal Response Time (MRT) (bits 8 to 15)this field is meaningful only in
membership query messages, and specifies the maximum allowed time before sending a
responding report in units of 1/ 10 second. In all other messages, it is set to zero by the sender
and ignored by receivers.
GDA (bits 32 to 63)Group Destination Address

IGMP Version 2 Format
Type MRT Checksum
0 7 8 15 16 31
GDA
32 63
Figure 2: I GMP Version 2 Message Fields

Page 6

Report group message is a membership report issued by a host that wants to join a specific
multicast group (GDA). When the IGMP multicast router receives the membership report, it adds
the GDA to the multicast forwarding table and starts forwarding the IGMP traffic to this group.
Membership queries are issued by the IGMP multicast router at regular intervals to check whether
there is still a host interested in the GDA in that segment. Host membership reports are sent either
when the host wants to receive GDA traffic or responds to a membership query from IGMP
multicast router.
If a host does not want to receive the IGMP traffic any more, it sends a Leave Group message.
When the IGMP multicast router receives this Leave Group message, it removes the GDA from
the multicast routing table. In addition, IGMP multicast routers periodically send host membership
query messages (hereafter called queries) to discover which host groups have members on their
attached local networks. If no reports are received for a particular group after a certain number of
queries, the routers assume that that group has no local members and that they need not forward
remotely-originated multicasts for that group onto the local network.

NOTE
According to RFC 2236, all IGMP Version 2 messages have to contain a Router
Alert option in their IP header. IGMP drops any IGMP Version 2 message that
does not contain Router Alert option in its IP header.
Device without IGMP Snooping
By default, the device floods multicast traffic within the broadcast domain. This can consume a lot
of bandwidth if many multicast servers are sending streams to the segment. IGMP Snooping
restrains the flooding process only to ports where IGMP reports have to be received, thus traffic is
sent only when needed.
J oining a Multicast Group
When a host wants to join a multicast group, it sends to the device an IGMP Report message
specifying the multicast group (GDA) he wants to join. The IGMP Snooping device recognizes the
IGMP Report message sent by the host and adds the corresponding port to the forwarding list for
the multicast group (GDA). Subsequently, the device forwards all multicast traffic arriving from this
host only to the ports associated with this GDA.
In Figure 3, host A wants to join multicast group 224.1.2.3 and multicasts an unsolicited IGMP
membership report (IGMP join message) to the group with the equivalent MAC destination
address 01:00:5E:01:02:03. The device recognizes IGMP packets and forwards them to the CPU.
When the CPU receives the IGMP report multicast by host A, it uses the information to set up a
multicast forwarding table entry as shown in Table 1. This information includes the port numbers
of host A and the router.

Page 7

Figure 3: I nitial I GMP J oin Message

Table 1: IP Multicast Forwarding Table Destination Address
MAC Address Type of Packet Ports
01:00:5e:01:02:03 IGMP 1/1/1
The device architecture allows the CPU to distinguish IGMP information packets from other
packets for the multicast group. The device recognizes the IGMP packets through its filter engine.
This prevents the CPU from becoming overloaded with multicast frames.
The entry in the multicast forwarding table tells the switching engine to send frames addressed to
the 01:00:5E:01:02:03 multicast MAC address that are not IGMP packets to the host that has joined
the group.
If another host (for example, host D) sends an IGMP join message for the same group (Figure 4),
the CPU receives that message and adds the port number of host D to the multicast forwarding
table as shown in Table 2.

Page 8

Figure 4: Second Host J oining a Multicast Group
Table 2: Updated Multicast Forwarding Table Destination Address
MAC Address Type of Packet Ports
01:00:5e:01:02:03 IGMP 1/1/1,1/2/2

NOTE
The number of multicast groups is 1000.
When Link Aggregation is configured, all the multicast traffic is passed on the master port. For
more information about Link Aggregation, refer to the ConfiguringInterfaceschapter of this User
Guide.
Leaving a Multicast Group
In IGMP version 1, if a host does not want to receive the IGMP traffic, it just silently quits the
group. IGMP multicast routers periodically send host membership query messages to discover if
any member is still interested in the specific multicast group traffic. As long as the IGMP Snooping
device receives this Query Group message, it forwards the message to the associated port included
in the multicast group. If the router does not receive a Report Group message after three
consecutive queries, it deletes the GDA MAC of the associated port in the MAC Filtering
Database.
In IGMP version 2, if a host does not want to receive the IGMP traffic any more, it sends a Leave
Group message. When the IGMP Snooping device receives this Leave Group message, it sends an
IGMP group specified query message to determine if any device behind that port is interested in
the specific multicast group traffic. If the device does not receive any IGMP Report message, it
removes the GDA MAC address from the associated port in the MAC Filtering Database.

Page 9

Immediate Leave
IGMP Snooping Immediate Leave processing allows the device to remove an interface that sends a
Leave message from the forwarding table without first sending out group-specific queries to the
interface. The port is pruned from the multicast tree for the multicast group specified in the original
Leave message. Immediate Leave processing ensures optimal bandwidth management for all hosts
on a switched network, even when multiple multicast groups are in use simultaneously.

NOTE
IGMP Snooping Immediate Leave is suitable only if after connecting one receiver
on the port.
Aging a Multicast Group
When a report is received (unsolicited or in response to a query), the IGMP snooping sets the age
timer to this entry. If the report is received and the multicast group already exists, the IGMP
snooping just updates the age timer.
Once the age timer expires, the report is removed from the IGMP snooping table and the entry in
Multicast Forwarding Table is updated.
The calculation of the age timer of a report is as follows:
Repor t Age = r obust ness * quer y- i nt er val + r esponse- t i me
Multicast Routers and Multicast Servers
A Multicast router (mrouter) is a router that runs a multicast routing protocol (such as PIM) and
participates in the multicast tree. On the edge of the network, a multicast router might be
connected to an IGMP Snooping device. The port on which the multicast router is connected is
called an mrouter port. The multicast router sends periodic General IGMP queries.
The snooping device identifies an mrouter port by either receiving an IGMP query on that port or
by explicit configuration of the port as an mrouter port (by using the ip igmp snooping vlan
mrouter command).
A Multicast server may be any stream server sending multicast traffic (such as a UDP stream destined
to multicast address). As a rule, a multicast server does not send IGMP queries. The snooping
devices connected to a multicast server (which does not send queries) require additional
configuration (see the example). Multicast traffic is forwarded to group members regardless of the
configuration of the incoming port.

Page 10

IGMP Configuration Flow

Figure 5: I GMP Configuration Flow
Start
Enable IGMP snooping
Create a static report on particular VLAN and port
Configure uplink ports as m-router ports
Configure query sender on user ports
Apply static configuration on some special
ports-forbidden, for-all, static MACs, etc.
Set immediate-leave on VLANs with single host per port
End
Synchronize IGMP timers with other IGMP devices
Disable IGMP snooping per VLAN where it is not needed
Is there a
multicast/IGMP router?
No
Yes

Page 11

IGMP Snooping Command Hierarchy
+ enable
+ configure terminal
- [no] ip igmp snooping
- [no] ip igmp snooping vlan <vlan-id>
- [no] ip igmp snooping router-timers {last-member <last-member-
interval> | query <query-interval> | responses <responses-time>
| robustness <robustness>}
- [no] ip igmp snooping send-query vlan <vlan-id> interface
{PORT-LIST | PORT-AG-LIST} {query-interval <query-interval-
value> | response-time <response-time-value> | group <M.G.R.P>}
- [no] ip igmp snooping vlan <vlan-id> immediate-leave
- [no] ip igmp snooping vlan <vlan-id> interface UU/SS/PP {max-
reports <number> | static report M.G.R.P}
- [no] ip igmp snooping forbidden {PORT-LIST | PORT-AG-LIST}
- [no] ip igmp snooping vlan <vlan-id> mrouter interface {AG0N |
UU/SS/PP}
- [no] ip igmp snooping vlan <vlan-id> static A.B.C.D interface
{PORT-LIST | PORT-AG-LIST}
- [no] ip igmp snooping vlan <vlan-id> max-groups <number>
- [no] ip igmp snooping vlan <vlan-id> max-reports <number>
- ip igmp snooping vlan <vlan-id> transparent
- ip igmp snooping vlan <vlan-id> proxy
- [no] ip igmp snooping vlan <vlan-id> source-tracking
- ip igmp snooping vlan <vlan-id> report-suppression
- [no] ip igmp snooping query-source-ip-zero
- [no] ip igmp snooping interface UU/PP/SS max-reports <number>
- [no] ip igmp snooping ignore router-alert-option
- [no] ip igmp snooping max-groups <number>
- [no] ip igmp snooping max-reports <number>
- [no] multicast vlan <vlan-id> static HH:HH:HH:HH:HH:HH interface
- show ip igmp snooping [vlan <vlan-id>]
- show ip igmp snooping mrouter [vlan <vlan-id>]
- show ip igmp snooping router-timers
- show ip igmp snooping all [count]
- show ip igmp snooping interfaces
- show ip igmp snooping limits [interface UU/SS/PP | vlan <vlan-id> |
vlan <vlan-id> interface UU/SS/PP]
- show ip igmp snooping limits current [vlan <vlan-id> | interface
UU/SS/PP | vlan <vlan-id> interface UU/SS/PP]

Page 12

- show ip igmp snooping querier [vlan <vlan-id>]
- show ip igmp snooping statistics
- show multicast table {l2mac | l2g | l2sg | l3 | nbr | all}
- clear ip igmp snooping statistics [max-groups | leaves | queries |
reports]
- [no] debug igmp snooping {mvr | hw | database | timers | events |
all}
- [no] debug igmp snooping packet {send | recv} [detail]
- [no] debug mfib [l2mac | l2g | l2sg | l3 | unknown | igmp | timers
| events | hw]


Page 13

Enabling/Disabling the IGMP Snooping
The ip igmp snooping command enables IGMP Snooping on all existing VLANs.
When you enable IGMP Snooping, the device automatically learns the ports to which multicast
routers are connected. When you disable IGMP Snooping, the entire configuration is erased.

NOTE
When you enable IGMP Snooping, all multicast data packets are filtered out before
receiving reports, except for well known multicast groups in the range
<01:00:5E:00:00:0001:00:5E:00:00:FF>.

When globally enabling or disabling IGMP Snooping, this feature is also enabled or disabled on all
existing VLANs.
Command Syntax
device-name(config)#ip igmp snooping
device-name(config)#no ip igmp snooping
no Disables IGMP Snooping on all existing VLANs.
Disabled
Enabling/Disabling the IGMP Snooping on a VLAN
The ip igmp snooping vlan command enables IGMP Snooping on the specified VLAN.
You can enable IGMP snooping for each VLAN only after you have enable the global IGMP
snooping, using the ip igmp snooping command.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id>
device-name(config)#no ip igmp snooping vlan <vlan-id>
no
Disables IGMP Snooping for a VLAN.
Enabled
vlan-id Enables IGMP snooping for the specified VLAN in the range of <14094>.

Page 14

Specifying IGMP Snooping Timers
The ip igmp snooping router-timers command specifies the query packet intervals sent to the
host port when performing leavesnooping. The command sets the multicast router timer variables
to synchronize the IGMP Snooping.
By default, when the device receives a Leave packet from a host that is a member of a certain
group. It performs the following steps repeatedly Robustnesstimes:
1. The device sends a specific query for that group, with the response time field set to 1 second
(last-member interval).
2. The device waits 1 second (last-member interval).
3. If the device receives a join request, it refreshes the group membership aging, and stops the
procedure.

NOTE
This procedure is not performed when Immediate Leave is enabled.

NOTE
To calculate the Group Membership Interval and Other Querier Present Interval
(see RFC 2236) use the IGMP Snooping timers.
Command Syntax
device-name(config)#ip igmp snooping router-timers {last-member <last-member-
interval> | query <query-interval> | responses <responses-time> | robustness
<robustness>}
device-name(config)#no ip igmp snooping router-timers {last-member | query |
responses | robustness}
last-member
<last-member-
interval>
Specifies the expected response time, in seconds, for answering a specific
query. The valid range is <0.1125.0>.
1 second
The response time must be less than the query interval.
This value is inserted in the response-time field of the specific query
packet generated by the device. Increasing the response time makes the
traffic less bursty, by spreading out host responses over a larger interval.
query <query-
interval>
Specifies the maximum time interval that the multicast router waits after
sending a group-specific query to determine if hosts are still interested in a
specific multicast group. The valid range is <11.032762.0>.
125 seconds
responses
<responses-
time>
Specifies the expected response time, in seconds, for answering a general
query. The valid range is <0.1125.0>.
10 seconds
This value is inserted in the response-time field of the general query
packet generated by the device. Increasing the response time makes the
traffic less bursty, by spreading out host responses over a larger interval.

Page 15

robustness
<robustness>
Specifies the number of specific query packets sent by the device. The
valid range is <2254>.
2 packets
The robustness variable allows tuning for the expected packet loss. If a
subnet is expected to be lost, the robustness variable may be increased.
no
Example
In the following example four specific queries are sent every 30 seconds with response time set to
15 seconds. If the device does not receive any join request after 60 seconds, it sends the Leave
packet to the multicast router port.
device-name(config)#ip igmp snooping router-timers last-member 30
device-name(config)#ip igmp snooping router-timers responses 15
device-name(config)#ip igmp snooping router-timers robustness 4
Defining a Device as Querier
The ip igmp snooping send-query command starts sending general queries on a specified
VLAN and port.
The query generator can be implemented only when IGMP Snooping is enabled. It generates
queries at the configured rate (query-interval).
Command Syntax
device-name(config)#ip igmp snooping send-query vlan <vlan-id> interface {PORT-
LIST | PORT-AG-LIST} {query-interval <query-interval-value> | response-time
<response-time-value> | group <M.G.R.P>}
device-name(config)#no ip igmp snooping send-query vlan <vlan-id> interface
vlan-id Specifies the VLAN ID number in range <14094>.
PORT-LIST Specifies the query port list distribution. Use commas as
separators and hyphens to indicate sub-ranges (e.g. 1/1/1
1/2/5, 1/2/7).
PORT-AG-LIST Specifies the Query link aggregation port list, of the form:
ag01, ag02ag05, ag07. The valid range is <ag01ag07>.
query-interval <query-
interval-value>
Specifies the interval between queries in seconds, in the
range <1300>.
125 seconds
response-time <response-
time-value>
Specifies the host response timeout, in seconds, to be set in
the query frame, in the range <125>.
10 seconds
group <M.G.R.P> Multicast group to query for.
no
Removes the query generator.

Page 16

Example

NOTE
The configured response timeout value is specified in seconds, but the value that is
actually inserted in the packet is in 1/10 second units.

Configure the general query packet every 50 seconds in VLAN 5 on port 1/ 1/ 1 with response
timeout of 15 seconds:
device-name(config)#ip igmp snooping send-query vlan 5 interface 1/1/1 query-
interval 50 response-time 15
Specifying the Immediate Leave
The ip igmp snooping vlan immediate-leave command enables IGMP immediate-leave
processing.
When you enable IGMP Immediate Leave processing, the device immediately removes a port from
the IP multicast group when it detects an IGMP version2 Leave message on that port. Immediate
Leave processing allows the device to remove a port that sends a Leave message from the
forwarding table without first sending out group-specific queries to the port. You can use the
Immediate-Leave only when there is only a single receiver present on every port in the VLAN.

NOTE
IGMP Snooping Immediate Leave is suitable only if one receiver is connected on
the port.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> immediate-leave
device-name(config)#no ip igmp snooping vlan <vlan-id> immediate-leave
vlan-id Refer to the Argument Description.
no
Disabled
Example
device-name(config)#ip igmp snooping vlan 1 immediate-leave

Page 17

Adding Static Reports
The ip igmp snooping vlan interface command creates a static report on particular VLAN
and port.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> interface UU/SS/PP {max-
reports <number> | static report M.G.R.P}
device-name(config)#no ip igmp snooping vlan <vlan-id> interface UU/SS/PP {max-
reports | static report M.G.R.P}
interface UU/SS/PP Specifies the operating port.
max-reports <number> Specifies the maximum number of IGMP reports that the port can
join, in the range <02000>.
2000
static
Adds a static entry.
report
Adds a report entry.
M.G.R.P Specifies the IP multicast address.
no
Removes the static report.
Example
device-name(config)#ip igmp snooping vlan 1 interface 1/2/8 static report
228.1.23.4

Specifying Forbidden Ports
The ip igmp snooping forbidden command forbids forwarding of the entire multicast traffic
via the specified ports.
Command Syntax
device-name(config)#ip igmp snooping forbidden {PORT-LIST | PORT-AG-LIST}
device-name(config)#no ip igmp snooping forbidden {PORT-LIST | PORT-AG-LIST}

Page 18

hyphens to indicate sub-ranges (e.g. 1/2/11/2/5, 1/2/7).
PORT-AG-LIST Specifies the link aggregation port list, of the form: ag01, ag02ag05,
ag07. The valid range is <ag01ag07>.
Enabled
Processing the Unregistered Multicast Traffic
The multicast traffic sent to groups for which do not receive any membership reports, is regarded
as unregistered traffic.
NOTE
Ports on which IGMP queries are received or configured as mrouter ports receive
all multicast traffic in the VLAN.

IGMP does not process membership reports for groups in the local-link IP multicast range
<224.0.0.0224.0.0.255>, since many hosts do not join multicast groups in this range. Thus, the
traffic in the range <01:00:5E:00:00:0001:00:5E:00:00:FF> is always unregistered and forwarded
to all ports in the VLAN.
Specifying the Multicast Router Port
The ip igmp snooping vlan mrouter command configures a static connection to a multicast
router. The port to the router must be in the selected VLAN.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> mrouter interface {ag0N |
UU/SS/PP}
device-name(config)#no ip igmp snooping vlan <vlan-id> mrouter interface {ag0N
| UU/SS/PP}
vlan-id Specifies the multicast router VLAN ID value, in the range <14094>.
ag0N
Specifies the aggregation port to the multicast router. N is in the range <17>.
UU/SS/PP Specifies the multicast router port.
no
Removes the multicast router port definition on the specific VLAN.
Example
device-name(config)#ip igmp snooping vlan 200 mrouter interface 1/1/1

Page 19

Specifying the Static IP Multicast Address
The ip igmp snooping vlan static command configures a Layer 2 port of a VLAN as a
member of a multicast group.
Hosts or physical ports normally join multicast groups dynamically, but you can also statically
configure a host on a port.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> static M.G.R.P interface
device-name(config)#no ip igmp snooping vlan <vlan-id> [static M.G.R.P]
[interface {PORT-LIST | PORT-AG-LIST}]
M.G.R.P Specifies the multicast address.
PORT-LIST Specifies one or more port numbers. Use commas as separators
and hyphens to indicate sub-ranges (e.g. 1/1/11/2/5, 1/2/7).
PORT-AG-LIST Specifies the link aggregation port list, of the form: ag01, ag02
ag05, ag07. The valid range is <ag01ag07>.
no
Removes the static multicast definition.
Specifying Maximum IGMP Groups
The ip igmp snooping vlan max-groups command defines the number of multicast groups
which can be registered for IGMP snooping of each VLAN.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> max-groups <number>
device-name(config)#no ip igmp snooping vlan <vlan-id> max-groups
max-groups <number> Specifies the maximum number of IGMP groups that VLAN can
2000
no
Restores the number of maximum groups to the default value.
Specifying Maximum IGMP Reports
The ip igmp snooping vlan max-reports command specifies the maximum number of IGMP
reports that the VLAN can join.

Page 20

Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> max-reports <number>
device-name(config)#no ip igmp snooping vlan <vlan-id>> max-reports
max-reports <number> Specifies the maximum number of IGMP reports that VLAN can
2000
no
Restores the number of maximum reports to the default value
Enabling the Transparent Mode
The ip igmp snooping vlan transparent command enables the Transparent mode. The
snooping device does not generate packets, only listens and builds its database and forwards the
rules quietly. In this mode of operation the multicast router receives all IGMP messages generated
in the VLAN. These can overhead the router with reports or sending specific queries.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> transparent
transparent
Specifies the transparent mode.
Enabling the Proxy Mode
The ip igmp snooping vlan proxy command enables the Proxy mode. The number of
processing done on the multicast router is reduced, because the device acts as Proxy. Some of
multicast router ports act as IGMP hosts and other ports as IGMP routers. Since the device acts as
a multicast router, but it is not a multicast router, the generated IGMP messages have the IP source
address of the IP interface sw0.

Page 21

Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> proxy
proxy
Specifies the proxy mode.
Enabling the Source Tracking
The ip igmp snooping vlan source-tracking command tracks IGMP membership reports
from individual hosts for each port on a per-VLAN basis.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> source-tracking
device-name(config)#no ip igmp snooping source-tracking
no Disables source tracking.
Enabled
Enabling the Report Suppression Mode
The ip igmp snooping vlan report-suppression command enables the Report Suppression
mode (the default mode). The device uses IGMP report suppression mode to forward only one
IGMP report per multicast router query to multicast devices. When IGMP router suppression is
enabled, the device sends the first IGMP report from all hosts for a group to all the multicast
routers. The device does not send the remaining IGMP reports for the group to the multicast
routers. This feature prevents duplicate reports from being sent to the multicast devices.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> report-suppression

Page 22

Setting the Query Source IP Addresses to Zeroes
The ip igmp snooping query-source-ip-zero command enables generating queries (on Leave
and on xSTP change) with source IP address that is all zeros (i.e. 0.0.0.0) according to the draft-ietf-
magma-snoop-11.txt draft.

NOTE
Windows clients do not accept queries with source IP address 0.0.0.0.
Command Syntax
device-name(config)#ip igmp snooping query-source-ip-zero
device-name(config)#no ip igmp snooping query-source-ip-zero
The source IP address of the queries is the IP address of the IP
interface sw0.
Specifying Maximum IGMP Reports per Port
The ip igmp snooping interface max-reports command specifies the maximum number of
IGMP reports that the port can join
Command Syntax
device-name(config)#ip igmp snooping interface UU/PP/SS max-reports <number>
device-name(config)#no ip igmp snooping interface UU/PP/SS max-reports
UU/SS/PP Specifies the port of the multicast device.
max-reports <number>
Specifies the maximum number of IGMP reports that port can join,
in the range <02000>.
2000
no Restores the maximum number of IGMP reports that specified port
can join to default value.

Page 23

Enabling the Router Alert Option Ignore
The ip igmp snooping ignore command enables the processing of IGMP packets without
router alert option.
Command Syntax
device-name(config)#ip igmp snooping ignore router-alert-option
device-name(config)#no ip igmp snooping ignore router-alert-option
router-alert-option IGMP packets are not checked for the router alert option.
no IGMP packets are checked for the router alert option.
Example
Specifying the Maximum IGMP Group Number
The ip igmp snooping max-groups command defines the number of multicast groups which
can be registered for IGMP snooping.
Command Syntax
device-name(config)#ip igmp snooping max-groups <number>
device-name(config)#no ip igmp snooping max-groups
number Specifies the maximum number of IGMP groups, in the range <02000>.
2000
no Restores the number of maximum groups to the default value.

Page 24

Specifying the Maximum IGMP Report Number
The ip igmp snooping max-reports command specifies the maximum number of IGMP
reports.
Command Syntax
device-name(config)#ip igmp snooping max-reports <number>
device-name(config)#no ip igmp snooping max-reports
number Specifies the maximum number of IGMP reports in the range <02000>.
2000
no Restores the number of maximum reports to the default value.
Specifying the Multicast VLAN
The multicast vlan command specifies the VLAN ID on a specified port, with a static MAC
address, on which multicast data is received.
Command Syntax
device-name(config)#multicast vlan <vlan-id> static HH:HH:HH:HH:HH:HH interface
device-name(config)#no multicast vlan <vlan-id> static HH:HH:HH:HH:HH:HH
vlan-id Specifies the VLAN ID value, in the range <14094>.
static
HH:HH:HH:HH:HH:HH
Specifies the static multicast MAC address.
hyphens to indicate sub-ranges (e.g. 1/1/11/2/5, 1/2/7).
PORT-AG-LIST Specifies the link aggregation port list, of the form: ag01, ag02
ag05, ag07. The valid range is <ag01ag07>.
no
Removes the previously configured static multicast entry.

Page 25

Displaying the IGMP Snooping VLAN Information
The show ip igmp snooping command displays the IGMP Snooping information on the
VLANs.
Command Syntax
device-name#show ip igmp snooping [vlan <vlan-id>]
vlan <vlan-id> (Optional) displays all IGMP Snooping information for a specified VLAN ID
value, in the range <14094>.
Example
device-name#show ip igmp snooping
vlan 1
=======
IGMP snooping is enabled on this VLAN.
IGMP Snooping Mode: Suppress Reports
IGMP Snooping Source-Tracking: Enabled
IGMP Snooping Immediate-leave: Disabled

Report Table
=============================================================
Group Address | Interface | Age | Type
-----------------+-----------+-----+-------------------------
224.2.2.2 | 1/1/2 | 208.0| REPORTv2
224.2.1.1 | 1/1/2 | 258.1| REPORTv2
-------------------------------------------------------------

Mrouter Interfaces Table
=============================================================
Interface | Source Address | Age | Type
-----------+-----------------+-----+-------------------------
1/1/1 | 1.1.1.1 | 82.4| MROUTER, DYNAMIC
-------------------------------------------------------------

Group Entries Table
=============================================================
Group Address | Ports
-----------------+-------------------------------------------
224.2.2.2 | 1/1/2 1/1/1
224.2.1.1 | 1/1/2 1/1/1
-------------------------------------------------------------

Page 26

Displaying Multicast Router Ports
The show ip igmp snooping mrouter command displays the multicast router ports.
Command Syntax
device-name#show ip igmp snooping mrouter [vlan <vlan-id>]
vlan <vlan-id> (Optional) displays all multicast router ports for a specified VLAN ID value,
in the range <14094>. If you do not specify this argument, the information
for all VLANs is displayed.
Example
Display static and dynamic multicast router ports for all VLANs:
device-name#show ip igmp snooping mrouter
=============================================================
Vlan | Interface | Source Address | Age | Type
------+-----------+-----------------+-----+------------------
1 | 1/1/1 | 1.1.1.1 | 254.1| MROUTER, DYNAMIC
-------------------------------------------------------------
Displaying IGMP Router Timers
The show ip igmp snooping router-timers command displays the multicast router timer to
synchronize IGMP Snooping.
Command Syntax
device-name#show ip igmp snooping router-timers
Example
Display the multicast router timers:
Last member query interval : 1.0 sec
Responses interval : 10.0 sec
Query interval : 125.0 sec
Robustness : 2 packets
Displaying All IGMP Snooping Entries
The show ip igmp snooping all command displays all IGMP Snooping entries form the
database.

Page 27

Command Syntax
device-name#show ip igmp snooping all [count]
count (Optional) counts all IGMP Snooping entries form the database.
Example 1
device-name#show ip igmp snooping all
Vlan 1
Ingress TABLE
Ing GrIp 224.2.2.2, Iface 1/1/2, Type 1, Timer 1448, PendQueue 0
Source Ip = 2.2.2.2
Ing GrIp 224.2.1.1, Iface 1/1/2, Type 1, Timer 1949, PendQueue 0
Source Ip = 2.2.2.2
Ingress count 2
Mrouter TABLE
Mrt IfIdx 1/1/1, SrcIp 1.1.1.1, Type 0, Timer 192,
Mrouter count 1
Egress TABLE
Egr GrIp 224.2.2.2, IfCount 2 - 1/1/2 1/1/1
Egr GrIp 224.2.1.1, IfCount 2 - 1/1/2 1/1/1
Egress count 2
Querier TABLE
Queries count 0
Vlan 10
Ingress TABLE
Ingress count 0
Mrouter TABLE
Mrouter count 0
Egress TABLE
Egress count 0
Querier TABLE
Queries count 0

Page 28

Example 2
device-name#show ip igmp snooping all count
Vlan 1
Ingress TABLE
Ingress count 0
Mrouter TABLE
Mrouter count 1
Egress TABLE
Egress count 2
Querier TABLE
Querier Interface 1/2/3, GrpIp 224.0.0.1, QueryInterval 125 Resp
onseInterval 10
Querier Interface 1/1/1, GrpIp 224.0.0.1, QueryInterval 300 Resp
onseInterval 25
Queries count 2
Displaying Information for All Ports
The show ip igmp snooping interfaces command displays IGMP Snooping information for
all ports.
Command Syntax
device-name#show ip igmp snooping interfaces
Example
device-name(config)#ip igmp snooping forbidden 1/1/1,1/1/2
=========================================
Interface | State | Forbidden |
------------+---------------+-----------+
1/1/1 | Operational | Yes |
1/1/2 | Operational | Yes |
1/2/1 | Operational | No |

ag01 | Operational | No |

-----------------------------------------

Page 29

Displaying IGMP Snooping Limits
The show ip igmp snooping limits command displays IGMP Snooping limits for a specified
port and VLAN.
Command Syntax
device-name#show ip igmp snooping limits [interface UU/SS/PP | vlan <vlan-id> |
vlan <vlan-id> interface UU/SS/PP]
interface UU/SS/PP (Optional) displays all IGMP Snooping limits for a specified port of the
multicast router.
vlan <vlan-id> (Optional) displays all IGMP Snooping limits for a specified VLAN ID
value, in the range <14094>.
Example
device-name#show ip igmp snooping limits
Number of max Reports for application : 2000
Number of max Reports for Default VSI : 30

Number of max Groups for application : 2000
Number of max Groups for Default VSI : 200
Displaying IGMP Snooping Current Limits
The show ip igmp snooping limits current command displays all IGMP Snooping current
limits for a specified port and VLAN.
Command Syntax
device-name#show ip igmp snooping limits current [vlan <vlan-id> | interface
UU/SS/PP | vlan <vlan-id> interface UU/SS/PP]
current
Displays all IGMP Snooping reports and groups currently
present in IGMP database.
interface UU/SS/PP
vlan <vlan-id>
(Optional) refer to the Argument Description above.


Page 30

Example
device-name#show ip igmp snooping limits current
Number of current Reports for application : 5
Number of current Reports for Default VSI : 5

Number of current Groups for application : 2
Number of current Groups for Default VSI : 2
Displaying IGMP Snooping Queriers by VLAN
The show ip igmp snooping querier command displays IGMP snooping queriers by VLAN..
Command Syntax
device-name#show ip igmp snooping querier [vlan <vlan-id>]
vlan <vlan-id> (Optional) displays all IGMP Snooping queriers sending for a
specified VLAN ID value, in the range <14094>.
Example
device-name#show ip igmp snooping querier
============================================================================
Vlan|Source Address|Multicast Grp |Type|Query Int|Rsp Time| Interface | Age
----+--------------+--------------+----+---------+--------+-----------+-----
1 | 200.1.1.1 | 224.0.0.1 | D | 125 | 10 | 1/2/8 | 88.5
1 | 200.1.1.1 | 224.0.0.1 | D | 125 | 10 | 1/2/7 | 88.5
Displaying IGMP Snooping Statistics
The show ip igmp statistics command displays the current settings of various IGMP statistics
counters.
Command Syntax
device-name#show ip igmp snooping statistics

Page 31

Example
device-name#show ip igmp snooping statistics
Total Queries Received : 8
Total Reports Received : 43
Total Leaves Received : 0
Current Groups : 2
Max Simultaneously Groups : 2
Clearing IGMP Snooping Statistics
The clear ip igmp snooping statistics command clears all counters (if no parameter is
configured) or the specified IGMP counter.
Command Syntax
device-name#clear ip igmp snooping statistics [max-groups | leaves | queries |
reports]
max-groups
(Optional) clears the maximum simultaneous groups counter.
leaves
(Optional) clears the Leave packets received counter.
queries
(Optional) clears the query packets received counter.
reports
(Optional) clears the report packets received counter.
Example
device-name#clear ip igmp snooping statistics
Debug the IGMP Snooping
The debug igmp snooping command debugs IGMP Snooping.
Command Syntax
device-name#debug igmp snooping {mvr | hw | database | timers | events | all}
device-name#no debug igmp snooping {mvr | hw | database | timers | events |
all}

Page 32

mvr Debugs IGMP Snooping MVR (Multicast VLAN Registration).
hw Debugs IGMP Snooping hardware calls.
database Debugs IGMP Snooping database.
timers Debugs IGMP Snooping timers.
events Debugs IGMP Snooping events.
all Debugs all IGMP Snooping.
no Stops the IGMP Snooping debug.
Debug IGMP Snooping Packets
The debug igmp snooping packet command debugs IGMP Snooping PDUs.
Command Syntax
device-name#debug igmp snooping packet {send | recv} [detail]
device-name#no debug igmp snooping packet {send | recv} [detail]
send Debugs all IGMP Snooping sent PDU.
recv Debugs all IGMP Snooping received PDU.
detail (Optional) debugs all IGMP Snooping PDU details.
no Stops the IGMP Snooping PDUs debug.
Displaying the Multicast Database
The show multicast table command displays the multicast database information.
Command Syntax
device-name#show multicast table {l2mac | l2g | l2sg | l3 | nbr | all}
l2mac Displays L2 MAC address entries.
l2g Displays multicast L2 group entries.
l2sg Displays multicast L2 source group table entries.
l3 Displays L3 entries.
nbr Displays neighbors.

Page 33

all Displays all entries.
Example
device-name#show multicast table all
Layer 2 Vlan, MAC Multicast Table
===============================================================================
Vlan| MAC | Interfaces
----+-------------------+------------------------------------------------------
1 | 01:00:5E:02:02:02 | 1/1/1
1 | 01:00:5E:03:04:01 | 1/1/1, 1/1/2
1 | 01:00:5E:02:01:01 | 1/1/1, 1/1/2
10 | 01:00:5E:01:01:01 |
===============================================================================

Layer 2 Ip Multicast Vlan,G,S Table
===============================================================================
Vlan| Group Ip | Source Ip |CPU| SPort |L3|TA|ExpTime|Ports
----+-----------------+-----------------+---+-------+--+--+-------+------------
--
1 | 224.2.2.2 | 1.1.1.1 | 0 | 1/1/1 |0 |0 | 209 |1/1/1
===============================================================================
Total Count 1

Layer 2 Ip Multicast *,G Table
===============================================================================
Vlan | Group Ip | Interfaces
------+-----------------+------------------------------------------------------
1 | 224.3.4.1 | 1/1/1, 1/1/2
1 | 224.2.1.1 | 1/1/1, 1/1/2
===============================================================================
Total Count 2

Layer 3 Ip Multicast S,G
===============================================================================
Group Ip | Source Ip | RP |SrcV|AgVl|B|N|R|DVlans
-----------------+-----------------+-----------------+----+----+-+-+-+---------
===============================================================================
Total Count 0

Multicast Routers Table
==============================================================================
Vlan | Interfaces
------+-----------------------------------------------------------------------
10 |
1 | 1/1/1
===============================================================================
Total Count 2

Page 34

Enabling/Disabling Debug of MFIB
The debug mfib command enables debugging information regarding the multicast database.
Command Syntax
device-name#debug mfib [l2mac | l2g | l2sg | l3 | unknown | igmp | timers |
events | hw]
device-name#no debug mfib [l2mac | l2g | l2sg | l3 | unknown | igmp | timers |
events | hw]
l2mac (Optional) debugs multicast MAC table.
l2g (Optional) debugs multicast L2 group table.
l2sg (Optional) debugs multicast L2 source group table.
l3 (Optional) debugs multicast L3 table.
unknown (Optional) debugs multicast unknown packets.
igmp (Optional) debugs multicast events from IGMP snooping.
timers (Optional) debugs multicast timers.
events (Optional) debugs multicast events.
hw (Optional) debugs multicast hardware.
no Disables debugging information regarding multicast database.

Page 35

The following figure shows an example of IGMP configuration. The multicast server is the source
of the multicast traffic. Switch 3 is configured as IGMP General Query sender. multicast receivers
(clients) are connected to Switch 1 and Switch 2.

Figure 6: I GMP Snooping Configuration Example
Configuring Switches 1, 2:
Enable IGMP Snooping:
Configuring Switch 3:
1. Enable IGMP Snooping:
2. Set port 1/ 2/ 8 as multicast-router (mrouter) port:
device-name(config)#ip igmp snooping vlan 1 mrouter interface 1/2/8
3. Set the maximum number of IGMP groups that the VLAN can join:
device-name(config)#ip igmp snooping vlan 1 max-groups 20

Page 36

4. Set the maximum number of IGMP reports that the VLAN can join:
device-name(config)#ip igmp snooping vlan 1 max-reports 30
5. Set a static multicast IP address on port 1/ 2/ 8:
device-name(config)#ip igmp snooping vlan 1 static 228.1.23.4 interface
1/2/8
6. Add static report on port 1/ 2/ 1:
device-name(config)#ip igmp snooping vlan 1 interface 1/2/1 static report
228.1.23.5
7. Enable transparent mode:
device-name(config)#ip igmp snooping vlan 1 transparent
8. Send every 30 seconds specific queries with response time set to 15 seconds:
device-name(config)#ip igmp snooping router-timers query 30.0
device-name(config)#ip igmp snooping router-timers responses 15.0
device-name(config)#ip igmp snooping router-timers robustness 4
9. Set the maximum number of IGMP groups:
device-name(config)#ip igmp snooping max-groups 30
10. Set the maximum number of IGMP reports:
device-name(config)#ip igmp snooping max-reports 50
11. Add port 1/ 2/ 8 to the multicast group:
device-name(config)#ip igmp snooping interface 1/2/8 max-reports 30
12. Disable router alert option check:
13. Set Query-sender on the client ports 1/ 2/ 1 and 1/ 2/ 2:
device-name(config)#ip igmp snooping send-query vlan 1 interface 1/2/1-
1/2/2 query-interval 10 response-time 15
Display the IGMP Snooping configuration and statistics for Switch3
1. Display the IGMP Snooping information:
device-name#show ip igmp snooping
vlan 1
=======
IGMP snooping is enabled on this VLAN.
IGMP Snooping Mode: Transparent
IGMP Snooping Source-Tracking: Enabled
IGMP Snooping Immediate-leave: Disabled

Report Table
=============================================================
Group Address | Interface | Age | Type
-----------------+-----------+-----+-------------------------
228.1.23.5 | 1/2/1 | 0.0 | REPORTv2, STATIC

Page 37

-------------------------------------------------------------

Mrouter Interfaces Table
=============================================================
Interface | Source Address | Age | Type
-----------+-----------------+-----+-------------------------
1/2/8 | 1.0.0.1 | 0.0 | MROUTER, STATIC
-------------------------------------------------------------

Group Entries Table
=============================================================
Group Address | Ports
-----------------+-------------------------------------------
228.1.23.5 | 1/2/1 1/2/8
228.1.23.4 | 1/2/8
-------------------------------------------------------------
2. Display the multicast router ports:
device-name#show ip igmp snooping mrouter
=============================================================
Vlan | Interface | Source Address | Age | Type
------+-----------+-----------------+-----+------------------
1 | 1/2/8 | 1.0.0.1 | 10 | MROUTER, STATIC
-------------------------------------------------------------
3. Display all IGMP Snooping entries form the database:
device-name#show ip igmp snooping all
Vlan 1
Ingress TABLE
Ing GrIp 228.1.23.5, Iface 1/2/1, Type 3, Timer 0,
PendQueue 0
Source Ip = 1.0.0.1
Ingress count 1
Mrouter TABLE
Mrt IfIdx 1/2/8, SrcIp 0.0.0.0, Type 1, Timer 0,
Mrouter count 1
Egress TABLE
Egr GrIp 228.1.23.5, IfCount 2 - 1/2/1 1/2/8
Egr GrIp 228.1.23.4, IfCount 1 - 1/2/8
Egress count 2
Querier TABLE
Querier Interface 1/2/2, GrpIp 224.0.0.1, QueryInterval 10
Respo
nseInterval 15
Respo
nseInterval 15
Queries count 2

device-name#show ip igmp snooping all count
Vlan 1
Ingress TABLE
Ingress count 1
Mrouter TABLE
Mrouter count 1
Egress TABLE
Egress count 2

Page 38

Querier TABLE
Respo
nseInterval 15
Respo
nseInterval 15
Queries count 2
4. Display IGMP Snooping information for all ports:
=========================================
Interface | State | Forbidden |
------------+---------------+-----------+


-----------------------------------------
5. Display IGMP Snooping limits:
device-name#show ip igmp snooping limits
Number of max Reports for application : 2000
Number of max Reports for Default VSI : 50

Number of max Groups for application : 2000
Number of max Groups for Default VSI : 30
6. Display all IGMP Snooping query sending:
device-name#show ip igmp snooping querier
===============================================================================
Vlan| Source Address | Multicast Grp | Query Int | Rsp Time | Interface | Age
----+----------------+----------------+-----------+----------+-----------+-----
1 | 1.0.0.1 | 224.0.0.1 | 10 | 15 | 1/2/2 | 5.2
1 | 1.0.0.1 | 224.0.0.1 | 10 | 15 | 1/2/1 | 5.3
-------------------------------------------------------------------------------
7. Display the multicast router timer to synchronize IGMP Snooping:
Last member query interval : 1.0 sec
Responses interval : 15.0 sec
Query interval : 30.0 sec
Robustness : 4 packets

Page 39

Supported Platforms
IGMP Snooping + +
IGMP Snooping No standards are
supported by this
feature.
No MIBs are
supported by this
feature.
RFC 1112, Host
Extensions for IP
Multicasting
RFC 2236, Internet Group
Management Protocol,
Version 2
draft-ietf-magma-snoop-
11.txt

Page 1
Configuring Simple Network Management Protocol (SNMP) (Rev. 08)

Configuring Simple Network Management
Protocol (SNMP)
Table of Figures 3
Overview 4
SNMP Entity 4
SNMP Agent 5
Structure of Management Information (SMI) 5
SNMP Manager 5
Management Information Base (MIB) 5
SNMP Engine ID 5
SNMP View Records 6
SNMP Notifications 6
The Discovery Mechanism 8
Versions of SNMP 10
SNMP Default Configuration12
SNMP Configuration Flow13
SNMP Configuration Commands 14
Configuring the Agent Engine ID 16
Enabling the SNMP Server17
Defining SNMPv3 Views17
Defining SNMP Groups19
Defining an SNMP User21
Assigning an Access List to a User22
Defining SNMP Notification23
Configuring the SNMP Notification Log32
Configuring SNMP Logging of Sent Notifications33
Clearing the SNMP Notification Log34
Defining the Notification Target Parameter34
Defining the Notification Target Address35
Enabling the Sending of snmpSetExecuted Notifications36

Page 2

Enabling the Sending of authenticationFailure Notifications 36
Defining a Notification Target Profile37
Defining the Retry Inform Operation Value37
Defining the Timeout Inform Operation Value38
Defining the System Contact String39
Defining the System Name39
Defining the System Location40
Displaying the Status of the SNMP Server40
Displaying the Engine ID41
Displaying the SNMP Groups41
Displaying the SNMP Users42
Displaying All Configured Views 42
Displaying the Notification Target Parameters43
Displaying the Notification Target Profiles44
Displaying the SNMPv3 Notification Type44
Displaying the Notification Log45
Displaying the Notification Target Address45
Displaying the Pending Informs 46
Using SNMPv148
SNMP Notification for Users48
Group Definition49
Defining Users and Assigning Users to Groups50
Using SNMPv351
Configuring a Target Address to Receive Informs and Traps52
Configuring Notification Logs53


Page 3

Table of Figures
Figure 1: SNMP Agent and Manager Communications 4
Figure 2: Trap Sent to SNMP Manager Successfully 6
Figure 3: Inform Request Sent to SNMP Manager Successfully 7
Figure 4: Trap Unsuccessfully Sent to SNMP Manager 7
Figure 5: Inform Request Successfully Resent to SNMP Manager 8
Figure 6: Obtaining the snmpEngineID 9
Figure 7: Obtaining the snmpEngineBoots and snmpEngineTime 9

Page 4

Overview
The Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates
the exchange of management information between network devices.
An SNMP-managed network consists of three key components:
managed deviceis a network node that contains an SNMP Agent and resides on a managed
network
agentis a network-management software module that resides in a managed device. An agent
has local knowledge of management information and translates that information into a form
compatible with SNMP
network-management systemexecutes applications that monitor and control managed
devices.
SNMP enables network administrators to manage network performance, find and solve network
problems and extend the network.
The SNMP system consists of SNMP Manager, SNMP Agent and Management Information Base
(MIB). SNMP provides a message format for communication between SNMP Managers and
Agents.
Figure1 displays the communication between an SNMP Agent and Manager.

Figure 1: SNMP Agent and Manager Communications
SNMP Entity
An SNMP Entity is an implementation of the SNMP architecture. Each entity consists of an
SNMP Engine and one or more associated applications. An SNMP Engine provides services for
sending and receiving messages, authenticating and encrypting messages, and controlling access to
managed objects. The SNMP Engine is identified by the SNMP Engine ID. The applications use
the services of an SNMP Engine to accomplish specific tasks. They coordinate the processing of
management information operations, and may use SNMP messages to communicate with other
SNMP Entities.

Page 5

SNMP Agent
An Agent is a network-management software module that resides in a managed device and is
responsible for maintaining local management information and delivering that information to a
Manager via SNMP. A management information exchange can be initiated by the Manager or by
the Agent. The SNMP Agent contains MIB variables and these values can be requested or
changed by the SNMP Manager. The Agent and MIB reside on the device. The Agent gathers data
from the MIB and responds to a Managers request to get or set data.
Structure of Management Information (SMI)
Management information is a collection of managed objects, residing in a virtual information store,
termed the Management Information Base (MIB). Collections of related objects are defined in MIB
modules. Each type of object has a name, syntax, and an encoding. The name is represented
uniquely as an Object Identifier (OID). An OID is an administratively assigned name for
identifying one object, regardless of the semantics associated with the object. The encoding of an
object type is the way the instances of that object type are represented using the objects type
syntax. The names are used to identify managed objects.
SNMP Manager
An SNMP Manager is a software module in a management network responsible for managing part
or the entire configuration on behalf of network management applications and users.
The SNMP Manager sends requests to the SNMP Agent to get and set MIB values.
Communication among protocol entities is accomplished by the exchange of messages; each of
them is entirely and independently represented within a single UDP datagram. A message consists
of a version identifier, an SNMP community name, and a protocol data unit (PDU). PDUs are the
packets that are exchanged in the SNMP communication.
Management Information Base (MIB)
A Management Information Base (MIB) consists of a collection of objects organized into groups.
Objects have values that represent managed resources. All managed objects in the SNMP
environment are arranged in a hierarchical or tree structure. A MIB is the repository for
information about devices parameters and network data.
SNMP Engine ID
The SNMP Engine ID is a 5 to 32 bytes long, administratively unique identifier of a participant in
SNMP communication within a single management domain. The SNMP Manager and SNMP
Agent must be configured by an administrator to have unique SNMP Engine IDs.

Page 6

SNMP View Records
With the community-based authentication defined in SNMPv1, an authorized user is granted access
to the whole MIB tree for reading or for reading/ writing. With SNMPv1, it is not possible to allow
diverse authorized users access to different portions of the MIB database.
This deficiency is overcome in SNMPv3 with the introduction of views. A view is a set of rules that
define what portion of the MIB database can be visibleto a specific user. The rules are defined by
the OID of a node in the MIB tree, and the type of rule: included or excluded. The OID
defines a viewfamilya set of object identifiers that have a common prefix. A single rule (included
or excluded) in the view is applied to view family, not only to a single OID.
SNMP Notifications
The SNMP notification messages allow devices to send asynchronous messages to the SNMP
Managers. Devices can send notifications to SNMP Managers when particular events occur. For
example, an Agent might send a message to a Manager when the Agent experiences an error
condition.

NOTE
All traps, except the ones sent with SNMPv1, have a request ID as part of the PDU.

SNMP notifications can be sent as traps or Inform requests. Traps are unreliable because the
receiver does not send any acknowledgment when it receives a trap. However, an SNMP Manager
that receives an Inform request acknowledges the message with an SNMP response PDU. If the
Manager does not receive an Inform request, it does not send a response. If the sender does not
receive a response after a particular time interval, the Inform request can be sent again.
Because they are more reliable, Informs consume more resources in the device and in the network.
Unlike a trap, which is discarded as soon as it is sent, an Inform request must be held in memory
until a response is received or the request times out. Also, traps are sent only once, while an Inform
may be retried several times. The retries increase traffic and contribute to a higher overhead on the
network. Thus, traps and Inform requests provide a trade-off between reliability and resources. If it
is important that the SNMP Manager receives every notification, use Inform requests. On the other
hand, if you are concerned about traffic on your network or memory in the device and you do not
need to receive every notification, use traps.
Figure2 through Figure 5 illustrate the differences between traps and Inform requests.
In Figure2, the Agent successfully sends a trap to the SNMP Manager. Although the Manager
receives the trap, it does not send any acknowledgment to the Agent. The Agent has no way of
knowing whether the trap reached its destination.

Figure 2: Trap Sent to SNMP Manager Successfully

Page 7

In Figure3, the Agent successfully sends an Inform request to the Manager. When the Manager
receives the Inform request, it sends a response back to the Agent. Thus, the Agent knows that the
Inform request successfully reached its destination. In this example, twice traffic is generated as in
Figure2; however, the Agent is sure that the Manager received the notification.

Figure 3: I nform Request Sent to SNMP Manager Successfully
In Figure4, the Agent sends a trap to the Manager, but the trap does not reach the Manager. Since
the Agent has no way of knowing whether the trap reached its destination, the trap is not sent
again. The Manager never receives the trap.

Figure 4: Trap Unsuccessfully Sent to SNMP Manager
In Figure5, the Agent sends an Inform request to the Manager, but the Inform request does not
reach the Manager. Since the Manager did not receive the Inform request, it does not send a
response. After a period of time, the Agent resends the Inform request. This time, the Manager
receives the Inform request and replies with a response. In this example, there is more traffic than
in Figure4; however, the notification reaches the SNMP Manager.

Page 8

Figure 5: I nform Request Successfully Resent to SNMP Manager
The Discovery Mechanism
To protect the user network against message reply, delay and redirection, one of the SNMP engines
involved in each communication is designated to be the authoritative SNMP engine. When an
SNMP message contains a payload that expects a response, the receiver of such a message is
authoritative. When Inform PDUs are sent, the notification receiver is an authoritative
snmpEngineID (the Manager). This implies that the PDUs that are involved in an
authenticated/ encrypted session between the Agent and the Manager are encoded with keys that
are localized with the Managers snmpEngineID and not with the local application software Agents
snmpEngineID.
To match the described requirements, you need an additional configuration of users, on whose
behalf Inform PDUs can be sent. User keys are required to be localized with the snmpEngineID of
the Manager (the authoritative side). The keys of these users are localized for the remote side and
the Agent cannot process configuration of SNMP requests on their behalf. GET, GET-NEXT,
GET-BULK, SET requests from users with a snmpEngineID that is different from the Agent
snmpEngineID cannot be processed. The application software defines as remote those users
created with a snmpEngineID different from the Agents snmpEngineID. Remote users can
participate just by sending Inform PDUs.
To create a remote user, specify the snmpEngineID of the notification recipient, where this user is
correctly defined. The proper calculation of authentication/ encryption keys requires a valid remote
user.
To send the Inform PDU to the authoritative side, the Agent needs information for the
snmpEngineID of the target-address of the recipient.
To reduce a configuration complexity, the application software Agent implements an auto
discovery procedure for obtaining the snmpEngineIDsof different Inform recipients.

Page 9

When an event occurs, for example LinkUp, the Agent sends an Inform PDU to all valid targets for
this Inform. The very first Inform PDU actually is not valid as the Agent still does not know the
parameters of the Receiver Engine IDsnmpEngineId, snmpEngineBootsand snmpEngineTime.
In Figure6, the Manager reports the PDU with its Engine ID to the Agent.

Figure 6: Obtaining the snmpEngineI D
The Agent sends an Inform PDU with a valid Engine ID (the Engine ID that is received as shown
in Figure6), but with incorrect snmpEngineBootsand snmpEngineTime. These parameters are still
unknown to the Agent. The discovery process ends when no authentication/ encryption exists for
the target address. If authentication/ encryption exists, the packet is with the corresponding
authentication / encryptionMD5, SHA or DES.
In Figure 7, the Manager returns an authenticated REPORT PDU (notInTimeWindow) that
consists of valid snmpEngineBoots and snmpEngineTime parameters.

Figure 7: Obtaining the snmpEngineBoots and snmpEngineTime
Finally, when the discovery process is completed, the Agent and the Manager are synchronized and
following packets do not discover the Engine ID of the Manager.

Page 10

Versions of SNMP
The application software supports the following versions of SNMP:
Table 1: SNMP Versions
SNMPv1 SNMPv1 is version 1 of the Simple Network Management Protocol. It
enables the user to get and set MIB objects, traverse the MIB tree using
the getNext operation and enable the management device to receive
asynchronous messages from the Agent using the trap mechanism.
SNMPv1 bases its security on community strings.
SNMPv2c SNMPv2c is the community-string based Administrative Framework for
SNMPv2 (the C stands for community). SNMPv2c includes the following
improvements over SNMPv1:
Improved performance for getting data using getBulk. The bulk
retrieval mechanism supports the retrieval of tables and large
quantities of information in one PDU, thus minimizing the number of
round-trips required.
Improved error handling. SNMPv2 adds many error codes to the
five originally defined in SNMPv1. Management devices are
provided with more detailed information about the cause of the
error. Also, three kinds of exceptions are reported with SNMPv2c:
no such object exceptions, no such instance exceptions, and
end of MIB view exceptions.
Extended asynchronous reporting. SNMPv2 allows the Agent to
send SNMP notifications by inform request, as well as by trap
messages that are available in SNMPv1. Whereas traps do not
provide the Agent with an indication that the message is received,
the inform request requires the Manager to confirm reception and
is therefore more reliable. As for the trap message, its format is
changed to match the PDU format of a regular get/set PDU, in order
to simplify the protocol. The SNMPv2 protocol requires adding more
details to every trap in order to supply the Manager with more
information.
Generally, MIBs written for Agents that use SNMPv2c or higher versions
use SMIv2 instead of version 1 of the SMI. This version adds some new
variables types.
Both SNMPv1 and SNMPv2c use a community-based form of security.

Page 11

SNMPv3 SNMPv3 is version 3 of the Simple Network Management Protocol. It is
an interoperable standards-based protocol. It provides secure
communication using the USM (User-based Security Model) and access
control using the VACM (View-based Access Control).
The USM model provides an answer to the following threats:
Replay, interception and retransmission of messagesprevented
by using time-stamp.
Masqueradingprevented by authenticating the message sender.
Integrity, interception, changing data, and retransmission of
messagesprevented by authenticating the message sender and
encryption of the message data.
Disclosureprevented by encryption of the message data.
The SNMPv3 USM allows three levels of security (see Table 2):
No Authentication and No Privacy (noAuthNoPriv)
Authentication and No Privacy (AuthNoPriv)
Authentication and Privacy (authPriv)
Table 2: Security Levels Available in the SNMPv3 Security Models
Level Authentication Encryption Explanation
noAuthNoPriv Username No All PDUs are sent unencrypted and
not authenticated in the network.
authNoPriv HMAC-MD5 or
HMAC-SHA
No The PDUs are authenticated with
HMAC (keyed-Hashing for Message
Authentication Codes). They cannot
be altered by an attacker, but can be
read.
authPriv HMAC-MD5 or
HMAC-SHA
Cipher Block
ChainingData
Encryption
Standard
(CBC-DES)
The PDUs are authenticated and
encrypted (with CBC-DES Symmetric
Encryption Protocol).

You must configure the SNMP Agent to use the version of SNMP supported by the management
device. An Agent can communicate with multiple users. For this reason, you can configure the
application software to support communications with many users: some users can use the SNMPv1
protocol, some can use the SNMPv2c protocol, and the rest can use SMNPv3.

NOTE
You can participate in different groups, with a different security model in each
group. You cannot participate in more than one group with the same security model.


Page 12

SNMP Default Configuration
Table 3: SNMP Default Configuration
SNMP Engine ID 00 00 02 DB 03 [MAC ADDR] 00 00.
SNMP contact Empty (null).
System name The default value is the devices model
name
Location Empty (null)
SNMP Agent Disabled
UDP port 161
SNMP user Not configured
Retry inform operation 3 times
Inform operation timeout 30 seconds
SNMP notification log Disabled

Page 13

SNMP Configuration Flow
To activate the SNMP Agent and make a communication inside the
SNMP entity (from the Manager to the Agent), follow the steps:
1. Change the SNMP engine ID if the scheme for the engine ID used in the network requires it
(see ConfiguringtheAgent EngineID)
2. Enable the SNMP Agent (see EnablingtheSNMP Server).
3. Create views (see DefiningSNMPv3 Views
4. Create groups (see DefiningSNMP Groups)
5. Create the users (see DefininganSNMP User)
6. If you need to limit the managed communication for users according to access list criteria (see
AssigninganAccessList toa User)
7. Display SNMP (see SNMP Display Commands)
To send notifications to the management device, follow the steps:
1. Enable the SNMP Agent (if it is disabled) (see EnablingtheSNMP Server)
2. Create views, groups and users that include the notification variables with notify access right
(see DefiningSNMPv3 Views)
3. Create a tag that includes all required notifications (see DefiningSNMP Notification).
4. Create a target parameter that links a parameter name to the user (see DefiningtheNotification
Target Parameter)
5. Create a target address that links the parameter to a specific IP address (see Definingthe
NotificationTarget Address)
6. Display SNMP (see SNMP Display Commands)

Page 14

SNMP Configuration Commands
Table 4: SNMPv3 Agent Configuration Commands
Command Description
snmp-server engineID Configures a new value for the Agents SNMP Engine ID
(see Configuring the Agent Engine ID)
snmp-server enable Enables the SNMP Server (see Enabling the SNMP
Server)
snmp-server view Defines the subset of all MIB objects accessible to the
given view (see Defining SNMPv3 Views)
snmp-server group Creates an SNMP group with a specified security model
(v1, v2c or v3) and defines the access-right for this
group by associating views to this group (see Defining
SNMP Groups)
snmp-server user Creates an SNMP local or remote user and associates it
to a group (see Defining an SNMP User)
snmp-server access-list Assigns an access list to the specified user (see
Assigning an Access List to a User)

Table 5: Agent Notification Configuration Commands
Command Description
snmp-server notify Defines a notification and specifies the type (trap/inform)
(see Defining SNMP Notification)
snmp-server log-notify Enables the SNMP notification log (see Configuring the
SNMP Notification Log)
snmp-server log-sent-notify Enables the logging only for notifications that are sent to
management devices (see Configuring SNMP Logging
of Sent Notifications)
clear snmp-server log-notify Clears the SNMP notification log (see Clearing the
SNMP Notification Log)
snmp-server target-param Defines the notification target parameter (see Defining
the Notification Target Parameter)
snmp-server target-addr Defines the notification target address (see Defining the
Notification Target Address)
snmp-server set-execute-trap Enables the sending of snmpSetExecuted notifications
(see Sending snmpSetExecuted Notifications)
snmp-server authentication-
failure-trap
Enables the sending of authenticationFailure
notifications (see Sending authenticationFailure
Notifications)
snmp-server target-profile Includes or excludes a branch of the MIB tree in a
notification profile (see Defining a Notification Target
Profile).

Page 15

Command Description
snmp-server inform retry Sets an option related to resending unacknowledged
Inform requests and specifies the number of retries for
resending Inform PDUs (see Defining the Retry Inform
Operation Value)
snmp-server inform timeout Sets the time to wait for an acknowledgement before
resending an unacknowledged Inform PDU (see
Defining the Timeout Inform Operation Value)

Table 6: SNMP MIB-II System Group Elements Configuration Commands
Command Description
snmp-server contact Sets the MIB-II system contact string (see Defining the
System Contact String)
snmp-server system-name Sets the MIB-II system name (see Defining the System
Name)
snmp-server location Sets the MIB-II system location string (see Defining the
System Location)

Table 7: SNMPv3 Agent Display Commands
Command Description
show snmp-server Displays the status of the SNMP serverenabled or
disabled, and the UDP port on which the SNMP server
is enabled (see Displaying the Status of the SNMP
Server)
show snmp-server engineID Displays the current SNMP Agent engine ID and all
remote Engine IDs that are known to the Agent (see
Displaying the Engine ID)
show snmp-server group Displays all configured groups for the SNMP Agent (see
Displaying the SNMP Groups)
show snmp-server user Displays the users and their associated engine ID (see
Displaying the SNMP Users)
show snmp-server view Displays all configured views for the SNMP Agent (see
Displaying All Configured Views)
show snmp-server target-param Displays the target parameters (see Displaying the
Notification Target Parameters)
show snmp-server target-
profiles
Displays the notification target profiles (see Displaying
the Notification Target Profiles)
show snmp-server notify Displays information for the notify type (Inform or trap)
(see Displaying the SNMPv3 Notification Type)
show snmp-server log-notify Displays the NVRAM notification log of the SNMP
server. (see Displaying the Notification Log).
show snmp-server target-addr Displays the notification target address (see Displaying
the Notification Target Address)
show snmp-server informs Displays information about the pending informs (see
Displaying the Pending Informs)

Page 16

Command Description
show snmp-server access-list Displays the access list assigned to a user (see
Displaying the Access List Applied to a User)
Configuring the Agent Engine ID
The snmp-server engineID command configures a new value for the Agents SNMP Engine ID.

NOTE
Configure the Engine ID before adding any users.
Do not perform changes for the Engine ID once users are configured.
If you use third part MIB SNMP Managers, check the Engine ID configuration.
You cannot create two SNMP entities in the management domain with the same
Engine ID.

Mode: Global Configuration
By default, the Engine ID is 00 00 02 DB 03 [MAC-ADDR] 00 00, where [MAC-ADDR]
represents the devices MAC address.
Command Syntax
device-name(config)#snmp-server engineID ENGINE-ID
device-name(config)#no snmp-server engineID
ENGINE-ID Specifies a string of 10 to 64 characters (represented internally by 5 to 32 bytes)
This ID represents the Agents Engine ID as a hexadecimal number. Use an
even number of characters in the valid range <09>and <af>(case-
insensitive).
Type an even number of hexadecimal digits. Otherwise, as a result an extra zero
is inserted before the last digit. For example, if you type the string 11223344556
(an odd number of characters), the Agents parser interprets it as
0x112233445506.
The changing of the Engine ID while there are users that use SNMPv3
authentication or use privacy and authentication, invalidates the keys and
requires recalculation.
no Returns the ID to its default value.
Example
Set the local engineID to be 1234567890ABCD:
device-name(config)#snmp-server engineID 1234567890ABCD

Page 17

Enabling the SNMP Server
The snmp-server enable command enables the SNMP server.
By default, the SNMP server is disabled and the SNMP UDP port is 161.

NOTE
If the SNMP server is disabled, it can still be configured from the CLI, but it cannot
respond to SNMP PDUs and cannot send traps.

Command Syntax
device-name(config)#snmp-server enable [<udp-port>]
device-name(config)#no snmp-server enable
udp-port
(Optional) specifies the number of the UDP port on which the SNMP server
listens for messages. The valid range is <165535>.
If you do not specify the UDP port, the SNMP server listens for incoming
messages on its default UDP port161.
If you specify the UDP port number, the Agent listens for incoming SNMP
messages on this port.
no
Disables the SNMP server.
Example
Enable the SNMP server on port 1021:
device-name(config)#snmp-server enable 1021
Defining SNMPv3 Views
The snmp-server view command defines the subset of all MIB objects accessible to the given
view. This command includes or excludes a branch of the MIB tree in a view.
The MIB definition represents a tree architecture where each node in the tree is identified by a
number. To identify a branch in the tree, the usual convention is to use a series of numbers
separated by dots, where each number represents a node in the tree (OID-TREE).
Command Syntax
device-name(config)#snmp-server view VIEWNAME OID-TREE {included | excluded}
[MASK]
device-name(config)#no snmp-server view VIEWNAME [OID-TREE]

Page 18

VIEWNAME
Specifies the name of the view. It is limited to 32 characters.
OID-TREE Specifies the starting point inside the MIB tree given in dot-notation.
If the view definition exists, the defined subtree is added to the list of view families.
If the Object ID (OID) already exists, it is replaced by the new data (type of rule
and mask).
This parameter is optional for the no form of the command.
included Specifies that Object ID is included in the view.
excluded Specifies that Object ID is excluded from the view.
MASK (Optional) specifies the bit-mask defining OID wildcard. The mask is typed as a
hexadecimal value, and is interpreted as a binary value.
A binary 1 in the mask states that the Object ID at the corresponding position has
to match, a binary 0 states that the Object ID at the corresponding position is
irrelevantno match is required.
no Removes the defined view.
Example 1
Create the view MyViewand add two rules to it.
1. The first rule enables access to all Object IDs under the MIB-2 tree (all object identifiers that
start with 1.3.6.1.2.1).
2. The second rule disables access to the sysUpTime Object ID.
Grant or denial of access is determined by the most specific rule that matches the object ID. After
the Agent decides whether to grant access to the Object ID 1.3.6.1.2.1.1.3 both typed rules of
MyViewmatch the object. The second rule has a longer match to the view family and the result is
that access is denied (by the excluded keyword).
device-name(config)#snmp-server view MyView 1.3.6.1.2.1 included
device-name(config)#snmp-server view MyView 1.3.6.1.2.1.1.3 excluded
Example 2
Grant access to all conceptual rows in ipCidrRouteTablethat have next-hop 192.168.5.1. The
destination, mask and the TOS typed in the OID have no match (the bits of the mask are 0 at these
OIDs).
If an Object ID does not match any rule in a view, its access is denied.
device-name(config)#snmp-server view v1
1.3.6.1.2.1.4.24.4.1.1.0.0.0.0.0.0.0.0.0.192.168.5.1 included FFC01E


Page 19

Example 3
Remove the specified view data. If the Object ID is not supplied, all the data of the view
VIEWNAME is removed:
device-name(config)#no snmp-server view VIEWNAME
Example 4
Remove the rule for the sysUpTime(1.3.6.1.2.1.1.3) view family (all other data of MyViewis
preserved):
device-name(config)#no snmp-server view MyView 1.3.6.1.2.1.1.3
Example 5
Remove all data for the view with name MyView:
device-name(config)#no snmp-server view MyView
Defining SNMP Groups
The snmp-server group command creates an SNMP group with a specified security model (v1,
v2c or v3) and defines the access-right for this group by associating views to this group.
Command Syntax
device-name(config)#snmp-server group NAME {v1 | v2c} read READ-VIEW write
WRITE-VIEW notify NOTIFY-VIEW
device-name(config)#no snmp-server group NAME [v1 | v2c]

device-name(config)#snmp-server group NAME v3 {auth | noauth | priv} read
READ-VIEW write WRITE-VIEW notify NOTIFY-VIEW
device-name(config)#no snmp-server group NAME [v3 {auth | noauth | priv}]
NAME Configures a new SNMP group on the device. The name of the group is
limited to 32 characters.
v1 Specifies version 1 of the SNMP protocol.
v2c Specifies version 2 of the SNMP protocol.
v3 Specifies version 3 of the SNMP protocol. This requires you to select an
authentication levelnoAuth, Auth or AuthPriv.
In SNMPv3, you can participate in more than one group provided and
each group has a different security model.
auth
Enables the Message Digest 5 (HMAC-MD5) or the Secure Hash
Algorithm (HMAC-SHA) packet authentication.
noauth
Enables the security level that implies no authentication and no encryption
of the PDUs. This is the default if no keyword is specified.

Page 20

priv
Enables Data Encryption Standard (DES) packet encryption. In this case
authentication is mandatory and is based on HMAC-MD5 or HMAC-SHA
and CBC-DES encryption.
read READ-
VIEW
Specifies a string (not to exceed 32 characters) that is the name of the
view in which you can only view the contents of the Agents MIB.
write WRITE-
VIEW
view in which you can type data and configure the contents of the Agents
MIB.
notify
NOTIFY-VIEW
view, and specify what portion of the MIB database is accessible for
notifications.
no
Removes the SNMP group data.
If you specify only the group name, all groups with that name are removed,
regardless of their security model and security level. If you specify the
security model and security level (if the model is v3), only the group
matching all conditions is removed.
Example 1
Create an SNMP v3 group named GR1 with security level Authenticated:
device-name(config)#snmp-server group GR1 v3 auth read v3_read write v3_write
notify v3_read
Example 2
Remove the group named MyGroup:
device-name(config)#no snmp-server group MyGroup
Example 3
Remove only the group that is named MyGroup2 with security model v3 and security level AuthPriv:
device-name(config)#no snmp-server group MyGroup2 v3 priv

Page 21

Defining an SNMP User
The snmp-server user command creates an SNMP local or remote user and associates it to a
group.

NOTE
The generation of the key is considerably slow. During this generation, the CLI
stops responding for several seconds (depending on the device model).

Users with security level AuthNoPrivand AuthPrivare stored in NVRAM when the write
command is executed. The configured users are not seen in the configuration file.
Command Syntax
device-name(config)#snmp-server user USER-NAME group GROUP-NAME {v1 | v2c |
v3}
device-name(config)#snmp-server user USER-NAME group GROUP-NAME v3 [priv
ENCRYPTION_PASSWORD] [auth {md5 | sha} AUTHENTICATION_PASSWORD] [remote
ENGINE-ID]

device-name(config)#no snmp-server user USER-NAME [group GROUP-NAME {v1 | v2c
| v3}]
device-name(config)#no snmp-server user USER-NAME group GROUP-NAME v3 [remote
ENGINE-ID]
USER-NAME
Specifies the name of the user on the host that connects to the
Agent. The user name is limited to 32 characters.
GROUP-NAME
Specifies the name of the group to which the user is associated.
v1, v2c, v3 Specifies the SNMP version number (v1, v2c, or v3).
If the security model is v3, type the security level for the user.
For v3 users, if no security level is specified, noAuthNoPriv
security level is assumed.
priv
ENCRYPTION_PASSWORD
(Optional) specifies that the PDUs sent to or received by this
user should be encrypted, with the key generated from the
encryption password.
auth (Optional) specifies the authentication level setting session.
Specifying this argument requires either md5 or sha to be
specified, as well as a password string.
md5 Specifies theHMAC-MD5 authentication.
sha Specifies the HMAC-SHA authentication.
AUTHENTICATION_PASSWORD
Specifies the authentication password string. Do not exceed 32
characters for the password.
remote ENGINE-ID (Optional) creates a remote user by its engine ID.

Page 22

no Removes the defined user and the user from its associated
group.
Example 1
Create a user named TOM that uses SNMP v1:
device-name(config)#snmp-server user TOM group g_all_v1 v1
Example 2
Create a user named TOM that uses SNMP v3 with authentication and privacy. The privacy
password is privPass and the authentication password is authPass:
device-name(config)#snmp-server user TOM group g_all_v3 v3 priv privPass auth
md5 authPass
Example 3
Remove a defined v3 user named IVAN from an associated group ACC:
device-name(config)#no snmp-server user IVAN group ACC v3
Assigning an Access List to a User
The snmp-server access-list command assigns an access list to the specified user.
The access list can permit or deny access to a user according to the access list rules. The rules
contain a permit or deny action and a source IP address. To define the named access list use the
snmp-server access-list and access-list commands. The defined access lists can be viewed
by the show access-lists and/ or show snmp-server access-list commands.
For more information regarding ACL commands, refer to the DeviceSetupandMaintenancechapter of
this User Guide.

NOTE
SNMPv3 time synchronization may double the authenticationFailure notifications.
This can happen when applying user access lists on SNMPv3 users. In this case, the
SNMP requests contain engineBoots or engineTime equaled to zero (0) as time
synchronization. The request cannot take place because of the access list. Therefore,
if notInTimeWindow occurs, it generates an additional authenticationFailure
notification.

Command Syntax
device-name(config)#snmp-server access-list USER-NAME ACL-NAME
device-name(config)#no snmp-server access-list USER-NAME

Page 23

USER-NAME Specifies the user name.
ACL-NAME Specifies the existing access list name.
no Removes the access list assigned to the specified user.
Examples:
Create and assign an access list to a user named IVAN.
device-name(config)#access-list MyLyst permit 220.132.0.0/16
device-name(config)#snmp-server access-list IVAN MyLyst
Remove the upper access list from user IVAN:
device-name(config)#no snmp-server access-list IVAN
Defining SNMP Notification
The snmp-server notify command defines the notification and specifies the type (trap/ inform).

NOTE
The notification name is the same as specified in the MIB (case-sensitive). You can
add a notification with only one tag name.

Command Syntax
device-name(config)#snmp-server notify NAME TAG-NAME [inform]
device-name(config)#snmp-server notify all TAG-NAME [inform]
device-name(config)#no snmp-server notify NAME
NAME
Specifies the notification name, a reserved literal string. The available names are
available in Table 8.
all Enables all notifications. If you specify this parameter, all the available notifications
under the specified tag name are included.
TAG-NAME
Specifies the notification tag name.
inform (Optional) creates the notification as Inform. If you omit this parameter, the
notification is created as trap.
no Disables the specified notification.
Example
device-name(config)#snmp-server notify linkUp tag1

Page 24

Table 8: Notification Argument Values
Argument Value Description
authenticationFailure This notification indicates that the SNMP entity,
acting as an Agent, has received a protocol
message that is not properly authenticated. The
authentication method depends on the version of
SNMP that is used. For SNMPv1 or SNMPv2c,
authentication failure occurs for packets with an
incorrect community string. For SNMPv3,
authentication failure occurs for packets with an
incorrect SHA/MD5 authentication key or for a
packet that is outside of the authoritative SNMP
engines time window.
The generation of authentication failure notification
is also controlled by the snmp-server
authentication-failure-trap command.
cliConfigurationChanged This notification informs you if a change of
configuration is performed through the CLI (telnet,
SSH session) and logged in NVRAM. This
notification does not contain any variable bindings
because the application software does not have
SNMP support for configuration history. The
cliconfigurationChanged notification is generated
whenever the user exits the Global Configuration
mode.
This notification is generated when:
Configuration-history recording is enabled (use
the record configuration-history
nvram command)
A configuration-history session is added to the
configuration history
coldStart This notification indicates that the SNMP entity,
acting as an Agent, is reinitializing itself and that its
configuration may be altered.
configurationLoadFailed This notification indicates that the download or
upload of the configuration file failed.
For more information, refer to the Device
Administration chapter of this User Guide.
cpuTemperatureExceeded This notification indicates that the sending Agent
senses that the internal temperature has exceeded
the program threshold.
cpuUtilizationExceeded This notification indicates that the sending Agent
sensed that the CPU utilization has passed the
programmed threshold.
For more information, refer to the Troubleshooting
and Monitoring chapter of this User Guide.
dot1agCfmFaultAlarm If a MEP has a persistent defect condition, this
notification (fault alarm) is sent to the management
entity with the OID of the MEP that has detected the
fault.

Page 25

dot3OamEventNonThresholdEvent This notification is sent when a local or remote non-
threshold crossing event is detected. This
notification should not be sent more than once per
second. For more information, refer to the
dot3EventOamThresholdEvent notification
below.
dot3OamEventThresholdEvent This notification is sent when a local or remote
threshold crossing event is detected. A local
threshold crossing event is detected by the local
entity, while a remote threshold crossing event is
detected by the reception of an Ethernet OAM Event
Notification OAMPDU that indicates a threshold
event. This notification should not be sent more than
once per second. The OAM entity can be derived
from extracting the ifIndex from the variable
bindings. The objects in the notification correspond
to the values in a row instance in the
dot3OamEventLogTable. The management entity
should periodically check dot3OamEventLogTable
to detect any missed events.
fallingAlarm This notification indicates the RMON alarm
generated when a value falls below its pre-
For more information, refer to the Configuring
Remote Monitoring (RMON) chapter of this User
Guide.
fanStatusChange
This notification indicates that the sending agent
senses that one of the fans changed its status.
imageCrcCheckFailed This notification indicates that the software image
CRC check failed.
lagMemberAdd
This notification is generated when a new port is
added to a LAG link. The first ifIndex indicates the
ID of the trunk interface. The second one displays
the added port member.
lagMemberLinkDown
This notification is generated when the LAG link
becomes down. The first ifIndex indicates the ID of
the trunk interface. The second one shows the port
member with link status change.
lagMemberLinkUp
This notification is generated when the LAG link
becomes up. The first ifIndex indicates the ID of the
trunk interface. The second one displays the port
member with a link status change.
lagMemberRemove
This notification is generated when a port is
removed from a LAG. The first ifIndex indicates the
ID of the trunk interface. The second one shows the
removed port member.

Page 26

laserTempThresholdCrossed This notification is generated when
laserTemperature rises above
laserHighTemperatureThreshold or falls below
laserTemperatureLowThresholds.
Also the notification is generated when
laserTemperature returns to the normal range
between laserHighTemperatureThreshold and
laserTemperatureLowThresholds.
laserTxPowerThresholdCrossed This notification is generated when laserTxPower
rises above laserHighTxPowerThreshold or falls
below laserTxPowerLowThresholds.
laserTxPower returns to the normal range between
laserHighTxPowerThreshold and
laserTxPowerLowThresholds.
laserRxPowerThresholdCrossed This notification is generated when laserRxPower
rises above laserHighRxPowerThreshold or falls
below laserRxPowerLowThresholds.
laserRxPower returns to the normal range between
laserHighRxPowerThreshold and
laserRxPowerLowThresholds.
linkup This notification indicates that the SNMP entity,
acting as an Agent, has detected that the
ifOperStatus object for one of its communication
links left the down state and transitioned into
another state (but not into the notPresent state).
The other state is indicated by the included value of
ifOperStatus.
linkDown This notification indicates that the SNMP entity,
acting as an Agent, has detected that the
ifOperStatus object for one of its communication
links is about to enter the down state from some
other state (but not from the notPresent state). This
other state is indicated by the included value of
ifOperStatus.
lldpRemTablesChange
This notification is sent when the value of
lldpStatsRemTablesLastChangeTime changes. It
can be used by an NMS to trigger LLDP remote
systems table maintenance polls.
For more information, refer to the Configuring Link
Layer Discovery Protocol (LLDP) chapter of this
User Guide.

Page 27

mstpNewRoot This notification indicates that a new root is elected
by the Multiple Spanning Tree algorithm.
Multiple Spanning Tree Protocol (MSTP, IEEE
802.1s) chapter of this User Guide.
mstpTopologyChange This notification indicates that the topology change
is detected by the Multiple Spanning Tree algorithm.
Multiple Spanning Tree Protocol (MSTP, IEEE
802.1s) chapter of this User Guide.
newRoot This notification indicates that a new root is elected
by the Spanning Tree algorithm.
Spanning Tree Protocol (STP) and the Configuring
Rapid Spanning Tree Protocol (RSTP) chapters.
pingProbeFailed This notification indicates a detected probe failure if
the corresponding pingCtlTrapGeneration object is
set to probeFailure.
For more information, refer to the Operation
Administration and Maintenance (OAM) chapter of
this User Guide.
pingTestCompleted This notification is generated at the completion of a
ping test when the corresponding
pingCtlNotificationGeneration object is set to
testCompletion.
this User Guide.
pingTestFailed This notification indicates that a ping test is
determined to have failed when the corresponding
pingCtlTrapGeneration object is set to testFailure.
this User Guide.
portErrorsExceeded This notification indicates that the sending Agent
sensed that the number of errors has passed the
program threshold for one of the interfaces.
portRedundantLinkChange This notification indicates that the status of a
redundant link has changed.
portSecurityViolation This notification indicates that a security violation is
done on a port defined as a secure port.
VLANs and Super VLANs chapter of this User
Guide.

Page 28

portsBroadcastExceeded This notification indicates that the sending Agent
sensed that the number of broadcasts packets has
passed the programmed threshold on one of the
interfaces.
portsCRCErrExceeded This notification indicates that the level of CRC
errors passed the threshold.
portsOverSizeExceeded This notification indicates that rate of oversize
packets (packets larger than MaxFrameSize bytes)
has passed the threshold.
portsRuntsExceeded
This trap indicates that the rate of runt packets
(packets smaller than 64 bytes) has passed the
threshold.
powerSupplyStatusChange This notification indicates that the sending agent
senses that one of the power supplies changed its
status.
prvtCfm1wJitterThreshold
This notification is sent when CFM one way jitter
threshold crossed.
this User Guide.
prvtCfmFrameLossThreshold
This notification is sent when CFM frame loss
threshold crossed.
this User Guide.
prvtCfmJitterThreshold
This notification is sent when CFM two way jitter
threshold crossed.
this User Guide.
prvtCfmLatencyThreshold
This notification is sent when CFM latency threshold
crossed.
this User Guide.

Page 29

prvtConfigChangeAlarm This notification is generated when the value of
configurable attribute is changed. Use the
notification to trigger maintenance polling of the
running configuration on the device. One of the
variables points either to entry of the modified table
or the OID of the modified scalar object.
prvtDuplicatedMACAddressAlarm This notification is a duplicated MAC notification.
This is sent when the MAC address is duplicated on
more than one port, in a particular VLAN.
The notification includes information about the MAC
address. The original port has the specified MAC
and VLAN.
prvtCustCreated This notification is generated when an entry in
custInfoTable is created.
prvtCustDeleted This notification is generated when an entry in
custInfoTable is deleted.
prvtELMIChangeEVC This notification is sent when an EVC status
changed. Can be a change in CE-VLAN ID/EVC
map or EVC status.
this User Guide.
prvtELMIStatus This notification is sent when an E-LMI status
changed.
this User Guide.
prvtEpsDefectAlarm This notification is sent when EPS service
operational status changed or protocol defect
occurred.
this User Guide.
prvtEpsLostCommunication This notification is sent when EPS communication
failed.
this User Guide.
prvtEpsRestoredCommunication This notification is sent when EPS communication
restored.
this User Guide.
prvtEpsSignalDegradeDetected This notification is sent when monitored error
threshold is crossed.
this User Guide.

Page 30

prvtEpsSignalFailDetected This notification is sent when three consecutive
CCMs are not received.
this User Guide.
prvtEpsSwitchoverAlarm This notification is sent when EPS service active link
changed.
this User Guide.
prvtOamDyingGasp
Generates a dying-gasp alarm.
In order for dying-gasp trap to be functional, also
configure warmStart and coldStart notifications.
Dying-gasp is sent only to one server (last one
used).
this User Guide.
prvtOamLoopBackState This notification is changed when DOT3-OAM
Loopback state has changed.
this User Guide.
prvtPortSECViolation This notification is sent when port security is
enabled on a port, and security violation is detected.
The notification contains the following information:
the port on which the event occurred
the MAC Address causing the violation
the VLAN ID of the VLAN on which the address is
about to be learned
the administrative status of the port after the
violation that allows you to determine if the port is
shut down
VLANs and Super VLANs chapter of this User
Guide.
prvtSaaFrameLossThresholdCrossed This notification is generated when the SAA frame-
loss threshold is crossed the preconfigured
threshold in any direction, raising or falling. For
more information, refer to the Operations,
Administration & Maintenance (OAM) chapter of this
User Guide.
prvtSaaJitterThresholdCrossed This notification is generated when the SAA jitter
threshold crossed the preconfigured threshold in
any direction, raising or falling. For more
information, refer to the Operations, Administration
& Maintenance (OAM) chapter of this User Guide.

Page 31

prvtSaaDelayThresholdCrossed This notification is generated when the SAA delay
threshold crossed the preconfigured threshold in
any direction, raising or falling. For more
information, refer to the Operations, Administration
& Maintenance (OAM) chapter of this User Guide.
prvtSaaTestFinished This notification is sent for each completed SAA
test.
prvtSaaProbeSuccess This notification is sent for each successfully
completed ping.
prvtSaaProbeFailed This notification is sent for each failed probe ping
packet.
prvtSapCreated This trap is sent when a new row is created in the
sapBaseInfoTable.
prvtSapDeleted This trap is sent when an existing row is deleted
from the sapBaseInfoTable.
prvtSapStatusChanged This trap is generated when there is a change in the
administrative or operating status of an SAP.
prvtSdpCreated This trap is sent when a new row is created in the
sdpInfoTable.
prvtSdpDeleted This trap is sent when an existing row is deleted
from the sdpInfoTable.
prvtSdpStatusChanged This trap is generated when there is a change in the
administrative or operating status of an SDP.
prvtSvcCreated This trap is sent when a new row is created in the
svcBaseInfoTable.
prvtSvcDeleted This trap is sent when an existing row is deleted
from the svcBaseInfoTable.
prvtSvcStatusChanged This trap is generated when there is a change in the
administrative or operating status of a service.
ramFreeSpaceExceeded This notification indicates that the sending Agent
sensed that the internal amount of free RAMs is
lower than a program threshold.
resilientLinkStatusChange This notification indicates that the resilient link
status changed, identified by the resilientLinkIndex.
risingAlarm This notification indicates the RMON alarm
generated when a value rises above its pre-
Remote Monitoring (RMON) chapter of this User
Guide.
sfpMonStatusChanged This notification shows the status of the SFP
extracted/inserted.
snmpServerStatusChange This notification is sent when SNMP server status
has changed.

Page 32

snmpSetExecuted This notification informs you when a successful
SNMP SET request is executed. The notification
provides information about the security parameters
of the packet containing the SET request. The
snmpSetExecuted notification is sent directly by the
SNMP Agent.
The generation of the snmpSetExecute notification
is also controlled by the snmp-server set-
execute-trap command.
taskSuspended This notification indicates that a task is suspended.
For more information, refer to the Device Setup and
Maintenance chapter of this User Guide.
topologyChange This notification indicates that the topology change
is detected by the Spanning Tree algorithm.
Spanning Tree Protocol (STP) and the Configuring
Rapid Spanning Tree Protocol (RSTP) chapters.
unauthorizedAccessViaCLI This notification indicates that an unauthorized
access attempt via CLI occurred.
Device Authentication Features chapter of this User
Guide.
warmStart This notification indicates that the sending device is
reinitializing itself so that neither the Agent
configuration nor the protocol entity implementation
is altered.
Configuring the SNMP Notification Log
The snmp-server log-notify command enables the SNMP notification log.
A log entry is created for each notification as it occurs, regardless if a notification is sent or not.
By default, the SNMP notification log is disabled.
Command Syntax
device-name(config)#snmp-server log-notify [TAG-NAME]
device-name(config)#no snmp-server log-notify [TAG-NAME]

Page 33

TAG-NAME
(Optional). Specifies the name of the tag associated with the notifications to be
logged. If the parameter is not supplied, the logging of all notifications is
enabled/disabled. The available names of notifications are specified in Table 8.
no
Disables the SNMP notification log and clear its contents.
If you disable notifications associated with a specific tag name, by specifying
the tag name in the no command, the general snmp-server log-notify
command (without the specific tag name) is not enabling these notifications. In
this case, you have to explicitly enable these notifications.
Example
If you use no snmp-server log-notify Tag1, then snmp-server log-notify enables all
notifications except for those associated with Tag1.
device-name(config)#no snmp-server log-notify Tag1
device-name(config)#snmp-server log-notify
To enable the notifications that are associated with Tag1, use snmp-server log-notify Tag1.
device-name(config)#snmp-server log-notify Tag1
Configuring SNMP Logging of Sent Notifications
The snmp-server log-sent-notify command enables the logging only for notifications that are
sent to management devices.
The command causes the addition of a trap sequence ID based on the request ID field of the
SNMP trap packet. The addition of the sequence ID changes the behavior of the SNMP
notification log by logging the notifications in the order at which they are sent. Every notification
that is sent through the network is logged. The log entry includes the target addresses to which it is
sent.
When applying this command, one entry per notification is added for each IP address that the
notification is destined to, including the sequence ID for each of the IP addresses.

NOTE
The notifications that are not sent to a management device due to a configuration
error are not logged.

Command Syntax
device-name(config)#snmp-server log-sent-notify
device-name(config)#no snmp-server log-sent-notify
no
Disables the SNMP sent-notification logging.

Page 34

Clearing the SNMP Notification Log
The clear snmp-server log-notify command clears the SNMP notification log.
Command Syntax
device-name#clear snmp-server log-notify
Defining the Notification Target Parameter
The snmp-server target-param command defines the notification target parameter.
The SNMP server target parameter sets the trap security parameters and specifies the user that
sends the trap to the target address. The user data contains the keys for the trap PDU encryption.
Command Syntax
device-name(config)#snmp-server target-param NAME USER-NAME v1 [PROFILE-NAME]
device-name(config)#snmp-server target-param NAME USER-NAME v2c [PROFILE-
NAME]
device-name(config)#snmp-server target-param NAME USER-NAME v3 {auth | noauth
| priv} [PROFILE-NAME]
device-name(config)#no snmp-server target-param NAME
NAME
Specifies the name of the target parameter.
USER-NAME
Specifies the name of the user on the host that connects to the Agent.
v1, v2c, v3
Specifies the security model of the target-parameter. It specifies the
version of the protocol in which the traps would be sent (v1, with TRAP-V1
PDU type, v2c with TRAP-V2 PDU type OR v3, with TRAP-V2 PDU type).
noauth
Specifies the security level that implies no authentication and no
encryption of the PDUs.
auth
Specifies the authentication of the PDUs based on HMAC-MD5 or HMAC-
SHA. No encryption is used.
priv
Specifies the authentication based on HMAC-MD5 or HMAC-SHA and
CBC-DES encryption for the message data.
PROFILE-NAME
(Optional) specifies the profile name, defined by the snmp-server
target-profile command. The target profile represents a set of filters
that restrict the access to the MIB tree for trap sending.
no
Removes the notification target parameter.
Example
device-name(config)#snmp-server target-param param1 ABC v3 auth

Page 35

Defining the Notification Target Address
The snmp-server target-addr command defines the notification target address.
Command Syntax
device-name(config)#snmp-server target-addr NAME A.B.C.D <udp-port> PAR-NAME
[<TAG1> ... <TAGN>]
device-name(config)#snmp-server target-addr NAME {addtag | deltag} TAG-NAME
device-name(config)#no snmp-server target-addr NAME

NOTE
Use the command with addtag and deltag arguments only if the notification tag
address is already defined.
NAME
Specifies the name of the notification target address.
A.B.C.D
Specifies the IP address of the target.
udp-port
Specifies the UDP port number of the target address in the range of
<165535>.
PAR-NAME
Specifies the parameter name.
<TAG1> ... <TAGN>
(Optional) specifies a list of tags. You can add one or more tags.
addtag
Adds the specified tag to the list.
deltag
Removes the specified tag from the list.
TAG-NAME
Specifies the name of the added/removed tag.
no
Removes the notification target address.
Example 1
device-name(config)#snmp-server target-addr XYZ 192.168.0.121 162 param1 tag1
Example 2
device-name(config)#snmp-server target-addr XYZ addtag tag2

Page 36

Sending snmpSetExecuted Notifications
The snmp-server set-execute-trap command sends snmpSetExecuted notifications.
Command Syntax
device-name(config)#snmp-server set-execute-trap
device-name(config)#no snmp-server set-execute-trap
no
Disables the sending of snmpSetExecuted notifications.
Sending authenticationFailure Notifications
The snmp-server authentication-failure-trap command sends authenticationFailure
notifications.
This command controls the value of MIB-II mib-2.snmp.snmpEnableAuthTraps.
Command Syntax
device-name(config)#snmp-server authentication-failure-trap
device-name(config)#no snmp-server authentication-failure-trap
no
Disables the sending of authenticationFailure notifications.


Page 37

Defining a Notification Target Profile
The snmp-server target-profile command includes or excludes a branch of the MIB tree in a
notification profile.
Use this command only if you need to supply filters that do not match the users definition.

NOTE
First define the Notification Target Parameter (target-param) and Target Address
(target-addr) and then the Target Profile. Otherwise, you receive an error message.

NOTE
Before you use this command, read RFC 3413 section 6.
When you create target profiles, include snmpTrapOID.0 in the profile.

Command Syntax
device-name(config)#snmp-server target-profile PROFILE-NAME OBJECT-ID
{included | excluded} [MASK]
device-name(config)#no snmp-server target-profile PROFILE-NAME OBJECT-ID
{included | excluded}
PROFILE-NAME
Specifies the name of the profile.
OBJECT-ID
Specifies the starting point inside the MIB tree given in dot-notation or as
an object name.
included
Specifies the Object ID is included in the profile.
excluded
Specifies the Object ID is excluded from the profile.
MASK
(Optional) specifies the bit-mask that defines Object ID wildcard
characters.
no
Removes the notification target profile.
Defining the Retry Inform Operation Value
The snmp-server inform retry command sets an option related to resending unacknowledged
Inform requests and specifies the number of retries for resending Inform PDUs.
By default, the number of retries is 3 times.
Command Syntax
device-name(config)#snmp-server inform retry <number>
device-name(config)#no snmp-server inform retry

Page 38

number
Specifies the number of retries for resending Inform PDUs. The valid range is
<12147483647>.
no
Configures the number of retries to its default value.
Example 1
Set the number of inform PDU retries to 5:
device-name(config)#snmp-server inform retry 5
Example 2
Disable snmp-server informretryoption and set the number of retries to 3 (default value):
device-name(config)#no snmp-server inform retry
Defining the Timeout Inform Operation Value
The snmp-server inform timeout command sets the time to wait for an acknowledgement
before resending an unacknowledged inform PDU.
By default, the time to wait for an acknowledgement before resending an unacknowledged inform
PDU is 30 seconds.
Command Syntax
device-name(config)#snmp-server inform timeout <time>
device-name(config)#no snmp-server inform timeout
time
Specifies the time, in seconds, to wait for an acknowledgement before resending an
unacknowledged Inform PDU. The valid range is <12147483647>.
no
Configures the timeout to its default value.
Example
Set the inform PDU time to 10 seconds:
device-name(config)#snmp-server inform timeout 10

Page 39

Defining the System Contact String
The snmp-server contact command sets the MIB-II system contact string.
Command Syntax
device-name(config)#snmp-server contact .LINE-TEXT
device-name(config)#no snmp-server contact
.LINE-TEXT
Descriptive system contact string, up to 80 characters long.
Use the system contact string for the textual identification of the contact
person for this managed node, together with information on how to contact
this person. If no contact information is known, the value is a zero-length
string.
no
Removes the SNMP system contact string.
Example
device-name(config)#snmp-server contact tom@comp.com
Defining the System Name
The snmp-server system-name command sets the MIB-II system name.
Command Syntax
device-name(config)#snmp-server system-name .LINE-TEXT
device-name(config)#no snmp-server system-name
.LINE-TEXT
Descriptive system name string, up to 80 characters long.
The system name is an administratively-assigned name for this managed
node. If the name is unknown, the value is a zero-length string. If the name
is unknown, the value is a zero-length string.
no
Removes the SNMP system name.
Example
device-name(config)#snmp-server system-name T-Marc

Page 40

Defining the System Location
The snmp-server location command sets the MIB-II system location string.
Command Syntax
device-name(config)#snmp-server location .LINE-TEXT
device-name(config)#no snmp-server location
.LINE-TEXT
Descriptive system location string, up to 80 characters long.
Use the system location string for describing the physical location of this
node (e.g., telephone closet, 3rd floor). If the location is unknown, the value
is a zero-length string.
no
Removes the SNMP system location string.
Example
device-name(config)#snmp-server location ROOM 256
Displaying the Status of the SNMP Server
The show snmp-server command displays the status of the SNMP serverenabledor disabled, and
the UDP port on which the SNMP is enabled.
Also, it can display some other options such as: set-execute-trap, system-name, contact, status of
authentication failure trap and set-execute-trap, inform retry and timeout.
Command Syntax
device-name#show snmp-server
Example
device-name#show snmp-server
snmp- ser ver enabl e
aut hent i cat i on- f ai l ur e t r ap di sabl e
I nf or mr et r i es 10
I nf or mt i meout 2 secs

Page 41

Displaying the Engine ID
The show snmp-server engineID command displays the local SNMP Engine ID of the SNMP
Agent, all Engine IDs that are known to the Agent, and information about the inform operation
values that are different from their default values.
Command Syntax
device-name#show snmp-server engineID
Example
device-name#show snmp-server engineID
Local snmpEngi neI D: 000002DB0300A01211259A0000
snmpEngi neBoot s: 3, snmpEngi neTi me: 2394

Remot e snmpEngi neI D: 80000523010A000001
snmpEngi neBoot s: 273, snmpEngi neTi me: 978
I P addr ess: 10. 0. 0. 1
Displaying the SNMP Groups
The show snmp-server group command displays the configured groups, their associated views,
and the security model. If the security model is USM (v3), the command displays the security level.
Command Syntax
device-name#show snmp-server group
Example
gr oup name: GR1 secur i t y model : v3 aut h
r ead vi ew: READ wr i t e vi ew: WRI TE
not i f y vi ew: NOTI FY r ow st at us: act i ve

Page 42

Displaying the SNMP Users
The show snmp-server user command displays the users and their associated engine ID.
Command Syntax
device-name#show snmp-server users
Example
User name: MAG
Engi ne I D: 1234567890
Gr oup: GR1 model : v3 Aut h
Displaying All Configured Views
The show snmp-server view command displays all configured views and the viewmask of a
particular view (if configured).
A view is displayed in symbolic format, when some portions of the view family OID match the
OID, stored in file batm_oid_table. The symbol with the longest match of the OID is assigned and
concatenated with the unmatched OIDs.
Command Syntax
device-name#show snmp-server view [VIEWNAME]
VIEWNAME (Optional) specifies the name of the view. The view name is limited to 32
characters.
If you specify the view name, only data for the views with the specified name is
displayed on the screen. If you do not specify the view name, all views are
displayed on the screen.

Page 43

Example
Display a view family in symbolic format, the view family has the following long OID:
1.3.6.1.2.1.4.24.4.1.192.168.0.0.255.255.0.0.0.192.168.4.1

The view is displayed in the following format:
ipCidrRouteEntry.192.168.0.0.255.255.0.0.0.192.168.4.1

device-name#show snmp-server view
Vi ew name: MyVi ew
OI D: 1. 3. 6 i ncl uded
Row st at us: Act i ve
St or age t ype: Vol at i l e

Vi ew name: MyVi ew
OI D: 1. 3. 6 excl uded
Row st at us: Act i ve
St or age t ype Vol at i l e

If you load the file batm_oid_tablein the flash file system, the OIDs are displayed with symbolic
names.
The row status can be Active (the row is operable) or notInService (the row is administratively
disabled).
The storage type can be Volatile (the data is in volatile memory, and after reboot it is lost) or Non
Volatile (the data is in non volatile memoryit can restore after reboot).
Displaying the Notification Target Parameters
The show snmp-server target-param command displays the notification target parameters.
Command Syntax
device-name#show snmp-server target-param
Example
device-name#show snmp-server target-param
Tar get Par amet er : par am1
Secur i t y Name : GHJ
Secur i t y Model : v3
Secur i t y Level : aut h
Pr of i l e name : PROFI LE

Page 44

Displaying the Notification Target Profiles
The show snmp-server target-profiles command displays the notification target profiles.
Command Syntax
device-name#show snmp-server target-profiles
Example
device-name#show snmp-server target-profiles
Pr of i l e name: pr of i l e
OI D: 1. 3. 6 i ncl uded

Pr of i l e name: pr of i l e
OI D: 1. 3. 6. 1. 2. 1 excl uded
Displaying the SNMPv3 Notification Type
The show snmp-server notify command displays the SNMPv3 notification parameters.
Command Syntax
device-name#show snmp-server notify
Example
device-name#show snmp-server notify
Not i f y Name: f anSt at usChangel i nkDown
Not i f y t ype: i nf or m
Tag: t ag1

Not i f y Name: l i nkUp
Not i f y t ype: i nf or m
Tag: t ag1

Not i f y Name: r esi l i ent Li nkSt at usChange
Not i f y t ype: t r ap
Tag: t ag

Page 45

Displaying the Notification Log
The show snmp-server log-notify command displays the NVRAM notification log of the
SNMP server.
Command Syntax
device-name#show snmp-server log-notify {first NUMBER | last NUMBER}
first NUMBER Specifies the number of first records to be displayed, in the valid range of <1-
65535>records.
last NUMBER Specifies the number of last records to be displayed, in the valid range of <1-
65535>records.
Example 1
If only the snmp-server log-notify command is present in the SNMP running configuration,
the device displays the following output:
device-name#show snmp-server log-notify
2009/ 01/ 01 00: 04: 11 l i nkDown not i f i cat i on sent : i nt er f ace 1/ 1/ 1

If both snmp-server log-notify and snmp-server log-sent-notify commands are present in
the SNMP running configuration, the device displays the following output:
2009/ 01/ 01 04: 07: 13 10. 0. 0. 33/ 162 13 l i nkDown i f I ndex. 1102 1102
i f Admi nSt at us. 11
02 2 i f Oper St at us. 1102 1
Example 2
device-name#show snmp-server log-notify last 78
%No r ecor ds st or ed i n not i f i cat i on l og.
Displaying the Notification Target Address
The show snmp-server target-addr command displays the notification target address.
Command Syntax
device-name#show snmp-server target-addr

Page 46

Example
device-name#show snmp-server target-addr
Tar get Addr ess: YOU
I P addr ess: 192. 168. 0. 39
UDP por t : 162
Tar get Par amet er : par am
Tag l i st : t ag1
Displaying the Pending Informs
The show snmp-server informs command displays information about the unacknowledged
informs.
The information displayed by this command includes the Statusthat can have one of the following
values:
SENDING_PROBE, indicating that the Agent does not have knowledge of the notification
recipients snmpEngineID and SNMP engine ID discovery procedure is under its way.
WAITING_RETRANSMISSION, indicating that the Agent knows the snmpEngineID of
the notification recipient (and is already time-synchronized with it), and sends correct inform
PDUs to it, but the Manager has not acknowledged it yet.
WAITING_RETRANSMISSION, indicating a lack of communication between the Agent
and the Manager.
Command Syntax
device-name#show snmp-server informs
Example
device-name#show snmp-server informs
I nf or mI D 5 about t o be sent t o 10. 0. 0. 1
Ret r i es l ef t : 9, el apsed: 0, t i meout : 2
St at us: SENDI NG_PROBE



Page 47

Displaying the Access List Applied to a User
The show snmp-server access-list displays the access list assigned to a user.
Command Syntax
device-name#show snmp-server access-list [USER]
USER
(Optional) specifies the user name. If specified, only the access list of this user is
displayed on the screen. If not specified, all the access lists of this user are displayed
on the screen.
Example 1
device-name#show snmp-server access-list
User name : r est r i ct ed_user
Access l i st : acl Rest r i ct

User name : al l _user s
Access l i st : acl Al l
Example 2
Display the SNMP server users and their assigned access-lists:
device-name#show snmp-server access-list
User name: I VAN
Access Li st : MyLyst

device-name#show access-lists
St andar d r out i ng- pr ot ocol access- l i st MyLyst
per mi t 220. 132. 0. 0/ 16

Page 48

Using SNMPv1
In this example two SNMP users are added to the device. Both users use SNMPv1. The first user
uses the public community with read-only permission and the second uses the private community
with read-write access. The SNMPv1 community is parsed by the SNMP Agent as the user name.
1. Enable SNMP:
2. Create a view that includes the entire MIB tree from root:
3. Create a group with read-only access to the view:
device-name(config)#snmp-server group groupAllReadOnly v1 read viewAll
write none notify none
4. Create a group with read-write access to the viewAll view:
device-name(config)#snmp-server group groupAllReadWrite v1 read viewAll
write viewAll notify none
5. Create user name public that uses the read-only access:
device-name(config)#snmp-server user public group groupAllReadOnly v1
6. Create user name private that uses the group with read-write access:
device-name(config)#snmp-server user private group groupAllReadWrite v1
SNMP Notification for Users
A user with IP address 20.0.0.5 is added and receives SNMPv1 notifications: linkUp, linkDownand
coldStart, using the community trap_v1.
1. Enable SNMP:
2. Create a view that includes the entire MIB tree from root:
3. Create a group named gall that supports only notification view:
device-name(config)#snmp-server group gall v1 read viewAll write viewAll
notify viewAll
4. Create a user named trap_v1 with group gall for SNMPv1:
device-name(config)#snmp-server user trap_v1 group gall v1

Page 49

5. Add a target parameter named MyParam that uses trap_v1:
device-name(config)#snmp-server target-param MyParam trap_v1 v1
6. Create the target address TargetAddress1 for IP address 20.0.0.5, port 162 that uses the
target parameter MyParam and sends all the packets to tag1:
device-name(config)#snmp-server target-addr TargetAddress1 20.0.0.5 162
MyParam tag1
7. Add to tag1 the coldStart notification:
device-name(config)#snmp-server notify coldStart tag1
8. Add to tag1 the linkDown notification:
device-name(config)#snmp-server notify linkDown tag1
9. Add to tag1 the linkUp notification:
device-name(config)#snmp-server notify linkUp tag1

The following commands change the device configuration to send the same notification in
SNMPv3 format without authentication and privacy to the same target, as well as SNMPv1
notifications.
1. Create a user named trap_v3 with group gall for SNMPv3:
device-name(config)#snmp-server user trap_v3 group gall v3
2. Add a target parameter named MyParam1 that uses the user trap_v3:
device-name(config)#snmp-server target-param MyParam1 trap_v3 v3 noauth
3. Create the target address TargetAddress_v3 for IP address 20.0.0.5, port 162 that uses the
target parameter MyParam1 and sends all the packets to tag1:
device-name(config)#snmp-server target-addr TargetAddress_v3 20.0.0.5 162
MyParam1 tag1
Group Definition
The following example shows how to create a group with name public_grp.1.
1. Enable the SNMP server:
2. Create SNMP view, starting from the 1.3.6 Object ID in the MIB tree:
device-name(config)#snmp-server view MyView 1.3.6 included
3. Create group public_grp with SNMP v1 security level and define the access rights for the
group:
device-name(config)#snmp-server group public_grp v1 read MyView write
MyView notify none

Page 50

4. Define group public_grp with SNMP v2 security level and define the access rights for the
group:
device-name(config)#snmp-server group public_grp v2 read MyView write
MyView notify none
5. Define group public_grp with SNMP v3 authenticated and encrypted model and define the
access rights of the group:
device-name(config)#snmp-server group public_grp v3 priv read MyView
write MyView notify none
6. Display the created groups and access rights that are assigned above:
gr oup name: publ i c_gr p secur i t y model : v1
r ead vi ew: MyVi ew wr i t e vi ew: MyVi ew
not i f y vi ew: none r ow st at us: act i ve

gr oup name: publ i c_gr p secur i t y model : v2c

gr oup name: publ i c_gr p secur i t y model : v3 pr i v
Defining Users and Assigning Users to Groups
The following example shows how to create users and join them to groups for the v3 security
models.
2. Create a user with name public and connect it to the group public_grp for the user security
model v1:
device-name(config)#snmp-server user public group public_grp v1
3. Connect the user public to the group public_grp for the security model v2 :
device-name(config)#snmp-server user public group public_grp v2
4. Connect the user public to the group public_grp for the security model v3. The restrictions
of the v3_read and v3_write views are applied on the SNMPv3 PDUs received with the user
name public for security level AuthPriv. The PDU has to conform to the DES and MD5
security checks.
device-name(config)#snmp-server user public group public_grp v3 priv
pass1 auth md5 pass2

Page 51

5. Display the created user and above assigned rights:
User name: publ i c
Engi ne I D: 1234567890ABCD
Gr oup: publ i c_gr p model : v1
Gr oup: publ i c_gr p model : v2c
Gr oup: publ i c_gr p model : v3 Pr i v
Using SNMPv3
2. Configure the engine ID of the Agent:
device-name(config)#snmp-server engineID 1234567890
3. Create SNMP view, starting from the 1.3.6 Object ID in the MIB tree:
device-name(config)#snmp-server view MyView 1.3.6 included
4. Configure a group with name GR1 with security model v3. Specify this group to use
authentication, read view name READ, write view for the group WRITE and notify view with
name NOTIFY for this group GR1:
device-name(config)#snmp-server group GR1 v3 auth read READ write WRITE
notify NOTIFY
5. Configure a user MAG and assign this user to group GR1 with security model v3. Specify the
packet authentication SHA authentication and the authentication password MAG:
device-name(config)#snmp-server user MAG group GR1 v3 auth sha MAG
6. Specify the notification target parameter param1:
device-name(config)#snmp-server target-param param1 MAG v3 auth PROFILE
7. Specify the notification target address 192.168.0.39. Assign a UDP port, parameter name
and tag list to the target address:
device-name(config)#snmp-server target-addr YOU 192.168.0.39 162 param1
tag1

Page 52

Configuring a Target Address to Receive Informs and
Traps
The following example shows how to configure RMON risingAlarmas an inform notification and
RMON fallingAlarmas a trap. It also shows how to deliver RMON risingAlarmand RMON
fallingAlarmto a specified IP address (192.168.0.30). The receiver of the Inform has snmpEngineID:
123456789abcd.
2. Define the notification with name risingAlarm, tag tagRmonInform, and create the
notification as an inform:
device-name(config)#snmp-server notify risingAlarm tagRmonInform inform
3. Define the notification with name fallingAlarm and tag tagRmonTrap. Since the parameter
inform is omitted, this notification is created as a trap:
device-name(config)#snmp-server notify fallingAlarm tagRmonTrap
4. Define a notification target address with name informPC and IP address 192.168.0.30.
Specify the default UDP port (162), the parameter name parInform, and a tag
tagRmonInform.
device-name(config)#snmp-server target-addr informPC 192.168.0.30 162
parInform tagRmonInform
5. Define a notification target address with name trapPC and IP address 192.168.0.30. Specify
the default UDP port (162), the parameter name parTrap, and a tag tagRmonTrap.
device-name(config)#snmp-server target-addr trapPC 192.168.0.30 162
parTrap tagRmonTrap
6. Define a notification target parameter with name parInform and security name usrRemote,
security model v3 and Authentication of the PDUs based on HMAC-MD5 or HMAC-SHA:
device-name(config)#snmp-server target-param parInform usrRemote v3 auth
7. Define a notification target parameter with name parTrap and security name usrLocal,
security model v3 and Authentication of the PDUs based on HMAC-MD5 or HMAC-SHA:
device-name(config)#snmp-server target-param parTrap usrLocal v3 auth
8. Create a user with name usrRemote and assign this user to group grpRemote. Specify the
SNMP v3, authentication level auth with HMAC-SHA authentication, and authentication
password string. Create a remote user with engine ID 123456789abcd.:
device-name(config)#snmp-server user usrRemote group grpRemote v3 auth sha
auth_password remote 123456789abcd

Page 53

9. Create a user with name usrLocal and assign this user to group grpLocal. Specify the SNMP
v3, authentication level auth with HMAC-MD5 authentication, and authentication password
string:
device-name(config)#snmp-server user usrLocal group grpLocal v3 auth md5
another_password
10. Configure a group with name grpLocal, SNMP v 3, authentication level auth. Specify the
read view all, the write view all and the notify view all:
device-name(config)#snmp-server group grpLocal v3 auth read all write all
notify all
11. Configure a group with name grpRemote, SNMP v 3, authentication level auth. Specify the
read view all, the write view all and the notify view all:
device-name(config)#snmp-server group grpRemote v3 auth read all write all
notify all
12. Create a view with name all. Specify the OID-TREE ID in the view:
device-name(config)#snmp-server view all 1.3.6 included
Configuring Notification Logs
The following example shows how to configure notification events and logs. It also shows how to
display the notification logs.
2. Define the following notification events: linkUp (tag NotifyTag1), linkDown (tag
NotifyTag2), coldStart and warmStart (tag NotifyTag3):
device-name(config)#snmp-server notify linkUp NotifyTag1
device-name(config)#snmp-server notify linkDown NotifyTag2
device-name(config)#snmp-server notify coldStart NotifyTag3
device-name(config)#snmp-server notify warmStart NotifyTag3
3. Configure the notification log so that only the notifications included in NotifyTag1 and
NotifyTag2 notify tags are logged:
device-name(config)#snmp-server log-notify NotifyTag1
device-name(config)#snmp-server log-notify NotifyTag2
4. Display the notification log.
%No r ecor ds st or ed i n not i f i cat i on l og
5. After a linkDown event occurs on port 1/ 1/ 1, the notification log is displayed as follows:

Page 54

6. Reload the device with option save. Display the notification log. The warmStart notification
is not logged, because its tag NotifyTag3 was not defined earlier:

7. After a linkUp event occurs on port 1/ 1/ 1, the notification log is displayed as follows:
2009/ 01/ 01 00: 02: 26 l i nkUp not i f i cat i on sent : i nt er f ace 1/ 1/ 1
8. Prevent the notifications grouped in tag NotifyTag2 (linkDown in this particular case) from
further inclusion in the notification log:
device-name(config)#no snmp-server log-notify NotifyTag2
9. After linkDown and linkUp events occur on port 1/ 1/ 1, the notification log is displayed as
follows:
10. Include all notification tags in the notify log:
device-name(config)#snmp-server log-notify
11. Reload the device with save option and display the notification log:

2009/ 01/ 01 00: 00: 25 l i nkUp not i f i cat i on sent : i nt er f ace 1/ 1/ 1.

2009/ 01/ 01 00: 00: 17 war mSt ar t not i f i cat i on sent .
12. Clear the notification log:
device-name#clear snmp-server log notify
13. Display the notification log:
device-name#show snmp-server log notify
%No r ecor ds st or ed i n not i f i cat i on l og

Page 55

Supported Platforms
Simple Network Management Protocol (SNMP) + +
Simple Network
Management
Protocol (SNMP)
STD0015, Simple
Network
Management
Protocol
STD0016,
Structure of
Management
Information
STD0017,
Management
Information Base
STD0058,
Structure of
Management
Information
Version 2 (SMIv2)
STD0062, Simple
Network
Management
Protocol Version 3
(SNMPv3)
Public MIBs:
SNMPV1-MIB
MIB-II
(RFC1213-
MIB)
SNMP-
COMMUNITY-
MIB
(RFC2576)
SNMPv2-MIB
SNMP-VIEW-
BASED-ACM-
MIB
SNMP-USER-
BASED-SM-
MIB
RFC 1157, SNMPv1
The Simple Network
Management Protocol:
A full Internet Standard
RFC 1213,
Management
Network Management
of TCP/IP-based
internets: MIB-II
RFC 2579, Textual
Conventions for SMIv2
RFC 2580,
Conformance
Statements for SMIv2
RFC 3410,
Introduction and
Applicability
Statements for Internet
Standard Management
Framework
RFC 3411, An
Architecture for
Describing Simple
Network Management
Protocol (SNMP)
Management
Frameworks
RFC 3412, Message
Processing and
Dispatching for the
Simple Network
Management Protocol
(SNMP)
RFC 3413, Simple
Network Management
Protocol (SNMP)
Applications
RFC 3414, User-based
Security Model (USM)

Page 56

for version 3 of the
Simple Network
Management Protocol
(SNMPv3)
RFC 3415, View-
based Access Control
Model (VACM) for the
Simple Network
Management Protocol
(SNMP)
RFC 3416, Version 2
of the Protocol
Operations for the
Simple Network
Management Protocol
(SNMP)
RFC 3417, Transport
Mappings for the
Simple Network
Management Protocol
(SNMP)
RFC 3418,
Management
Information Base (MIB)
for the Simple Network
Management Protocol
(SNMP)
RFC 1901,
Introduction to
Community-based
SNMPv2.
RFC1902, Structure of
Management
Information for Version
2 of the Simple
Network Management
Protocol (SNMPv2).
RFC1905, Protocol
Operations for Version
2 of the Simple
Network Management
Protocol (SNMPv2).
RFC3584,
Coexistence between
Version 1, Version 2,
and Version 3 of the
Internet-standard
Network Management
Framework

Page 1
SNMP Reference Guide (Rev. 04)

SNMP Reference Guide
Table of Contents
Configuring Fast Ethernet and Giga Ethernet Port via SNMP 6
MIB Architecture: PRVT-SWITCH-MIB 6
Fast Ethernet and Giga Ethernet Port Configuration Examples 9
Configuration via CLI 9
Configuration via SNMP10
Configuring Link Aggregation Groups (LAGs) via SNMP 11
MIB Architecture: PRVT-PORTS-AGGREGATION-MIB11
Notifications12
LAG Configuration Examples 13
Configuration via CLI13
Configuring Resilient Links via SNMP15
MIB Architecture: PRVT-RESILIENT-LINK-MIB15
Notifications16
Resilient Links Configuration Examples 16
Configuring Virtual LANs (VLANs) via SNMP17
MIB Architecture: Q-BRIDGE-MIB17
VLANs Configuration Examples20
Configuring Transparent LAN Services (TLS) via SNMP21
MIB Architecture21

Page 2

PRVT-SERV-MIB21
PRVT-L2TUNNELING-MIB24
Notifications27
TLS Configuration Examples 29
TLS Tunneling Configuration Example30
Configuring Spanning Tree Protocol (STP) via SNMP32
MIB Architecture32
BRIDGE-MIB32
RSTP-MIB35
PRVT-SWITCH-MIB37
Notifications37
STP via SNMP Configuration Example38
Configuring Rapid STP (RSTP) via SNMP40
MIB Architecture40
BRIDGE-MIB40
RSTP-MIB40
PRVT-SWITCH-MIB40
RSTP via SNMP Configuration Example41
Configuring Multiple STP (MSTP) via SNMP43
MIB Architecture43
PRVT-MST-MIB43
PRVT-SWITCH-MIB46
Notifications46
MSTP via SNMP Configuration Examples47
Pending Configuration47
MSTP Global Parameters Configuration47
Configuring Quality of Service (QoS) via SNMP48
MIB Architecture: PRVT-QoS-MIB48
QoS via SNMP Configuration Examples50

Page 3

Mapping Priority to Queue50
Configuring the DSCP-to-FC Mapping52
Configuring QoS Service Policy53
Configuring 802.3ah Ethernet in the First Mile (EFM) via SNMP56
MIB Architecture56
PRVT-SWITCH-EFM-OAM-MIB56
DOT3-OAM-MIB57
Notifications59
EFM-OAM via SNMP Configuration Example60
Configuring 802.1ag Connectivity Fault Management (CFM) via SNMP62
Architecture62
IEEE8021-CFM-MIB62
PRVT-CFM-MIB65
Notifications66
CFM via SNMP Configuration Examples66
Configuring Two Devices in CFM Protocol68
Using the Clear Connectivity Command74
Configuring Ethernet Protection Switching (EPS) via SNMP79
MIB Architecture: PRVT-EPS-MIB79
Notifications81
EPS via SNMP Configuration Example82
Configuring Link Layer Discovery Protocol (LLDP) via SNMP84
MIB Architecture: LLDP-MIB84
Notifications87
LLDP via SNMP Configuration Example88
Configuring Remote Monitoring (RMON) via SNMP89
MIB Architecture: RMON-MIB89
Notifications91
RMON via SNMP Configuration Example92

Page 4

This chapter contains the following sections:
1. ConfiguringFast Ethernet andGiga Ethernet Port via SNMP
T-Marc 300 Series devices allow service providers to deliver multiple services on separate
user interfaces. Multiple application flows are supported over a single customer interface,
with each flow being mapped to a different traffic class.
2. ConfiguringLink AggregationGroups(LAGs) via SNMP
Link Aggregation Groups (LAGs), also known as trunks, provide increased bandwidth
and high reliability while saving the cost of upgrading the hardware.
3. ConfiguringResilient Linksvia SNMP
Using resilient links feature, you can protect critical links and prevent a device failure by
providing a secondary backup link that is inactive until it is needed.
4. ConfiguringVirtual LANs(VLANs) via SNMP
VLANs are used to group users traffic with common requirements, as if they were on the
same LAN although they may be in separate physical locations. The key benefit of
VLANs is its flexibility in allowing any logical LAN to be implemented on any physical
infrastructure.
5. ConfiguringTransparent LAN Services(TLS) via SNMP
Deploying the TLS requires network operators to transport a large number of customers
virtual LANs (VLANs) while keeping traffic in each VLAN secured.
6. ConfiguringSpanningTreeProtocol (STP) via SNMP
Spanning Tree Protocol (STP, IEEE 802.1d) is a Layer 2 protocol that provides path
redundancy, ensuring a loop-free topology for bridged LANs.
7. ConfiguringRapidSTP (RSTP) via SNMP
Rapid Spanning Tree Protocol (RSTP) is an evolution of STP providing faster
convergence (less than one second) upon a network topology change.
8. ConfiguringMultipleSTP (MSTP) via SNMP
Based on RSTP, MSTP allows using multiple spanning tree instances (MSTI) while
mapping each VLAN or VLAN group to the most appropriate instance.
9. ConfiguringQualityof Service(QoS) via SNMP
Quality of Service (QoS) allows you to specify different service levels for traffic that
traverses the device and provides preferential treatment to that traffic, possibly at the
expense of other traffic.
10. Configuring802.3ahEthernet intheFirst Mile(EFM) via SNMP
IEEE 802.3ah Ethernet in the First Mile (EFM) specifies the protocols and Ethernet
interfaces for using Ethernet over access links as a first-mile technology and transforming
it into a highly reliable technology.
11. Configuring802.1agConnectivityFault Management (CFM) via SNMP
IEEE 802.1ag Connectivity Fault Management (CFM) refers to the ability of a network to
monitor the health of an end-to-end service delivered to customers as opposed to just
links or individual bridges.

Page 5

12. ConfiguringEthernet ProtectionSwitching(EPS) via SNMP
ITU-T G.8031 Ethernet Protection Switching (EPS) is a method of protecting point-to-
point Ethernet service connection over VLAN transport networks, assuring traffic
transport between the two service ends.
13. ConfiguringLink Layer DiscoveryProtocol (LLDP) via SNMP
The Link Layer Discovery Protocol (LLDP) is a vendor-neutral Layer 2 protocol that
allows a network device to advertise its identity and capabilities on the local network.
14. ConfiguringRemoteMonitoring(RMON) via SNMP
Remote Monitoring (RMON) is an Internet Engineering Task Force (IETF) monitoring
specification that defines a set of statistics and functions that can be exchanged between
RMON-compliant console systems and network probes.


Page 6

Configuring Fast Ethernet and Giga Ethernet Port
via SNMP
For additional information about this feature, refer to the Fast Ethernet andGiga Ethernet Port section
of the ConfiguringInterfaceschapter of this User Guide.
MIB Architecture: PRVT-SWITCH-MIB
The Switch MIB is a private MIB used for managing the internal device parameters.
RFC 2863 supported: the Interfaces Group MIB (configL2IfaceTable and interface table). This
RFC specifies an Internet standards track protocol for the Internet community, and requests
discussion and suggestions for improvements.

NOTE
For the configuration via SNMP, only the conf i gL2I f aceTabl e is used.

This table contains the objects:
Object Entry Field Name Description
configL2IfaceTable This table contains a list of Interfaces and their
properties. This table contains the following
objects
configL2IfaceUnit The index that uniquely identifies a unit in the
interface table.
configL2IfaceSlot The index that uniquely identifies a slot within the
unit in the interface table.
configL2IfacePort The index that uniquely identifies a port within the
slot in the interface table.
configL2IfaceName The textual name of this interface.
configL2IfaceEnable Enables(1) or disables(2) the control used for the
interface. This is the only way to enable or
disable the interface. The ifAdminStatus, in
RFC1213, and dot1dStpPortEnable, in RFC1493,
are both implemented as read-only.
configL2IfaceSTPEnable Enables(1) or disables(2) Spanning Tree
operation used for this interface.
configL2IfaceDuplexSpeedSet The desired speed and duplex mode for the
interface. If the selected control is not available
for the interface, a value of illegal(99) is returned.
If the port type does not support the default of
autonegotiate(1), then the application initializes
the port to a valid value (for example,
1000full(6)).
Not all controls are available for all interfaces. For
example, only full-1000(6) is available for Gigabit
Ethernet interfaces.

Page 7

configL2IfaceFlow The desired flow mode for the interface. If the
selected control is not available on the interface,
a value of illegal(99) is returned. If the port type
does not support the default value of
the port to a valid value (for example,
1000full(6)).
example, only full-1000(6) is available for Gigabit
configL2IfaceBackpressure The desired back-pressure mode for the
on the interface, a value of illegal(99) is returned.
configL2IfaceResetCounters Resets the statistics counters selected for this
port.
configL2IfaceDefaultVID Sets the default VLAN ID according to 802.1Q.
configL2IfaceSnifferIfIndex Connects this port to a sniffer port indexed by the
specified ifIndex. Setting this value to 0
disconnects this port from the sniffer.
configL2TopologyChangeDetection Controls the STP topology change detection for
this interface.
configL2IfaceDuplexModeSet The duplex mode for the interface. If the port type
does not support the default of autonegotiate(1),
then the application initializes the port to a valid
value (for example, full (2)).
configL2IfaceSpeedSet The desired speed and duplex mode for the
for the interface, a value of illegal (99) is returned.
If the port type does not support the default of
the port to a valid value (for example, 1000(3)).
example, only 1000(4) is available for Gigabit
configL2IfaceBroadcastRateLimit The rate limit broadcast traffic. Must be a number
between 64 Kbps and 1 Gbps, specified in Kbps.
configL2IfaceMulticastRateLimit The rate limit multicast traffic. Must be a number
configL2IfaceUnknownRateLimit The rate limit unknown traffic. Must be a number
configL2IfaceBroadcastBurstSize The burst size broadcast traffic. Must be a
number between 12 Kbps and 1 Mbps, specified
in Kbps.
configL2IfaceMulticastBurstSize The burst size multicast traffic. Must be a number
between 12 Kbps and 1 Mbps, specified in Kbps.
configL2IfaceUnknownBurstSize The burst size unknown traffic. Must be a number
between 12 Kbps and 1 Mbps, specified in Kbps.
configL2IfaceMtu The Maximum Transmission Unit (MTU), in
octets, of the interface.

Page 8

configL2IfaceAdminCrossOver The administrative MDI/MDI-X cable connection
status of ports, as specified in IEEE 803.2.
The MDI-x mode (crossover) is configured(3), the
port works in MDI-X mode.
The MDI mode(2) defines port to work in
standard MDI mode.
The auto(1) defines automatic crossover
detection, and any type of MDI/MDI-X cabling can
be used on the port.
NOTE
This attribute can be configured only
on ports that support that option.
configL2IfaceRemoteFaultDetect Controls the remote fault detection on interfaces,
connected to 100Base Fiber pair.
Once enabled(1), the device will indicate link-
down event on the interface, once remote peer
detects link down.
NOTE
Relevant only on 100Base Fiber ports.

Page 9

Fast Ethernet and Giga Ethernet Port Configuration
Examples
Configuration via CLI
1. Configure a description on port 1/ 1/ 1:
device-name(config-if 1/1/1)#name port1
2. Configure default VLAN on port 1/ 1/ 1:
device-name(config-if 1/1/1)#default vlan 12
3. Configure desired speed on port 1/ 1/ 1:
device-name(config-if 1/1/1)#speed 1000
4. Configure desired duplex-mode on port 1/ 1/ 1:
device-name(config-if 1/1/1)#duplex full
5. Enable flow-control in full duplex-mode:
device-name(config-if 1/1/1)#flow-control enable
6. Configure broadcast-limit:
device-name(config-if 1/1/1)#storm-control broadcast 10M
7. Configure multicast-limit:
device-name(config-if 1/1/1)#storm-control multicast 20M
8. Configure unknown-limit:
device-name(config-if 1/1/1)#storm-control unknown 30M
9. Enable the port:
device-name(config-if 1/1/1)#no shutdown

Page 10

Configuration via SNMP
1. Configure a description on port 1/ 1/ 1:
***** SNMP SET- RESPONSE START *****
snmpset configL2IfaceName.1.1.1 string port1
***** SNMP SET- RESPONSE END *******
2. Configure Default VLAN on port 1/ 1/ 1:
snmpset configL2IfaceDefaultVID.1.1.1 integer 12
3. Configure desired speed on port 1/ 1/ 1:
snmpset configL2IfaceSpeedSet.1.1.1 integer 4 (1000 mbps)
4. Configure desired duplex-mode on port 1/ 1/ 1:
snmpset configL2IfaceDuplexModeSet.1.1.1 integer 2 (full)
5. Enable flow-control in full duplex-mode:
snmpset configL2IfaceFlow.1.1.1 integer 2 (on)
6. Configure broadcast-limit:
snmpset configL2IfaceBroadcastRateLimit.1.1.1 integer 100
7. Configure multicast-limit:
snmpset configL2IfaceMulticastRateLimit.1.1.1 integer 200
8. Configure unknown-limit:
snmpset configL2IfaceUnknownRateLimit.1.1.1 integer 300
9. Enable the port:
snmpset configL2IfaceEnable.1.1.1 integer 1 (enable)

Page 11

Configuring Link Aggregation Groups (LAGs) via
SNMP
For additional information about this feature, refer to the Link AggregationGroups(LAGs) section of
the ConfiguringInterfaceschapter of this User Guide.
MIB Architecture: PRVT-PORTS-AGGREGATION-MIB
The Ports Aggregation MIB is used for managing BiNOS devices or ipSwitch static and dynamic
port aggregation.

NOTE
For the configuration via SNMP, only the por t sAggr egat i onConf i gTabl e is used.

This table contains the objects:
portsAggregationConfigTable This table contains only the static (created by
management) port trunk configuration. This
table contains the following objects:
staticAggregationID Specifies a number representing the
aggregation group that this port belongs to.
The value 0 means that this port does not
belong to any static group.
dynamicAggregationID Specifies a number representing the
aggregation group that this port belongs to.
The value 0 means that this port does not
belong to any dynamic group.
aggregationType Specifies the aggregation type of the interface:
disable(1) if the port does not belong to a
group
static(2) if the port belongs to a static
group
protocol-802-1adAcive(3) or protocol-802-
1adPassive (4) if the interface is part of a
dynamic group.
aggregationLacpPortPriority Specifies the LACP priority for a port.
aggregationLacpPortKey Specifies the LACP identification key for a port.

Page 12

Notifications
The PRVT-PORTS-AGGREGATION-MIB contains the following notifications:
lagMemberLinkUpis generated when the LAG link becomes up. It has two indexes. The
first ifIndex indicates the ID of the trunk interface. The second one shows the port member
with link status change.
OID: 1.3.6.1.4.1.738.1.5.106.3.1
lagMemberLinkDownis generated when the LAG link becomes down. It has two
indexes. The first ifIndex indicates the ID of the trunk interface. The second one shows the
port member with link status change.
OID: 1.3.6.1.4.1.738.1.5.106.3.2
lagMemberAddis generated when a new port is added to a LAG link. It has two indexes.
The first ifIndex indicates the ID of the trunk interface. The second one shows the added port
member.
OID: 1.3.6.1.4.1.738.1.5.106.3.3
lagMemberRemoveis generated when a port is removed from a LAG link. It has two
indexes. The first ifIndex indicates the ID of the trunk interface. The second one shows the
removed port member.
OID: 1.3.6.1.4.1.738.1.5.106.3.4
For more information regarding traps definition, refer to the ConfiguringSimpleNetwork Management
Protocol (SNMP) chapter of this User Guide.

Page 13

LAG Configuration Examples
Static Link-Aggregation via SNMP Configuration Example
1. Configure static link aggregation:
2. Remove the port from aggregation:
device-name(config-if 1/2/1)#no link-aggregation
Dynamic Link-Aggregation via SNMP Configuration Example
1. Enable LACP globally
device-name(cfg protocol)#link-aggregation lacp enable
2. Enable LACP in Active mode on port 1/ 2/ 4:
device-name(config-if 1/2/4)#link-aggregation lacp active
3. Configure LACP priority
device-name(config-if 1/2/4)#link-aggregation lacp port-priority 40000
4. Configure LACP key
device-name(config-if 1/2/4)#link-aggregation lacp key 4
5. Disable aggregation on port 1/ 2/ 4:
device-name(config-if 1/2/4)#no link-aggregation

Page 14

Static Link-Aggregation via SNMP Configuration Example
1. Configure static link aggregation:
snmpset staticAggregationID.1.2.1 integer 3
2. Remove the port from aggregation:
snmpset aggregationType.1.2.1 integer 1 (disabled)
Dynamic Link-Aggregation via SNMP Configuration Example
1. Enable LACP globally:
snmpset aggregationLacpSystemEnable.0 integer 1
2. Enable LACP in Active mode on port 1/ 2/ 4:
snmpset aggregationType.1.2.4 integer 3 (active)
3. Configure LACP priority:
snmpset aggregationLacpPortPriority.1.2.4 integer 40000
4. Configure LACP key:
snmpset aggregationLacpPortKey.1.2.4 integer 4
5. Disable aggregation on port 1/ 2/ 4:
snmpset aggregationType.1.2.4 integer 1 (disabled)

Page 15

Configuring Resilient Links via SNMP
For additional information about this feature, refer to the Resilient Linkssection of the Configuring
Interfaceschapter of this User Guide.
MIB Architecture: PRVT-RESILIENT-LINK-MIB
The Resilient link MIB is used for managing BiNOS devices or ipSwitch resilient link.
This MIB contains the following tables and objects:
resilientLinkConfigTable This table contains the resilient link
configuration and contains the following
objects:
resilientLinkIndex This object identifies the resilient link.
resilientLinkEnable This object enables or disables the resilient
link.
resilientLinkPort1ifIndex This object identifies the first port belonging to
this resilient link; the value 0 means that no
port is selected.
resilientLinkPort2ifIndex This object identifies the second port belonging
to this resilient link; the value 0 means that no
port is selected.
resilientLinkPreferredPort This object identifies the preferred port (1 or 2)
in this resilient link; the value 0 means that no
port is selected.
resilientLinkActivePort This object identifies the active port (1 or 2) in
this resilient link. Only ports with link up can be
configured as active ports.
resilientLinkStatusTable This table contains the resilient link status and
contains the following objects:
resilientLinkConnectedPort This object shows the connected ports in the
resilient link.
resilientLinkCurrentActivePort This object identifies the active port (1 or 2) in
this resilient link. Only ports with link up can be
configured as active ports.

Page 16

Notifications
The PRVT-RESILIENT-LINK-MIB contains the resilientLinkStatusChange notification. It
indicates that the resilient link status was changed; it is identified by the resilientLinkIndex (OID:
1.3.6.1.4.1.738.1.5.102.0.1).
Resilient Links Configuration Examples
1. Configure resilient-link 5 on ports 1/ 2/ 3 and 1/ 2/ 4:
device-name(config-resil-link 5)#ports 1/2/3 1/2/4
2. Configure the preferred port:
device-name(config-resil-link 5)#prefer port 1/2/3
3. Check the currently active port:
device-name(config-resil-link 5)#active port 1/2/3
device-name(config-resil-link 5)#exit
4. Remove the resilient-link:
device-name(config)#no resilient-link 5
1. Enable resilient-link:
snmpset resilientLinkEnable.5 (integer) enable(1)
2. Configure resilient-link 5 on ports 1/ 2/ 3 and 1/ 2/ 4:
snmpset resilientLinkPort1ifIndex.5 integer 1203
snmpset resilientLinkPort2ifIndex.5 integer 1204
3. Configure the preferred port:
snmpset resilientLinkPreferredPort.5 integer 1
4. Check the currently active port:
snmpget resilientLinkCurrentActivePort.5
5. Remove the resilient-link:
snmpset resilientLinkEnable.5 integer 2 (disabled)

Page 17

Configuring Virtual LANs (VLANs) via SNMP
For additional information about VLANs, refer to the Virtual LANssection of the Configuring
VLANsandSuper VLANschapter of this User Guide.
MIB Architecture: Q-BRIDGE-MIB
The VLAN Bridge MIB is used for managing Virtual Bridged Local Area Networks, as defined by
IEEE 802.1Q-1998. This MIB is managing the MAC Address Table and is also referred to as
8021Q_d6.mib.
dot1qBase
dot1qVlanVersionNumber Contains the version number of IEEE 802.1Q that this
device supports.
dot1qMaxVlanId Contains the maximum IEEE 802.1Q VLAN ID that this
device supports.
dot1qMaxSupportedVlans Contains the maximum number of IEEE 802.1Q VLANs that
this device supports.
dot1qNumVlans Contains the current number of IEEE 802.1Q VLANs that
are configured in this device.
dot1qGvrpStatus Contains the administrative status requested by
management for GVRP. The value enabled(1) indicates that
GVRP should be enabled on this device, on all ports for
which it has not been specifically disabled. When
disabled(2), GVRP is disabled on all ports and all GVRP
packets will be forwarded transparently. This object affects
all GVRP Applicant and Registrar state machines. A
transition from disabled(2) to enabled(1) will cause a reset of
all GVRP state machines on all ports.
dot1qTp
dot1qFdbTable Contains the configuration and control information for each
Filtering Database currently operating on this device. Entries
in this table appear automatically when VLANs are assigned
FDB IDs in the dot1qVlanCurrentTable.
dot1qTpFdbTable Contains information about unicast entries for which the
device has forwarding and/or filtering information. This
information is used by the transparent bridging function in
determining how to propagate a received frame.
dot1qTpGroupTable Contains filtering information for VLANs configured into the
bridge by (local or network) management, or learnt
dynamically, specifying the set of ports to which frames
received on a VLAN for this FDB and containing a specific
Group destination address are allowed to be forwarded.

Page 18

dot1qForwardAllTable Contains forwarding information for each VLAN, specifying
the set of ports to which forwarding of all multicasts applies,
configured statically by management or dynamically by
GMRP. An entry appears in this table for all VLANs that are
currently instantiated.
dot1qForwardUnregister
edTable
Contains forwarding information for each VLAN, specifying
the set of ports to which forwarding of multicast group-
addressed frames for which there is no more specific
forwarding information applies. This is configured statically
by management and determined dynamically by GMRP. An
entry appears in this table for all VLANs that are currently
instantiated.
dot1qStatic
dot1qStaticUnicastTabl
e
Contains filtering information for Unicast MAC addresses for
each Filtering Database, configured into the device by (local
or network) management specifying the set of ports to which
frames received from specific ports and containing specific
unicast destination addresses are allowed to be forwarded.
A value of zero in this table, as the port number from which
frames with a specific destination address are received, is
used to specify all ports for which there is no specific entry
in this table for that particular destination address. Entries
are valid for unicast addresses only.
dot1qStaticMulticastTa
ble
Contains filtering information for Multicast and Broadcast
MAC addresses for each VLAN, configured into the device
by (local or network) management specifying the set of ports
to which frames received from specific ports and containing
specific Multicast and Broadcast destination addresses are
allowed to be forwarded. A value of zero in this table, as the
port number from which frames with a specific destination
address are received, is used to specify all ports for which
there is no specific entry in this table for that particular
destination address. Entries are valid for Multicast and
Broadcast addresses only.
dot1qVlan
dot1qVlanNumDeletes Contains the number of times a VLAN entry has been
deleted from the dot1qVlanCurrentTable (for any reason). If
an entry is deleted, then inserted, and then deleted, this
counter will be incremented by 2.
dot1qVlanCurrentTable Contains current configuration information for each VLAN
currently configured into the device by (local or network)
management, or dynamically created as a result of GVRP
requests received.
dot1qVlanStaticTable Contains static configuration information for each VLAN
configured into the device by (local or network)
management. All entries are permanent and will be restored
after the device is reset.

Page 19

dot1qNextFreeLocalVlan
Index
Contains the next available value for dot1qVlanIndex of a
local VLAN entry in dot1qVlanStaticTable. This will report
values >=4096 if a new Local VLAN may be created or else
the value 0 if this is not possible. A row creation operation in
this table for an entry with a local VlanIndex value may fail if
the current value of this object is not used as the index.
Even if the value read is used, there is no guarantee that it
will still be the valid index when the create operation is
attemptedanother manager may have already got in
during the intervening time interval. In this case,
dot1qNextFreeLocalVlanIndex should be re-read and the
creation re-tried with the new value. This value will
automatically change when the current value is used to
create a new row.
dot1qPortVlanTable Contains per port control and status information for VLAN
configuration in the device.
dot1qPortVlanStatistic
sTable
Contains per-port, per-VLAN statistics for traffic received.
Separate objects are provided for both the most-significant
and least-significant bits of statistics counters for ports that
are associated with this transparent bridge. The most-
significant bit objects are only required on high capacity
interfaces, as defined in the conformance clauses for these
objects. This mechanism is provided as a way to read 64-bit
counters for agents which support only SNMPv1. Note that
the reporting of most-significant and least- significant
counter bits separately runs the risk of missing an overflow
of the lower bits in the interval between sampling. The
manager must be aware of this possibility, even within the
same varbindlist, when interpreting the results of a request
or asynchronous notification.
dot1qPortVlanHCStatist
icsTable
Contains per port, per VLAN statistics for traffic on high
capacity interfaces.
dot1qLearningConstrain
tsTable
Contains learning constraints for sets of Shared and
Independendent VLANs.
dot1qConstraintSetDefa
ult
Contains the identity of the constraint set to which a VLAN
belongs, if there is not an explicit entry for that VLAN in
dot1qLearningConstraintsTable.
dot1qConstraintType
Default
Contains the type of constraint set to which a VLAN
belongs, if there is not an explicit entry for that VLAN in
dot1qLearningConstraintsTable. The types are as defined
for dot1qConstraintType.

Page 20

VLANs Configuration Examples
1. Create a VLAN:
2. Add port 1/ 2/ 1 tagged and port 1/ 2/ 2 untagged:
3. Delete the created VLAN:
device-name(config vlan)#delete v1000
1. Create a VLAN:
set dot1qVlanStaticRowStatus.1000 integer 5 (createAndWait)
set dot1qVlanStaticName.1000 string v1000
2. Add port 1/ 2/ 1 tagged and port 1/ 2/ 2 untagged:
set dot1qVlanStaticEgressPorts.1000 (octet string) 30.00.00.00 (hex)
set dot1qVlanStaticUntaggedPorts.1000 (octet string) 10.00.00.00 (hex)
set configL2IfaceDefaultVID.1.2.2 (integer) 1000
set dot1qVlanStaticRowStatus.1000 (integer) 1 (active)
3. Remove the created VLAN:
set dot1qVlanStaticRowStatus.1000 integer 6 (destroy)

Page 21

Configuring Transparent LAN Services (TLS) via
SNMP
For additional information about the TLS feature, refer to the ConfiguringTransparent LAN Services
(TLS) chapter of this User Guide.
MIB Architecture
To configure TLS via SNMP, use the following MIBs:
PRVT-SERV-MIB
PRVT-L2TUNNELING-MIB
PRVT-SERV-MIB
The PRVT-SERV-MIB has 4 basic modules:
prvtTMSvcObjs: This module contains objects which allow configuration the individual
service instances
prvtTMSapObjs: This module contains information about the Service Access Ports (SAPs)
prvtTMSdpObjs: The objects for configuring Service Distribution Paths (SDPs)
prvtTMCustObjs (Currently not supported)
svcBaseInfoTable This is the table used to create and configure a
service instance in general. This table is indexed by
service instance number, and contains all instance-
specific service parameters.
svcId The service ID.
svcVpnId The object is not supported.
svcRowStatus This object is used to create entries in
svcBaseInfoTable.
svcType This object represents the type of service being
created. In this version it is read-only and
configured to tls(3) because only supports VPLS
services. Currently supported as read-only.
svcDescription The filed is not supported.
svcMtu The filed is not supported.
svcAdminStatus The filed is not supported.
svcOperStatus This object contains the operating state of the
service.

Page 22

svcNumSaps The filed is not supported.
svcNumSdps The filed is not supported.
svcLastMgmtChange The filed is not supported.
svcLastStatusChange The filed is not supported.
svcEnableSecureSaps This object is used to configure forwarding of traffic
from the uplink ports only.
svcCustName The name of the customer this service belongs to.
svcRevertTimer This object contains the revert timer of the service.
sapBaseInfoTable This is the table responsible for configuring and
displaying the Service Access Ports. This table is
indexed by the name of the service to which a SAP
is bound, the unique SAP id, which in this case is
the ifIndex of the port, and the object
sapEncapValue, which have the value of a valid
VLAN ID.
sapPortId This object contains the ifIndex of the port and part
of the index of sapBaseInfoTable.
sapEncapValue This object contains the VLAN ID. Part of the index
of sapBaseInfoTable.
sapRowStatus This object is used to create entries in
sapBaseInfoTable. Entries can be created only for
existing service instances.
sapType The filed is not supported.
sapDescription The filed is not supported.
sapAdminStatus The filed is not supported.
sapOperStatus This object contains the operational status of this
SAP. Currently supported as read-only.
sapLastMgmtChange The filed is not supported.
sapOperFlags The filed is not supported.
sapCustMultSvcSiteName The filed is not supported.
sapIngressQosPolicyId The filed is not supported.
sapEgressQosPolicyId The filed is not supported.
sapIngressQosSchedulerPolicy The filed is not supported.
sapEgressQosSchedulerPolicy The filed is not supported.
sapLearnMode The filed is not supported.
sdpInfoTable This table contains one entry for each SDP
configured. It is indexed by svcName and sdpId.
Maximum two SDPs can be configured per service:
one main and one backup.

Page 23

sdpId This is the SdpId, index of the table along with the
svcId.
sdpRowStatus This object is used to create new SDPs.
sdpDelivery This field is not supported.
sdpFarEndIpAddress This field is not supported.
sdpDescription This field is not supported.
sdpLabelSignaling This field is not supported.
sdpAdminStatus This field is not supported.
sdpOperStatus This object contains the operational status of the
SDP. Currently supported as read-only.
sdpLastMgmtChange This field is not supported.
sdpLdpEnabled This field is not supported.
sdpOperFlags This object specifies all the conditions that affect the
operating status of this SDP. If the SDP is up, the
value of this object is ignored.
This field is not supported.
sdpLastStatusChange This field is not supported.
sdpAdminIngressLabel This field is not supported.
sdpAdminEgressLabel This field is not supported.
sdpOperIngressLabel This field is not supported.
sdpOperEgressLabel This field is not supported.
sdpAdminIsBackup This field is not supported.
sdpOperIsBackup This field is not supported.
sdpOutInterface This object contains the desired outbound interface
for this SDP.
sdpGroupIdentifier This field is not supported.
sdpTransportTunnelName This field is not supported.
sdpVCType This field is not supported.
sdpType This field is not supported.
sdpMtu This field is not supported.
sdpBindVlanTag Outgoing VLAN.
sdpIsPwStatusSignalingEnable Specifies if PW-status signaling is enabled per
given SDP.
sdpEpsAdminIsPrimary This object specifies the CFM pair of MEPs that
monitor the primary path.

Page 24

sdpEpsAdminIsSecondary This object specifies the CFM pair of MEPs that
monitor the secondary path.
PRVT-L2TUNNELING-MIB
In BiNOS version 10.1.Rx and above, the configuration of TLS tunneling via SNMP support has
been added.
PRVT-L2TUNNELING-MIB provides configuration abilities and statistical information about L2
protocols tunneling via SNMP.
prvtL2TunnEnable Enables/disables the Layer 2 protocol tunneling
prvtL2TunnProfileTable Contains a read-create object used to create a new
profile. After it is created, the profile can not be
modified so NotInService state is not relevant for
prvtL2TunnProfile table
prvtL2TunnProfileName TLS profile name. There are three profiles that
represent the predefined policies:
discard-all: a policy of discarding only L2 PDUs
tunnel-all: a policy of tunneling only L2 PDUs
tunnel-bpdu: a policy of tunneling only xSTP
packets. When the tunneling of xSTP protocols
is enabled, it allows tunneling the BPDUs
between the TLS access (user) ports over the
TLS core (uplink) ports. The tunneling is done
for packets with Multicast DA of 01-80-c2-00-
00-00 (STP)
prvtL2TunnProfileRowStatus TLS profile row status. It is not possible to modify
the predefined profiles:
active(1): the object is active
notInService(2): the object is not in service
notReady(3): the object is in not ready state
createAndGo(4): creates entries
createAndWait(5): creates entries
destroy(6): removes entries
prvtL2TunnProtocolsTable Contains read-crated objects used to create new
protocols

Page 25

prvtL2ProtocolName Specifies one of the allowed Layer 2 protocol PDUs
to be tunneled or discarded:
all-bridges: the PDUs intended for the MAC
address that is reserved for the exclusive use
by the All Bridges are tunneled
bridge: the PDUs intended for the MAC
addresses from the bridge block but are not
PDUs of any of the specified protocols are
tunneled
dot1x: IEEE 802.1x standard
efm-oam: Ethernet in the First Mile-Operations,
Administration and Maintenance standard
elmi: Enhanced Local Management Interface
garp: Generic Attribute Registration Protocol
lacp: Link Aggregation Protocol
lldp: Link Layer Discovery Protocol
pvst: Per-VLAN Spanning Tree (PVST)
maintains a spanning tree instance for each
VLAN configured in the network. Since PVST
treats each VLAN as a separate network, it has
the ability to load balance traffic (at layer-2) by
forwarding some VLANs on one link and other
VLANs on another link without causing a
spanning tree loop
pb-stp: Provider Bridge Spanning Tree
Protocol
stp: Spanning Tree Protocol
prvtL2ProtocolEthertype The EtherType value: a hexadecimal VLAN
EtherType value (for example 0x9000)
prvtL2ProtocolMAC The multicast MAC address used for PDU
distribution
prvtL2ReplaceMAC A MAC address that is used to replace the original
destination MAC address in the encapsulated PDU
prvtL2ProtocolRowStatus TLS protocol row status. It is not possible to modify
the predefined protocols
prvtL2TunnProfMapProtTable Displays information about which protocol are
discarded and which protocol are tunneled per each
profile. An entry in this table contains only profiles
and protocols that are in active state
prvtL2TunnAction Specifies that one of the allowed Layer 2 Protocol
PDUs is tunneled or discarded
prvtL2TunnSAPPointsTable The tunneling service access point table. It has a
single object needed to configure a tunneling point.
You cannot create entries in it. This table always
contains the maximum number of SAPs
profileSAP The profile ID associated to a SAP. Setting this
object with an empty string disables the profile

Page 26

prvtL2TunnSDPPointsTable The tunneling service distribution point table. It has
a single object needed to configure a tunneling
point. You cannot create entries in it. This table
always contains the maximum number of SDPs
profileSDP The profile ID associated to an SDP. Setting this
object with an empty string disables the profile
prvtL2TunnClearStatistics Clears the L2 tunneling statistics for each tunneling
SAP or SDP:
none(0)
clear(1)
prvtL2TunnSapStatisticsTable Provides statistics for each tunneling SAP per
protocol
l2TunnSapRxPackets The number of SAP Rx L2 tunneling packets
l2TunnSapTxPackets The number of SAP Tx L2 tunneling packets
prvtL2TunnSdpStatisticsTable Provides statistics for each tunneling SDP per
protocol
l2TunnSdpRxPackets The number of SDP Rx L2 tunneling packets
l2TunnSdpTxPackets The number of SDP Tx L2 tunneling packets


Page 27

Notifications
The PRVT-SERVICES-MIB contains the following notifications:
svcCreatedis sent when a new row is created in the svcBaseInfoTable.
OID: 1.3.6.1.4.1.738.1.7.2.2.2.0.1
The object included in the svcCreated notification is svcName.
svcDeletedis sent when an existing row is deleted from the svcBaseInfoTable.
OID: 1.3.6.1.4.1.738.1.7.2.2.2.0.2
The object included in the svcDeleted notification is svcName.
svcStatusChangedis generated when there is a change in the administrative or operating
status of a service.
OID: 1.3.6.1.4.1.738.1.7.2.2.2.0.3
The objects included in the svcStatusChanged notification are:
svcName
svcVCId
svcAdminStatus
svcOperStatus
sapCreatedis sent when a new row is created in the sapBaseInfoTable.
OID: 1.3.6.1.4.1.738.1.7.2.2.3.0.1
The objects included in the sapCreated notification are:
sapName
sapPortId
sapEncapValue
sapDeletedis sent when an existing row is deleted from the sapBaseInfoTable.
OID: 1.3.6.1.4.1.738.1.7.2.2.3.0.2
The objects included in the sapDeleted notification are:
sapName
sapPortId
sapEncapValue
sapStatusChangedis generated when there is a change in the administrative or operating
status of an SAP.
OID: 1.3.6.1.4.1.738.1.7.2.2.3.0.3
The objects included in the sapStatusChanged notification are:
sapName
sapPortId
sapEncapValue
sapAdminStatus
sapOperStatus

Page 28

sdpCreatedis sent when a new row is created in the sdpInfoTable.
OID: 1.3.6.1.4.1.738.1.7.2.2.4.0.1
The object included in the sdpCreated notification is sdpId.
sdpDeletedis sent when an existing row is deleted from the sdpInfoTable.
OID: 1.3.6.1.4.1.738.1.7.2.2.4.0.2
The object included in the sdpDeleted notification is sdpId.
sdpStatusChangedis generated when there is a change in the administrative or operating
status of an SDP.
OID: 1.3.6.1.4.1.738.1.7.2.2.4.0.3
The objects included in the sdpStatusChanged notification are:
sdpId
sdpAdminStatus
sdpOperStatus

Page 29

TLS Configuration Examples
1. Configure a new TLS service withID 7 and name serv:
device-name(config-tls serv)#
2. Configure the SDP on port 1/ 2/ 1:
device-name(config-tls serv)#sdp 1/2/1 s-vlan 12 4096
3. Add wildcard VLAN for SAP on port 1/ 2/ 2:
device-name(config-tls serv)#sap 1/2/2 c-vlan-wildcard all
1. Configure a new TLS service with ID 7 and name serv
1: svcRowStatus. 7 (integer) createAndGo(4)
2. Configure the SDP:
2.1 Configure the SDP with ID 7 and VLAN ID3:
1: sdpRowStatus.7.4096 (integer) createAndGo(4)
2.2. Configure the outgoing VLAN ID:
1: sdpBindVlanTag.7.4096 (gauge) 12
2.3. Assign port 1/ 2/ 1 to the SDP:
1: sdpOutInterface.7.4096 (integer) 1201
3. Add wildcard VLAN for SAP on port 1/ 2/ 2
1: sapRowStatus.7.1202.0 (integer) createAndGo(4)

Page 30

TLS Tunneling Configuration Example
1. Enable TLS tunneling:
2. Create a tunneling profile:
device-name(config)#tls tunnel-profile lacp
3. Create a new L2 tunneling protocol:
device-name(config)#tls tunneled-ieee-pdu add newp 01:80:c2:22:22:22
01:a0:12:22:22:22 0x8281
4. Specify an action for a profile per a protocol:
device-name(config)#tls tunnel-profile lacp
device-name(tls-profile lacp)#tls tunnel stp
1. Set value of the object "prvtL2ProtocolRowStatus":
1: prvtL2ProtocolRowStatus.4.110.101.119.112 (integer) createAndWait(5)
***** SNMP SET- RESPONSE END *****
2. Set the MAC address:
1: prvtL2ProtocolMAC.4.110.101.119.112 (octet string) 01.80.C2.22.22.22
(hex)
3. Set the tunneling MAC address:
1: prvtL2ReplaceMAC.4.110.101.119.112 (octet string) 01.A0.12.22.22.22
(hex)
4. Set the ether-type value:
1: prvtL2ProtocolEthertype.4.110.101.119.112 (integer) 33409
5. Activate new custom protocol:
1: prvtL2ProtocolRowStatus.4.110.101.119.112 (integer) active(1)

Page 31

6. Specify an action for a profile per a protocol (profil LACP to tunnel STP BPDUs):
1: prvtL2TunnAction.4.108.97.99.112.3.115.116.112 (integer) tunnel(1)


Page 32

Configuring Spanning Tree Protocol (STP) via
SNMP
For information regarding STP feature, refer to the ConfiguringSpanningTreeProtocol (STP) chapter of
this User Guide.
MIB Architecture
To configure STP via SNMP, use the following MIBs:
BRIDGE-MIB
RSTP-MIB
PRVT-SWITCH-MIB
BRIDGE-MIB
The BRIDGE-MIB provides information about the STP module management. This MIB defines
objects for managing MAC bridges based on the IEEE 802.1D-1990 standard between Local Area
Network (LAN) segments.
Standard supported: IEEE 802.1D-1990.
The RFC supported: RFC 1493. This RFC specifies an IAB standards track protocol for the
Internet community, and requests discussion and suggestions for improvements.
dot1dBase
dot1dBaseBridgeAddress This object is the MAC address used by this bridge. This is
the numerically smallest MAC address of all ports that
belong to this bridge. However, it is required to be unique.
When concatenated with dot1dStpPriority a unique bridge
Identifier is formed and is used in the STP.
dot1dBaseNumPorts This object specifies the number of ports controlled by this
bridging entity.
dot1dBaseType This object indicates what type of bridging this bridge can
perform. If a bridge is actually performing a certain type of
bridging, this is indicated by entries in the port table for the
given type.
dot1dBasePortTable This table contains generic information about every port that
is associated with this bridge.
Transparent, source-route, and SRT ports are included.

Page 33

dot1dStp
dot1dStpProtocol
Specification
This object represents an indication of what version of the
Spanning Tree Protocol is being run. The value
'decLb100(2)' indicates the DEC LANbridge 100 Spanning
Tree protocol. IEEE 802.1d implementations will return
ieee8021d(3).
dot1dStpPriority This object represents the value of the write-able portion of
the bridge ID, for example, the first two octets of the (8
octets long) Bridge ID. The other (last) 6 octets of the Bridge
ID are given by the value of dot1dBaseBridgeAddress.
dot1dStpTimeSinceTopolo
gyChange
This object represents the time (in hundredths of a second)
since the last time a topology change was detected by the
bridge entity.
dot1dStpTopChanges This object represents the total number of topology changes
detected by this bridge since the management entity was
last reset or initialized.
dot1dStpDesignatedRoot This object represents the bridge identifier of the root of the
spanning tree as determined by the STP as executed by this
node. This value is used as the root Identifier parameter in
all Configuration BPDUs originated by this node.
dot1dStpRootCost This object represents the cost of the path to the root as
seen from this bridge.
dot1dStpRootPort This object represents the port number of the port that offers
the lowest cost path from this bridge to the root bridge.
dot1dStpMaxAge This object represents the maximum age of STP information
learned from the network on any port before it is discarded,
in units of hundredths of a second. This is the actual value
that this bridge is currently using.
dot1dStpHelloTime This object represents the amount of time between the
transmission of Configuration BPDUs by this node on any
port when it is the root of the spanning tree or trying to
become so, in units of hundredths of a second. This is the
actual value that this bridge is currently using.
dot1dStpHoldTime This time value determines the interval length during which
no more than two BPDUs are transmitted by this node, in
units of hundredths of a second.
dot1dStpForwardDelay This time value, measured in units of hundredths of a
second, controls how fast a port changes its spanning state
when moving towards the forwarding state. The value
determines how long the port stays in each of the listening
and learning states, which precede the forwarding state.
This value is also used, when a topology change is detected
and is underway, to age all dynamic entries in the
forwarding database.
This value is the one that this bridge is currently using, in
contrast to dot1dStpBridgeForwardDelay. Is the value that
this bridge and all others start using if/when this bridge
becomes the root.

Page 34

dot1dStpBridgeMaxAge This object represents the value that all bridges use for
MaxAge, when this bridge is acting as the root.
802.1D-1990 specifies that the range for this parameter is
related to the value of dot1dStpBridgeHelloTime.
The granularity of this timer is specified by 802.1D-1990 to
be 1 second. An agent may return a badValue error if a set
is attempted to a value which is not a whole number of
seconds.
dot1dStpBridgeHelloTime This object represents the value that all bridges use for
hello-time, when this bridge is acting as the root. The
granularity of this timer is specified by 802.1D-1990 to be 1
second. An agent may return a badValue error if a set is
attempted to a value which is not a whole number of
seconds
dot1dStpBridgeForward
Delay
This object represents the value all bridges use for forward-
delay, when this bridge is acting as the root.
related to the value of dot1dStpBridgeMaxAge.
The granularity of this timer is specified by 802.1D-1990 to
be 1 second. An agent may return a badValue error if a set
is attempted to a value which is not a whole number of
seconds.
dot1dStpPortTable This is a table that contains port-specific information for the
STP.
dot1dTp
dot1dTpLearnedEntry
Discards
This object specifies the total number of forwarding
database entries that are learnt, but discarded due to a lack
of space to store them in the forwarding database. If this
counter is increasing, it indicates that the forwarding
database is regularly becoming full (a condition that has
unpleasant performance effects on the subnetwork). If this
counter has a significant value but is not presently
increasing, it indicates that the problem occurs but is not
persistent.
dot1dTpAgingTime This object specifies the timeout period in seconds for aging
out dynamically learned forwarding information.
802.1D-1990 recommends a default of 300 seconds.
dot1dTpFdbTable This table contains information about unicast entries for
which the bridge has forwarding and/or filtering information.
This information is used by the transparent bridging function
in determining how to propagate a received frame.
dot1dTpPortTable This table contains information about every port that is
associated with this transparent bridge.

Page 35

dot1dStatic
dot1dStaticTable This table contains filtering information configured into the
bridge by (local or network) the management specifying the
set of ports to which frames are received from specific ports.
The specific destination addresses are allowed to be
forwarded. The value of zero in this table as the port
number, from which frames with a specific destination
address are received, is used to specify all ports for which
there is no specific entry in this table for that particular
destination address. Entries are valid for unicast and for
group/broadcast addresses.
RSTP-MIB
This MIB is an extension of Bridge MIB used for managing devices that support the Rapid
Spanning Tree Protocol defined by IEEE 802.1w.
dot1dStpPortTable This table contains port-specific information for the
STP.
dot1dStpVersion This object specifies the version of STP the bridge is
currently running. The value stpCompatible(0)
indicates the STP specified in IEEE 802.1D and
rstp(2) indicates the RSTP specified in IEEE
802.1w.
dot1dStpPathCostDefault This object specifies the version of the STP default
path cost used by this bridge. A value of
8021d1998(1) uses the 16 bits default path cost from
IEEE Std. 802.1D-1998.
A value of stp8021t2001(2) uses the 32 bits default
path cost from IEEE Std.802.1t.
dot1dStpExtPortTable
dot1dStpPortProtocolMigration When operating in RSTP (version 2) mode, writing
true(1) to this object forces this port to transmit
RSTP BPDUs.
Any other operation on this object has no effect and
it always returns false(2) when read.
dot1dStpPortAdminEdgePort This object specifies the administrative value of the
edge-port parameter. A value of true(1) indicates
that this port should be assumed as an edge-port
and a value of false(2) indicates that this port is
assumed as a non-edge-port.
dot1dStpPortOperEdgePort This object specifies the operational value of the
edge-port parameter. The object is initialized to the
value of dot1dStpPortAdminEdgePort and is
configured to false(2) on reception of a BPDU.

Page 36

dot1dStpPortAdminPointToPoint This object specifies the administrative point-to-point
status of the LAN segment attached to this port. A
value of forceTrue(0) indicates that this port is
always treated as if it is connected to a point-to-point
link. A value of forceFalse(1) indicates that this port
is treated as having a shared media connection. A
value of auto(2) indicates that this port is considered
to have a point-to-point link if it is an Aggregator and
all of its members can be aggregated, or if the MAC
entity is configured for full duplex operation, either
through auto-negotiation or by management means.
dot1dStpPortOperPointToPoint This object specifies the operational point-to-point
status of the LAN segment attached to this port. It
indicates whether a port is considered to have a
point-to-point connection or not.
The value is determined by management or by auto-
detection, as described in the
dot1dStpPortAdminPointToPoint object.
dot1dStpPortAdminPathCost This object specifies the STP port path cost. Each
bridge port has an assigned path cost, a user-
definable parameter that determines the ports
preference to be included in the active spanning tree
topology.

Page 37

PRVT-SWITCH-MIB
The Switch MIB (1.3.6.1.4.1.738.1.5.100) is a private MIB used for managing Telco Systems internal
device parameters.
The RFC supported: RFC 2863 The Interfaces Group MIB (configL2IfaceTable and interface
table)..

NOTE
For the configuration via SNMP, only the configL2SpanOnOff object is used.
This object is used to enable or disable MSTP.
configL2SpanOnOff (1.3.6.1.4.1.738.1.5.100.2.2.1)
This object enables/ disables Spanning Tree protocols. When Spanning Tree is disabled, the device's
ports are placed in forwarding mode, regardless of the current Spanning Tree state. When enabled
again, the normal state transitions take place.
To enable STP, select enableSTP(1) value from the following list:
1. enableSTP(1)
2. disable(2)
3. enableRSTP(3)
4. enablePVST(4)
5. enableMST(5)
Notifications
The BRIDGE-MIB contains the following notifications:
newRootindicates that a new root is elected by the Spanning Tree algorithm.
OID: 1.3.6.1.2.1.17.1
topologyChangeindicates that the topology change is detected by the Spanning Tree
algorithm.
OID: 1.3.6.1.2.1.17.2

Page 38

STP via SNMP Configuration Example
The following example is based on the STP ConfigurationExample(refer to the ConfiguringSpanning
TreeProtocol (STP) chapter of this User Guide) and it details the steps to configure an Ethernet
network using STP via SNMP.

NOTE
To configure the path cost, set dot 1dSt pPor t Pat hCost object as follows:
for port 1/ 1/ 1, select value 1
for ports 1/ 2/ 11/ 2/ 8, select values from 3 to 10

1. Enable STP:
1: configL2SpanOnOff.0 (integer) enableSTP(1)
2. Configure the STP bridge priority to 4096, to make device A the bridge root.
1: dot1dStpPriority.0 (integer) 4096
3. Configure the STP MaxAge time to 10. Do this calculation according to the following formula:
Max_age= (4 x hello) + (2 x dia) - 2, when the hello-time is 2 and the diameter is 2:
(The aging time value, from this example, is in milliseconds.)
1: dot1dStpBridgeMaxAge.0 (integer) 1000
4. Configure the STP forward-delay timer to 7. Do this calculation according to the following
formula: Forward_delay= ((4 x hello) + (3 x dia)) / 2, when the hello-time is 2 and the diameter
is 2:
(The delay timer value, from this example, is in milliseconds.)
1: dot1dStpBridgeForwardDelay.0 (integer) 700

Page 39

1. Enable STP:
2. Configure port 1/ 2/ 1 with path cost 1:
1: dot1dStpPortPathCost.3 (integer) 1
Enable STP:
1. Enable STP:
Enable STP:

Page 40

Configuring Rapid STP (RSTP) via SNMP
For information regarding the RSTP feature, refer to the ConfiguringRapidSpanningTreeProtocol
(RSTP) chapter of this User Guide.
MIB Architecture
To configure RSTP via SNMP, use the following MIBs:
BRIDGE-MIB
RSTP-MIB
PRVT-SWITCH-MIB
BRIDGE-MIB
Refer to the BRIDGE-MIB section.
RSTP-MIB
Refer to the RSTP-MIB section.
PRVT-SWITCH-MIB
Refer to the PRVT-SWITCH-MIB section.
To enable RSTP, select enableRSTP(3) value from the following list:
1. enableSTP(1)
2. disable(2)
3. enableRSTP(3)
4. enablePVST(4)
5. enableMST(5)

Page 41

RSTP via SNMP Configuration Example
The following example is based on the RSTP ConfigurationExample(refer to the ConfiguringRapid
SpanningTreeProtocol (RSTP) chapter of this User Guide) and it details the steps to configure an
Ethernet network using RSTP via SNMP.

NOTE
To configure the port priority, path cost, and edge ports:
for ports 1/ 2/ 11/ 2/ 8, select values from 3 to 10
1. Enable RSTP:
1: configL2SpanOnOff.0 (integer) enableRSTP(3)
2. Configure the RSTP bridge priority to 4096, to make device A the root bridge:
1: dot1dStpPriority.0 (integer) 4096
3. Configure the RSTP MaxAge time to 10. Do this calculation according to the following
formula: Max_age= (4 x hello) + (2 x dia) - 2, where the hello-time is 2 and the diameter is 2:
(The aging time value, from this example, is in milliseconds.)
1: dot1dStpBridgeMaxAge.0 (integer) 1000
4. Configure the RSTP forwarding delay timer to 7. Do this calculation according to the
following formula: Forward_delay= ((4 x hello) + (3 x dia)) / 2, where the hello-time is 2 and the
diameter is 2:
(The delay time value, from this example, is in milliseconds.)
1: dot1dStpBridgeForwardDelay.0 (integer) 700
Enable RSTP:

Page 42

1. Enable RSTP:
2. Configure port 1/ 1/ 1 priority to 64 to cause it to be the forwarding port of device D:
1: dot1dStpPortPriority.1 (integer) 64
1. Enable RSTP:
3. Configure ports 1/ 2/ 3 and 1/ 2/ 4 on device D as edge ports, since they are attached to PCs:
1: dot1dStpPortAdminEdgePort.5 (integer) true(1)
1. Enable RSTP:
2. Configure ports 1/ 2/ 3 and 1/ 2/ 4 on device E as edge ports, since they are attached to PCs:

Page 43

Configuring Multiple STP (MSTP) via SNMP
For information regarding MSTP feature, refer to the ConfiguringMultipleSpanningTreeProtocol
(MSTP, IEEE 802.1s) chapter of this User Guide.
MIB Architecture
To configure MSTP via SNMP, use the following MIBs:
PRVT-MST-MIB
PRVT-SWITCH-MIB
PRVT-MST-MIB
This MIB is used for managing 802.1s Multiple Spanning Tree Protocol (MSTP).
MSTP carries the concept of the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) a leap
forward by allowing you to group and associate VLANs to multiple spanning tree instances
(forwarding paths). Used in a VLAN environment, this added capability affords rapid convergence
as well as load balancing.
Standards supported:
IEEE 802.1d-1998
IEEE 802.1t-2001
IEEE 802.1w-2001
IEEE 802.1s-2002
mSTRegion
mSTRegionEditBufferStatu
s
Indicates the current
ownership status of the
unique Region Config Edit
Buffer.
mSTRegionEditControl
mSTRegionEditBufferOpera
tion
Indicates the operation that
is performed on the Region
Config Edit Buffer.
This object always returns
other(1) when it is read.
mSTRegionParameters
mSTRegionName
Indicates the operational
MST region name.

Page 44

mSTRegionEditName
Indicates the MST region
name in the Edit Buffer.
This object is only
instantiated when
themSTRegionEditBufferSt
atus object has the value of
acquiredBySnmp(2).
mSTRegionRevision
Indicates the operational
MST region version.
mSTRegionEditRevision
Indicates the MST region
version in the Edit Buffer.
This object is only
instantiated when the
s object has the value of
acquiredBySnmp(2).
mSTInstanceVlanTable
Contains MST instance
information with one entry
for each MST instance
numbered from 0 to
mSTMaxInstanceNumber.
mSTInstanceVlanEditTable
information in the Edit
Buffer with one entry for
each MST instance
numbered from 0 to
This table is only
instantiated when the
s object has the value of
acquiredBySnmp(2).
mSTMaxHopCount
Indicates the maximum
number of hops for the
MST region
mSTMaxInstanceNumber
Indicates the maximum
MST (Multiple Spanning
Tree) instance IDs that are
supported by the device for
the MST Protocol.
mSTBridgeParams
mSTInstanceTable
information with one entry
for each MST instance
numbered from 0 to
mSTTimers
mSTMigrationTimer This object indicates the MST migration timer.
Determines timeout migration in seconds.
mSTTxHoldCount This object indicates the MST Tx Hold Counter.

Page 45

mSTMaxAge This object indicates the maximum age of Multiple Spanning
Tree Protocol information learned from the network on any
port before it is discarded, in units of hundredths of a second.
This is the actual value that this bridge is currently using.
mSTHelloTime This object indicates the time between the transmissions of
Configuration bridge PDUs by this node on any port when the
port is the root of the spanning tree or trying to become so, in
units of hundredths of a second. This is the actual value that
this bridge is currently using.
mSTForwardDelay This time value, measured in units of hundredths of a second,
controls how fast a port changes its spanning state when
moving toward the Forwarding state. The value determines
how long the port stays in each of the Listening and Learning
states, which precede the Forwarding state. This value is also
used, when a topology change has been detected and is
underway, to age all dynamic entries in the Forwarding
Database. Note that this value is the one that this bridge is
currently using, in contrast to mSTBridgeForwardDelay which
is the value that this bridge and all others would start using
if/when this bridge were to become the root.
mSTBridgeMaxAge This object indicates the value that all bridges use for MaxAge
when this bridge is acting as the root. Note that 802.1D-1990
specifies that the range for this parameter is related to the
value of mSTBridgeHelloTime. The granularity of this timer is
specified by 802.1D-1990 to be 1 second. An agent may
return a badValue error if a set operation is attempted with a
value that is not a whole number of seconds.
mSTBridgeHelloTime This object indicates the value that all bridges use for
HelloTime when this bridge is acting as the root. The
granularity of this timer is specified by 802.1D-1990 to be 1
second. An agent may return a badValue error if a set
operation is attempted with a value that is not a whole number
of seconds.
mSTBridgeForwardDelay This object indicates the value that all bridges use for
ForwardDelay when this bridge is acting as the root. Note that
related to the value of mSTBridgeMaxAge. The granularity of
this timer is specified by 802.1D-1990 to be 1 second. An
agent may return a badValue error if a set operation is
attempted with a value that is not a whole number of seconds.
mSTPort
mSTPortTable It is a table containing port information for the MST Protocol
on all the bridge ports existing on the system.
mSTPortPerMstTable It is a table containing a list of the bridge ports for a particular
MST instance.

Page 46

PRVT-SWITCH-MIB
Refer to PRVT-SWITCH-MIB section.
To enable MSTP, select enableMST(5) value from the following list:
1. enableSTP(1)
2. disable(2)
3. enableRSTP(3)
4. enablePVST(4)
5. enableMST(5)
Notifications
The PRVT-MST-MIB contains the following notifications:
MSTPNewRootindicates that a new root is selected by the Multiple Spanning Tree
algorithm.
OID: 1.3.6.1.4.1.738.1.5.107.0.1
MSTPTopologyChangeindicates that the topology change is detected by the Multiple
Spanning Tree algorithm.
OID: 1.3.6.1.4.1.738.1.5.107.0.2

Page 47

MSTP via SNMP Configuration Examples
The following example is based on the MSTP ConfigurationExample(refer to the ConfiguringMultiple
SpanningTreeProtocol (MSTP, IEEE 802.1s) chapter of this User Guide) and it details the steps to
configure an Ethernet network using MSTP via SNMP.
Pending Configuration
1. Enter MSTP Protocol Configuration mode and map the VLANs ranging from 1 to 10 to MST
instance 1:
1: mSTInstanceEditVlansMap.1 (octet string) 1-10
2. Assign to the MSTP region the name region1 and the revision number 1:
1: mSTRegionEditName.0 (octet string) region1 [72.65.67.69.6F.6E.31
(hex)]
1: mSTRegionEditRevision.0 (integer) 1
MSTP Global Parameters Configuration
1. Enable MSTP and configure the forward-delay value to 10 seconds:
(The value for forward-delay, from this example, is in milliseconds.)
1: configL2SpanOnOff.0 (integer) enableMST(5)
1: mSTBridgeForwardDelay.0 (integer) 1000
2. Configure the following parameters: hello-time to 5 seconds, MaxAge time to 14 seconds and
max-hop count to 23:
(The values for hello-time and aging time, from this example, are in milliseconds.)
1: mSTBridgeHelloTime.0 (integer) 500
1: mSTBridgeMaxAge.0 (integer) 1400
1: mSTMaxHopCount.0 (integer) 23

Page 48

Configuring Quality of Service (QoS) via SNMP
In BiNOS version 9.3.Rx and above, the configuration of QoS via SNMP support has been added.
In the sections below, you can find explanations for the new PRVT-QoS-MIB and its architecture
used for configuring QoS via SNMP.
For detailed information about QoS and the CLI commands related to this feature, refer to the
ConfiguringQualityof Service(QoS) chapter of this User Guide.
MIB Architecture: PRVT-QoS-MIB
This is a private MIB that defines the full SNMP support functionality for the QoS feature.
The MIB defines all the attributes, needed to create, manage and destroy QoS configuration.
tCongestionAvoidanceProfileObjects
qosTailDropProfileTable The tail-drop profile table. Each entry in this table
defines a set of tail-drop parameters that may be
enforced on a queue or a policy.
qosSredProfileTable The SRED profile configuration table. Each entry in
this table defines a set of SRED parameters that
may be enforced on a queue or a policy.
qosSchedulingProfileObjects
qosSchedulingProfileTable The information about the scheduling profiles.
qosServicePolicyObjects
qosServicePolicyTable The QoS service policy table. It contains common
information for the QoS service policy.
qosServiceIngressPolicyTable The information about all QoS service ingress
policies configuration.
qosServiceIngressQueueTable The information about all QoS service ingress
queues configuration.
qosNetworkPolicyObjects
qosNetworkPolicyTable The QoS network policy table. It keeps common
information for the QoS network policy.
qosNetworkIngressTable The information about the QoS network ingress
policy.
qosNetworkEgressTable The information about the QoS network egress
policy.
qosNetworkEgressQueueTable The information about the QoS network queues.

Page 49

qosGlobalObjects
qosGlobalIngressMapTable The global QoS ingress configuration table.
qosGlobalEgressMapTable The global QoS egress configuration table.
qosServiceObjects
qosServiceTable Is responsible for managing QoS service
configuration.
qosServiceSapTable Is responsible for managing QoS SAP service
configuration.
qosInterfaceObjects
qosInterfaceTable Is responsible for managing QoS interface
configuration.

Page 50

QoS via SNMP Configuration Examples
The following example is based on the ConfigurationExample(refer to the ConfiguringQualityof Service
(QoS) chapter of this User Guide) and it details the steps to configure an Ethernet network using
QoS via SNMP.
Mapping Priority to Queue
Change the mapping of the FC priority levels to the following:
Priority 0 and 1FC l2, drop-level green
Priority 2 and 3FC l1, drop-level yellow
Priority 4 and 5FC ef, drop-level green
Priority 6 and 7FC nc, drop-level yellow

To change the mapping, use the following objects from qosGlobalIngressMapTable:
qosIngressMapTypeis the type of the configuration entry for this mapping:
1: dot1p(1)selects priority mapping
2: dscp(2)selects DSCP mapping
qosIngressMapValuespecifies DSCP or Dot1p value to be mapped to a FC:
1: range is <063> (for DSCP)
2: range is <07> (for priority)
qosIngressRowStatuscreates or removes entries in this table:
qosIngressFCselects FC to which the traffic will flow, see the example
qosIngressFCConformanceselects the conformance level: green or yellow, see the example

Page 51

1. Change the mapping of the FC priority levels:
1: qosIngressFC.1.0 (integer) l2(2)
1: qosIngressFCConformance.1.0 (integer) green(1)
1: qosIngressFCConformance.1.2 (integer) yellow(2)
1: qosIngressFC.1.4 (integer) ef(6)
1: qosIngressFC.1.6 (integer) nc(8)
1: qosIngressFC.1.7 (integer) nc(8)
2. Display the new priority of the FC levels:
1: qosI ngr essFC. 1. 0 ( i nt eger ) l 2( 2)
5: qosI ngr essFC. 1. 4 ( i nt eger ) ef ( 6)
6: qosI ngr essFC. 1. 5 ( i nt eger ) ef ( 6)
7: qosI ngr essFC. 1. 6 ( i nt eger ) nc( 8)
8: qosI ngr essFC. 1. 7 ( i nt eger ) nc( 8)

Page 52

3. Display the new color of the FC levels:
1: qosI ngr essFCConf or mance. 1. 0 ( i nt eger ) gr een( 1)
3: qosI ngr essFCConf or mance. 1. 2 ( i nt eger ) yel l ow( 2)
Configuring the DSCP-to-FC Mapping
Configure the mapping of DSCP 2 and 4 with FC priorities l1 and h2, respectively.
1. Configure the DSCP 2 with FC priority l1 and mark it as green:
2. Configure the DSCP 4 with FC priority h2 and mark it as yellow:
1: qosIngressFC.2.4 (integer) h2(5)

Page 53

Configuring QoS Service Policy
To configure the QoS service policy and apply it on a SAP, use the following tables and objects:
from qosServicePolicyTable use:
qosServicePolicyRowStatuscreates or removes entries in this table:
qosServicePolicyDescriptionadds a description to the service policy. It is a string
up to 30 characters
from qosServiceIngressPolicyTable use qosServicePolicyShaperProfile objectthe
ID of the shaper profile to be configured on the service policy; valid range is <957>
from qosServiceIngressQueueTable use qosServInQueueShaperProfile objectthe ID
of the shaper profile to be configured on a queue; valid range is <957>
from qosServiceIngressQueueTable use:
qosServInQueueQueuethe service ingress queue ID; valid range is <18>
qosServInQueueRowStatuscreates or removes entries in this table; see allowedvalues
qosServInQueueShaperProfilethe service ingress shaper profile ID; valid range is
<957>
from qosServiceTable use:
qosServiceRowStatuscreates or removes entries in this table; see allowedvalues
qosServicePolicyOnServthe policy name to be configured on a service
from qosServiceSapTable use:
qosServiceSapIndexthe index of the SAP
qosServiceSapRowStatuscreates or removes entries in this table for SAP; see allowed
values
qosServiceSapPolicyEnableenables the service policy for this SAP

Page 54

Creating/Removing the Service Policy
1. Create a service policy named service:
1: qosServicePolicyRowStatus.1 (integer) createAndWait(5)
1: qosServicePolicyDescription.1.2 (octet string) service
1: qosServicePolicyRowStatus.1.2 (integer) active(1)
2. Remove the created service policy:
1: qosServicePolicyRowStatus.1.2 (integer) destroy(6)
Applying the Shaper for the Service Policy
1. Apply the shaper (with ID 2) per service policy:
1: qosServicePolicyRowStatus.1 (integer) createAndWait(5)
1: qosServPolicyShaperProfile.1.2 (integer) 2
2. Apply the shaper (with ID 3) per service ingress queue:
1: qosServInQueueRowStatus.1.2.3 (integer) createAndWait(5)
1: qosServInQueueShaperProfile.1.2.3 (integer) 3
1: qosServInQueueRowStatus.1.2.3 (integer) active(1)
1: qosServicePolicyRowStatus.1.2. (integer) active(1)

Page 55

Configuring the Service Ingress Queue
1. Create a service ingress queue with ID 5:
1: qosServInQueueRowStatus.1.2.3 (integer) createAndWait(5)
2. Apply the created shaper profile (with ID 9) on this queue:
1: qosServInQueueShaperProfile.1.2.3 (integer) 9
1: qosServInQueueRowStatus.1.2.3 (integer) active(1)
Applying the QoS Service Policy per SAP

NOTE
Before this configuration, first create the QoS service policy, and then SDP and
SAP for the TLS service (see the TLS Configuration Examples).

1. Apply the created policy (named service) per SAP:
Set qosServiceRowStatus to CreateAndWait(5)
Set qosServicePolicyOnServ to service
Set qosServiceSapRowStatus to CreateAndWait(5)
2. Specify the ID of the SAP:
Set qosServiceSapIndex to 1
3. Enable the service policy for this SAP:
Set qosServiceSapPolicyEnable to enable
Set qosServiceRowStatus to Active(1)

Page 56

Configuring 802.3ah Ethernet in the First Mile
(EFM) via SNMP
For additional information about EFM-OAM feature, refer to the Intermediate802.3ahEthernet inthe
First Mile(EFM) section of the OperationAdministrationandMaintenance(OAM) chapter of this User
Guide.
MIB Architecture
To configure EFM-OAM via SNMP, use the following MIBs:
PRVT-SWITCH-EFM-OAM-MIB
DOT3-OAM-MIB
PRVT-SWITCH-EFM-OAM-MIB
This private MIB is used for managing the IEEE 802.3ah EFM-OAM module.
prvtEfmOamEnable Enables/disables the EFM OAM protocol on the device.
prvtEfmOamMultiPduCount Specifies the number of OAM PDUs sent when the
protocol asks to send multiple subsequent messages.
prvtEfmOamRemoteEvent Enables or disables sending the local event notifications
to the remote device.
prvtEfmOamLocalSysLog Enables/disables the sending of Event Notification OAM
PDU to the local Syslog daemon.
prvtEfmOamPriority Specifies the priority of the sent OAM PDUs.
prvtEfmOamKeepAlive Specifies the aging interval (in milliseconds) of the last
heard neighboring device.
prvtEfmOamHelloInterval Specifies the maximal interval between a pair of PDUs in
milliseconds.
prvtEfmOamPktsSent Specifies the number of sent EFM-OAM packets
prvtEfmOamPktsReceived Specifies the number of received EFM-OAM packets
prvtEfmOamHistorySize Number of entries in EFM_OAM history.
prvtEfmOamTable This table contains an entry per physical port, indexed by
the corresponding ifIndex from IF-MIB and each row in
the table contains a single column.
prvtEfmOamPingTable This table lets the EFM-OAM non-intrusive monitoring on
the specific port by querying a number of time
aFramesTransmittedOK parameter, ping requests, using
the variable retrieval EFM OAM PDU.

Page 57

prvtEfmOamPingResultTable Displays the ping results.
prvtEfmOamLoopbackTable This table permits to perform EFM-OAM intrusive
monitoring on the specific port by setting the remote
device into loopback state and generating test traffic.
It should support storm operation, an operation that sets
remote loopback, stops local data flow to the remote
device and generates a packet burst by CPU. When the
burst is received back it is validated and statistics are
displayed. Burst operation, an operation that sets remote
loopback, stops local data flow to the remote device and
generates a packet test burst by the hardware (when
available).
It means a single packet generated by CPU is repetitively
sent by the hardware. When the burst is received back, it
is ignored and only counters are displayed.
prvtEfmOamLoopbackResultTable Displays the loopback results.
prvtEfmOamPeerTable This table holds the peer extended information available
only when the local port is configured in Enhanced mode
and the remote is detected as T-Marc 300 Series device.
This table contains an entry per physical port, indexed by
the corresponding ifIndex from IF-MIB.
DOT3-OAM-MIB
This public MIB is used for managing the IEEE 802.3ah EFM-OAM module.
This MIB contains the following tables:
dot3OamTable This table contains the primary controls and status for the OAM
capabilities of an Ethernet port. There is one row in this table for
each Ethernet port in the system that supports the OAM functions
defined in 802.3ah standard.
dot3OamPeerTable This table contains information about the OAM peer for a
particular Ethernet port. OAM entities communicate with a single
OAM peer entity on Ethernet links on which OAM is enabled and
operating properly. There is one entry in this table for each entry
in the dot3OamTable for which information on the OAM peer
entity is available.
dot3OamLoopbackTable This table contains controls for the loopback state of the local link
as well as indicates the status of the loopback function. There is
one entry in this table for each entry in dot3OamTable that
supports loopback functionality (where
dot3OamFunctionsSupported includes the loopbackSupport bit
set).
Loopback can be used to place the remote OAM entity in a state
where every received frame (except OAMPDUs) is echoed back
over the same port on which they were received. In this state, at
the remote entity, normal traffic is disabled as only the looped
back frames are transmitted on the port.

Page 58

dot3OamStatsTable This table contains statistics for the OAM function on a particular
Ethernet port. There is an entry in the table for every entry in the
dot3OamTable.
The counters in this table are defined as 32-bit entries to match
the counter size as defined in 802.3ah standard. Given that the
OAM protocol is a slow protocol, the counters increment at a slow
rate.
dot3OamEventConfigTable Ethernet OAM includes the ability to generate and receive Event
Notification OAMPDUs to indicate various link problems.
This table contains the mechanisms to enable Event Notifications
and configure the thresholds to generate the standard Ethernet
OAM events. There is one entry in the table for every entry in
dot3OamTable that supports OAM events (where
dot3OamFunctionsSupported includes the eventSupport bit set).
The values in the table are maintained across changes to
dot3OamOperStatus.
The standard threshold crossing events are:
Errored Symbol Period Eventgenerated when the number
of symbol errors exceeds a threshold within a given window
defined by a number of symbols (for example, 1,000 symbols
out of 1,000,000 had errors).
Errored Frame Period Eventgenerated when the number
of frame errors exceeds a threshold within a given window
defined by a number of frames (for example, 10 frames out
of 1000 had errors).
Errored Frame Eventgenerated when the number of frame
errors exceeds a threshold within a given window defined by
a period of time (for example, 10 frames in 1 second had
errors).
Errored Frame Seconds Summary Eventgenerated when
the number of errored frame seconds exceeds a threshold
within a given time period (for example, 10 errored frame
seconds within the last 100 seconds). An errored frame
second is defined as a 1 second interval which had more
than 0 frame errors.
There are other events (dying gasp, critical events) that are not
threshold crossing events but which can be enabled/disabled via
this table.

Page 59

dot3OamEventLogTable This table records a history of the events that occurred at the
Ethernet OAM level. These events can include locally detected
events, which may result in locally generated OAMPDUs, and
remotely detected events, which are detected by the OAM peer
entity and signaled to the local entity via Ethernet OAM. Ethernet
OAM events can be signaled by Event Notification OAMPDUs or
by the flags field in any OAMPDU.
This table contains both threshold crossing events and non-
threshold crossing events. The parameters for the threshold
window, threshold value, and actual value
(dot3OamEventLogWindowXX, dot3OamEventLogThresholdXX,
dot3OamEventLogValue) are only applicable to threshold
crossing events.
Entries in the table are automatically created when such events
are detected. The size of the table is implementation dependent.
When the table reaches its maximum size, older entries are
automatically deleted to allow newer entries.
Notifications
PRVT-SWITCH-EFM-OAM-MIB contains the following notifications:
prvtOamLoopBackState: is sent whenever the loopback state changes from remote; when
dot3OamMode is passive or dot3OamAdminState is disabled, the interface cannot be on
remoteLoopback state and this trap is sent.
OID: 1.3.6.1.4.1.738.1.5.133.0.1
prvtOamDyingGasp: generates a dying-gasp alarm. In order for dying-gasp trap to be
functional, also configure warmStart and coldStart notifications. Dying-gasp is sent only to
one server (last one used).
OID: 1.3.6.1.4.1.738.1.5.133.0.2
DOT3-OAM-MIB contains the following notifications:
dot3OamThresholdEvent: is sent when a local or remote threshold crossing event is
detected. A local threshold crossing event is detected by the local entity, while a remote
threshold crossing event is detected by the reception of an Ethernet OAM Event Notification
OAMPDU that indicates a threshold event. This notification should not be sent more than
once per second. The OAM entity can be derived from extracting the ifIndex from the
variable bindings. The objects in the notification correspond to the values in a row instance in
the dot3OamEventLogTable. The management entity should periodically check
dot3OamEventLogTable to detect any missed events.
OID: 1.3.6.1.2.1.158.0.1
dot3OamNonThresholdEvent: is sent when a local or remote non-threshold crossing event
is detected. This notification should not be sent more than once per second. For more
information, refer to the dot3OamNonThresholdEvent notification above.
OID: 1.3.6.1.2.1.158.0.2

Page 60

EFM-OAM via SNMP Configuration Example
The following example is based on the EFM-OAM ConfigurationExample(refer to the Operation
AdministrationandMaintenance(OAM) chapter of this User Guide) and it details the steps to
configure an Ethernet network using EFM-OAM via SNMP.
1. Enable EFM-OAM if necessary:
1: prvtEfmOamEnable.0 (integer) true(1)
2. Define the number of OAMPDUs:
1: prvtEfmOamMultiPduCount.0 (gauge) 3
3. Enable the sending of local event notifications to the remote peer:
1: prvtEfmOamRemoteEvent.0 (integer) true(1)
4. Define the OAMPDUs' priority:
1: prvtEfmOamPriority.0 (gauge) 3
5. Define the expected time interval between two consecutive OAMPDUs received from the
peer (the keep-alive interval value, from the example, is in milliseconds):
1: prvtEfmOamKeepAlive.0 (gauge) 3000
1: prvtEfmOamHelloInterval.0 (gauge) 200
6. Enable EFM-OAM on the specified port and define its mode to Active:
1: dot3OamMode.1101 (integer) active(2)
7. Force permanent loopback configuration on the remote side:
1: prvtEfmOamForceLoopbackRemote.1101 (integer) true(1)
8. Define the EFM-OAM thresholds for bit error monitoring:

Page 61

1: dot3OamErrSymPeriodWindowLo.1101 (gauge) 20
1: dot3OamErrSymPeriodThresholdLo.1101 (gauge) 100
9. Define the EFM-OAM thresholds for frame error monitoring:
1: dot3OamErrFrameWindow.1101 (gauge) 30
1: dot3OamErrFrameThreshold.1101 (gauge) 120
1. Enable EFM-OAM if necessary:
1: prvtEfmOamEnable.0 (integer) true(1)
2. Define the number of OAMPDUs:
1: prvtEfmOamMultiPduCount.0 (gauge) 5
3. Enable the sending of local event notifications to the remote peer:
1: prvtEfmOamRemoteEvent.0 (integer) true(1)
4. Define the OAMPDUs' priority:
1: prvtEfmOamPriority.0 (gauge) 5
5. Define the expected time interval between two consecutive OAMPDUs received from the
peer (the keep-alive interval value, from the example, is in milliseconds):
1: prvtEfmOamKeepAlive.0 (gauge) 3000
1: prvtEfmOamHelloInterval.0 (gauge) 200
6. Enable EFM-OAM on the specified interface and define its mode to Active:
1: dot3OamMode.1102 (integer) active(2)

Page 62

Configuring 802.1ag Connectivity Fault
Management (CFM) via SNMP
For additional information about CFM feature, refer to the 802.1agConnectivityFault Management
(CFM) section of the OperationAdministrationandMaintenance(OAM) chapter of this User Guide.
Architecture
To configure CFM via SNMP, use the following MIBs:
IEEE8021-CFM-MIB
PRVT-CFM-MIB
IEEE8021-CFM-MIB
This public MIB is used for managing the IEEE 802.1ag CFM module.
dot1agCfmStack
dot1agCfmStackTable There is one CFM Stack table per bridge. Use this
table to retrieve information about the Maintenance
Points configured on any given interface.
dot1agCfmDefaultMd
dot1agCfmDefaultMdDefLevel Represents a value indicating the MD Level and
Sender ID TLV transmission for each
dot1agCfmDefaultMdEntry whose
dot1agCfmDefaultMdLevel object contains the
value -1.
After this initialization, this object needs to be
persistent during the reboot or restart of a device.
dot1agCfmDefaultMdDefMhf
Creation
Represents a value indicating if the management
entity can create MHFs (MIP Half Functions) for the
VID, for each dot1agCfmDefaultMdEntry whose
dot1agCfmDefaultMdMhfCreation object contains
the value defMHFdefer.
Since, in this variable, there is no encompassing
MD, the value defMHFdefer is not allowed.

Page 63

dot1agCfmDefaultMdDefId
Permission
Represents the numeric value indicating the
parameters included in the Sender ID TLV
transmitted by MHFs and created by the default
Maintenance Domain, for each
dot1agCfmDefaultMdEntry whose
dot1agCfmDefaultMdIdPermission object contains
the value sendIdDefer.
Since, in this variable, there is no encompassing
Maintenance Domain, the value sendIdDefer is not
allowed.
dot1agCfmDefaultMdTable The default MD Level Managed Object controls the
MHF creation for VIDs that are not attached to a
specific Maintenance Association Managed Object
and Sender ID TLV transmission by those MHFs.
When first initialized, this table is created
automatically with entries for all VLAN IDs and with
the default values specified for each object.
After this initialization, the writable objects in this
table need to be persistent during the reboot or
restart of a device.
dot1agCfmVlan
dot1agCfmVlanTable Defines the VIDs associated into VLANs.
This table includes one entry per VID that:
belongs to a VLAN associated with more than
one VID and
is not the Primary VLAN of that VID. The table
entry's contains the VLAN's primary VID.
By default, this table is empty (by default every VID
is the primary VID of a single VID VLAN and the
VLANs associated with only one VID do not have
an entry in this table).
The writable objects in this table need to be
dot1agCfmConfigErrorList
dot1agCfmConfigErrorList
Table
Provides a list of Interfaces and VIDs that are not
configured correctly.
dot1agCfmMd
dot1agCfmMdTableNextIndex Contains an unused value for dot1agCfmMdIndex
in the dot1agCfmMdTable, or a zero to indicate that
doesnt exist.
dot1agCfmMdTable The Maintenance Domain table, each row
representing a different MD.

Page 64

dot1agCfmMa
dot1agCfmMaNetTable The Maintenance Association table.
This table uses two indexes:
the Maintenance Domain table index
the same index as the
dot1agCfmMaCompEntry index for the same
MA
dot1agCfmMaCompTable This table uses three indexes:
the Dot1agCfmPbbComponentIdentifier that
identifies the component (within the Bridge)
the dot1agCfmMaCompEntry information
applies to
the Maintenance Domain table index
the same index as the dot1agCfmMaNetEntry
index for the same MA
dot1agCfmMaMepListTable Represents the MEP IDs' list that belongs to this
Maintenance Association.
dot1agCfmMep
dot1agCfmMepTable The MEPs table, each row representing a different
one.
This table uses the following indexes:
the MD table index
the MA table index
This table also stores all the managed objects for
sending LBMs and LTMs.
dot1agCfmLtrTable Extends the MEP table. This table contains a list of
the Linktrace replies received by specific MEPs, in
response to linktrace messages.
dot1agCfmMepDbTable The MEPs database, maintained by every MEP that
received information about other MEPs in the MD.

Page 65

PRVT-CFM-MIB
This private MIB also uses the dot1agCfmMd, dot1agCfmMa and dot1agCfmMepmodules from
IEEE8021-CFM-MIB and is an extension to the CFM for managing IEEE 802.1ag.
prvtCfmUpdateInterval Specifies the time, in seconds, between the
monitoring parameters update (the default value is
20 seconds).
A 0 value suspends the monitoring task and any
different value resumes it.
prvtCfmStatus Enables/disables the CFM protocol.
prvtCfmProfile
prvtCfmProfileTableNextIndex Contains an unused value for prvtCfmProfileIndex
in the prvtCfmProfileTable, or a zero to indicate that
none exist.
prvtCfmProfileTable Contains the loopback results from all remote
MEPs in the MA.
prvtCfmProcess
prvtCfmProcessTableNextIndex Contains an unused value for prvtCfmProcessIndex
in the prvtCfmProcessTable, or a zero to indicate
that none exists.
prvtCfmProcessTable The private extension of dot1agCfmMaNetTable,
controlling the two-way monitoring process for
MEPs in the MA.
prvtCfmProcessResult
prvtCfmProcessResultTable Contains the process results.
prvtCfmMa Includes extra variables needed for Y.1731 support
and service awareness.
prvtCfmMaTable Includes extra variables needed for Y.1731 support
and service awareness.
prvtCfmMep
prvtCfmMepTable Represents the MEPs table.
prvtCfmLbrTable Contains the last loopback operation results.
prvtCfmLtrTable Enables the functionality to measure the response
time of a linktrace request.

Page 66

Notifications
IEEE8021-CFM-MIB contains the following dot1agCfmFaultAlarm notification. If a MEP has a
persistent defect condition, this notification (fault alarm) is sent to the management entity with the
OID of the MEP that detected the fault (OID: 1.3.111.2.802.1.1.8.0.1).
PRVT-CFM-MIB contains the following notifications:
prvtCfm1wJitterThresholdis sent when CFM one way jitter threshold crossed.
OID: 1.3.6.1.4.1.738.1.5.131.0.1
prvtCfmJitterThresholdis sent when CFM two way jitter threshold crossed.
OID: 1.3.6.1.4.1.738.1.5.131.0.2
prvtCfmFrameLossThresholdis sent when CFM frame loss threshold crossed.
OID: 1.3.6.1.4.1.738.1.5.131.0.3
prvtCfmLatencyThresholdis sent when CFM latency threshold crossed.
OID: 1.3.6.1.4.1.738.1.5.131.0.4
CFM via SNMP Configuration Examples
To configure CFM via SNMP, follow the steps:
1. Create the Maintenance Domain (MD) in the dot1agCfmMdTable:
dot1agCfmMdRowStatus: you have to deactivate the row to be able to change the
writable columns. To activate the row, make sure that all columns have a valid value.
dot1agCfmMdMdLevel: defines the MD level.
dot1agCfmMdName: defines a unique MD name.
The type/ format of this object is determined by the value of the
dot1agCfmMdNameType object.
2. Create a Maintenance Association (MA) in the dot1agCfmMaNetTable:
dot1agCfmMaNetRowStatus: you have to deactivate the row to be able to change the
dot1agCfmMaNetName: defines a unique MA name within the MA.
The type/ format of this object is determined by the value of the
dot1agCfmMaNetNameType object.
3. Define the primary VLAN ID in the dot1agCfmMaCompTable. The
dot1agCfmMaCompPrimaryVlanId object defines the primary VLAN ID the MA is
associated to (or 0 if the MA is not attached to any VLAN ID). If the MA is associated with
more than one VLAN ID, list them in the dot1agCfmVlanTable.

Page 67

4. Define the identification data sent to the remote MEPs creation policy in the
dot1agCfmMaCompTable:
dot1agCfmMaCompIdPermission: defines the numeric value indicating the contents of
the Sender ID TLV transmitted by MPs configured in this MA.
dot1agCfmMaCompMhfCreation: defines whether the management entity can create
MHFs (MIP Half Function) for this MA.
dot1agCfmMaCompRowStatus: you have to deactivate the row to be able to change the
5. Add a port as MEP to the MA in the dot1agCfmMepTable:
dot1agCfmMepRowStatus: you have to deactivate the row to be able to change the
dot1agCfmMepIfIndex: this object is the interface index of the interface of either a bridge
port or an aggregated IEEE 802.1 link within a bridge port, to which the MEP is
attached. Upon reboot, the system (if necessary) changes the value of this variable. It
indexes the entry in the interface table with the same value of ifAlias that it indexed before
the system reboot. If no such entry exists, the system sets this variable to 0.
dot1agCfmMepDirection: defines the direction the MEP faces on the Bridge port.
dot1agCfmMepActive: defines the MEP's administrative state (a Boolean):
trueindicates that the MEP functions normally
falseindicates that the MEP ceased functioning
6. Create a profile in the prvtCfmProfileTable:
prvtCfmProfileRowStatus: defines the row's status. You have to deactivate the row to be
able to change the writable columns. To activate the row, make sure that all columns have
a valid value.
prvtCfmProfileName: defines the profile name.
prvtCfmProfileRate: defines the number of request packets to send each time.
7. Create a process in the prvtCfmProcessTable:
prvtCfmProcessRowStatus: defines row's status. You have to deactivate the row to be
able to change the writable columns. To activate the row, make sure that all columns have
a valid value.
prvtCfmProcessName: defines a unique process name per domain/ MA.
prvtCfmProcessProfileIndex: define the monitoring profile index used.
prvtCfmProcessStatus: enables/ disables the two-way monitoring process for MEPs in the
MA.
prvtCfmProcessRepeatInterval: defines the repeating frequency of the monitoring
process.

Page 68

8. To send a loopback message to a specified MEP in a specified domain, define the below
objects in dot1agCfmMepTable:
dot1agCfmMepTransmitLbmDestMepId: defines the MEP ID for sending LBMs within
the same domain.
This address is used if the dot1agCfmMepTransmitLbmDestIsMepId column's value is
true.
dot1agCfmMepTransmitLbmDestIsMepId: selects the loopback transmission target:
Trueto use a MEPID
Falseto use a unicast destination MAC address
dot1agCfmMepTransmitLbmMessages: defines the number of transmitted loopback
messages.
9. To send a linktrace message to a specified MEP in a specified domain, define the following
objects in dot1agCfmMepTable:
dot1agCfmMepTransmitLtmTargetMepId: defines the target MAC address transmitted.
This address is used if the dot1agCfmMepTransmitLtmTargetIsMepId column's value is
true.
dot1agCfmMepTransmitLtmTargetIsMepId: selects the linktrace transmission target:
Trueto use a MEPID
False to use a unicast destination MAC address
10. To clear the inactive remote MEPs from the local MEP's connectivity list, define the following
object in prvtCfmMaTable:
prvtCfmMaCompClearConnectivity: define the MEP ID (or 0 for all MEPs).
Configuring Two Devices in CFM Protocol
The following example is based on the CFM ConfigurationExample(refer to the Operation
configure an Ethernet network using CFM via SNMP.
1. Create a VLAN where the VLAN name is vl10and the VLAN ID is 10:
1: dot1qVlanStaticRowStatus.10 (integer) createAndWait(5)
1: dot1qVlanStaticName.10 (octet string) vl10 [76.6C.31.30 (hex)]
1: dot1qVlanStaticEgressPorts.10 (octet string) 20 00 00 00

Page 69

3. Enable the CFM protocol:
1: prvtCfmStatus.0 (integer) enable(1)
4. Create an MD with named d7and level 7; create an MA within the domain:
1: dot1agCfmMdRowStatus.1 (integer) createAndWait(5)
1: dot1agCfmMdMdLevel.1 (integer) 7 [7]
1: dot1agCfmMdName.1 (octet string) d7
1: dot1agCfmMdRowStatus.1 (integer) active(1)
1: dot1agCfmMaNetRowStatus.1.1 (integer) createAndWait(5)
1: dot1agCfmMaNetName.1.1 (octet string) ma7
1: dot1agCfmMaNetRowStatus.1.1 (integer) active(1)
1: dot1agCfmMaCompRowStatus.1.1.1 (integer) createAndWait(5)
1: dot1agCfmMaCompPrimaryVlanId.1.1.1 (integer) 10
1: dot1agCfmMaCompRowStatus.1.1.1 (integer) active(1)
5. Define the identification data sent to the remote MEPs creation policy on the specified MA:
1: dot1agCfmMaCompIdPermission.1.1.1 (integer) sendIdChassis(2)
1: dot1agCfmMaCompMhfCreation.1.1.1 (integer) defMHFexplicit(3)

Page 70

6. Add port 1/ 2/ 1 as a MEP to the MA:
1: dot1agCfmMepRowStatus.1.1.1 (integer) createAndWait(5)
1: dot1agCfmMepIfIndex.1.1.1 (integer) 1201 [1201]
1: dot1agCfmMepDirection.1.1.1 (integer) down(1)
1: dot1agCfmMepActive.1.1.1 (integer) true(1)
1: dot1agCfmMepRowStatus.1.1.1 (integer) active(1)
7. Create profile p1and process proc1for Device1:
1: prvtCfmProfileRowStatus.2 (integer) createAndWait(5)
1: prvtCfmProfileName.2 (octet string) p1 [70.31 (hex)]
1: prvtCfmProfileRate.2 (gauge) 3
1: prvtCfmProfileRowStatus.2 (integer) active(1)
1: prvtCfmProcessRowStatus.1.1.1 (integer) createAndWait(5)
1: prvtCfmProcessName.1.1.1 (octet string) proc1
1: prvtCfmProcessProfileIndex.1.1.1 (gauge) 2
1: prvtCfmProcessStatus.1.1.1 (integer) true(1)
1: prvtCfmProcessRepeatInterval.1.1.1 (gauge) 1
1: prvtCfmProcessRowStatus.1.1.1 (integer) active(1)

Page 71


Page 72

5. Define the identification data sent to the remote MEPs creation policy on the specified MA:
1: dot1agCfmMaCompIdPermission.1.1.1 (integer) sendIdChassis(2)
1: dot1agCfmMaCompMhfCreation.1.1.1 (integer) defMHFexplicit(3)
Sending a loopback message to a specified MEP in a specified
domain:
1: dot1agCfmMepTransmitLbmDestMepId.1.1.1 (gauge) 2
1: dot1agCfmMepTransmitLbmDestIsMepId.1.1.1 (integer) true(1)
1: dot1agCfmMepTransmitLbmMessages.1.1.1 (integer) 10

Page 73

Sending a loopback message to a specified MIP in a specified
domain:
1: dot1agCfmMepTransmitLbmDestMacAddress.1.1.1 (gauge) 2
(octet string) 00:A0:12:22:E1:40 [00.A0.12.22.E1.40 (hex)]
1: dot1agCfmMepTransmitLbmMessages.1.1.1 (integer) 10
Sending a linktrace message to a specified MEP in a specified
domain:
1: dot1agCfmMepTransmitLtmTargetMepId.1.1.1 (gauge) 2
1: dot1agCfmMepTransmitLtmTargetIsMepId.1.1.1 (integer) true(1)
Sending a linktrace message to a specified MIP in a specified
domain:
1: dot1agCfmMepTransmitLtmTargetMacAddress.1.1.1
(octet string) 00:A0:12:22:E1:40 [00.A0.12.22.E1.40 (hex)]

Page 74

Using the Clear Connectivity Command
This example is describing the usage of the clear connectivity command; refer to the CFM
ConfigurationExampleof the OperationAdministrationandMaintenance(OAM) chapter of this User
Guide.
2. Add ports 1/ 2/ 1 and 1/ 2/ 2 as tagged ports:

Page 75


Page 76


Page 77


Page 78

6. Clear the remote inactive and unused MEPs using the clear connectivity command:
1: prvtCfmMaCompClearConnectivity.1.1.1 (gauge) 0

Page 79

Configuring Ethernet Protection Switching (EPS) via
SNMP
In BiNOS version 9.4.Rx and above, the configuration of EPS via SNMP support has been added.
In the sections below, you can find explanations for the new PRVT-EPS-MIB and its architecture
used for configuring EPS via SNMP.
For additional information about EPS feature, refer to the ITU-T G.8031 Ethernet ProtectionSwitching
(EPS) section of the OperationAdministrationandMaintenance(OAM) chapter of this User Guide.
MIB Architecture: PRVT-EPS-MIB
This is a private MIB supporting Linear Ethernet Protection Switching (ITU-T G.8031).
prvtEpsServiceTable
prvtEpsSvcId The service ID (SVCID), a unique service
identifier, in the range of <14294967295>.
prvtEpsServiceCfmMdLevel The value of the CFM MD level where the
protected domain is situated. The valid
range is <07>.
prvtEpsServicePrimaryLocalCfmMep Defines the CFM pair of MEPs that monitor
the primary path. Specifies the service
MEP ID of the local device.
prvtEpsServicePrimaryRemoteCfmMep Defines the CFM pair of MEPs that monitor
the primary path. Specifies the discovered
service MEP ID of the remote device.
prvtEpsServiceSecondaryLocalCfmMep Defines the CFM pair of MEPs that monitor
the backup path. Specifies the service MEP
ID of the local device.
prvtEpsServiceSecondaryRemoteCfmMep Defines the CFM pair of MEPs that monitor
the backup path. Specifies the discovered
service MEP ID of the remote device.
prvtEpsServiceLocalState The protection state of the local side.
prvtEpsServiceHoldOffTimer Defines the hold off timeout. This timer
postpones the switchover for a specified
time. The valid range is <010000>
milliseconds, with 100 ms increments.
prvtEpsServiceWaitToRestoreTimer Defines the wait-to-restore timeout. If the
revertive mode is disabled, this timer will
also be disabled. To configure the timer,
select one of the values: 0 or <512>
minutes; 0 means revert immediately.
prvtEpsServiceApsChannel Active APS communication.

Page 80

prvtEpsServiceProtection Type of protection (1+1 or 1:1).
prvtEpsServiceDirection Type of direction (unidirectional or
bidirectional).
prvtEpsServiceRevertive The revertive mode for the protection. In
case of a signal failure when the primary
transport is repaired, the traffic is
automatically moved to the primary
transport after the wait-to-restore timer
expired.
prvtEpsServiceActivePath The EPS active path.
prvtEpsServiceDegradeTestType The type of test used for monitoring signal-
degrade.
prvtEpsServiceDegradeTestOwner The owner of the SAA test used for
monitoring.
prvtEpsServiceDegradeTestName The name of test used for monitoring
signal-degrade.
prvtEpsServiceDegradeTestEnable Starts/stops CFM test for performance
monitoring.
prvtEpsServiceDefectFop Defects noticed by APS protocol.
prvtEpsServiceOperationalStatus The purpose of this status is to identify to
the User whether this service is ready for
running. The operational status can be up
or down. When creating the service the
operational status will be down. Receiving
CCMs from both transport entities and
establishment of APS on the protection
transport entity will bring the operational
status to up.
prvtEpsServicePrimaryStatus Primary EPS path state.
prvtEpsServiceSecondaryStatus Secondary EPS path state.
prvtEpsServiceRemoteState The protection state of the remote side.
prvtEpsServiceRemoteApsChannel Active APS communication reported by the
remote.
prvtEpsServiceRemoteProtection Type of protection (1+1 or 1:1) reported by
the remote.
prvtEpsServiceRemoteDirection Direction of protection (unidirectional or
bidirectional) reported by the remote.
prvtEpsServiceRemoteRevertive Protection type (revertive or non-revertive)
reported by the remote.
prvtEpsServiceAdminFreeze Used to freeze the state of the protection
service. Until the freeze is cleared, all local
and remote commands are ignored. After
the freeze is cleared, the state of the
services is recomputed using the ignored
commands.

Page 81

prvtEpsServiceAdminStatus Administrative status of the protection.
prvtEpsServiceRowStatus The status of the row. The writable columns
in a row can not be changed if the row is
active. All columns must have a valid value
before a row can be activated.
Notifications
Following notifications are supported:
prvtEpsDefectAlarmis sent when EPS service operational status changed or protocol
defect occurred.
OID: 1.3.6.1.4.1.738.1.5.132.0.1
prvtEpsSwitchoverAlarmis sent when EPS service active link changed.
OID: 1.3.6.1.4.1.738.1.5.132.0.2
prvtEpsLostCommunicationis sent when APS communication failed.
OID: 1.3.6.1.4.1.738.1.5.132.0.3
prvtEpsRestoredCommunicationis sent when APS communication restored.
OID: 1.3.6.1.4.1.738.1.5.132.0.4
prvtEpsSignalFailDetectedis sent when three consecutive CCMs are not received.
OID: 1.3.6.1.4.1.738.1.5.132.0.5
prvtEpsSignalDegradeDetectedis sent when monitored error threshold is crossed.
OID: 1.3.6.1.4.1.738.1.5.132.0.6

Page 82

EPS via SNMP Configuration Example
The following example is based on the EPS ConfigurationExample(refer to the Operation
configure an Ethernet network using EPS via SNMP.
1. Create a TLS service; refer to the TLS ConfigurationExamplessection.
2. Activate the primary status for the specified SDP:
set prvtEpsSvcSdpAdminIsPrimary to true(1)
3. Activate the secondary status for the specified SDP:
set prvtEpsSvcSdpAdminIsSecondary to true(1)
4. Activate TLS service; refer to the TLS ConfigurationExamplessection.
5. Configure the MD, MA, and MEP ID; refer to the ConfiguringTwoDevicesinCFM Protocol
section.
6. Set EPS parameters:
set prvtEpsServiceRowStatus to createAndWait(5)
set prvtEpsServiceCfmMdLevel to 1
set prvtEpsServicePrimaryLocalCfmMep to 1
set prvtEpsServicePrimaryRemoteCfmMep to 2
set prvtEpsServiceSecondaryLocalCfmMep to 1
set prvtEpsServiceSecondaryRemoteCfmMep to 2
set prvtEpsServiceRowStatus to active(1)
set prvtEpsServiceAdminStatus to active(1)
1. Create a TLS service; refer to the TLS ConfigurationExamplessection.
2. Activate the primary status for the specified SDP:
set prvtEpsSvcSdpAdminIsPrimary to true(1)
3. Activate the secondary status for the specified SDP:
set prvtEpsSvcSdpAdminIsSecondary to true(1)
4. Activate the TLS service; refer to the TLS ConfigurationExamplessection.
5. Configure the MD, MA, and MEP ID; refer to the ConfiguringTwoDevicesinCFM Protocol
section.

Page 83

6. Set EPS parameters:
set prvtEpsServiceRowStatus to createAndWait(5)
set prvtEpsServiceCfmMdLevel to 1
set prvtEpsServicePrimaryLocalCfmMep to 2
set prvtEpsServicePrimaryRemoteCfmMep to 1
set prvtEpsServiceSecondaryLocalCfmMep to 2
set prvtEpsServiceSecondaryRemoteCfmMep to 1
set prvtEpsServiceRowStatus to active(1)
set prvtEpsServiceAdminStatus to active(1)

Page 84

Configuring Link Layer Discovery Protocol (LLDP)
via SNMP
In BiNOS version 9.4.Rx and above, the configuration of LLDP via SNMP support has been
added.
In the sections below, you can find explanations for the LLDP-MIB and its architecture used for
configuring LLDP via SNMP.
For additional information about LLDP feature, refer to the ConfiguringLink Layer DiscoveryProtocol
(LLDP) chapter of this User Guide.
MIB Architecture: LLDP-MIB
The LLDP-MIB is used for configuring LLDP statistics, local system data and remote system data
components.
lldpConfiguration
lldpMessageTxInterval The interval at which LLDP frames are
transmitted on behalf of this LLDP agent.
Transmit-interval is from 5 to 32768 (5 can
be set when transmit-delay is set to its
minimum value of 1)
lldpMessageTxHoldMultiplier The time-to-live value expressed as a
multiple of the lldpMessageTxInterval object.
The valid range is <210>seconds.
The TTL value is the smaller value between
65535 and (LLDP transmit interval *
transmit-hold).
The TTL value is calculated by the following
formula: TTL=(lldpMessageTxInterval *
lldpMessageTxHoldMultiplier).
lldpReinitDelay Indicates the delay, in seconds, from when
lldpPortConfigAdminStatus object of a
particular port becomes 'disabled' until re-
initialization is attempted. The valid range is
<110>seconds.

Page 85

lldpTxDelay Indicates the delay, in seconds, between
successive LLDP frame transmissions
initiated by value/status changes in the
LLDP local systems MIB. Transmit-delay is
from 1 to 8192 (8192 can be set when
transmit-interval is set to its maximum value
of 32768).
Transmit-delay can be set only to values
smaller than (0.25 *
lldpMessageTxInterval)
lldpNotificationInterval Controls the transmission of LLDP
notifications.
lldpPortConfigTable Controls LLDP frame transmission on
individual ports.
lldpConfigManAddrTable The table that controls selection of LLDP
management address and TLV instances to
be transmitted on individual ports.
lldpStatistics
lldpStatsRemTablesLastChangeTime The value of sysUpTime object (defined in
IETF RFC 3418) at the time an entry is
created, modified, or deleted in the tables
associated with the lldpRemoteSystemsData
objects and all LLDP extension objects
associated with remote systems.
lldpStatsRemTablesInserts The number of times the complete set of
information advertised by a particular MSAP
has been inserted into tables contained in
lldpRemoteSystemsData and lldpExtensions
objects.
lldpStatsRemTablesDeletes The number of times the complete set of
has been deleted from tables contained in
objects
lldpStatsRemTablesDrops The number of times the complete set of
could not be entered into tables contained in
objects because of insufficient resources
lldpStatsRemTablesAgeouts The number of times the complete set of
has been deleted from tables contained in
objects because the information timeliness
interval has expired.
lldpStatsTxPortTable A table containing LLDP transmission
statistics for individual ports. Entries are not
required to exist in this table while the
lldpPortConfigEntry object is equal to
disabled(4).

Page 86

lldpStatsRxPortTable A table containing LLDP reception statistics
for individual ports. Entries are not required
to exist in this table while the
lldpPortConfigEntry object is equal to
disabled(4)
lldpLocalSystemData
lldpLocChassisIdSubtype The type of encoding used to identify the
chassis associated with the local system.
lldpLocChassisId The string value used to identify the chassis
component associated with the local system.
lldpLocSysName The string value used to identify the system
name of the local system.
lldpLocSysDesc The string value used to identify the system
description of the local system.
lldpLocSysCapSupported The bitmap value used to identify which
system capabilities are supported on the
local system.
lldpLocSysCapEnabled The bitmap value used to identify which
system capabilities are enabled on the local
system
lldpLocPortTable This table contains one or more rows per
port information associated with the local
system known to this agent.
lldpLocManAddrTable This table contains management address
information on the local system known to
this agent.
lldpRemoteSystemsData
lldpRemTable This table contains one or more rows per
physical network connection known to the
agent
lldpRemManAddrTable This table contains one or more rows per
management address information on the
remote system learned on a particular port
contained in the local chassis known to this
agent.
lldpRemUnknownTLVTable This table contains information about an
incoming TLV which is not recognized by the
receiving LLDP agent
lldpRemOrgDefInfoTable This table contains one or more rows per
physical network connection which
advertises the organizationally defined
information.

Page 87

Notifications
The LLDP-MIB contains the lldpRemTablesChange notification. This notification is sent when
the value of lldpStatsRemTablesLastChangeTime changes. It can be used by an NMS to trigger
LLDP remote systems table maintenance polls (OID: 1.0.8802.1.1.2.0.0.1).

Page 88

LLDP via SNMP Configuration Example
The following example is based on the ConfigurationExample(refer to the ConfiguringLink Layer
DiscoveryProtocol (LLDP) chapter of this User Guide) and it details the steps to configure an
Ethernet network using LLDP via SNMP.

This example uses the lldpPortConfigAdminStatus object to set the desired status of the LLDP.
You can select one of the values:
txOnly(1)the port will only transmit LLDP packets
rxOnly(2)the port will only receive LLDP packets
txAndRx(3)the port will both transmit and receive LLDP packets
disabled(4)the port will neither receive nor transmit LLDP packets
Configuring Device 1 and Device 2:
1. Enable the LLDP on the device:
set prvtLldpEnable to true(1)
2. Define the reinitialized-delay value:
set lldpReinitDelay to 4
3. Define the transmit-delay value:
set lldpTxDelay to 4
4. Define the transmit-hold value:
set lldpMessageTxHoldMultiplier to 5
5. Define the transmit-interval value:
set lldpMessageTxInterval to 500
set lldpPortConfigAdminStatus to txAndRx(3)
7. Configure what to be advertised (one or more) on the selected port:
set lldpPortConfigTLVsTxEnable (portDesc, sysName, sysDesc or sysCap)


Page 89

Configuring Remote Monitoring (RMON) via SNMP
For additional information about RMON feature, refer to the ConfiguringRemoteMonitoring(RMON)
MIB Architecture: RMON-MIB
Remote Monitoring MIB (RMON-MIB) is a standard monitoring specification that enables various
network monitors and console systems to exchange network-monitoring data. RMON-MIB
provides network administrators with more freedom in selecting network-monitoring probes and
consoles with features that meet their particular networking needs.
The RFCs supported: RFC 2863, Interfaces Group MIB (configL2IfaceTable and interface table).
This RFC specifies an Internet standards track protocol for the Internet community, and requests
discussion and suggestions for improvements.
RFC 1271, Remote Network Monitoring Management Information Base
Standards supported:
IEEE 802.3 Ethernet
IEEE 802.3u Fast Ethernet
IEEE 802.3x Flow Control
IEEE 802.3z Gigabit Ethernet

statistics
etherStatsTable Contains a list of Ethernet statistics entries.
tokenRingMLStatsTable Contains a list of MAC-layer token ring statistics
entries.
tokenRingPStatsTable Contains a list of promiscuous token ring statistics
entries.
etherStats2Table Contains the RMON-2 augmentations to RMON-1.
tokenRingMLStats2Table Contains the RMON-2 augmentations to RMON-1.
tokenRingPStats2Table Contains the RMON-2 augmentations to RMON-1.
etherStatsHighCapacityTable Contains the high capacity RMON extensions to
the RMON-1 etherStatsTable
history
historyControlTable Contains a list of history control entries.
etherHistoryTable Contains a list of Ethernet history entries.

Page 90

tokenRingMLHistoryTable Contains a list of MAC-layer token ring statistics
entries.
tokenRingPHistoryTable Contains a list of promiscuous token ring
statistics entries
historyControl2Table Contains the RMON-2 augmentations to RMON-1.
etherHistoryHighCapacityTable Contains the high capacity RMON extensions to
the RMON-1 etherHistoryTable.
alarm
alarmTable Contains a list of alarm entries.
hosts
hostControlTable Contains a list of host table control entries.
hostTable Contains a list of host entries.
hostTimeTable Contains a list of time-ordered host table entries.
hostControl2Table Contains the RMON-2 augmentations to RMON-1.
hostHighCapacityTable Contains the high capacity RMON extensions to
the RMON-1 hostTable.
hostTimeHighCapacityTable Contains the high capacity RMON extensions to
the RMON-1 hostTimeTable.
hostTopN
hostTopNControlTable Contains a list of top N host control entries
hostTopNTable Contains a list of top N host entries.
hostTopNHighCapacityTable Contains the high capacity RMON extensions to
the RMON-1 hostTopNTable when
hostTopNRateBase specifies a high capacity top
N report
matrix
matrixControlTable Contains a list of information entries for the traffic
matrix on each interface.
matrixSDTable Contains a list of traffic matrix entries indexed by
source and destination MAC address.
matrixDSTable Contains a list of traffic matrix entries indexed by
destination and source MAC address.
matrixControl2Table Contains the RMON-2 augmentations to RMON-1
matrixSDHighCapacityTable Contains the high capacity RMON extensions to
the RMON-1 matrixSDTable
matrixDSHighCapacityTable Contains the high capacity RMON extensions to
the RMON-1 matrixDSTable.
filter
filterTable Contains a list of packet filter entries.

Page 91

channelTable Contains a list of packet channel entries.
channel2Table Contains the RMON-2 augmentations to RMON-1.
filter2Table Provides a variable-length packet filter feature to
the RMON-1 filter table.
capture
bufferControlTable Contains a list of buffers control entries.
captureBufferTable Contains a list of packets captured off of a
channel.
captureBufferHighCapacityTable Contains the high capacity RMON extensions to
the RMON-1 captureBufferTable.
event
eventTable Contains a list of events to be generated.
logTable Contains a list of events that have been logged.
Notifications
The RMON-MIB contains the following notifications:
risingAlarmis generated when a value rises above its pre-programmed threshold.
OID: 1.3.6.1.2.1.16.0.2
fallingAlarmis generated when a value falls below its pre-programmed threshold.
OID: 1.3.6.1.2.1.16.0.2


Page 92

RMON via SNMP Configuration Example
The following example is based on the RMON ConfigurationExample(refer to the ConfiguringRemote
Monitoring(RMON) chapter of this User Guide) and it details the steps to configure an Ethernet
network using RMON via SNMP.

1. To define an RMON event description, select:
The event index to be 1
The event description to be the_tank_is_full
The event notification to be snmp-trap
The community string, as defined previously, to be PUBLIC
The event owner to be STN1

1: eventStatus.1 (integer) createRequest(2)
1: eventDescription.1 (octet string) the_tank_is_full
1: eventType.1 (integer) snmp-trap(3)
1: eventCommunity.1 (octet string) PUBLIC
1: eventOwner.1 (octet string) STN1
1: eventStatus.1 (integer) valid(1)

Page 93

2. Define RMON alarm conditions. The threshold type is absolute, so the falling event is
insignificant. The index has an arbitrary value of zero. If the threshold type is delta, the index
has the number of the event of the falling value:
1: alarmStatus.1 (integer) createRequest(2)
1: alarmVariable.1 (object identifier) etherStatsOctets.5
1: alarmSampleType.1 (integer) absoluteValue(1)
1: alarmStartupAlarm.1 (integer) risingAlarm(1)
1: alarmRisingThreshold.1 (integer) 20000
1: alarmFallingThreshold.1 (integer) 0
1: alarmRisingEventIndex.1 (integer) 1
1: alarmFallingEventIndex.1 (integer) 0
1: alarmOwner.1 (octet string) STN1
1: alarmStatus.1 (integer) valid(1)

Page 94

Supported Platforms
Fast Ethernet and Giga Ethernet Port via SNMP + +
LAGs via SNMP + +
Resilient Links via SNMP + +
VLANs via SNMP + +
TLS via SNMP + +
STP via SNMP + +
RSTP via SNMP + +
MSTP via SNMP + +
QoS via SNMP + +
EFM-OAM via SNMP + +
CFM-OAM via SNMP + +
EPS via SNMP + +
LLDP via SNMP + +
RMON via SNMP + +
Fast Ethernet
and Giga
Ethernet Port via
SNMP
IEEE 802.3
Ethernet
IEEE 802.3u
Fast Ethernet
IEEE 802.3x
Flow Control
IEEE 802.3z
Gigabit Ethernet
Public MIBs:
RFC 1213,
Management
Network
Management of
TCP/IP-based
internets: MIB-II
(qwerinterface table
and
onfigL2IfaceTable)
RMON MIB
Private MIB,
prvt_switch.mib
RFC 2863 The Interfaces
Group MIB
(configL2IfaceTable and
interface table)
LAGs via SNMP IEEE 802.3ad Private MIB,
prvt_Ports_Aggregation.
mib
by this feature.
Resilient Links
via SNMP
No standards are
supported by this
feature.
Private MIB,
prvt_resilient_link.mib
by this feature.

Page 95

VLANs via SNMP
IEEE 802.1Q-
1998
IEEE 802.1Q-
2003
IEEE 802.1P
IEEE 802.1u-
2001
IEEE 802.1Q No RFCs are supported
by this feature.
TLS via SNMP No standards are
supported by this
feature.
Private MIBs:
prvt_serv.mib
prvt_L2tunneling.mib
by this feature.
STP via SNMP IEEE 802.1d-1998 Public MIBs:
bridge.mib
rstp.mib
Private MIB,
prvt_switch.mib
RFC 1493,
Definitions of
Managed Objects for
Bridges
RFC 2863,
Interfaces Group
MIB
RSTP via SNMP
IEEE 802.1d-
1998
IEEE 802.1t-
2001
IEEE 802.1w-
2001
Public MIBs:
bridge.mib
rstp.mib
Private MIB,
prvt_switch.mib
RFC 1493,
Definitions of
Managed Objects for
Bridges
RFC 2863,
Interfaces Group
MIB
MSTP via SNMP
IEEE 802.1d-
1998
IEEE 802.1t-
2001
IEEE 802.1w-
2001
IEEE 802.1s-
2002
Private MIBs:
prvt_mst.mib
prvt_switch.mib
Group MIB
QoS via SNMP
IEEE 802.1p
Priority Queuing
IEEE 802.1ad
Describes port-
based service
Private MIB, prvt_qos.mib
RFC 2474, Definition
of the Differentiated
Services Field (DS
Field) in the IPv4
and IPv6 Headers
RFC 2475, An
Architecture for
Differentiated
Services
RFC 2597, Assured
Forwarding PHB
Group
RFC 2598, An
Expedited

Page 96

Forwarding PHB
RFC 2697, A Single
Rate Three Color
Marker
RFC 2698, A Two
Rate Three Color
Marker
RFC 3140, Per Hop
Behavior
Identification Codes
EFM-OAM via
SNMP
IEEE Draft P 802.3ah
/D3.3 Clause 57
Public MIB,
dot3_oam.mib
Private MIB,
prvt_switch_efm_oam.mi
b
by this feature.
CFM-OAM via
SNMP
IEEE 802.1ag-
2007 (draft
8.1)Virtual
Bridged Local
Area Networks
(Amendment 5:
Connectivity
Fault
Management).
Connectivity
Fault
Management
An Update on
Bridging
Technologies
(IEEE Tutorial,
J uly 18, 2005).
Public MIB,
ieee8021_cfm.mib
Private MIB, prvt_cfm.mib
RFC 2544, Benchmarking
Methodology for Network
Interconnect Devices
EPS via SNMP
ITUT-G.8031
IEEE 802.1ag-
2007 (draft 8.1)
ITUT-Y.1731
Private MIB, prvt_eps.mib No RFCs are supported
by this feature.
LLDP via SNMP IEEE 802.1AB Public MIB, lldp.mib No RFCs are supported
by this feature.
RMON via SNMP No standards are
supported by this
feature.
Public MIBs:
rmon.mib
hc_rmon.mib
RFC 1271, Remote
Network Monitoring
Management
Information Base
RFC 3273, Remote
Network Monitoring
Management
High Capacity
Networks

Page 1
Configuring Remote Monitoring (RMON) (Rev. 07)
Configuring Remote Monitoring (RMON)
Table of Figures 2
Overview 3
RMON Groups 4
RMON Alarms and Events Default Configuration 5
RMON Alarms and Events Commands 5
Configuring RMON Alarms 6
Configuring RMON Events 9
Displaying RMON Alarms 10
Displaying RMON Events11
Displaying RMON Statistics11
Displaying High-Capacity Counters14
Page 2

Table of Figures
Figure 1: RMON Monitoring Example 3

Page 3

Overview
Remote Monitoring (RMON) is an Internet Engineering Task Force (IETF) monitoring
specification that defines a set of statistics and functions that can be exchanged between RMON-
compliant console systems and network probes.
RMON provides you with comprehensive network-fault diagnosis, planning, and performance-
tuning information.
You can use the RMON feature with the Simple Network Management Protocol (SNMP) agent in
the device to monitor all the traffic flowing among devices on all connected LAN segments.

Figure 1: RMON Monitoring Example
Page 4

RMON Groups
The T-Marc 300 Series devices support the following four RMON groups:
Statistics (group 1)
The Ethernet statistics group collects Fast Ethernet and Gigabit Ethernet statistics on an
interface.
Use the information from the Statistics group to detect changes in traffic and error
patterns in critical areas of the network.
History (group 3)
The History group provides historical views of network performance by taking periodic
samples of the counters supplied by the Statistics group.
The group is useful for analyzing traffic patterns and trends on an Ethernet interface on
the device and for establishing baseline information indicating normal operating
parameters.
Alarms (group 4)
The Alarms group provides a general mechanism for setting threshold and sampling
intervals to generate events on any RMON variable. This group monitors a specific
management information base (MIB) object for a specified interval, triggers an alarm at a
specified value (rising threshold), and resets the alarm at another value (falling threshold).
You can use alarms with RMON events to generate a log entry and/ or an SNMP
notification when the RMON alarm triggers.
Events (group 10)
The Events group creates entries in an event log and/ or sends SNMP traps. An event is
triggered by an RMON alarm. The action taken can be configured to ignore it, to log the
event, to send an SNMP trap to the receivers listed in the trap receiver table, or to both
log and send a trap.
Page 5

RMON Alarms and Events Default Configuration
Table 1: RMON Default Configuration
RMON Disabled (no events or alarms are configured)
RMON Alarms and Events Commands
Table 2: RMON Alarms and Events Commands
Command Description
rmon alarm counter Configures RMON alarms (see Configuring RMON Alarm)
rmon event Configures RMON events (see Configuring RMON Events)

Table 3: RMON Display Commands
NOTE
You must first configure RMON alarms and events to display collection
information.

Command Description
show rmon alarm Displays information about RMON alarms (see Displaying
RMON Alarms)
show rmon event Displays information about RMON events (see Displaying
RMON Events)
show rmon statistics Displays counter statistics of the specified port or all available
ports on the device (see Displaying RMON Statistics)
show rmon statistics
high-capacity
Displays the high capacity of RMON statistics for a specified
port or for all ports (see Displaying High-Capacity Counters)
Page 6

Configuring RMON Alarms
The rmon alarm counter command configures RMON alarms.
Command Syntax
device-name(config)#rmon alarm <alarm-index> counter <index> UU/SS/PP
<polling-interval> {absolute | delta} <rising-threshold> <falling-
threshold> <rising-index> <falling-index> OWNER
device-name(config)#no rmon alarm [<alarm-index>]
alarm-index Specifies the alarm index, in the range <165535>.
If it is a new index, the alarm is created. If the index already exists, the
alarm is updated.
counter <index> Specifies the counter number of the statistics kept for a particular
Ethernet interface. The counter number is in the range <1-25>. For
more information about the RMON counters, see Table 4.
UU/SS/PP Specifies the Ethernet interface on which to collect statistics.
polling-interval Specifies the time in seconds the alarm monitors the counters. The
range is <12147483647>seconds.
absolute Use absolute threshold values.
The trap is sent only once when the rising threshold value is met.
delta Use threshold value differences.
The agent sends the trap whenever the difference between the last
and the current value reaches the rising or falling value.
The delta keyword requires you to define two eventsone for the
case when the rising value is met and one for the case when the
falling value is met.
rising-threshold Specifies the rising-threshold, in the range <02147483647>.
falling-threshold Specifies the falling-threshold, in the range <02147483647>.
Insignificant if absolute is specified.
rising-index Specifies the rising-event index, in the range <065535>.
falling-index Specifies the falling-event index, in the range <065535>.
OWNER The owner name can be any alphanumeric string (without spaces).
no Removes all defined RMON alarms. When the alarm index is
specified, only the selected RMON alarm is removed.
Page 7

Table 4: Counter Statistics Kept for a Particular Ethernet Interface
Counter
Number
Counter Name Description
1
DropEvents
The total number of events in which, packets are
dropped by the probe due to lack of resources. Note
that this number is not necessarily the number of
packets dropped; it is just the number of times this
condition is detected.
2
Octets
The total number of octets of data, including those in
bad packets, received on the network (excluding
framing bits but including FCS octets).
3
Pkts
The total number of packets received, including bad
packets, broadcast packets, and multicast packets.
4
BroadcastPkts
The total number of good packets received that are
directed to the broadcast address. Note that this does
not include multicast packets.
5
MulticastPkts
The total number of good packets received that are
directed to a multicast address. Note that this number
does not include packets directed to the broadcast
address.
6
CRCAlignErrors
The total number of packets received that had
lengths between 64 and 1518 octets inclusive
(excluding framing bits, but including FCS octets) but
had either a bad Frame Check Sequence (FCS) with
an integral number of octets (FCS Error) or a bad
FCS with a non-integral number of octets (Alignment
Error).
7
UndersizePkts
The total number of packets received that are less
than 64 octets long (excluding framing bits, but
including FCS octets) and are otherwise well formed.
8
OversizePkts
The total number of packets received that are longer
than 1518 octets (excluding framing bits, but
including FCS octets) and are otherwise well formed.
9
Fragments
The total number of packets received that are less
than 64 octets in length (excluding framing bits but
including FCS octets) and had either a bad Frame
Check Sequence (FCS) with an integral number of
octets (FCS Error) or a bad FCS with a non-integral
number of octets (Alignment Error).
10
Jabbers
The total number of packets received that are longer
than 1518 octets (excluding framing bits, but
including FCS octets), and had either a bad Frame
Check Sequence (FCS) with an integral number of
octets (FCS Error) or a bad FCS with a non-integral
number of octets (Alignment Error).
J abber is defined as the condition where any packet
exceeds 20 ms. The allowed range to detect jabber is
between 20 ms and 150 ms.
11
Collisions
The best estimate of the total number of collisions on
this Ethernet segment.
Page 8

Counter
Number
Counter Name Description
12
Pkts64Octets
The total number of packets (including bad packets)
received that are 64 octets in length (excluding
framing bits but including FCS octets).
13
Pkts65to127Octets
The total number of packets, including bad packets,
received with lengths between 65 and 127 octets
inclusive (excluding framing bits but including FCS
octets).
14
Pkts128to255Octets
octets).
15
Pkts256to511Octets
octets).
16
Pkts512to1023Octets
octets).
17
Pkts1024to1518Octets
octets).
18 High Capacity Pkts For more information, refer to Pkts counter from this
table. This high capacity counter has 64bits.
19 High Capacity Octets For more information, refer to Octets counter from
this table. This high capacity counter has 64bits.
20 High Capacity
Pkts64Octets
For more information, refer to Pkts64Octets counter
from this table. This high capacity counter has 64bits.
21 High Capacity
Pkts65to127Octets
For more information, refer to Pkts65to127Octets
counter from this table. This high capacity counter
has 64bits.
22 High Capacity
Pkts128to255Octets
has 64bits.
23 High Capacity
Pkts256to511Octets
has 64bits.
24 High Capacity
Pkts512to1023Octets
has 64bits.
25 High Capacity
Pkts1024to1518Octets
For more information, refer to
Pkts1024to1518Octets counter from this table. This
high capacity counter has 64bits.
Page 9

Example 1
In the following example, the threshold type is absolute, so the falling event is insignificant. The
index has an arbitrary value of zero.
If the threshold type is delta, the index has the number of the event of the falling value.
device-name(config)#rmon alarm 1 counter 2 1/2/3 5 absolute 20000 0 1 0 STN1
Example 2
To remove all defined RMON alarms, perform the following command:
device-name(config)#no rmon alarm
r emove al l def i ned RMON al ar ms ? [ y/ n] : y
Example 3
To remove a specific RMON alarm, perform the following command:
device-name(config)#no rmon alarm 1
Configuring RMON Events
The rmon event command configures RMON events.
Command Syntax
device-name(config)#rmon event <event-index> DESCRIPTION {none | log |
snmp-trap | trap-and-log} COMM OWNER
device-name(config)#no rmon event [<event-index>]
event-index Specifies the event index, in the range <165535>.
If it is a new index, the event is created. If the index already exists, the event is
updated.
DESCRIPTION
The event description can be any alphanumeric string (without spaces).
none No notification.
log Generates an RMON log entry when the event is triggered.
snmp-trap Generates an SNMP trap entry when the event is triggered.
trap-and-log Generates an SNMP trap and RMON log entries when the event is triggered.
COMM Specifies the trap community (alphanumeric string without blank spaces).
OWNER The owner name can be any alphanumeric string.
no Removes all existing RMON events. When the event index is specified, only
the selected RMON event is removed.
Page 10

Example 1
To define an RMON event description, select:
device-name(config)#rmon event 1 the_tank_is_full snmp-trap PUBLIC STN1
Example 2
To remove all defined RMON events, perform the following command:
device-name(config)#no rmon event
r emove al l def i ned RMON event s ? [ y/ n] : y
Displaying RMON Alarms
The show rmon alarm command displays information about RMON alarms.
Command Syntax
device-name#show rmon alarm [<alarm-index>]
alarm-index (Optional). Displays information about the specified RMON alarm in the
range <165535>.
Example
device-name#show rmon alarm
Al ar m1, st at us act i ve, owned by STN1
Count er Oct et s, i nt er f ace 1/ 2/ 3
Sampl i ng i nt er val ( h: m: s) 00: 00: 05, Sampl eType absol ut e
Cur r ent val ue 5986918 St ar t up : r i si ng
Ri si ngThr eshol d 20000 Fal l i ngThr eshol d 0
Ri si ngEvent I ndex 1 Fal l i ngEvent I ndex 0
Page 11

Displaying RMON Events
The show rmon event command displays information about RMON events.
Command Syntax
device-name#show rmon event [<event-index>]
event-index (Optional). Displays information for the specified RMON event, in the
range <165535>.
Example 1
device-name#show rmon event
Event 1, st at us act i ve, owned by STN1
Descr i pt i on : t he_t ank_i s_f ul l
Type : snmp- t r ap, Last Ti meSent : 01: 36: 29
Communi t y : PUBLI C
Descr i pt i on : t he_t ank_i s_empt y
Communi t y : PUBLI C2
Example 2
device-name#show rmon event 1
Displaying RMON Statistics
The show rmon statistics command displays counter statistics of the specified port or all
available ports on the device.
Command Syntax
device-name#show rmon statistics [UU/SS/PP]
UU/SS/PP (Optional). Displays counter statistics on the specified port.
Page 12

Example
device-name#show rmon statistics 1/2/3
Under si ze 0 I n/ Out Pkt s 1024- MaxFr ameSi ze 3915499
J abber s 0 Down Count 0
Dr opEvent s 0
Table 5: Counters Displayed by the show r mon st at i st i cs Command
Counter Description
Oct et s This counter is incremented once for every data octet of all received
packets. This includes data octets of rejected and local packets that
are not forwarded to the switching core for transmission. This
counter reflects all the data octets received on the line.
For oversized packets, when they exceed the allocated buffer-size,
only buffer-size bytes are counted and all the rest of the bytes are
not.
Col l i si ons This counter is incremented once for every received packet when
detecting a Collision Event.
Br oadcast This counter is incremented once for every good Broadcast packet
received.
Mul t i cast This counter is incremented once for every good Multicast packet
received.
CRCal i gnEr r or s This counter is incremented once for every received packet that
meets all the following conditions:
Packet data length is between 64 and MaxFrameSize bytes
(=1518) inclusive
Packet has invalid CRC
Collision Event is not detected
Late Collision Event is not detected
Under si ze This counter is incremented once for every received packet that
Packet data length is less than 64 bytes
Packet has valid CRC
Page 13

Counter Description
Over si ze This counter is incremented once for every received packet that
Packet data length is greater than MaxFrameSize bytes
(=1518)
Packet has valid CRC
Fr agment s This counter is incremented once for every received packet that
The packets data length is less than 64 bytes, or the packet is
without SFD (Start Frame Delimiter) and is less than 64 bytes
in length
J abber s This counter is incremented once for every received packet that
Packet data length is greater than MaxFrameSize bytes
(=1518)
Dr opEvent s Not supported.
Last 5secI nPkt s Counts the number of packets received on the device during the five
Last 1mi nI nPkt s Counts the number of packets received on the device during the
minute before executing the command.
Last 5mi nI nPkt s Counts the number of packets received on the device during the five
Last 5secOut Pkt s Counts the number of packets transmitted to the device during the
five seconds after executing the command.
Last 1mi nOut Pkt s Counts the number of packets transmitted to the device during the
minute after executing the command.
Last 5mi nOut Pkt s Counts the number of packets transmitted to the device during the
five minutes after executing the command.
I n/ Out Pkt s 65- 127 This counter is incremented once for every received and transmitted
packet that is 65 to 127 bytes in size. This counter includes rejected,
received, and transmitted packets.
packet that is 128 to 255 bytes in size. This counter includes
I n/ Out Pkt s 1024-
MaxFr ameSi ze
This counter is incremented once for every received and transmitted
packet that is 1024 to MaxFrameSize bytes (1518) in size. This
counter includes rejected, received, and transmitted packets.
Page 14

Counter Description
Tot al I nPkt s This counter is incremented once for every received packet. This
includes rejected and local packets that are not forwarded to the
switching core for transmission. This counter reflects all packets
received on the line.
Tot al I n/ Out Pkt s This counter is incremented once for every received and transmitted
packet that is 64 to MaxFrameSize bytes (1518) in size. This
counter includes rejected, received, and transmitted packets.
Down Count This counter is incremented once for every disconnection of the
port. The counter is initialized in any of the following cases:
When the device starts running (provided that the link to the
port is attached), the counter is initialized to zero.
When inserting the module at run-time (hot-swapped), the
counter is initialized to one.
If attaching the link to the port for the first time during run-time,
the counter is initialized to one.
Last 5secI nBps Counts the number of Bps received on the device during the five
Last 1mi nI nBps Counts the number of Bps received on the device during the minute
Last 5mi nI nBps Counts the number of Bps received on the device during the five
Last 5secOut Bps Counts the number of Bps transmitted to the device during the five
seconds after executing the command.
Last 1mi nOut Bps Counts the number of Bps transmitted to the device during the
minute after executing the command.
Last 5mi nOut Bps Counts the number of Bps transmitted to the device during the five
minutes after executing the command.
Displaying High-Capacity Counters
The show rmon statistics high-capacity command displays the high capacity of RMON
statistics for a specified port or for all ports.
Command Syntax
device-name#show rmon statistics [UU/SS/PP] high-capacity
UU/SS/PP (Optional). Displays RMON statistics for the specified port.
Page 15

Example 1
The following example shows interface statistics for port 1/ 1/ 1:
device-name#show rmon statistics 1/1/1 high-capacity
i nt er f ace 1/ 1/ 1 Hi gh Capaci t y
Over f l ow Oct et s N/ A Oct et s 1
Over f l ow Packet s N/ A Packet s 6
Over f l ow 64 N/ A I n/ Out Pkt s 64 1
Over f l ow 65- 127 N/ A I n/ Out Pkt s 65- 127 1
Over f l ow 1024- MaxSi ze N/ A I n/ Out Pkt s 1024- MaxSi ze 1
Example 2
The following example shows interface statistics for all supported ports: 1/ 1/ 1, 1/ 1/ 2, 1/ 2/ 1
1/ 2/ 8:
device-name#show interface statistics high-capacity



Page 16

Page 17

1. To define an RMON event description, select:
device-name(config)#rmon event 1 the_tank_is_full snmp-trap PUBLIC STN1
2. Define RMON alarm conditions. The threshold type is absolute, so the falling event is
insignificant. The index has an arbitrary value of zero. If the threshold type is delta, the index
has the number of the event of the falling value.
device-name(config)#rmon alarm 1 counter 2 1/2/2 5 absolute 20000 0 1 0
STN1
3. Display the configured RMON events:
device-name#show rmon event
4. Display the configured RMON alarms:
device-name#show rmon alarm
Al ar m1, st at us act i ve, owned by STN1
Count er Oct et s, i nt er f ace 1/ 2/ 2
Sampl i ng i nt er val ( h: m: s) 00: 00: 05, Sampl eType absol ut e
Cur r ent val ue 0 St ar t up : r i si ng
Ri si ngThr eshol d 20000 Fal l i ngThr eshol d 0
Ri si ngEvent I ndex 1 Fal l i ngEvent I ndex 0
Page 18

Supported Platforms
Remote Monitoring (RMON) + +
Remote Monitoring
(RMON)
No standards are
supported by this
feature.
Public MIBs:
RMON-MIB
HC-RMON-MIB
RFC 1271, Remote
Network Monitoring
Management Information
Base
RFC 3273, Remote
Network Monitoring
Management Information
Base for High Capacity
Networks

Page 1
Configuring System Message Logging (Rev. 07)

Configuring System Message Logging
System Log Messages Overview 3
System Log Message Format 3
NVRAM-based Configuration History Logging 4
Settings and Values 4
Trap Levels 4
Syslog Facility 5
Log Modules 6
The System Message Logging Default Configuration 7
The System Message Logging Step by Step Configuration 8
The System Message Logging Commands 9
Local Console Logging11
Telnet Console Logging11
Configuring the Console Log to a Syslog Server 12
Configuring Message Logging to Memory Buffer13
Resizing Memory Buffer13
Enabling the Privilege-limited Logging14
Including the PRIORITY Field or SEQUENCE NUMBER14
Synchronizing System Log Messages15
Adding Timestamps15
Storing Message Logging to NVRAM16
Displaying the NVRAM Trap Log17
Clearing the NVRAM Trap Log17
Displaying the Logging Configuration18
Uploading the Log Buffer to a TFTP Server19
Recording Configuration Commands to NVRAM19
Clearing the Configuration History Log20
Displaying the Configuration History for a Specific Session20
Enabling Log Messages22

Page 2

Enabling Configuration History22


Page 3

System Log Messages Overview
The application software provides system log messages that are useful to the system administrator
for troubleshooting problems in the network:
The console log routes system messages to a local or remote console, to a Syslog server, to the
NVRAM history table, or to the system memory buffer
A configuration history log records configuration commands submitted to the device in non-
volatile memory (NVRAM)
Message logging is configurable (for example, what is included, what trap levels, and where the
log is sent)
System Log Message Format
The logging subsystem takes messages initiated by various software processes within the application
software, formats the messages, and writes them to the appropriate log files. These messages and
come from a local facility or module(a hardware device, protocol, or module within the system
software). The logging subsystem:
provides logging information for monitoring and troubleshooting
allows configuration of the types of logging information to be captured and the destination
(log file or other devices)
supports monitoring of messages remotely (via Telnet or the console port) or on a Syslog
server, and allows privilege-limited viewing
includes system log messages, configuration history, and trap logging
The system message is stored and displayed based on the following format:
[ SEQUENCE_NUMBER: ] [ DATE TI ME: ] SOURCE- TASK: [ PRI ORI TY: ] MESSAGE- TEXT

Table 1: System Message Fields
Field Description
SOURCE- TASK
The name of a system task that generated the message.
MESSAGE- TEXT
The textual content of the message.
DATE and TI ME
(Optional). Indicates when the message is issued.
NOTE
The date and time are displayed in System Time. Specify
either DayTime or NTP protocol to receive the correct
date and time in the log message body (refer the Device
Administration chapter of this User Guide)
PRI ORI TY
(Optional). The literal messages priority level
SEQUENCE NUMBER
(Optional). The sequence number included in the message


Page 4

NOTE
The PRIORITY, SEQUENCE NUMBER and DATE TIME fields are optional. By
default, these fields are not included in any message. To force inclusion of the
PRIORITY and SEQUENCE NUMBER fields in trap-messages, use the l og
i ncl ude command.

The log timestamp datetime localtime timezone msecs command displays the date and
time.
Example
3180: 1993- 01- 03 22: 59: 25: t Tel net d: i nf or mat i onal : Access f r om10. 3. 127. 102
gr ant ed !
NVRAM-based Configuration History Logging
The Configuration History log is an integral function of the CLI (command line interface). It
records all configuration commands (that is, commands that change the configuration) that are
entered into the device. These commands are recorded into NVRAM, even if the device
configuration is not saved with the write command in Privileged (Enable) mode (refer to the Device
SetupandMaintenanceof this User Guide). The configuration-session history is generated and stored
into NVRAM in script-like format, which can be re-executed later. The format is:
!
! t i me_st amp : : user _i d : : devi ce{consol e | t el net | ssh}
!
! conf i gur at i on sessi on number st ar t
!
command 1
command 2
.
!
! conf i gur at i on sessi on number end
!
Settings and Values
Trap Levels
Trap level for logging should be configured per device (NVRAM history, buffer, CLI console, VTY
terminal, and Telnet console) and per facility.
You can configure the device to store messages from the Error level up. Lower level trap messages
are never stored.
By default, only Emergency-level messages are stored in NVRAM. All lower-level trap messages are
filtered out.
To change the level of the trap message logging filter, use the log nvram-history command. The
setting will take effect on the next startup.

Page 5

Table 2: Log Message Severity Levels
Severity Level Keyword Description
0 emergency Internal error occurred. The device reached a crash state and
cannot continue to operate.
1 alert Immediate action needed. The device might operate
incorrectly.
2 critical Internal error or non-supported event occurred.
3 error Error condition (for example, error messages about software or
hardware malfunctions).
4 warning Warning condition.
5 notification Normal but significant condition (for example, interface
up/down transitions and system restart messages).
6 information Informational message only (for example, reload requests and
low-process stack messages).
7 debugging Appears during debugging only.
Syslog Facility
A Syslog facility is a setting for the remote Syslog server and is represented by a number between 0
and 23.
Table 3: Syslog Message Facilities
Numerical Code Facility
0 Kernel messages
1 User-level messages
2 Mail system
3 System daemons
4 Security/authorization messages (0)
5 Messages generated internally by Syslog
6 Line printer subsystem
7 Network news subsystem
8 UUCP subsystem
9 Clock daemon (0)
10 Security/authorization messages (1)
11 FTP daemon
12 NTP subsystem
13 Log audit
14 Log alert
15 Clock daemon (1)
16 Local use 0 (local0)

Page 6

Numerical Code Facility

NOTE
1. Some operating systems use Facilities 4, 10, 13 and 14 for security/ authorization
and audit/ alert messages.
2. Some operating systems use both Facilities 9 and 15 for clock (clockd0/ clockd1)
messages.
Log Modules
The module that generates the message and sends it to the log daemon is represented by a keyword.

NOTE
When a module is configured explicitly, all system log messages from that module
are logged according to the module configuration, and the default configuration is
ignored.
When a module is not configured, the log output contains system log messages from
all system modules.

Table 4: Log Modules
Module Name Keyword Description
DHCP dhcp Dynamic Host Configuration Protocol
FDB fdb MAC-address table module
TIME time Time synchronization clients
KERNEL kernel Router Manager module
IGMP igmp Internet Group Management Protocol
RMON rmon Remote Monitoring module
SNMP snmp Simple Network Management Protocol
STP stp Spanning Tree Protocol
RSTP rstp Rapid Spanning Tree Protocol
MSTP mstp Multiple Spanning Tree Protocol
LACP lacp Link Aggregation Control Protocol
System System General System Messages
MSTP-tx mstp-tx Multiple Spanning Tree Protocol Transmitter
GARP garp Generic Attribute Registration Protocol

Page 7

Module Name Keyword Description
Default default Enables the configurations of all modules, which are not
explicitly configured.
The System Message Logging Default
Configuration
Table 5: Message Logging Default Configuration
NVRAM history Logging Only Emergency Level trap messages are logged.
The PRIORITY field is not recorded.
NVRAM-based Configuration History Disabled
Logging buffer size 1000 messages
Syslog server IP address None configured
Logging to buffer log module default buffer trap debugging

Page 8

The System Message Logging Step by Step
Configuration
To configure the system message logging, proceed as follows:
1. Enable displaying of system log messages:
Display log messages on the CLI console that is attached to the COM port (see Local
ConsoleLogging)
or
Display the system log messages on a Telnet console (see Telnet ConsoleLogging)
or
Display the system log messages on a Syslog server (remote device) (see Configuringthe
ConsoleLogtoa SyslogServer)
or
Enable storing message logging in the NVRAM history table (see StoringMessageLoggingto
NVRAM)
or
Copy system log messages to an internal buffer (see ConfiguringMessageLoggingtoMemory
Buffer)
Uploads the log buffer to a TFTP server, using the specified file-name (see Uploadingthe
LogBuffer toa TFTP Server)
Copies system log messages to an internal buffer instead of writing them to the console
(see ConfiguringMessageLoggingtoMemoryBuffer)
Enable resizing and displaying the memory buffer (see ResizingMemoryBuffer)
Enable privilege-limited logging (see EnablingthePrivilege-limitedLogging)
Include the PRIORITY field or the sequence number in the logged trap messages (see
IncludingthePRIORITY Fieldor SEQUENCE NUMBER)
Synchronize system log messages with a solicited command output (see Synchronizing
SystemLogMessages)
Add timestamps to the system log messages (see AddingTimestamps)
3. Clear all the memory buffer contents or all System trap-messages from NVRAM (see Clearing
theNVRAM TrapLog)
4. Display the logging configuration (see DisplayingtheLoggingConfiguration) and the contents of
the stored system message history (see DisplayingtheNVRAM TrapLog)

NOTE
When the module MODULE-NAME argument is not specified, the default module is
assumed.
By default, l og [ modul e MODULE-NAME] buf f er t r ap debuggi ng and l og
[ modul e MODULE- NAME] nvr am- hi st or y t r ap emer genci es commands do not
appear in the running configuration for any module.

Page 9

The System Message Logging Commands
Table 6: Commands for System Message Logging
Command Description
log cli-console Displays system log messages on the CLI console that is
attached to the COM port (see Local Console Logging)
log telnet-console Display the system log messages on a Telnet console (see
Telnet Console Logging)
log server syslog-facility Display the system log messages on a Syslog server
(remote device) (see Configuring the Console Log to a
Syslog Server)
log nvram-history Enables storing message logging in the NVRAM history
table (see Storing Message Logging to NVRAM)

Table 7: Commands for Optional System Message Logging Configurations
Command Description
log buffer upload-to Uploads the log buffer to a TFTP server, using the specified
file-name (see Uploading the Log Buffer to a TFTP Server)
log buffer trap Copies system log messages to an internal buffer instead of
writing them to the console (see Configuring Message
Logging to Memory Buffer)
log buffer resize-to Enables resizing and displaying the memory buffer (see
Resizing Memory Buffer)
log group users-limit Enables privilege-limited logging (see Enabling the
Privilege-limited Logging)
log include Causes displayed and logged trap-messages to include the
optional PRIORITY field or sequence number (see Including
the PRIORITY Field or SEQUENCE NUMBER)
log synchronous Synchronizes system log messages with a command output
on the CLI console or Telnet session (see Synchronizing
System Log Messages)
log timestamp Adds a timestamp with Uptime or DateTime format (see
Adding Timestamps )

Table 8: Commands for Clearing System Log Messages
Command Description
clear log Clears all the memory buffer contents or all System trap-
messages from NVRAM (see Clearing the NVRAM Trap
Log)


Page 10

Table 9: Commands for Displaying System Log Messages
Command Description
show log Displays the logging configuration (see Displaying the
Logging Configuration)
show log nvram-history Displays the contents of the stored system message history
(see Displaying the NVRAM Trap Log)

Table 10: History Configuration Commands
Command Description
record configuration-history
nvram
Enables recording the configured commands in
NVRAM (see Recording Configuration Commands to
NVRAM).
clear configuration-history
nvram
Clears the history of configuration commands (see
Clearing the Configuration History Log).
show configuration-history Displays all configuration commands stored in NVRAM
(see Displaying the Configuration History for a Specific
Session).

Page 11

Local Console Logging
The log cli-console command displays system log messages on the CLI console that is attached
to the COM port
Command Syntax
device-name(config)#log [module MODULE-NAME] cli-console trap TRAP-LEVEL
device-name(config)#no log [module MODULE-NAME] cli-console
module MODULE-
NAME
(Optional). Specifies the name of the module for which log output to a
local console is enabled.
See Table 4 for the module name keyword.
trap TRAP-LEVEL Specifies trap value for severity. Log message severity levels are listed
in Table 2.
no
Stops log output to the CLI console.
Example
The following example enables local console logging for the whole system and configures a
message log filter to the severity level 6.
device-name(config)#log cli-console trap informational
Telnet Console Logging
The log telnet-console command displays the system log messages on a Telnet console if you
are connected through a Telnet client.

NOTE
When applied in a Telnet session, the l og t el net - consol e command is effective
only in the current Telnet session. Therefore, the command is not added to the
configuration file.
Command Syntax
device-name(config)#log [module MODULE-NAME] telnet-console trap TRAP-LEVEL
device-name(config)#no log [module MODULE-NAME] telnet-console

Page 12

module MODULE-
NAME
local console is enabled. See Table 4 for the module name keyword.
trap TRAP-LEVEL Specifies trap value for severity. Log message severity levels are listed in
Table 2.
no Stops log output to the Telnet console.
Example
The following example enables Telnet console logging for the whole system and configures a
message log filter to the severity level 7.
device-name(config)#log telnet-console trap debugging
Configuring the Console Log to a Syslog Server
The log server syslog-facility command displays the system log messages on a Syslog server
(remote device).
To enable console logging to a Syslog server:
1. Configure the Syslog server to accept and log messages.
2. Apply the log server syslog-facility command.
Command Syntax
device-name(config)#log [module MODULE-NAME] server A.B.C.D syslog-facility
<syslog-facility> trap TRAP-LEVEL

device-name(config)#no log [module MODULE-NAME] server [A.B.C.D]
A.B.C.D IP address of the Syslog server.
module MODULE-
NAME
local console is enabled.
See Table 4 for the module name keyword.
syslog-facility
<syslog-facility>
Syslog facility valid entries are all values from 0 to 23 according to RFC
3164. Recommended values are local6 and local7 (22, 23). The Syslog
message facilities are listed in Table 3.
trap TRAP-LEVEL Specifies trap value for severity. Log message severity levels are listed
in Table 2.
no
Disables the remote logging.

Page 13

Configuring Message Logging to Memory Buffer
The log buffer trap command copies system log messages to an internal buffer instead of
writing them to the console.
The buffer is circular in nature, so newer messages overwrite older messages.
Command Syntax
device-name(config)#log [module MODULE-NAME] buffer trap TRAP-LEVEL
device-name(config)#no log [module MODULE-NAME] buffer trap TRAP-LEVEL
module MODULE-
NAME
local console is enabled. See Table 4 for the module name keyword.
Table 2.
no
Disables the memory buffer logging.
Resizing Memory Buffer
The log buffer resize-to command enables resizing and displaying the memory buffer.
By default, the memory buffer size is 1000.
Command Syntax
device-name(config)#log buffer resize-to <buffer-size>
device-name(config)#no log buffer resize-to <buffer-size>
no Sets the default value of the memory buffer.
resize-to <buffer-
size>
Resizes the number of messages in the memory buffer, in the range
<21000>.

Page 14

Enabling the Privilege-limited Logging
The log group users-limit command enables privilege-limited logging; that is, limits the system
log messages that are displayed to the specified trap level when you are not an authorized adminor
net-adminuser.
This command is only relevant for serial consoles.
Command Syntax
device-name(config)#log group users-limit trap TRAP-LEVEL
device-name(config)#no log group users-limit
Table 2.
no
Disables privilege-limited logging and all users can see all console
messages.
Including the PRIORITY Field or SEQUENCE
NUMBER
The log include command includes the PRIORITY field or SEQUENCE NUMBER in
displayed and logged trap messages.
By default, the PRIORITY field and the SEQUENCE NUMBER are excluded.
Command Syntax
device-name(config)#log include {priority | sequence-number | syslog-prefix }
device-name(config)#no log include {priority | sequence-number}
priority Sets the PRIORITY field in the messages to be displayed and logged.
sequence-number Includes the SEQUENCE NUMBER in the log messages.
syslog-prefix Includes prefix in the syslog message.
no Causes displayed and logged trap messages to exclude the optional
PRIORITY field or the SEQUENCE NUMBER.

Page 15

Synchronizing System Log Messages
The log synchronous command synchronizes system log messages with a command output on
the CLI console or Telnet session.
By default, the synchronous logging feature is disabled.
Command Syntax
device-name(config)#log synchronous {cli-console | telnet-console}
device-name(config)#no log synchronous {cli-console | telnet-console}
cli-console Enables the log synchronous feature on the CLI console.
telnet-console Enables the log synchronous feature on the Telnet console.
no Disables the log synchronous feature.
Example
This example shows how to prevent displaying system log messages on the CLI console until the
command output finishes or is interrupted if press <Ctrl+Z>. Logging to the console session
resumes after displaying all the requested output.
device-name(config)#log synchronous cli-console
Adding Timestamps
The log timestamp command adds a timestamp with Uptimeor DateTimeformat.

NOTE
This command does not affect system log messages sent to the Syslog server.
Command Syntax
device-name(config)#log timestamp {uptime | datetime [<localtime> | <timezone>
| <msec>]}
device-name(config)#no log timestamp {uptime | datetime [<localtime> |
<timezone> | <msec>]}

Page 16

uptime The Uptime format: Days hh:mm:ss.
datetime The DateTime format: is MM/dd hh:mm:ss[.msec].
localtime (Optional). Displays the local time-zone offset relative to GMT.
timezone (Optional). Displays the time zone name.
msec (Optional). Adds milliseconds to the format.
no Disables timestamps in the system log messages.
Storing Message Logging to NVRAM
The log nvram-history command enables storing message logging in the NVRAM history table.

NOTE
This feature logs only the most important system log messages of the system and
cannot be turned off by design.
All trap-messages of the specified level and higher levels (lower severity level
numbers) are stored.

The default trap value set to 0 (emergency).
Command Syntax
device-name(config)#log [module MODULE-NAME] nvram-history trap {alerts |
critical | emergencies | errors}
device-name(config)#no log [module MODULE-NAME] nvram-history
module
MODULE- NAME
(Optional). Specifies the name of the module for which console logging to a
Syslog server is enabled. See Table 4 for the module name keyword.
alerts Log messages in the event of an internal error that requires immediate
action. Severity level is one.
critical Log messages in the event of an internal error or a non-supported event.
Severity level is two.
emergencies Log messages in the event of an internal error that causes the System to be
unusable. Severity level is zero.
errors Log messages if error conditions exist. Severity level is three.
no Disables the recording, but does not clear existing command records.

Page 17

Displaying the NVRAM Trap Log
The show log nvram-history command displays the contents of the stored system message
history.
You can select output of the first (oldest) specified number of messages, the last (latest) specified
number of messages, or the size of the stored history (number of records).
If no arguments are specified, the entire history is displayed. Stop the output by pressing
<Ctrl+C>.

NOTE
This command determines the severity level that limits trap messages currently
stored, but does not indicate the minimal severity level of previously stored system
log messages that exist in NVRAM.
Command Syntax
device-name#show log nvram-history [first <number-of-records> | last <number-
of-records> | size | status]
first <number-of-
records>
(Optional). Displays the specified number of stored trap-messages,
starting at the oldest existing record. The range is <165535>.
last <number-of-
records>
(Optional). Displays the latest specified number of stored trap-
messages. The range is <165535>.
size (Optional). Displays the number of records in the system-message
history.
status (Optional). Displays the status of recording.
Clearing the NVRAM Trap Log
The clear log command clears all memory buffer contents or all system trap-messages from
NVRAM.
Command Syntax
device-name#clear log [buffer | nvram-history]
buffer (Optional). Clears the memory buffer contents.
nvram-history (Optional). Clears the system trap-messages from NVRAM.

Page 18

Displaying the Logging Configuration
The show log command displays the detailed logging configuration.
Command Syntax
device-name#show log {buffer | module MODULE-NAME | nvram-history}
buffer (Optional). Displays the contents of the log memory buffer.
module MODULE-NAME (Optional). Displays the logging configuration for the specified
module. See Table 4 for the module name keyword.
nvram-history Log history in NVRAM.

NOTE
After each reload of the device there are some logs in the log buffer. Even if you clear
the log buffer after reload (no matter reload to defaults or reload save) the buffer has
logs!
Example
This example shows that the buffer size is reduced to 20 messages and log messages are directed to
the CLI and Telnet consoles and to the memory buffer:
device-name#show log module default
Modul e def aul t conf i gur at i on:
buf f er si ze: 1000 t r ap: debuggi ng
nvr am- hi st or y t r ap: emer genci es
Synchr onous l oggi ng t er mi nal s:

device-name(config)#log buffer resize-to 20

device-name#show log module all
Modul e def aul t conf i gur at i on:
buf f er si ze: 20 t r ap: debuggi ng
nvr am- hi st or y t r ap: emer genci es
cl i - consol e t r ap: not i f i cat i ons
t el net - consol e t r ap: war ni ngs
Synchr onous l oggi ng t er mi nal s:

Page 19

Uploading the Log Buffer to a TFTP Server
The log buffer upload-to command uploads the log buffer to a TFTP server, using a specified
file-name.
Command Syntax
device-name#log buffer upload-to A.B.C.D FILE-NAME
A.B.C.D The IP address of the TFTP server.
FILE-NAME (Optional). The name of the uploaded buffer for storing.
Example
device-name#log buffer upload-to 192.168.0.56 buf
Recording Configuration Commands to NVRAM
The record configuration-history nvram command enables recording the configuration
commands in NVRAM.
If you enable configuration recording, you must exit the Global configuration mode for the
command to take effect. Actual recording of configuration commandsnot commands in the
View and Privileged (Enable) modesstarts the next time Global Configuration mode is entered
and continues as long as that mode or any mode under it is active. In subsequent configuration
sessions, as long as configuration-history recording is enabled, configuration commands accumulate
in NVRAM by session.
If configuration-history recording is disabled, recording stops immediately (that is, it is not
necessary to exit Global Configuration mode for the command to take effect).
Command Syntax
device-name(config)#record configuration-history nvram
device-name(config)#no record configuration-history
no Disables the recording, but does not clear existing command records.

Page 20

Clearing the Configuration History Log
The clear configuration-history nvram command removes all the recorded configuration
commands from NVRAM.
Command Syntax
device-name#clear configuration-history nvram
Displaying the Configuration History for a Specific
Session
The show configuration-history command displays all configuration commands stored in
NVRAM during the specified session.
Command Syntax
device-name#show configuration-history [<session-number> | all | size | status]
session-
number
(Optional). Number of session displayed in the range <165535>. If no
session number is specified, the command displays all configuration
commands stored in NVRAM during the last session.
all Displays all configuration commands stored in NVRAM during all recorded
sessions.
size Displays the number of sessions currently stored in NVRAM.
status Displays the current recording state of configuration history (as set by the
record configuration-history nvram command).
Example 1
The following example displays the last configuration-session (two sessions were recorded):
device-name#show configuration-history
! Conf i gur at i on sessi on 2 st ar t

conf i gur e t er mi nal
mac access- gr oup 400
! Conf i gur at i on sessi on 2 end

Page 21

Example 2
The following example displays the specified configuration-session (session number 1):
device-name#show configuration-history 1

access- l i st 400 per mi t host 00: 00: 11: 22: 33: 45 any
Example 3
The following example displays all recorded configuration-sessions:
device-name#show configuration-history all

access- l i st 400 per mi t host 00: 00: 11: 22: 33: 45 any


no mac access- gr oup 400
Example 4
device-name#show configuration-history size
Conf i gur at i on hi st or y consi st s of 2 sessi ons ( num. 1 - 2) .
Example 5
device-name#show configuration-history status
Conf i gur at i on hi st or y r ecor di ng enabl ed

Page 22

Enabling Log Messages
The following example shows how to enable log messages for the notification level that is displayed
by the console port, on Telnet session and on remote Syslog server with IP address 220.119.10.1.
1. Enable logging to the console port:
device-name(config)#log cli-console trap notifications
2. Enable logging to Telnet:
device-name(config)#log telnet-console trap notifications
3. Enable logging to a Syslog server with the IP address 220.119.10.1:
device-name(config)#log server 220.119.10.1 syslog-facility user trap
notifications
Enabling Configuration History
1. Enable configuration recording:
device-name(config)#record configuration-history nvram
Exi t t hi s conf i gur at i on sessi on f or t hi s set t i ng t o t ake ef f ect
and r e- ent er conf i gur at i on mode.
2. Exit from Global Configuration mode:
3. Make the device configuration, for example:
device-name(config-if 1/1/2)#show
Name =
Li nk = down

Page 23

Mul t i cast l i mi t = unl i mi t ed
Unknown l i mi t = unl i mi t ed
Def aul t VLAN = 1
4. Display the configuration recording:

l i nk- aggr egat i on st at i c i d 2
l i nk- aggr egat i on st at i c i d 2
show
5. Clear the configuration recording:
device-name#clear configuration-history nvram
6. Display the configuration recording after clearing:
%No commands st or ed i n conf i gur at i on hi st or y.

Page 24

Supported Platforms
System Message Logging + +
System Message
Logging
No standards are
supported by this feature.
No MIBs are
supported by this
feature.
RFC 3164, The
BSD syslog
Protocol (client
mode)

Page 1
Troubleshooting and Monitoring (Rev. 10)

Troubleshooting and Monitoring
Table of Figures 5
Chapter Overview 6
Layer 1 ToolsTroubleshooting Hardware Issues 6
Layer 2 ToolsTroubleshooting Traffic Issues 6
Layer 3 ToolsTroubleshooting Network Issues 7
General Troubleshooting Tools 7
Built-in Self Test (BiST) 8
Startup BiST 8
BiST Commands 9
Invoking BiST 9
Clearing the Power Supply Alert10
Displaying BiST Results10
CPU Utilization 11
CPU Utilization Default Configuration11
Enabling CPU Utilization Monitoring11
Hardware and Environment Monitoring12
Displaying the CPU Utilization12
Displaying the CPU Temperature13
Displaying the Power Supply Status13
Displaying the Fan Status14
Periodic Monitoring15
Periodic-Monitoring Indicator Types15
Alert Types16
Monitoring Limited Values16
Periodic Monitoring Default Configuration17
Periodic Monitoring Configuration Flow18
Periodic Monitoring Configuration-Commands19
Configuring Periodic Monitoring for All the Indicators21

Page 2

Enabling CPU Monitoring and Entering the CPU Monitoring Mode21
Enabling Flash-Usage Monitoring and Entering the Flash Monitoring Mode22
Enabling Fan Monitoring and Entering the Fan Monitoring Mode22
Enabling Power Monitoring and Entering the Power Monitoring Mode23
Enabling RAM Monitoring and Entering the RAM Monitoring Mode23
Enabling Temperature Monitoring and Entering the Temperature Monitoring Mode
24
Enabling Laser Management Monitoring and Entering the Laser Monitoring Mode25
Enabling Port Monitoring and Entering the Port Monitoring Mode26
Enabling Periodic Monitoring for a Specific Indicator27
Disabling Periodic Monitoring for a Specific Indicator27
Restoring Default Settings for a Specific Indicator27
Enabling Log-Alert Notification for a Specific Indicator28
Enabling LED-Alert Notification for a Specific Indicator28
Enabling SNMP Trap Notifications for a Specific Indicator29
Defining the Monitoring Interval for a Specific Indicator29
Defining a Limit Value for a Specific Indicator 30
Defining a Scale for Triggering New Alerts31
Displaying the Periodic Monitoring Settings32
Displaying a Specific Indicators Monitoring Settings 34
CPU Usage Monitoring35
RAM Usage Monitoring36
Flash Usage Monitoring37
Laser Management39
Laser Management Default Configuration39
Laser Management Configuration Flow40
Laser Management Commands41
Enabling Laser Management and Entering the Laser Monitoring Mode42
Enabling Periodic Laser Management42
Disabling the Periodic Laser Management42
Restoring the Default Laser Management Configuration43
Defining the Laser Management Polling Intervals43

Page 3

Enabling Laser Management Log-Alert Notification44
Enables Laser Management LED-Alert Notification44
Enabling Laser Management SNMP Trap Notification45
Defining the Port(s) Temperature Threshold45
Defining the Port(s) Tx Power Threshold46
Defining the Port(s) Rx Power Threshold47
Displaying the Laser Management Settings48
Displaying the Port(s) Laser Settings48
Virtual Cable Testing (VCT)51
Possible Test Results51
Initiating VCT on a Port51
Port Mirroring (Port Monitoring)54
Source Port Characteristics55
Destination Port Characteristics55
Port Monitoring Defaults55
Port Monitoring Commands 55
Initiating a Monitor Session56
Displaying a Monitor Session56
Iometrix Loopback and Logical Services Loopback (LSL)58
Iometrix Loopback58
LSL58
Iometrix Loopback and LSL Default Configuration59
Iometrix Loopback and LSL Commands 59
Enabling Iometrix Loopback on a Port/ LAG60
Displaying a Port/ LAG Iometrix Configuration60
Enabling LSL on a Port/ LAG61
Configuring the LSL Destination MAC Address62
Displaying the LSL Configuration62
Network Loopback Tester64
Network Loopback Tester Commands64
Configuring Network Loopback Tester on a Port/ LAG64
Displaying Network Loopback Tester65

Page 4

Watchdog Features67
Watchdog Default Configuration67
Watchdog Commands67
Entering the Watchdog Configuration Mode68
Configuring Reset-Loop Detection68
Configuring SNMP Request Failure Detection69
Configuring CPU Task Suspension Detection69
Displaying the Watchdog Configuration70
Diagnosing Connectivity Issues71
Packet Internet Groper (PING)71
Traceroute72
Connectivity-Troubleshooting Defaults73
Connectivity-Troubleshooting Commands 73
Pinging a Device74
Executing Traceroute75
Technical Support Information76
Technical Support Commands76
Selecting the Extracted Technical Support Information76
Displaying Technical Support Information79
Uploading the Tech-Support File80


Page 5

Table of Figures
Figure 1: Periodic Monitoring Configuration Flow18
Figure 2: Laser Management Configuration Flow40
Figure 3: Local Port Mirroring54
Figure 4: Remote Port Mirroring54
Figure 5: Monitor-Session Configuration Example57


Page 6

Chapter Overview
Telco Systems provides a set of powerful tools for troubleshooting and resolving technical issues
with T-Marc 300 Series devices. This chapter details these tools.
Layer 1 ToolsTroubleshooting Hardware Issues
Built-inSelf Test (BiST)
BiST is a set of basic and configuration validity tests that report hardware failures.
CPU Utilization
The CPU utilization tool provides a clear picture of how the device CPU handles the
load.
HardwareandEnvironment Monitoring
This section lists the show commands for monitoring the current hardware and
environmental parameters of the device.
PeriodicMonitoring
Periodic monitoring is a method for monitoring hardware conditions in order to identify
problematic hardware and deteriorated environmental conditions.
Laser Management
Laser management is used for monitoring optical SFP transceivers operational-
parameters.
Virtual CableTesting(VCT)
VCT is a feature that utilizes time domain reflectometry to diagnose cable and link
problems.
Layer 2 ToolsTroubleshooting Traffic Issues
Port Mirroring(Port Monitoring)
Port Mirroring is a method for monitoring network traffic by sending copies of all
incoming and outgoing packets from one port to a monitoring port, where these packets
are diagnosed.
Iometrix Loopback andLogical ServicesLoopback (LSL)
Both of these features perform loopback quality-of-service measurements over IP and
Carrier Ethernet networks to ensure service level agreements.
Network Loopback Tester
Network Loopback is a network troubleshooting mechanism for diagnosting network
failures, available on all Ethernet ports with line-rate response and based on specified
ACGs.
WatchdogFeatures
This is a feature used to monitor the performance of a set of tasks to ensure their proper
functionality.

Page 7

Layer 3 ToolsTroubleshooting Network Issues
DiagnosingConnectivity
This section provides information about the Pingand Tracerouteutilities used for
diagnosing connectivity problems.
SNMP Notifications
A management tool for monitoring events on the device. For more information, refer to
the ConfiguringSNMP and SNMP ReferenceGuidechapters of this user guide.
General Troubleshooting Tools
Showcommands, debugcommands, andLogs
The T-Marc 300 Series CLI includes sets of show and debug commands per feature. You
can use these commands to extract relevant information on the features configuration
and performance.
For the detailed list of show and debug commands, refer to the relevant features chapter
of this user guide.
In addition, refer to the ConfiguringSystemMessageLoggingchapter for detailed information
about the devices system logs.
Technical Support Information
This section lists commands that retrieve the devices' technical information. The system
administrators can forward the commands output to Telco Systems technical support
team to assist them in the troubleshooting task.

Page 8

Built-in Self Test (BiST)
The BiST is a set of basic hardware and configuration validity tests. It is performed automatically on
startup (Startup BiST) and its results are summarized on the terminal before the switch banner. In
addition, you can invoke the BiST at any time during the T-Marc 300 Series operation.
The BiST results are grouped as shown in the following table:
Table 1: BiST Result Groups
Test Group Description
CPU Core Test Checks the validity of the packet processor
Power Supply Test Checks the voltage output of internal PSU
Fan Test Checks the device fans status
Temperature Test Validates that the temperature is within the configured range
CPU Resources test Checks the CPU utilization percentage
Laser Management Test Checks the Rx/Tx optical power (to enable this test, refer to Enabling
Laser Management Monitoring and Entering the Laser Monitoring
Mode)
Port Statistics Tests Checks CRC and malformed packets on port
RAM Resources Test Checks the RAM utilization percentage
Flash Resources Test Checks the Flash utilization percentage
Startup BiST
The Startup BiST reports a summary of the results by BiST group, stating whether the group tests
passed or failed.
When all the BiST tests pass, the device Status LED (STS) turns steady green.
When one or more tests fail, the device STS LED starts blinking.
Below is the console-port screen example of a Startup BIST:
BUI LT- I N SELF TEST

- - - - - - - - - - - - - - - - - -

CPU Cor e Test : Passed

Power Suppl y Test : Passed

Fan Test : Passed


Page 9

BiST Commands
Table 2: BiST Commands
Command Description
self-test Invokes BiST (see Invoking BiST)
clear power-supply-
alarms
Clears the BiST external power supply alert or clears the second
power feed alert (see Clearing the Power Supply Alert)
show self-test Displays the results of last BiST (see Displaying BiST Results)
Invoking BiST
The self-test command runs a BiST test.

Caution

This command does not execute the RAM Resource Test since this test clears
the RAM memory. This test is executed during the startup BiST.
Command Syntax
device-name#self-test
Example
device-name#self-test
Pr ocessi ng BI ST by r equest . . .

CPU Cor e Test :
CPU Val i dat i on - Passed

Power Suppl y Test :
Power Suppl y- I - Passed

Fan Test :
Fan 1 - Passed
Fan 2 - Passed
Fan 3 - Passed

Temper at ur e Test :
Temper at ur e - Passed

Page 10

Clearing the Power Supply Alert
The clear power-supply-alarms command clears the BiST external power-supply alert (PS-I or
PS-E LEDs).
Command Syntax
device-name#clear power-supply-alarms
Displaying BiST Results
The show self-test command displays the tests that failed during the last BiST.

NOTE
The report that is displayed by the show sel f - t est command is based on the
periodic monitoring on operational indicators (see Periodic Monitoring).
Command Syntax
device-name#show self-test [full]
full (Optional) the command displays the full details of the last BiST, including
additional tests (that are not usually displayed), stating each tests results.
If you do not use this argument, the command displays:
a notification, stating whether the BiST encountered any problems
only failed items and their status
Example 1
Below is an example of BiST results when all tests pass:
device-name#show self-test
No pr obl emencount er ed by BI ST
Example 2
Below is an example of BiST results when the fan test failed:
device-name#show self-test
Pr obl emencount er ed by BI ST
FLASH Resour ces Test :
FLASH Usage - Fai l ed

Page 11

CPU Utilization
CPU utilization provides a picture of how the device CPU handles the load. The higher the
percentage of the CPU used by data transfer, the less power the CPU can devote to other tasks. A
device is diagnosed underpoweredor has depleted resources, if it utilizes 80-85% of its CPU for an
extended period of time.
CPU Utilization Default Configuration
Table 3: CPU Utilization Default Configuration
CPU utilization monitoring Enabled

Enabling CPU Utilization Monitoring
The cpu monitoring command enables CPU utilization monitoring. (To display the CPU
utilization, refer to the HardwareandEnvironment Monitoringsection below).
CPU utilization monitoring is enabled by default.
Command Syntax
device-name(config)#[no] cpu monitoring
no Disables CPU utilization monitoring

Page 12

Hardware and Environment Monitoring
The T-Marc 300 Series CLI provides a sets of show commands to monitor the current hardware
and environmental parameters of the device.

Table 4: Periodic Monitoring Display Commands
Command Description
show cpu utilization
Displays real-time CPU usage (see Displaying the CPU Utilization)
show temperature
Displays the current temperature at the CPU area (see Displaying
the CPU Temperature)
show power supply
Displays the power supply status (see Displaying the Power
Supply Status)
show fan
Displays the fan status (see
Displaying the Fan Status)
Displaying the CPU Utilization
The show cpu utilization command displays the devices real-time CPU usage. You have to
enable CPU utilization monitoring prior to executing this command.
Command Syntax
device-name#show cpu utilization
Example
device-name#show cpu utilization
CPU usage 6%

Page 13

Displaying the CPU Temperature
The show temperature command displays the current temperature at the CPU area in both
Celsius and Fahrenheit.
Command Syntax
device-name#show temperature [high-limit]
high-limit
(Optional) displays the defined CPU temperature limit-value
Example 1
device-name#show temperature
CPU Temper at ur e = 30C ( 86F)
Example 2
device-name#show temperature high-limit
CPU t emper at ur e hi gh l i mi t = 55C ( 131F)
Displaying the Power Supply Status
The show power supply command displays the power supply status.
Command Syntax
device-name#show power-supply
Example
device-name#show power-supply
Power Suppl y- I : Power OK - 12V
Power Suppl y- E: No Power

Page 14

Displaying the Fan Status
The show fan command displays the fan status. The fan status can have one of two values: OK or
Failed.
Command Syntax
device-name#show fan
Example
device-name#show fan
Fan t r ay:
Fan 1 : OK
Fan 2 : OK
Fan 3 : OK

Page 15

Periodic Monitoring
Periodic monitoring is a method used for monitoring different hardware conditions before they
become critical. This method generates SNMP traps notifying of the device status.
You can use periodic monitoring:
to ensure a more reliable day-to-day operation. You can periodically monitor crucial device
functions in the background, receiving alerts when the monitored indicators vary from
operating norms.
as a troubleshooting tool, monitoring transient conditions and tracking irregular behaviors.
You can use this method for triggering diagnostic data-polling based on the device operational
status.
Periodic-Monitoring Indicator Types
There are two types of monitored indicators:
Pass/ Fail conditionsthe monitor function returns a simple Pass or Fail operational status for
the monitored indicator (for example, whether the fans are working or not, or is the power
supply working or not).
Measuredvaluesthe monitor function returns a measured value of the monitored indicator (for
example, the device temperature or the number of packet errors).
Below is the list of the operational indicators that are periodically monitored.
Table 5: Periodic Monitored Operational Indicators
Indicator Monitored As
Power supply Pass/Fail
Fan Pass/Fail
Laser Management Pass/Fail
CPU usage Measured value
Flash usage Measured value
RAM usage Measured value
Temperature Measured value

Page 16

Alert Types
You can assign any or all of the actions below to monitor an alert status:
logthe alert status is written to the CLI history and error message log files
led statusthe STS LED flashes on the device front panel
trapgenerate an SNMP trap
You can define an alert behavior globally (for all monitored indicators) or individually (for each
specific indicator).
Monitoring Limited Values
In order to monitor measured values, you can define limit values that generate alerts when they are
crossed.
You can configure the following conditions:
the measured value rises above the limit value
the measured value drops below the limit value
the measured value crosses the limit value in either direction


Page 17

Periodic Monitoring Default Configuration
Table 6: Periodic Monitoring Default Configuration
Temperature Enabled
Temperature monitoring scale Celsius
Fan Enabled
Power supply Enabled
CPU usage Enabled
Flash usage Enabled
RAM (memory) usage Enabled
Laser Management Disabled
Port Disabled
Log message alert Enabled
LED alert Enabled
Trap alert Enabled
Limit values for monitoring alert See Table 11
Delta value for monitoring alert Disabled
Monitoring interval See Table 7

Table 7: Monitoring-Interval Default Configuration
Power supply 60 seconds
Fans 60 seconds
Temperature 20 seconds
Port statistics 10 seconds
CPU usage 10 seconds
RAM usage 30 seconds
Flash usage 60 seconds
Laser Management 20 seconds


Page 18

Periodic Monitoring Configuration Flow

Figure 1: Periodic Monitoring Configuration Flow
Start
End
Define the indicators' monitoring interval
Enable periodic monitoring for a specific
indicator (see Table 8)
Select the alert type(s):
log alert, LED alert, or SNMP Trap
Define the indicators' limit value
Define a scale for triggering new alerts

Page 19

Periodic Monitoring Configuration-Commands
Table 8: Global Monitoring Configuration Commands
Command Description
monitor all
Configures periodic monitoring for all indicators (see Configuring
Periodic Monitoring)
monitor cpu-usage
Enables CPU Monitoring (see Enabling CPU Monitoring and
Entering the CPU Monitoring Mode)
monitor flash-usage
Enables Flash-usage monitoring (see Enabling Flash-Usage
Monitoring and Entering the Flash Monitoring Mode)
monitor fan
Enables fan monitoring (see Enabling Fan Monitoring and Entering
the Fan Monitoring Mode)
monitor power
Enables power monitoring (see Enabling Power Monitoring and
Entering the Power Monitoring Mode)
monitor ram-usage
Enables RAM monitoring (see Enabling RAM Monitoring and
Entering the RAM Monitoring Mode)
monitor temperature
Enables temperature monitoring (see Enabling Temperature
Monitoring and Entering the Temperature Monitoring Mode)
monitor laser
Enables Laser Management monitoring (see Enabling Laser
Management Monitoring and Entering the Laser Monitoring Mode)
monitor ports
Enables port monitoring (see Enabling Port Monitoring and
Entering the Port Monitoring Mode)


Page 20

Table 9: Specific Monitoring Configuration Commands
NOTE
You must enter the specific-indicators Monitoring Configuration mode to use these
commands (refer to Table 8 )

Command Description
enable
Enables periodic monitoring for a specific indicator (see Enabling
Periodic Monitoring for a Specific Indicator)
disable
Disables periodic monitoring for a specific indicator (see Disabling
Periodic Monitoring for a Specific Indicator)
default
Restores the default settings for a specific indicator (see Restoring
Default Settings for a Specific Indicator)
log
Enables alert-notification logging for a specific indicator (see
Enabling Log-Alert Notification for a Specific Indicator)
status-led
Enables LED-alert notification for a specific indicator (see Enabling
LED-Alert Notification for a Specific Indicator)
trap
Enables SNMP trap notification for a specific indicator.(see
Enabling SNMP Trap Notifications for a Specific Indicator)
period
Defines the interval at which an indicator is polled (see Defining
the Monitoring Interval for a Specific Indicator)
limit
Defines a limit value for a specific indicator (see Defining a Limit
Value for a Specific Indicator)
delta
Defines the scale for triggering new alerts as the measured value
changes (see Defining a Scale for Triggering New Alerts)

Table 10: Periodic Monitoring Display Commands
Command Description
show monitor
Displays the periodic monitoring settings for enabled indicators
(see Displaying the Periodic Monitoring Settings)
show
Displays the monitoring settings of a specific indicator (see
Displaying a Specific Indicators Monitoring Settings)

Page 21

Configuring Periodic Monitoring for All the Indicators
The monitor all command configures periodic monitoring for all the indicators.
All alert options are enabled by default. If you use this command without specifying any of the
three optional arguments (log, status-led, or trap), the command enables all alert options.
Command Syntax
device-name(config)#monitor all [log | status-led | trap] {enable | disable}
device-name(config)#no monitor all [log | status-led | trap]
log (Optional) writes alert messages to the log history
status-led (Optional) triggers the STS LED to blink in case of a failure
trap (Optional) sends SNMP traps
enable Enables periodical monitoring
disable Disables periodical monitoring
Enabling CPU Monitoring and Entering the CPU Monitoring Mode
The monitor cpu-usage command enables CPU monitoring. Use this command without
arguments to enter the CPU Monitoring Configuration mode.
The CPU monitoring periodically samples the CPU usage and calculates their average value. If the
calculated value exceeds a configured limit value, the monitor triggers an alert.
CPU usage monitoring is enabled by default.
Command Syntax
device-name(config)#monitor cpu-usage [enable | disable]
device-name(config)#no monitor cpu-usage

device-name(config)#monitor cpu-usage
device-name(config monitor cpu-usage)#
enable
(Optional) enables CPU usage monitoring
disable
(Optional) disables CPU usage monitoring
no
Restores to default

Page 22

Enabling Flash-Usage Monitoring and Entering the Flash
Monitoring Mode
The monitor flash-usage command enables Flash-usage monitoring. Use this command without
arguments to enter the Flash Monitoring Configuration mode.
The Flash-usage monitoring periodically samples the remaining Flash space available for allocation.
If the calculated value drops from a configured limit value, the monitor triggers an alert.
Flash usage monitoring is enabled by default.
Command Syntax
device-name(config)#monitor flash-usage [enable | disable]
device-name(config)#no monitor flash-usage

device-name(config)#monitor flash-usage
device-name(config monitor flash-usage)#
enable
(Optional) enables Flash usage monitoring
disable
(Optional) disables Flash usage monitoring
no
Restores to default
Enabling Fan Monitoring and Entering the Fan Monitoring Mode
The monitor fan command enables fan monitoring. Use this command without arguments to
enter the Fan Monitoring Configuration mode.
Fan monitoring is enabled by default.
Command Syntax
device-name(config)#monitor fan [enable | disable]
device-name(config)#no monitor fan

device-name(config)#monitor fan
device-name(config monitor fan)#
enable
(Optional) enables fan monitoring
disable
(Optional) disables fan monitoring
no
Restores to default

Page 23

Enabling Power Monitoring and Entering the Power Monitoring
Mode
The monitor power command enables power monitoring. Use this command without arguments
to enter the Power Monitoring Configuration mode.
Power monitoring is enabled by default.
Command Syntax
device-name(config)#monitor power [enable | disable]
device-name(config)#no monitor power
device-name(config)#monitor power
device-name(config monitor power)#
enable
(Optional) enables power monitoring
disable
(Optional) disables power monitoring
no
Restores to default
Enabling RAM Monitoring and Entering the RAM Monitoring Mode
The monitor ram-usage command enables RAM Monitoring, Use this commands without
arguments to enter the RAM Monitoring Configuration mode.
The RAM usage monitoring periodically checks the remaining RAM that is available for allocation.
If this amount is less than a configured limit value, the monitor triggers an alert.
RAM usage monitoring is enabled by default.
Command Syntax
device-name(config)#monitor ram-usage [enable | disable]
device-name(config)#no monitor ram-usage

device-name(config)#monitor ram-usage
device-name(config monitor ram-usage)#
enable
(Optional) enables RAM usage monitoring
disable
(Optional) disables RAM usage monitoring
no
Restores to default

Page 24

Enabling Temperature Monitoring and Entering the Temperature
Monitoring Mode
The monitor temperature command enables temperature monitoring and defines the
temperature scale. Use this commands without arguments to enter the Temperature Monitoring
Configuration mode.
The Temperature Monitoring Configuration mode indicates the temperature scale settings,
displaying C for Celsius or F for Fahrenheit.
Temperature monitoring is enabled by default.
Command Syntax
device-name(config)#monitor temperature [enable | disable | celsius |
fahrenheit]
device-name(config)#no monitor temperature

device-name(config)#monitor temperature
device-name(config monitor temperature C)#

device-name(config monitor temperature F)#
enable
(Optional) enables temperature monitoring
disable
(Optional) disables temperature monitoring
celsius
(Optional) configures the temperature scale to Celsius.
Celsius
fahrenheit
(Optional) configures the temperature scale to Fahrenheit
no
Restores to default
Example
device-name(config)#monitor temperature fahrenheit
device-name(config monitor temperature F)#

Page 25

Enabling Laser Management Monitoring and Entering the Laser
Monitoring Mode
The monitor laser command enables Laser Management monitoring and enters the Laser
Monitoring Configuration mode.
For more information, refer to the Laser Management section of this document.
Laser Management monitoring is disabled by default.
Command Syntax
device-name(config)#monitor laser [enable | disable]
device-name(config monitor laser)#
enable
(Optional) enables Laser Management monitoring
disable
(Optional) disables Laser Management monitoring


Page 26

Enabling Port Monitoring and Entering the Port Monitoring Mode
The monitor ports command enables port monitoring. Use this commands without arguments to
enter the Port Monitoring Configuration mode.
Port monitoring includes the following counters:
Runtsthis counter is incremented by one for each received and transmitted packet that is
less than 64 bytes in size. This counter includes rejected, received, and transmitted packets.
Over Sizethis counter is incremented by one for each received and transmitted packet that
is more than the configured MaxFrameSize(for more information, refer to the Configuring
Interfaceschapter of this user guide). This counter includes rejected, received, and transmitted
packets
CRCAlignErrorsthis counter is incremented by one for every received packet that meets all
the following conditions:
The packet data length is between 64 and MaxFrameSize bytes inclusive
The packet has an invalid CRC
No collision event is detected
No late collision event is detected

NOTE
In order to avoid excessive load on the server, a trap notification is sent only when
the number of errors on a port increases. However, you can configure a trap
notification to also indicate a decrease in the number of errors on a port.

Port monitoring is disabled by default.
Command Syntax
device-name(config)#monitor ports [enable | disable]
device-name(config)#no monitor ports

device-name(config)#monitor ports
device-name(config monitor ports)#
enable
(Optional) enables port monitoring
disable
(Optional) disables port monitoring
no
Restores to default


Page 27

Enabling Periodic Monitoring for a Specific Indicator
The enable command enables periodic monitoring for a specific indicator.
CLI Mode: Specific Monitoring Configuration
Command Syntax
device-name(config monitor INDICATOR)#enable
Example
The following example enables temperature monitoring:
device-name(config monitor temperature)#enable
Disabling Periodic Monitoring for a Specific Indicator
The disable command disables periodic monitoring for a specific indicator.
Command Syntax
device-name(config monitor INDICATOR)#disable
Example
The following example disables temperature monitoring:
device-name(config monitor temperature)#disable
Restoring Default Settings for a Specific Indicator
The default command restores the default settings for a specific indicator.
Command Syntax
device-name(config monitor INDICATOR)#default

Page 28

Enabling Log-Alert Notification for a Specific Indicator
The log command enables alert-notification logging for a specific indicator. When you enable this
option, an alert message is written to the log and history files when one of the following conditions
occurs:
the indicator status is fail
the indicators measured value exceeds its configured limit value
the indicators measured value crosses a configured delta point
To use the Syslog server, refer to the ConfiguringSystemMessageLoggingchapter of this user guide.
Log-alert notification is enabled by default.
Command Syntax
device-name(config monitor INDICATOR)#log {enable | disable}
enable
Enables log-alert notification
disable
Disables log-alert notification
Enabling LED-Alert Notification for a Specific Indicator
The status-led command enables LED-alert notification for a specific indicator. When you
enable this option, the STS LED starts blinking when one of the following conditions occurs:
the indicators measured value exceeds its configured limit
LED-alert notification is enabled by default.
Command Syntax
device-name(config monitor INDICATOR)#status-led {enable | disable}
enable
Enables LED-alert notification
disable
Disables LED-alert notification


Page 29

Enabling SNMP Trap Notifications for a Specific Indicator
The trap command enables SNMP trap notification for a specific indicator. When you enable this
option, an SNMP trap is issued when one of the following conditions occurs:
the indicators measured value exceeds its configured limit
For more information, refer to the ConfiguringSimpleNetwork Management Protocol (SNMP) chapter of
this user guide.
SNMP trap notification is enabled by default.
Command Syntax
device-name(config monitor INDICATOR)#trap {enable | disable}
enable
Enables SNMP trap notification
disable
Disables SNMP trap notification
Defining the Monitoring Interval for a Specific Indicator
The period command defines the intervals at which an indicator is polled.
Table7 lists the default monitoring intervals.
Command Syntax
device-name(config monitor INDICATOR)#period {hour | minutes | seconds}
<value>
device-name(config monitor INDICATOR)#no period
hour
Sets the monitoring interval in hour units
minutes
Sets the monitoring interval in minute units
seconds
Sets the monitoring interval in second units
value
The monitoring interval. Valid values are:
<124>hours
<11440>minutes
<186400>seconds
no
Restores to default

Page 30

Defining a Limit Value for a Specific Indicator
The limit command defines a limit value for a specific indicator.
The below table list the default and allowed limit values.
Command Syntax
device-name(config monitor INDICATOR)#limit <value>
device-name(config monitor INDICATOR)#no limit
value
The limit value. Defining a zero (00 value disables limit-based alerts and
erases the limit
no
Restores to default

Table 11: Allowed Limit Values
Indicator Units of
Measurement
Allowed Limit Values Default Value
Degrees Celsius 060 C 55C
monitor
temperature
Degrees Fahrenheit 32140 F 131F
monitor cpu-usage
% 0100 75%
monitor flash-
usage
KB 0Flash size KB 3047 KB
monitor ram-usage
KB 0Installed RAM 1000 KB
monitor laser
see Laser Management Commands

NOTE
When a monitored value exceeds the specified limit value, alert notification is
triggered. An exception is the RAM usage value: when this value is lower than the
specified limit value, an alert notification is triggered.


Page 31

Defining a Scale for Triggering New Alerts
The delta command defines the scale for triggering new alerts as the measured value changes.
Command Syntax
device-name(config monitor INDICATOR)#delta <difference> [always | greater |
less]
device-name(config monitor INDICATOR)#no delta
This command defines delta points that are whole multiples of the <difference> argument, in which a
new alert is generated. For example, if the limit value is 55 and <difference> is 3, new alerts are
generated when the value crosses each of the values: 55, 58, 61, 64, and so on.
difference
The delta between the current monitored value and previous measurement
that should trigger an alert.
For temperature monitoring, the configured unit is in Fahrenheit or Celsius
degrees, depending on the selected temperature scale.
always
(Optional) triggers an alert when the measured value rises above or drops
below the value limit by a multiple of the <difference>
greater
(Optional) triggers an alert when the measured value rises above the limit
by a multiple of the <difference>
less
(Optional) triggers an alert when the measured value drops below the limit
by a multiple of the <difference>
no
Restores to defaults. Specifying a zero value disables delta alerts.
Example
In this example an alert is generated when the measured temperature rises above the limit by 5,
10, 15, and so on. No alert is generated when the temperature drops below the limit..
device-name(config monitor temperature C)#delta 5 greater

Page 32

Displaying the Periodic Monitoring Settings
The show monitor command displays the periodic monitoring settings for enabled indicators,
including Laser Management monitoring (see also DisplayingBiST Results).
Command Syntax
device-name#show monitor [INDICATOR] [brief]
INDICATOR
(Optional) displays periodic monitoring settings for a specific indicator. The
valid options are:
power
fan
temperature
port
cpu-usage
ram-usage
flash-usage
laser
brief
(Optional) displays a summary of all monitored indicators
Example 1
Use the command without any options to display the status of all enabled indicators:
device-name#show monitor

Power Suppl y Test

Per i od : 60 sec.
St at us LED : Enabl ed
Tr aps : Enabl ed
Log : Enabl ed

Fan Test

Per i od : 60 sec.
Tr aps : Enabl ed
Log : Enabl ed

Temper at ur e Test

Page 33

Per i od : 20 sec.
Tr aps : Enabl ed
Log : Enabl ed
Temper at ur e l i mi t : 55C

Por t St at i st i cs Test

Per i od : 10 sec.
Tr aps : Enabl ed
Log : Enabl ed
Li mi t val ue : 1%

CPU Resour ces Test

Per i od : 10 sec.
Tr aps : Enabl ed
Log : Enabl ed
Li mi t val ue : 75%

RAM Resour ces Test

Per i od : 30 sec.
Tr aps : Enabl ed
Log : Enabl ed
Li mi t val ue : 1000KB

FLASH Resour ces Test

Per i od : 60 sec.
Log : Enabl ed

Laser Management Test
: Di sabl ed

Page 34

Example 2
Display a summary of enabled indicators:
device-name #show monitor brief
Power Suppl y Test : Per i od 60 sec.
Fan Test : Per i od 60 sec.
Temper at ur e Test : Per i od 20 sec.
Por t St at i st i cs Test : Per i od 10 sec.
CPU Resour ces Test : Per i od 10 sec.
RAM Resour ces Test : Per i od 30 sec.
FLASH Resour ces Test : Per i od 60 sec.
Laser Management Test : Di sabl ed
Example 3
Display the temperature indicator: settings:
device-name#show monitor temperature
Per i od : 20 sec.
Tr aps : Enabl ed
Log : Enabl ed
Temper at ur e l i mi t : 55C
Displaying a Specific Indicators Monitoring Settings
The show command displays the monitoring settings of a specific indicator (see also the
show monitor command above).
CLI Mode: Monitoring Configuration
Command Syntax
device-name(config monitor INDICATOR)#show
Example:
device-name(config monitor cpu-usage)#show
Per i od : 10 sec.
Tr aps : Enabl ed
Log : Enabl ed


Page 35

CPU Usage Monitoring
In the following example, CPU usage monitoring is enabled and configured with both limit and
delta commands.
1. Enable CPU usage monitoring:
device-name(config)#monitor cpu-usage enable
2. Enter the CPU Monitoring Configuration mode:
device-name(config)#monitor cpu-usage
3. Display the CPU usage monitoring settings:
device-name(config cpu-usage)#show
Per i od : 10 sec.
Faul t LED : Enabl ed
Tr aps : Enabl ed
Log : Enabl ed
4. Define the CPU usage limit value to 5%:
device-name(config monitor cpu-usage)#limit 5
5. Define the delta to 1%:
device-name(config monitor cpu-usage)#delta 1 greater
device-name(config monitor cpu-usage)#end
6. Display the CPU usage monitoring settings:
device-name#show monitor cpu-usage
Per i od : 10 sec.
Tr aps : Enabl ed
Log : Enabl ed
Li mi t val ue : 5%
Del t a val ue : 1%
Not i f y on del t a i f cr i t er i a gr eat er t han l i mi t
7. Display the CPU usage monitoring on the CLI console and store the information in the
NVRAM history table:
device-name(config)#log cli-console trap debugging
device-name(config)#log nvram-history trap errors

Page 36

The traps are displayed on the CLI console:
t Hi SwMoni t r : CPU Usage BI ST f ai l : 7( l i mi t 5)
t Hi SwMoni t r : CPU usage del t a: cur r ent 7
t Hi SwMoni t r : CPU Usage BI ST OK: 5( max 7)
t Hi SwMoni t r : CPU Usage BI ST f ai l : 6( l i mi t 5)
t Hi SwMoni t r : CPU Usage BI ST OK: 5( max 7)
RAM Usage Monitoring
In the following example, RAM usage monitoring is enabled and configured with period, limit,
and delta commands.
8. Enable RAM usage monitoring:
device-name(config)#monitor ram-usage enable
9. Enter the RAM Monitoring Configuration mode:
device-name(config)#monitor ram-usage
10. Display the RAM usage monitoring settings:
device-name(config monitor ram-usage)#show
Per i od : 30 sec.
Tr aps : Enabl ed
Log : Enabl ed
Li mi t val ue : 1000Kb
11. Define the RAM usage limit value to 10:
device-name(config monitor ram-usage)#limit 10
12. Define the delta to 3 KB:
device-name(config monitor ram-usage)#delta 3 less
13. Define the monitoring interval to 5 seconds:
device-name(config monitor ram-usage)#period seconds 5
device-name(config monitor ram-usage)#end
14. Display the RAM usage monitoring settings:
device-name#show monitor ram-usage
Per i od : 5 sec.
Tr aps : Enabl ed
Log : Enabl ed
Del t a val ue : 3Kb
Not i f y on del t a i f cr i t er i a l ess t han l i mi t

Page 37

15. Display the RAM usage monitoring on the CLI console and store the information in the
t Hi SwMoni t r : RAM Usage BI ST f ai l : 166424Kb ( l i mi t 170450Kb)
t Hi SwMoni t r : RAM Usage BI ST OK: 196424Kb ( mi n 196424Kb)
Flash Usage Monitoring
In the following example, Flash usage monitoring is enabled and configured with period, limit,
and delta commands.
16. Enable Flash usage monitoring:
device-name(config)#monitor flash-usage enable
17. Enter the Flash Monitoring Configuration mode:
device-name(config)#monitor flash-usage
18. Display the Flash usage monitoring settings:
device-name(config monitor flash-usage)#show
Per i od : 60 sec.
Tr aps : Enabl ed
Log : Enabl ed
19. Define the Flash usage limit:
device-name(config monitor flash-usage)#limit 15669824
20. Define the delta to 3 KB:
device-name(config monitor flash-usage)#delta 3 less
21. Define the monitoring interval to 5 seconds:
device-name(config monitor flash-usage)#period seconds 5
device-name(config monitor flash-usage)#end
22. Display the Flash usage monitoring settings:
device-name#show monitor flash-usage
Per i od : 5 sec.
Log : Enabl ed
Del t a val ue : 3Kb
Not i f y on del t a i f cr i t er i a l ess t han l i mi t

Page 38

23. Display the Flash usage monitoring on the CLI console and store the information in the
t TMSApp: FLASH Usage BI ST f ai l : 14326KB 47%( l i mi t 15669824KB 51420%)
device-name(config monitor flash-usage)#no limit
device-name(config monitor flash-usage)#
t TMSApp: FLASH Usage BI ST OK: 14326KB 47%( mi n 14326KB 47%)

Page 39

Laser Management
Laser Management is a feature used for monitoring optical SFP transceivers operational-
parameters. This feature is based on the enhanced digital-diagnostic interface, described in SFF-
8472 specification.
Using this method you can monitor parameters such as received optical power, transmitter (Tx) and
receiver (Rx) output power, and transceiver temperature. In addition you can configure high/ low
monitoring thresholds and receive notification in case these thresholds are crossed.
Laser Management Default Configuration
Table 12: Laser Management Default Configuration
Periodic Laser Management monitoring Disabled
Polling period 20 seconds
LED alert Enabled
Trap alert Enabled
Logging alert messages Enabled
High temperature threshold 85 C
Low temperature threshold -45 C
High Rx power threshold -7 dBm
Low Rx power threshold -32 dBm
High Tx power threshold -5 dBm
Low Tx power threshold -16 dBm

Page 40

Laser Management Configuration Flow

Figure 2: Laser Management Configuration Flow
Start
End
Enable Laser Management monitoring
(Optional) define the polling interval
(Optional) Define the port temperature threshold
(optional) Select the alert type(s):
log alert, LED alert, or SNMP Trap
(Optional) Define the port Tx Power threshold
(Optional) Define the port Rx Power threshold

Page 41

Laser Management Commands
Table 13: Laser Management Configuration Commands
Command Description
monitor laser
Enables Laser Management monitoring and enters the Laser
Monitoring Configuration mode (see Enabling Laser Management
and Entering the Laser Monitoring Mode)
enable
Enables periodic Laser Management monitoring (see Enabling
Periodic Laser Management)
disable
Disables periodic Laser Management monitoring (see Disabling
the Periodic Laser Management)

Table 14: Laser Management Optional Commands
Command Description
default
Restores the Laser Management monitoring configuration to its
default settings (see Restoring the Default Laser Management
Configuration)
period
Defines the Laser Management monitoring polling intervals (see
Defining the Laser Management Polling Intervals)
log
Enables alert notification logging for Laser Management
monitoring (see Enabling Laser Management Log-Alert
Notification)
status-led
Enables LED-alert notifications for Laser Management monitoring
(see Enables Laser Management LED-Alert Notification)
trap
Enables SNMP trap notifications for Laser Management monitoring
(see Enabling Laser Management SNMP Trap Notification)
temperature-threshold
Defines a specified port(s) temperature threshold (see Defining the
Port(s) Temperature Threshold)
tx-power-threshold
Defines a specified port(s) Tx power threshold (see Defining the
Port(s) Tx Power Threshold)
rx-power-threshold
Defines a specified port(s) Rx power threshold (see Defining the
Port(s) Rx Power Threshold)

Table 15: Laser Management Display Commands
Command Description
show monitor
Displays the Laser Management monitoring settings (refer to
Displaying the Laser Management Settings)
show laser
Displays current values of laser-related metrics (see Displaying the
Port(s) Laser Settings)


Page 42

Enabling Laser Management and Entering the Laser Monitoring
Mode
The monitor laser command enables Laser Management monitoring and enters the Laser
Monitoring Configuration mode.
Laser monitoring is disabled by default.
Command Syntax
device-name(config)#monitor laser {enable | disable}
device-name(config monitor laser)#
enable
Enables laser monitoring
disable
Disables laser monitoring
Enabling Periodic Laser Management
The enable command enables periodic Laser Management monitoring.
Command Syntax
device-name(config monitor laser)#enable
Disabling the Periodic Laser Management
The disable command disables periodic Laser Management monitoring.
Command Syntax
device-name(config monitor laser)#disable

Page 43

Restoring the Default Laser Management Configuration
The default command restores the Laser Management monitoring configuration to its default
settings.
Command Syntax
device-name(config monitor laser)#default
Defining the Laser Management Polling Intervals
The period command defines the Laser Management polling intervals.
The default Laser Management polling interval is 20 seconds.
Command Syntax
device-name(config monitor laser)#period {hour | minutes | seconds} <value>
device-name(config monitor laser)#no period
hour
Sets the interval in hour units
minutes
Sets the interval in minute units
seconds
Sets the interval in second units
value
The interval value. The valid values are:
<124>hours
<11440>minutes
<186400>seconds
no
Restores to default
Example
device-name(config monitor laser)#period minutes 100

Page 44

Enabling Laser Management Log-Alert Notification
The log command enables alert notification logging for Laser Management. When this option is
enabled, an alert message is written to the log and history files when a measured value crosses the
configured limit value.
Log-alert notification is enabled by default
Command Syntax
device-name(config monitor laser)#log {enable | disable}
enable
Enables alert notification logging
disable
Disables alert notification logging
Enables Laser Management LED-Alert Notification
The status-led command enables LED-alert notifications for Laser Management. When this
option is enabled, the device STS LED starts blinking when a measured value crosses the
configured limit value.
LED alert notification is enabled by default.
Command Syntax
device-name(config monitor laser)#status-led {enable | disable}
enable
Enables LED-alert notification
disable
Disables LED-alert notification


Page 45

Enabling Laser Management SNMP Trap Notification
The trap command enables SNMP trap notifications for Laser Management. When this option is
enabled, an SNMP trap is generated when a measured value crosses the configured limit value.
SNMP trap notification is enabled by default.
Command Syntax
device-name(config monitor laser)#trap {enable | disable}
enable
Enables SNMP trap notification
disable
Disables SNMP trap notification
Defining the Port(s) Temperature Threshold
The temperature-threshold command defines a specified port(s) temperature threshold.
Command Syntax
device-name(config monitor laser)#temperature-threshold {high | low} <VALUE>
[PORT-LIST]
device-name(config monitor laser)#no temperature-threshold {high | low} [PORT-
LIST]
high
Defines the high temperature threshold
85 C
low
Defines the low temperature threshold
-40 C
VALUE
The temperature threshold value, with an accuracy range of 1 C
PORT-LIST
(Optional) one or more port numbers, specified by the following options:
UUall ports on a specified unit
UU/SSall ports on a specified slot
A hyphenated range of ports (for example: 1/2/11/2/2 or 1/11/2)
Several port numbers and/or ranges, separated by commas
(for example: 1/1/1, 1/2/11/2/2, 1/3/1)
NOTE
Do not leave blank spaces before or after the comma
separating sequential lists.

Page 46

no
Restores to default
Defining the Port(s) Tx Power Threshold
The tx-power-threshold command defines a specified port(s) Tx power threshold.
Command Syntax
device-name(config monitor laser)#tx-power-threshold {high | low} <VALUE>
[PORT-LIST]
device-name(config monitor laser)#no tx-power-threshold {high | low} [PORT-
LIST]
high
Defines the Tx power high threshold
-5 dBm
low
Defines the Tx power low threshold
-16 dBm
VALUE
The Tx power threshold value
PORT-LIST
(for example: 1/1/1, 1/2/11/2/2, 1/3/1)
NOTE
no
Restores to default


Page 47

Defining the Port(s) Rx Power Threshold
The rx-power-threshold command defines a specified port(s) Rx power threshold.
Command Syntax
device-name(config monitor laser)#rx-power-threshold {high | low} <VALUE>
[PORT-LIST]
device-name(config monitor laser)#no rx-power-threshold {high | low} [PORT-
LIST]
high
Defines the Rx power high threshold
-7 dBm
low
Defines the Rx power low threshold
-32 dBm
VALUE
The Rx power threshold value
PORT-LIST
(for example: 1/2/11/2/2 or 1/11/2)
Several port numbers and/or ranges, separated by commas (for
example: 1/1/1, 1/2/11/2/2, 1/3/1).
NOTE
no
Restores to default


Page 48

Displaying the Laser Management Settings
The show monitor laser command displays the Laser Management settings.
Command Syntax
device-name#show monitor laser
Example
device-name#show monitor laser
Laser Management Test
Per i od : 20 sec.
Tr aps : Enabl ed
Log : Enabl ed
Temper at ur e Li mi t :
Def aul t : - 45C. . 85C
1/ 2/ 2: - 35C. . 90C
Tx- Power Li mi t :
Def aul t : - 16dBm. . - 5dBm
1/ 2/ 4: - 13dBm. . - 5dBm
Rx- Power Li mi t :
Def aul t : - 32dBm. . - 7dBm
1/ 2/ 4: - 13dBm. . - 7dBm
Displaying the Port(s) Laser Settings
The show laser command displays the defined laser-related settings.
Command Syntax
device-name#show laser [PORT-LIST]

Page 49

PORT-LIST
(for example: 1/1/1, 1/2/11/2/2, 1/3/1).
NOTE


Page 50

Example 1
device-name#show laser
Por t 1/ 2/ 1
Temper at ur e : 30C
Tx- Power : - 10dBm
Rx- Power : - 9dBm

Por t 1/ 2/ 2
Tx- Power : - 10dBm
Rx- Power : - 9dBm
Example 2
device-name#show laser 1/2/1
Por t 1/ 2/ 1
Tx- Power : - 10dBm
Rx- Power : - 9dBm

Page 51

Virtual Cable Testing (VCT)
VCT is a transceiver feature that utilizes time domain reflectometry to diagnose cable and link
problems.
For proper VCT results, you must use the following physical attachments:
Cable Pair Attaches to Pin Pair
Pin 1, 2 (1, 2) or (2, 1) or (3, 6) or (6, 3)
Pin 3, 6 (3, 6) or (6, 3) or (1, 2) or (2, 1)

For example, you cannot attach pin pair (1, 2) to pins (3, 4).
Possible Test Results
The possible command outputs are:
Normalno problems are detected along the cable
ImpedanceMismatchdifferent types of cables are attached to one another
Openat X metersthe pair is open
Short at Y metersa short circuit is detected on the pair
Test failedthe test failed for the specific pair
Test not supportedonspecificportthe port does not support VCT
Initiating VCT on a Port
The vct-run command initiates VCT on a specific port.
Command Syntax
device-name#vct-run {UU/SS/PP | full-device}
UU/SS/PP
The port on which VCT is performed
full-device
Performs VCT on all ports
Example 1
device-name#vct-run 1/1/1
Por t wi l l be di sabl ed dur i ng t he t est . Ar e you sur e?( y/ n) : y
%Thi s por t does not suppor t VCT.

Page 52

Example 2
VCT t est r unni ng. Pl ease wai t t o gat her avai l abl e dat a . . .

Test r esul t ( Di st ance accur acy 2m) :
Pi ns 1, 2: Nor mal - Cabl e Lengt h i s unknown.
Example 3

Pi ns 1, 2: Open at 1m.
Example 4
device-name#vct-run full-device
The t est wi l l di sabl e al l por t s on devi ce. Ar e you sur e?( y/ n) : y

Por t : 1/ 1/ 1

Por t : 1/ 1/ 2

Por t : 1/ 2/ 1

Por t : 1/ 2/ 2

Por t : 1/ 2/ 3

Page 53


Por t : 1/ 2/ 4

Por t : 1/ 2/ 5

Por t : 1/ 2/ 6

Por t : 1/ 2/ 7

Por t : 1/ 2/ 8

Page 54

Port Mirroring (Port Monitoring)
Port Mirroring is a method for monitoring network traffic. Port mirroring forwards all the data
transmitted and received by a port to a different location where it can be examined. The port
monitoring the traffic has to be connected to a Network Analyzer or RMON probe for packet
analysis.
There are two methods of Port Mirroring:
Local Port Mirroringcopies packets passing through one or more ports (sourceports) of a device to
the monitor port (destinationport). In this case, both the source ports and destination port are
located on the same device.

Figure 3: Local Port Mirroring
RemotePort Mirroringcopies packets passing through the source port(s) to a destination port on
a different device.

Figure 4: Remote Port Mirroring
A monitor session includes the following traffic types:
Receive(Rx, ingressmonitoring)the destination port receives a copy of the packets transmitted to
the source port, before the source device modifies or processes them.
Transmit (Tx, egressmonitoring)the destination port receives a copy of the packets transmitted
by the source port, after the source device modifies and processes them.

NOTE
In egress monitoring, the packets are forwarded to the destination port before
the source port changes the packets 802.1q header. Therefore, the packets
transmitted to the destination port may differ from the packets sent out by the
source port.


Page 55

Source Port Characteristics
The T-Marc 300 Series device can monitor egress traffic, ingress traffic, or both simultaneously.
The device supports up to eight source ports, when monitoring egress traffic.
The device can monitor any port type such as Fast Ethernet, Gigabit Ethernet, and link-
aggregation group.
The source port cannot be a destination port.
Source ports can be in the same or different VLANs.
Destination Port Characteristics
The destination port:
must reside on the same device as the source port (for a local monitor session)
can be any physical Ethernet port
cannot be a source port
can participate in only one monitor session at a time (it cannot be a destination port for a
second monitor session)
does not transmit any traffic except the traffic required for the monitoring session
is limited to its capacity: any traffic exceeding the ports capacity is dropped
Port Monitoring Defaults
Table 16: Port Monitoring Default Configuration
Monitor session Disabled
Port Monitoring Commands
Table 17: Monitor Session Commands
Command Description
monitor session
Initiates a monitor session (see Initiating a Monitor Session)
show monitor session
Displays the monitor session configuration (see Displaying a
Monitor Session)


Page 56

Initiating a Monitor Session
The monitor session command initiates a new monitor session.
Command Syntax
device-name(config)#monitor session {tx | rx} {destination interface UU/SS/PP
| source interface PORT_LIST}
device-name(config)#no monitor session {tx | rx}
tx
The session monitors egress traffic
rx
The session monitors ingress traffic
destination
interface UU/SS/PP
The destination port (monitoring port)
source interface
Configures the source port(s)
PORT_LIST
List of source ports, separated by commas. Use hyphens to indicate
a port range (for example, 1/1/11/1/2, 1/2/2)
no
Removes the monitor session
Displaying a Monitor Session
The show monitor session command displays the monitor session information
Command Syntax
device-name(config)#show monitor session
Example
device-name(config)#monitor session tx destination interface 1/1/1
device-name(config)#monitor session tx source interface 1/1/2
device-name#show monitor session
====================================================
Moni t or | Dest i nat i on | Sour ce | Moni t or ed Sour ce
- - - - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - -
Tr ansmi t | por t 1/ 1/ 1 | por t s | 1/ 1/ 2
Recei ve |

Page 57

In the following example port 1/ 2/ 1 mirrors the traffic on ports 1/ 1/ 1 and 1/ 1/ 2. The port
monitors both Rx and Tx traffic.

Figure 5: Monitor- Session Configuration Example
24. Define the destination port for both Rx and Tx:
device-name(config)#monitor session rx destination interface 1/2/1
device-name(config)#monitor session tx destination interface 1/2/1
25. Define the source ports:
device-name(config)#monitor session rx source interface 1/1/1
device-name(config)#monitor session tx source interface 1/1/2
26. Display the monitor session configuration:
device-name#show monitor session
====================================================
Moni t or | Dest i nat i on | Sour ce | Moni t or ed Sour ce
- - - - - - - - - - +- - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - - - - - -
Tr ansmi t | por t 1/ 2/ 1 | por t s | 1/ 1/ 2
Recei ve | por t 1/ 2/ 1 | por t s | 1/ 1/ 1

Page 58

Iometrix Loopback and Logical Services Loopback
(LSL)
Iometrix Loopback
The Iometrix loopback feature performs quality-of-service measurements over IP and Carrier
Ethernet networks by looping measurement packets back to the sending device.
This feature works with specific Iometrix MAC addresses (it does not process packets containing
multicast or broadcast source MAC addresses).
The Iometrix measurement packet is dropped if:
the source MAC address is non-unicast or equal to the default MAC address
(00:30:79:FF:FF:FF)
the source MAC address does not begin with 00:30:79
an Iometrix measurement packet arrives on a port on which Iometrix loopback is disabled
The device can continue receiving and transmitting normal data frames while Iometrix loopback is
enabled.
LSL
LSL provides end-to-end service-level verification across multiple providers to support individual
service level agreements. LSL extracts the source MAC address from the incoming loopback frame
and modifies the incoming frame by using the extracted source address as the destination address.
The device can continue receiving and transmitting normal data frames while LSL is enabled.
BiNOS utilizes hardware-based Iometrix loopback and LSL, ensuring wire-speed reply from these
tests.

Page 59

Iometrix Loopback and LSL Default Configuration
Table 18: Iometrix and LSL Loopbacks Default Configuration
Iometrix Loopback Disabled
Iometrix measurement packets Not captured
Iometrix destination MAC address 00:30:79:FF:FF:FF
LSL Disabled
LSL destination MAC address The device MAC address+12.
12 is added only to the last byte of the MAC address.
For example if the device MAC is 00:a0:12:b0:b0:b0,
the default LSL destination MAC address is
00:a0:12:b0:b0:bc.
Iometrix Loopback and LSL Commands
Table 19: Iometrix Loopback commands
Command Description
iometrix
Enables the process of sending of Iometrix loopback packets on a
port/LAG (see Enabling Iometrix Loopback)
show iometrix
Displays the Iometrix status configuration (see Displaying a
Port/LAG Iometrix )

Table 20: LSL commands
Command Description
lsl
Configures the process of sending LSL measurement packets (see
Enabling LSL on a Port/LAG)
lsl loopback
destination-mac
Specifies a destination MAC address used to verify if the
processed packets should be looped back to their origin port after
MAC swapping (see Configuring the LSL Destination MAC
Address)
show lsl
Displays the LSL status configuration (see Displaying the LSL
Configuration)

Page 60

Enabling Iometrix Loopback on a Port/LAG
The iometrix command enables the Iometrix loopback feature on a specific port or LAG. Once
enabled, the port/ LAG is able to loopback Iometrix packets received.
CLI Mode: Interface Configuration, LAG Interface Configuration
The Iometrix loopback feature is disabled by default.
Command Syntax
device-name(configif UU/SS/PP)#iometrix {enable | disable}
device-name(configif AG0N)#iometrix {enable | disable}
enable
Enables Iometrix loopback
disable
Disables Iometrix loopback
Example
device-name(configif 1/1/1)#iometrix enable

device-name(config-if AG01)#iometrix disable
Displaying a Port/LAG Iometrix Configuration
The show iometrix command displays the Iometrix configuration on a specified port or LAG.

NOTE
Do not remove the CPU from the VLAN used by Iometrix and LSL. The port should
participate as a tagged/ untagged member of the default VLAN that is configured on
that port. The looped back packets egress the port with/ without tag (depending on
the port configuration: tagged in case the port is a tagged member of the default
VLAN or untagged in case the port is an untagged member of the default VLAN).

Command Syntax
device-name#show iometrix {UU/SS/PP | ag0N}
UU/SS/PP
(Optional) the port number
agON
(Optional) the LAG ID, in the of range <17>

Page 61

Example 1
device-name#show iometrix
======================
| I nt er f ace | St at us |
======================
| 1/ 1/ 1 | Enabl ed |
| 1/ 1/ 2 | Di sabl ed |
| 1/ 2/ 1 | Di sabl ed |
. . .
| 1/ 2/ 8 | Di sabl ed |
| AG01 | Di sabl ed |
| . . .

Example 2
device-name#show iometrix 1/1/1
======================
======================
| 1/ 1/ 1 | Enabl ed |
Enabling LSL on a Port/LAG
The lsl command enables LSL on a specific port or LAG. Once enabled, the port/ LAG is able to
loopback LSL packets.
CLI Mode: Interface Configuration, LAG Interface Configuration
LSL is disabled on the ports and the device does not loopback LSL packets by default.
Command Syntax
device-name(configif UU/SS/PP)#lsl {enable | disable}
device-name(configif AG0N)#lsl {enable | disable}
enable
Enables LSL
disable
Disables LSL
Example
device-name(configif 1/1/1)#lsl enable

device-name(config-if AG01)#lsl disable

Page 62

Configuring the LSL Destination MAC Address
The lsl loopback destination-mac command configures a destination MAC address used for
LSL packets.
Command Syntax
device-name(config)#lsl loopback destination-mac {MM:MM:MM:MM:MM:MM | default}
MM:MM:MM:MM:MM:MM
The destination multicast MAC address
default
The device MAC address+12.
12 is added only to the last byte of the MAC address. For example if
the device MAC is 00:a0:12:b0:b0:b0, the default LSL destination
MAC address is 00:a0:12:b0:b0:bc.
Example
device-name(config)#lsl loopback destination-mac 01:00:11:22:33:44
Displaying the LSL Configuration
The show lsl command displays the LSL configuration on a specified port or LAG.
Command Syntax
device-name#show lsl {UU/SS/PP | ag0N}
UU/SS/PP
ag0N


Page 63

Example 1
device-name#show lsl
Dest i nat i on MAC: 01: 00: 11: 22: 33: 44
======================
======================
| 1/ 1/ 1 | Enabl ed |
| 1/ 1/ 2 | Di sabl ed |
| 1/ 2/ 1 | Di sabl ed |
. . .
| 1/ 2/ 8 | Di sabl ed |
. . .
Example 2
device-name#show lsl 1/1/1
Dest i nat i on MAC: 01: 00: 11: 22: 33: 44
======================
======================
| 1/ 1/ 1 | Enabl ed |

Page 64

Network Loopback Tester
Network Loopback Tester is a network troubleshooting mechanism for diagnosing network
failures. This mechanism loops back traffic permitted by a specified ACG. By comparing the
transmitted packets to the looped back packets you can evaluate the integrity of the equipment or
transmission path.

NOTE
You can enable this mechanism only on ports or LAGs with an already configured
ACG.

Network Loopback Tester Commands
Table 21: Network Loopback Tester Commands
Command Description
network-loopback-
tester
Configures Network Loopback Tester on a specified port or LAG
(see Configuring Network Loopback Tester on a Port/LAG)
show network-
loopback-tester
Displays the Network Loopback Tester configuration for the
specified port or LAG (see Displaying Network Loopback Tester)
Configuring Network Loopback Tester on a Port/LAG
The network-loopback-tester command configures Network Loopback Tester on a specified
port or LAG.
Command Syntax
device-name(config)#network-loopback-tester {UU/SS/PP | ag0N} access-group
<acl-number> [time <seconds>]
device-name(config)#no network-loopback-tester {UU/SS/PP | ag0N} access-group
<acl-number>
UU/SS/PP
The port number
ag0N
The LAG ID, in the of range <17>
access-group
<acl-number>
The ACL number (for detailed information, refer to the Configuring Access
Control Lists (ACLs) chapter).
Traffic permitted by this condition is looped back through the port/LAG.
time
<seconds>
(Optional) the period of time the tests is enabled, in the range of <1100000>
seconds

Page 65

Displaying Network Loopback Tester
The show network-loopback-tester command displays the Network Loopback Tester
configuration for a specified port or LAG.
Command Syntax
device-name#show network-loopback-tester [UU/SS/PP | ag0N]
UU/SS/PP
ag0N
Example
device-name#show network-loopback-tester
Net wor k Loopback Test er :
Access Cont r ol Gr oup: 401
Test Dur at i on: 12s
St ar t Dur at i on: 15: 11: 12
End Dur at i on: 15: 11: 24

Page 66

device-name(config-if 1/1/1 acg 400)#rate-limit single-rate 100k 128k exceed-
action mark-yellow
device-name(config-if 1/1/1 acg 402)#rate-limit single-rate 512K 8K
device-name(config)#network-loopback-tester 1/1/1 access-group 400 time 20

r at e- l i mi t si ngl e- r at e 100K 128K exceed- act i on mar k- yel l ow

device-name#show network-loopback-tester
Net wor k Loopback Test er :
Access Cont r ol Gr oup: 400
Test Dur at i on: 20s
St ar t Dur at i on: 12: 25: 37
End Dur at i on: 12: 25: 57


Page 67

Watchdog Features
Watchdog is a feature used to monitor the performance of a set of tasks/ processes to ensure their
proper functionality.
The Watchdog feature also triggers several automated actions in order to correct malfunctioning
monitored tasks/ processes.
Watchdog integrates three features:
Reset-Loop Detectiondetects and stops a reset-loop. A reset-loop is a condition where the
software causes the device to reset. However since this software is configured to start
automatically upon the device startup, it causes the device to reset again.
SNMP Request Failure Detectionmonitors the timing and validity of SNMP requests,
resetting the device when detecting a failure in receiving SNMP requests.
CPU Task Suspension Detectionmonitors suspended (interrupted) CPU tasks and issues
log notifications whenever a CPU task is suspended.
Watchdog Default Configuration
Table 22: Watchdog Default Configuration
Reset-Loop Detection Disabled
SNMP Request Failure Detection Disabled
CPU Task Suspension Detection Disabled
Watchdog Commands
Table 23: Watchdog Configuration Commands
Command Description
service sw-watchdog
Enters the Watchdog Configuration mode (see Entering the
Watchdog Configuration Mode)
sw-watchdog system
reset-loop
Configures Reset-Loop Detection (see Configuring Reset-Loop
Detection)
sw-watchdog system
snmp-request-reset
Configures SNMP Request Failure Detection (see Configuring
SNMP Request Failure Detection)
sw-watchdog task-
suspension
Configures CPU Task Suspension Detection (see Configuring
CPU Task Suspension Detection)


Page 68

Table 24: Watchdog Display Command
Command Description
show sw-watchdog
Displays the Watchdog configuration (see Displaying the
Watchdog Configuration)
Entering the Watchdog Configuration Mode
The service sw-watchdog command enters the Watchdog Configuration mode.
Command Syntax
device-name(config)#service sw-watchdog
device-name(sw-watchdog)#
Configuring Reset-Loop Detection
The sw-watchdog system reset-loop command configures the Reset-Loop Detection feature.
When the Watchdog detects a reset-loop, it disables the device LAN ports except for the one
configured as the maintenance port. In addition it logs a notification in the NVRAM.
The Watchdog identifies a reset-loop when the device resets more than 3 times within a specified
time period.
CLI Mode: Watchdog Configuration
Reset-Loop Detection is disabled by default.
Command Syntax
device-name(sw-watchdog)#sw-watchdog system reset-loop <time> interface
UU/SS/PP
device-name(sw-watchdog)#no sw-watchdog system reset-loop
time
The Reset-Loop Detection time period, in the range of <301500>
seconds.
interface
UU/SS/PP
The selected maintenance port
no
Disables Reset-Loop Detection
Example
The following command configures port 1/ 1/ 1 as the maintenance port and the Reset-Loop
Detection time to 30 seconds:
device-name(sw-watchdog)#sw-watchdog system reset-loop 30 interface 1/1/1

Page 69

Configuring SNMP Request Failure Detection
The sw-watchdog system snmp-request-reset command enables and configures SNMP
Request Failure Detection.

NOTE
Enable this feature only if the SNMP server is configured to send periodic requests.
Otherwise, the Watchdog interprets the lack of SNMP requests as an SNMP request
failure and resets the device repeatedly (thus causing a reset-loop).

SNMP Request Failure Detection is disabled by default.
Command Syntax
device-name(sw-watchdog)#sw-watchdog system snmp-request-reset <time>
device-name(sw-watchdog)#no sw-watchdog system snmp-request-reset
time
The SNMP request failure timeout, in the range of <5360>minutes, after which
the device is reset if no valid SNMP request is received.
no
Disables SNMP Request Failure Detection
Configuring CPU Task Suspension Detection
The sw-watchdog task-suspension command enables the monitoring of suspended CPU tasks
and logs notifications to the NVRAM upon detecting a suspended task.
CPU Task Suspension Detection is disabled by default.
Command Syntax
device-name(sw-watchdog)#[no] sw-watchdog task-suspension {all | TASK-NAME}
all
All CPU tasks are monitored.
TASK-NAME
A specified CPU task name (see the table below for the list of tasks)

NOTE
You can loop up the list of task-names by using the t ask
command in the Show System mode.
no
Disables CPU Task Suspension Detection


Page 70

Table 25: CPU Tasks
all intSched0 mTrAging tAlarmTask
tAppUpgradeMgmt tCPUIdleCapt tCfmMaster tCfmMonitor
tCliUart tDYINGGASPTMP tDelayReload tDhcpcd
tDot3ahMain tEPAppd tElmiMain tEps
tExcTask tFPGA_app tFdb tGARPRecv
tGARPTimer tGARPTx tHiSwMonitr tHistoryF
tIgSnoop tIomxTask tKernel tL2TunTask
tLacTimer tLacp tLldpTask tLogCatch
tLogNew tMefoamMain tMfib tMfibTimer
tMonCPUIdle tMstPIM tMstPRT tMstPRX
tMstPTX tNVDB tNetTask tNvlTask
tPLDTest tPTP_app tPortPoll tQoSTask
tRmon tRmonAlrm tRmonHist tRmonTimer
tRtrd tSFPManTask tSecTask tSendArpTask
tServiceManager tSnmpd tSnoop tSpanPIM
tSpanPPM tSpanPRS tSpanPRT tSpanPST
tSpanPTX tSpanRecv tSpanTCM tSpanTimer
tTMSApp tTelnetd tTffsPTask tTimesync
tTmsOemTrap tTxTask tWdbTask tpssEvents
Example
To configure monitoring of the tRmon task:
device-name(sw-watchdog)#sw-watchdog task-suspension tRmon
t Rmon_Susp added t o wat chdog
Displaying the Watchdog Configuration
The show sw-watchdog command displays the watchdog configuration.
Command Syntax
device-name#show sw-watchdog
Example
device-name#show sw-watchdog
Wat ch Dog Obj ect s st at us
===========================================
| No | Obj ect | STATUS |
===========================================
| 1 | Memor y| OK|
| 1 | t Rmon_Susp| FAI LED|

Page 71

Diagnosing Connectivity Issues
The T-Marc 300 Series offers the below utilities for troubleshooting network-connectivity issues:
PING
Traceroute
Packet Internet Groper (PING)
PING verifies Internet connectivity at the IP level. It sends an Internet Control Message Protocol
(ICMP) echo request to a specified IP address and waits for one of the below ICMP responses:
Normal responsethe device is alive and replies within 110 seconds, depending on the network
traffic.
Destinationdoesnot respondif the device does not respond in the above interval, a no-answer
message is returned.
Example: Reachable Device
device-name#ping 11.0.91.201
Sendi ng 5, 100- byt e I CMP Echoes t o 11. 0. 91. 201, t i meout 2 sec, del ay 0 sec:
! ! ! ! !
Success r at e i s 100 per cent ( 5/ 5) , r ound- t r i p mi n/ avg/ max = 0/ 1/ 5 ms
Example: Unreachable Device
device-name#ping 11.0.91.209
. . . . .
Success r at e i s 0 per cent ( 0/ 5) , r ound- t r i p mi n/ avg/ max = 0/ 0/ 0 ms

Page 72

Traceroute
Traceroute sends ICMP echo packets with increasing Time-to-Live (TTL) values to the destination.
When a device receives an ICMP echo packet with TTL value of 1 or 0, it drops the packet and
sends a time-to-live-exceededmessage to the sender. Traceroute uses this mechanism for determining
the route to the destination:
It starts by sending an ICMP echo (PING) to the destination device, setting its TTL value to 1,
receiving a time-to-live-exceededmessage from the next hop.
To identify the next hop, Traceroute sends another PING, setting its TTL value to 2. The first
device reached decreases the TTL field by 1 and sends the PING to the next device. This device
discards the PING (identifying a TTL value of 1) and returns a time-to-live-exceededmessage to the
source.
This process continues until the TTL is incremented to a value large enough for the PING to reach
the destination device (or until reaching the maximum TTL). When the PING reaches the
destination device, it returns an ICMP Echo Reply back to the sender.

Page 73

Connectivity-Troubleshooting Defaults
Table 26: Connectivity-Troubleshooting Default Configuration
Traceroute TTL 64
Traceroute timeout 2 seconds
Ping delay Immediately
Ping packet length 100
Ping number of echo packets to send 5
Ping timeout 2 seconds
Connectivity-Troubleshooting Commands
Table 27: Connectivity Diagnostics Commands
Command Description
ping Pings a remote device (see Pinging a Device)
traceroute Traces the data-packets route to their destination IP address (see
Executing Traceroute)

Page 74

Pinging a Device
The ping command pings a remote device.
Command Syntax
device-name#ping A.B.C.D [delay <delay>] [length <length>] [number <number>]
[timeout <timeout>]
A.B.C.D
The destination IP address
number <number>
(Optional) the number of echo packets sent, in the range of
<12147483646>
5
timeout <timeout>
(Optional) the timeout for receiving a response, in the range of
<1600>seconds
2 seconds
delay <delay>
(Optional) the delay between packets, in the range of <1600>
seconds
immediately
length <length>
(Optional) the size of the ICMP echo packets in the range of
<165535>
100
The command has two possible output characters:
!Each exclamation point indicates receiving a reply
.Each period indicates that the network-server timed out while waiting for a reply
Example
To send 5 pings of 80 bytes with a 30-second timeout for reply and a 20-second delay between
pings, type the following command:
device-name#ping 212.29.220.136 number 5 timeout 30 delay 20 length 80
! ! ! ! !

Page 75

Executing Traceroute
The traceroute command traces the data-packets route to their destination IP address. The
command displays each device the packets go through until reaching the destination.
To stop the command's execution, press <ESC>.
Command Syntax
device-name#traceroute A.B.C.D [ttl <ttl>] [timeout <timeout>]
A.B.C.D
The destination IP address
ttl <ttl>
(Optional) the maximum number of devices the traceroute command
passes, in the range of <1255>
64
timeout
<timeout>
(Optional) the timeout for receiving responses, in the range of <1600>
seconds
2 seconds
Example
device-name#traceroute 192.118.82.140
1 : 10ms. 20ms. 10ms. Hop [ 212. 29. 220. 193]
2 : 50ms. 40ms. 40ms. Hop [ 10. 96. 96. 1]
3 : 60ms. 95ms. 95ms. Hop [ 212. 29. 196. 109]
4 : 60ms. 60ms. 100ms. Hop [ 206. 49. 94. 116]
5 : 225ms. 100ms. 220ms. Hop [ 212. 29. 206. 214]
6 : 60ms. 60ms. 55ms. Hop [ 212. 29. 206. 66]
7 : 60ms. 60ms. 60ms. Hop [ 212. 29. 206. 210]
8 : 60ms. 60ms. 65ms. Hop [ 212. 150. 63. 186]
9 : 80ms. 85ms. 80ms. Hop [ 192. 118. 68. 17]
10 : 65ms. 70ms. 70ms. Tar get [ 192. 118. 82. 140]

Page 76

Technical Support Information
Telco Systems provides special-purpose CLI commands in order to retrieve the devices' technical
information. You can then forward this information to Telco Systems technical support in order to
aid them in tracking and resolving issues that cause system failures.
These commands dump the required information on the screen. In addition, you can save the
commands output on a specified remote server.
Technical Support Commands
Table 28: Technical Support Commands
Command Description
tech-support Enters the Technical Support Configuration mode. This mode
includes a list of commands for displaying and extracting specific
technical support information (see Selecting the Extracted
Technical Support )
show tech-support Displays the selected technical-support parameters information
(see Displaying Technical Support Information)
copy tech-support
upload-to
Saves the tech-support file on a remote server (see Uploading the
Tech-Support File)
Selecting the Extracted Technical Support Information
The tech-support command enters the Technical Support Configuration mode. In this mode you
can select specific technical-support parameters that should be extracted when using this feature
(see the showtech-support command).
Command Syntax
device-name(config)#tech-support
device-name(tech-support)#
The parameters extraced by default are:
task
pend
memory
network stack system
network arp
cpu task
flash

Page 77

Table 29: Available Technical-Support Parameters
Command Description
alias
Creates a command alias (a short form of a command; for more
information, refer to the Using the Command Line Interface
chapter)
cpu
CPU usage
cpu-cache
The addresses in the CPU cache
no cpu-cache
Disables CPU cache display
cpu task monitoring
CPU monitoring for existing tasks
no cpu task
monitoring
Disables the display of CPU monitoring of existing tasks
cpu task report
Detailed CPU information for every task
no cpu task report
Disables the display of detailed CPU information
flash
The content of the Flash memory file system
network routing table
Network routing-information
no network routing
table
Disables network routing-information display
network connections
The list of all active Internet protocol sockets in the application-
software kernel
no network
connections
Disables the display of the active Internet protocol sockets in the
application-software kernel
network arp
The ARP table
no network arp
Disables ARP table display
network stack system
The application-software kernel network stack system pool
statistics
no network stack
system
Disables the display of the application-software kernel network
stack system pool statistics
network stack data
Usage statistics of blocks and clusters in the application-software
kernel network data pool
no network stack data
Disables the display of usage statistics of blocks and clusters in
the application-software kernel network data pool
memory
The system-memory pool information, including the number of
blocks, and the size of free and allocated memory
no memory
Disables the system-memory pool information display
pend
Pending tasks detailed status
no pend
Disables the display of pending tasks
task
Running tasks information
no task
Disables the running tasks display
quit
Quits the Telnet session
reset
Restores to technical support defaults values
show
The current tech-support configuration
show mstp
The MSTP configuration

Page 78

Command Description
show mstp disable
Disables the MSTP configuration display
show rapid-spanning-
tree
The RSTP configuration and RSTP topology of all ports
show rapid-spanning-
tree disable
Disables the RSTP configuration display
show spanning-tree
The STP configuration and STP topology of all ports
show spanning-tree
disable
Disables the STP configuration display
show self-test
The last BiST results
show self-test
disable
Disables the BiST display
show configuration-
history all
The stored configuration history
show configuration-
history all disable
Disables the stored configuration history display
show log nvram-
history
The stored log history
show log nvram-
history disable
Disables the stored log history display
show ip route
The IP routing table information
show ip route disable
Disables the IP routing table information display
show ip arp
The ARP table
show ip arp disable
Disables the ARP table display
aggregation
The LAG configuration
aggregation disable
Disables the LAG configuration display
show interface
statistics
The physical and aggregated interfaces statistics
show interface
statistics extended
The physical and aggregated interfaces packet counters
show interface
statistics extended
disable
Disables the physical and aggregated interfaces packet counters
display
show interface
statistics disable
Disables physical and aggregated interfaces statistics display
show mac-address-
table
The MAC-address table contents
show mac-address-
table multicast
The user-configured and/or dynamically learned multicast MAC
addresses
show mac-address-
table multicast
disable
Disables the multicast MAC address table display
show mac-address-
table disable
Disables the MAC-address table contents display

Page 79

Command Description
show manufacturing-
details
The device hardware information
show manufacturing-
details disable
Disables the device hardware information display
show vlan
The device VLAN configuration
show vlan disable
Disables the device VLAN configuration display
show running-config
The device running-configuration
show running-config
disable
Disables the device running-configuration display
show startup-config
The device startup-configuration
show startup-config
disable
Disables the device startup-configuration display
no tech-support
commands
Disables the display of all configured technical support parameters
Displaying Technical Support Information
The show tech-support command displays the selected technical-support parameters
information.

Command Syntax
device-name#show tech-support
Example
device-name#show tech-support
I t coul d t ake sever al mi nut es t o compl et e t he t ask. Pl ease wai t . . .

Execut i ng command cpu- cache

Out put f r omcpu- cache :

St at i c MAC cache

Mcache

0 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
1 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
2 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
3 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
4 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
5 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000

Page 80

6 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
7 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
8 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
9 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
10 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
11 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
12 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
13 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
14 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
15 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
16 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
17 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
18 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
19 00: 00: 00: 00: 00: 00 P=0, Vi d=0, Age=00000000
Done
Uploading the Tech-Support File
The copy tech-support upload-to command saves the tech-support output file on a remote
server.
Command Syntax
device-name#copy tech-support upload-to A.B.C.D FILE-NAME
A.B.C.D
The TFTP-server IP address
FILE-NAME
The tech-support filename (located on the TFTP server)
Example
The following command uploads the tech-support output file to a new file named TECHSUP on
device-name#copy tech-support upload-to 192.168.30.1 TECHSUP

Page 81

Supported Platforms
BiST + +
CPU Utilization Commands + +
Periodic Monitoring + +
Laser Management + +
Port Mirroring + +
LSL and Iometrix Loopback + +
Network Loopback Tester + +
Watchdog + +
Diagnosing Connectivity Problems + +
Technical Support Information + +
BiST No standards are
supported by this
feature.
Private MIB,
prvt_bist.mib
RFC 791, Internet Protocol
DARPA Internet Program Protocol
Specifications
CPU Utilization No standards are
supported by this
feature.
Private MIB,
prvt_sys_mon.mib
Specifications
Periodic
Monitoring
No standards are
supported by this
feature.
No MIBs are
supported by this
feature
feature.
Laser
Management
No standards are
supported by this
feature
Private MIB,
prvt_sys_mon.mib
Specifications
Port Mirroring No standards are
supported by this
feature
No MIBs are
supported by this
feature
feature.
LSL and
Iometrix
Loopback
No standards are
supported by this
feature
No MIBs are
supported by this
feature
feature.
Network
Loopback
Tester
No standards are
supported by this
feature
No MIBs are
supported by this
feature
feature.
Watchdog No standards are
supported by this
feature.
No MIBs are
supported by this
feature
Specifications

Page 82

Diagnosing
Connectivity
Problems
No standards are
supported by this
feature.
Public MIB,
disman_ping.mib
Specifications
Technical
Support
Information
No standards are
supported by this
feature.
No MIBs are
supported by this
feature
Specifications

Page 1
Appendix B: Products Capabilities (Rev. 07)
Appendix B: Products Capabilities
Overview 2
Key Features 2
Main Features 3
Product Applications 5
Technical Summary 6
Page 2

Overview
The T-Marc 300 Series are comprised of the T-Marc 340 and T-Marc 380. These products are
compact, cost-effective, single/ multi user Ethernet Demarcation Devices with full OAM
capabilities and support for MPLS Pseudowire LER.
The device operates using an internal AC or DC power supply, offering various power source
redundancy capabilities and may be installed as a table-top, wall, or rack mount.
Key Features
The T-Marc 300 Series devices offer the following features:
One RJ45 connector for CLI configuration & device management
2 GE/ FE Network Uplink Ports (1/ 1/ 1, 1/ 1/ 2)two WAN uplink ports
4 GE/ FE Access Ports (1/ 2/ 11/ 2/ 4)four LAN access ports
4 GE/ FE Access Ports (1/ 2/ 51/ 2/ 8)four LAN access ports supported on T-Marc 380
only
one internal AC or DC (-48V) power supply unit (PSU)
Ethernet Transport & OAM for remote fault isolation and for end-to-end SLA monitoring
and verification:
Resiliency and link protection
Remote management and control
Fault isolation and diagnostics of network infrastructure and services
Ethernet services network demarcation unit
Advanced QoS with 802.1p and DSCP filtering/ marking/ re-marking 8 output queues per
port
Flexible 10/ 100/ 1000 Mbps Ethernet or 100BaseFX (via SFP) LAN/ WAN interface
selection
Ethernet Switching Support:
802.1Q support with full range of VLAN ID support
Port based VLAN
4K VLANs per IEEE 802.1q
MAC address table
Transparent LAN services (TLS) (VLAN stacking Q-in-Q)
802.3x (pause) flow control and backpressure
IEEE 802.3ad Link Aggregation
Page 3

Main Features
T-Marc 340 and T-Marc 380 features include:
Ethernet CapabilitiesFor the delivery of enhanced Ethernet services, the devices support:
4K VLAN tags per IEEE 802.1q, VLAN stacking, IEEE 802.3x flow control, super
VLAN, and IEEE 802.3ad link aggregation.
IEEE 802.1ad formalizes the definition of Ethernet frames with multiple VLAN
tags. It also formally labels Customer VLANs (C-VLANs) and Service VLAN (S-
VLANs).
802.1ad Provider Bridging that adds a second 802.1Q VLAN tag into the Ethernet
packet. The customers IEEE 802.1Q VLAN tag is enveloped by the provider tag. A
service provider can then ignore the customers VLAN tag and only switch traffic based
upon the outer provider tag. Since the provider is tunneling the customers VLAN tag,
each customer is free to use its own bank of 4K VLAN IDs to separate traffic types and
classes within their network.
OAM ToolsOAM is a family of standards providing reliable remotely-managed service-
assurance (SA) mechanisms for both the provider and customer networks, offering the ability
to perform automatic periodic network-wide service assurance and quality verifications. The
following OAM standards are supported:
802.3ah support (EFM-OAM): specifies the protocols and Ethernet interfaces for using
Ethernet over access links as a first-mile technology and transforming it into a highly
reliable technology.
802.1ag support (CFM-OAM): refers to the ability of a network to monitor the health of
an end-to-end service delivered to customers (as oppose to just links or individual
bridges).
SAA Throughput Test: describes the steps for configuring and executing unidirectional
and bi-directional throughput tests.
SAA: allows you to monitor the performance of network-hosted applications by
emulating the traffic of these applications.
EPS: is a method of protecting point-to-point Ethernet service connection over VLAN
transport networks, assuring traffic transport between the two service ends.
Event Propagation: allows users to configure automatic actions executed upon the
occurrence of specific events.
E-LMI application: is an OAM protocol enabling the CE to auto configure its support of
Metro Ethernet services
Access Control Listsallow network operators to define large numbers of QoS and security
policies without compromising wire-speed performance. The ACLs enhance service levels
through high-performance differentiated services (DiffServ) marking, Denial of Service (DoS)
and Distributed Denial of Service (DDoS) attack mitigation, and by enforcing service access
rights across the service infrastructure. The ability to classify traffic according to C-VLAN
and/ or S-VLAN provides full QinQ ACL support.
Page 4

Troubleshootingdescribes troubleshooting and monitoring tools used to detect and
resolve device related problems. The laser management extends the SFP (System File
Protection) manager by providing ability to monitor optical transceiver operational parameters,
such as received optical power, TX output power and transceiver temperature. You can set
high and low thresholds.
QoSallows you to specify different service levels for traffic that traverses the device and
provides preferential treatment to the traffic, possibly at the expense of other traffic.
Without QoS, the device offers best-effort service to each packet and transmits packets
without any assurance of reliability, delay bounds (latency), or throughput (bandwidth).
Implementing QoS in a network makes performance more predictable and bandwidth
utilization more effective.
Page 5

Product Applications
T-Marc 300 Series can be used in the following applications:
1. Aggregation node in campus environments
2. Laser Management
3. Test-Head
Page 6

Technical Summary
One RJ 45 connector for CLI configuration & device management
2 GE/FE Network Uplink Ports (1/1/1, 1/1/2)
4 GE/FE Access Ports (1/2/11/2/4)
Interfaces

4 GE/FE Access Ports (1/2/5
1/2/8)
QoS
Advanced QoS with 802.1p and DSCP filtering/marking/re-marking
8 output queues per port
Packet and byte counter statistics (ingress and egress)
Rate-limiting for bandwidth allocation
ACLs
ACL support with 2 VLAN tags for QinQ/802.1ad services (based
on customer VLAN IDs
Remarking/forwarding/policing/filtering/etc support per ACL
VLAN Stacking
TLS (QinQ)
Bridging
IEEE 802.1d Spanning Tree Algorithm
IEEE 802.1w Rapid Spanning Tree Algorithm
IEEE 802.1s Multiple Spanning Tree Algorithm
VLANS
4K VLANs per IEEE 802.1q
Resiliency
Fast ring Ethernet restoration (<50ms)
Resilient Link
MAC Table
Size
16K
Forwarding
Rate
148,000 pps per 100 Mb/s port
1,488,000 pps per 1 Gb/s port
Flow Control
IEEE 802.3x for full duplex back pressure for half duplex
transmission
Ethernet
Switching
Port Trunking
IEEE 802.3ad Link Aggregation
OAM
Protocols
Ethernet OAM
IEEE 802.1ag (CFM-OAM)
IEEE 802.3ah (EFM-OAM)
SAA Test-Head
SAA Throughput Test
EPS
Event Propagation
E-LMI
Troubleshooting
Laser Management

Page 1
Appendix A: Default Configuration (Rev. 09)

Appendix A: Default Configuration
Access List Default Configuration 3
ACL Default Configuration 3
Boot Loader Default Configuration 3
CFM-OAM Default Configuration 4
Connectivity Diagnosing Default Configuration 6
CPU Resource Control Default Configuration 6
CPU Utilization Settings Default Configuration 6
DNS Resolver Default Configuration 6
EFM-OAM Default Configuration 7
E-LMI Default Configuration 7
EPS Default Configuration 8
Fast and Giga Ethernet Ports Default Configuration 8
File System Default Configuration 9
IGMP Snooping Default Configuration 9
Laser Management Default Configuration10
Link Aggregation Default Configuration10
LLDP Default Configuration11
Loader Configuration Default Configuration11
LSL and Iometrix Loopback Default Configuration11
MAC Address Table Default Configuration12
Message Logging Default Configuration12
MSTP Configuration Default Configuration12
NTP Default Configuration14
Passwords Default Configuration14
Packet Size Limit Default14
Passwords Default Configuration14
Periodic Monitoring Default Configuration15
Port Security Default Configuration16
QoS Default Configuration16
QoS Mapping Default Configuration18
Scheduler Profile Default Configuration19
Page 2

Shaper Default Configuration19
Port Default Configuration19
RADIUS Default Configuration20
Resilient Link Default Configuration20
RSTP Default Configuration20
SAA Default Configuration22
SAA Throughput Test Default Configuration23
Script File System Default Configuration23
SFTP Client Default Configuration24
SNMP Default Configuration24
SSH Default Configuration24
STP Configuration Default Configuration25
Super VLAN Default Configuration25
TACACS+ Default Configuration25
Telnet Default Configuration26
TLS Default Configuration26
Traffic Monitoring Default Configuration26
User Privilege Levels Default Configuration26
VLAN Default Configuration27
VTY Default Configuration27
Zero-touch Default Configuration27
1588v2 PTP Default Configuration28
Page 3

Access List Default Configuration
Table 1: Access List Default Configuration
Named access list Not created
Exact match Disabled
ACL Default Configuration
Table 2: ACL Default Configuration
Access Control List (ACL) Not defined
Access Control Group (ACG) Not defined
Rate limit color awareness Color blind
Boot Loader Default Configuration
Table 3: Boot Loader Default Configuration
Password batm
Block length 256
Line-card module operation mode line-module
Page 4

CFM-OAM Default Configuration
Table 4: CFM-OAM Default Configuration
CFM-OAM Disabled
The domain name Appears as a string in the MAID
Compatibility with the IEEE 802.1ag protocol
version 6.1
Standard IEEE 802.1ag-2007 (draft 8.1)
CFM Maintenance Domain
The way the name will appear in the MAID ieee
MIPs Are always created
Content of the Sender ID TLV All (hostname and management address of
the device)
CFM Maintenance Association
Hello-interval 1 second
CCM Priority 6
The decision regarding the MIPs If no MIP creation policy per MA is defined,
the default policy is inherited from the
domain policy configuration
Content of the Sender ID TLV All (hostname and management address of
the device)
Defect priority 1 (Alarms are reported for all conditions)
FNG reset interval time 1000 hundredths of a second
FNG alarm interval 250 hundredths of a second
AIS/LCK level One higher than the configured MA level
AIS/LCK priority 6
Interval between two successive AIS or LCK
packets
1 second
MEP state Inactive
MEP Is not able to send CCMs
CFM Performance Monitoring
Profile When CFM protocol is enabled, a default
profile is created automatically
Repetition interval of the monitoring process 1 minute
Update-interval 20 seconds
CFM Profile Monitoring
Priority 0
Number of the Loopback Request packets 1
Loopback Request packets' size 0 bytes
Page 5

One-way J itter Enabled
One-way jitter error 350 milliseconds
One-way jitter warning 300 milliseconds
Round-trip jitter error value 700 milliseconds
Round-trip jitter error duration 90 seconds
Round-trip jitter warning value 600 milliseconds
Round-trip jitter warning duration 180 seconds
Round-trip frame-loss error value 10 %
Round-trip frame-loss warning value 8 %
Round-trip latency error value 2000 milliseconds
Round-trip latency error duration 90 seconds
Round-trip latency-warning value 1600 milliseconds
Round-trip latency-warning duration 180 seconds
Results-bucket-size 20 results
Bucket-size 20 PDUs
Display CFM
The statistics information for all defined domains. Are displayed
All MAs, defined in DOMAIN NAME Are displayed
All defined domains Are displayed
Sending Linktrace and Loopback
Number of sent loopback request packets 3
Loopback message PDU size 0 bytes
Timeout used to wait for linktrace reply 2 seconds
Number of loopback messages to be sent 3 messages
Loopback interval of the CFM process Configured
Delay between 2 consecutive loopback
messages
5 seconds
Page 6

Connectivity Diagnosing Default Configuration
Table 5: Connectivity Diagnosing Default Configuration
Traceroute TTL 64
Traceroute timeout 2 seconds
Ping delay Immediately
Ping packet length 100
Ping number of echo packets to send 5
Ping timeout 2 seconds
CPU Resource Control Default Configuration
Table 6: CPU Resource Control Default Configuration
Rate limit for learning new addresses for the
entire device
1500 PPS
Rate limit to the CPU for the entire device 1500 PPS
CPU Utilization Settings Default Configuration
Table 7: CPU Utilization Default Configuration
CPU Utilization Monitoring Enabled
DNS Resolver Default Configuration
Table 8: DNS Resolver Default Configuration
DNS servers None specified
Page 7

EFM-OAM Default Configuration
Table 9: EFM-OAM Default Configuration
EFM-OAM Enabled
Number of OAMPDUs 5 OAMPDUs
Event propagation Enabled
Sending of the event notification OAMPDUs Enabled
Priority Undefined
Aging interval 5 seconds
Hello Interval 1000 milliseconds
Port state uplink ports Passive
Port state for user ports Disabled
Local loopback Disabled
Remote loopback Disabled
EFM-OAM Is using enhanced mode
Bit-errors threshold Disabled
Frame-errors threshold monitoring Enabled and it is defined as 256 errors
during 20 seconds
Event monitoring Disabled
Requests sent on the specified interface 5
Accept remote loopback Disabled
E-LMI Default Configuration
Table 10: E-LMI Default Configuration
E-LMI Disabled
E-LMI mode uni-n (network mode)
Polling timer 10
Polling verification timer 15
Polling counter 360
Polling status counter 4
Page 8

EPS Default Configuration
Table 11: EPS Default Configuration
EPS Disabled
Hold Off Timer 0 seconds
Switchovers Are allowed
wait-to-restore timer 5 minutes
Fast and Giga Ethernet Ports Default Configuration
Table 12: Fast Ethernet and Giga Ethernet Ports Default Configuration
Interface state Enabled
Port name None
Backpressure mode Disabled
Duplex speed Autonegotiation
Duplex mode Autonegotiation
Duplex status Unknown
Flow Control mode Disabled
Flow Control status Disabled
VLAN 1
Super VLAN port No
Broadcast rate limit Unlimited
Multicast rate limit Unlimited
Unknown rate limit Unlimited
Packet size limit 1632
Remote fault detect Disabled
Crossover detection Automatic
Learning new address Enabled
Page 9

File System Default Configuration
Table 13: System Directories Default Configuration
Directory Default Value
\Boot\ Contains all executable applications and firmware images
\J ava\ Contains all stored J ava images
\Log\ Stores all logs of the system operation
\Usr\ Contains all configuration scripts of the system
\Etc\ Contains default startup configuration
\Hidden\ Internal settings storage
Table 14: System File Names and Settings Default Configuration
Image name Image.Z
Auto-boot timeout 5 seconds
Startup configuration name dflt_startup.cfg
Application software System Loader password batm
IGMP Snooping Default Configuration
Table 15: IGMP Snooping Default Configuration
IGMP Snooping Disabled
IGMP Snooping per VLAN Enabled if IGMP Snooping is enabled
Immediate Leave Disabled
Report suppression Enabled if IGMP Snooping is enabled
Source tracking Enabled if IGMP Snooping is enabled
Query Interval 125 seconds
Query response time 10 seconds
Robustness 2 packets
Maximum IGMP Groups per port and VLAN 2000
Maximum IGMP Reports per port and VLAN 2000
Query source IP address IP address of the IP interface (swN)
IGMP snooping behavior Drop packets without setting the Router Alert flag
Page 10

Laser Management Default Configuration
Table 16: Laser Management Default Configuration
Periodic laser monitoring Disabled
Polling period 20 seconds
Logging alert messages Enabled
Trap alert Enabled
LED alert Enabled
High temperature threshold 85 C
Low temperature threshold -45 C
High RX power threshold -7 dBm
Low RX power threshold -32 dBm
High TX power threshold -5 dBm
Low TX power threshold -16 dBm
Link Aggregation Default Configuration
Table 17: Link Aggregation Default Configuration
Static Link Aggregation Disabled
Global Link Aggregation Control Protocol (LACP) Disabled
Per port Link Aggregation Control Protocol
(LACP)
Disabled
LACP system priority 32768
LACP port mode Active
LACP port priority 32768
LACP administrative key 1
LAG distribution MAC address
The marker PDU responder per port Disabled
Page 11

LLDP Default Configuration
Table 18: LLDP Default Configuration
LLDP Disabled
LLDP reinitialize-delay 2 seconds
LLDP transmit-delay 2 seconds
LLDP transmit-hold 4 seconds
LLDP transmit-interval 30 seconds
LLDP basic management-address no-advertise
LLDP basic port-description no-advertise
LLDP basic system-capabilities no-advertise
LLDP basic system-description no-advertise
LLDP basic system-name no-advertise
Loader Configuration Default Configuration
Table 19: Boot Loader Default Configuration
Password batm
Block length 256
Line-card module operation mode line-module
LSL and Iometrix Loopback Default Configuration
Table 20: LSL and Iometrix Loopback Default Configuration
LSL Disabled
Iometrix Loopback Disabled
Iometrix measurement packets Are not captured
Iometrix MAC address 00:30:79:FF:FF:FF
Page 12

LSL destination MAC address Devices MAC +12
where 12 is added only to the last byte of
the MAC, for example if the device MAC is
00:A0:12:b0:b0:b0, then LSL default
destination MAC is 00:A0:12:b0:b0:bc.
MAC Address Table Default Configuration
Table 21: MAC Address Table Default Configuration
MAC Address aging time 300 seconds
New MAC address learning Enabled
Displaying the learned MAC addresses Enabled
Message Logging Default Configuration
Table 22: Message Logging Default Configuration
NVRAM history Logging Only emergency level trap messages are
logged.
The PRIORITY field is not recorded.
NVRAM-based Configuration History Disabled
Logging buffer size 1000 messages
Logging to buffer log module default buffer trap debugging
Syslog server IP address None configured
MSTP Configuration Default Configuration
Table 23: MSTP Default Configuration
Multiple Spanning tree mode (MSTP) Disabled
Protocol Specification ieee802.1s
Spanning tree port priority 128
Hello time 2 seconds
Forward delay time 15 seconds
Maximum aging time 20 seconds
Page 13

Maximum hop count 40 hops
Span IGMP Fast Recovery Disabled
Revision number 1
Default MTS Instance 0
Bridge priority 32768
Path cost See Table 24
Edge Port Disabled
Flush Edge Port Disabled
Link Type Auto
MSTP Link Flapping feature Disabled
Cisco MSTP compliance Disabled (IEEE 802.1s-2002 compliance is
enabled)
Fast Ring mode Disabled
Fast Ring Border Bridge mode Disabled
Learn mode Standard
BPDU guard Disabled
Loop guard Disabled
Restricted Root Disabled
Restricted TCN Disabled
MSTP debug Disabled
Table 24: Default Path Cost Values (IEEE802.1s)
<=100 Kbps 200,000,000 20,000,000200,000,000 1200,000,000
1 Mbps 20,000,000 2,000,00020,000,000 1200,000,000
10 Mbps 2,000,000 200,0002,000,000 1200,000,000
100 Mbps 200,000 20,000-200,000 1200,000,000
1 Gbps 20,000 2,000200,000 1200,000,000
10 Gbps 2,000 20020,000 1200,000,000
100 Gbps 200 202,000 1200,000,000
1 Tbps 20 2200 1200,000,000
10 Tbps 2 120 1200,000,000
Page 14

NTP Default Configuration
Table 25: NTP Default Configuration
NTP authentication Disabled
Summer time (Daylight Saving Time) Disabled
Passwords Default Configuration
Table 26: Passwords Default Configuration
Device login password batm
Privileged (Enable) password Not set
Loader password batm
Caps Lock warning Enabled
Packet Size Limit Default
The default packet size limit for jumbo frames is 1632 bytes.
Passwords Default Configuration
Table 27: Passwords Default Configuration
Device login password batm
Privileged (Enable) password Not set
Loader password batm
Caps Lock warning Enabled
Page 15

Periodic Monitoring Default Configuration
Table 28: Periodic Monitoring Default Configuration
Temperature monitoring Enabled
Temperature monitoring scale Celsius
Fan monitoring Enabled
Power supply monitoring Enabled
CPU usage Enabled
RAM (memory) usage Enabled
Periodic laser monitoring Disabled
Port monitoring Disabled
Log message alert Enabled
Led alert Enabled
Trap alert Enabled
Limit values for monitoring alert See Table 29
Delta value for monitoring alert Disabled
Monitoring period See Table 30
Table 29: Limit Values for Monitoring Alert Default Configuration
Limit value for temperature monitoring alert 55C / 131F
Limit value for CPU usage monitoring alert 75%
Limit value for RAM usage monitoring alert 1000 KB
Limit value for port monitoring alert 1%
Limit value for FLASH resources test 3047 KB
Table 30: Monitoring Period Default Configuration
Monitoring period for Fan 60 seconds
Monitoring period for power supply 60 seconds
Monitoring period for temperature 20 seconds
Monitoring period for CPU usage 10 seconds
Monitoring period for RAM usage 30 seconds
Monitoring period for port statistics 10 seconds
Monitoring period for FLASH Resources Test 60 seconds
Page 16

Port Security Default Configuration
Table 31: Port Security Default Configuration
Port security Disabled
Port limit Disabled
Port security action Trap
Disable MAC filtered learning Disabled
QoS Default Configuration
Table 32: QoS Default Configuration
Priority-to-queue assignment 0
Priority remark 0
Port profile index 0 (see Table 36)
DSCP priority 0
DSCP-to-profile assignment See Table 33
Traffic shaping Disabled
Trust mode Untrusted
SP scheduling Is applied
Table 33: DSCP-to-QoS Profile Index Mapping
DSCP Profile Index
07 0
815 1
1623 2
2431 3
3239 4
4047 5
4855 6
5663 7
Page 17

Table 34: Default Storm Control Values
Traffic storm control Disabled
Table 35: Default Egress Filtering Values
Egress broadcast, unknown-unicast, and multicast
packets filtering
Disabled
Table 36: QoS Profile Default Configuration
Profile Index TC DP UP DSCP
0 0 Green 0 0
1 1 Green 1 0
2 2 Green 2 0
3 3 Green 3 0
4 4 Green 4 0
5 5 Green 5 0
6 6 Green 6 0
7 7 Green 7 0
8 0 Yellow 0 0
9 1 Yellow 1 0
10 2 Yellow 2 0
11 3 Yellow 3 0
12 4 Yellow 4 0
13 5 Yellow 5 0
14 6 Yellow 6 0
15 7 Yellow 7 0
#16127 Not Used Not Used Not Used Not Used
Page 18

QoS Mapping Default Configuration
Table 37: CoS to FC and Color Mapping
Priority Txq Drop Level
0 1 green
1 2 green
2 3 green
3 4 green
4 5 green
5 6 green
6 7 green
7 8 green
Table 38: DSCP to FC and Color Mapping
DSCP Txq Drop Level
07 1 green
815 2 green
1623 3 green
2431 4 green
3239 5 green
4047 6 green
4855 7 green
5663 8 green
Table 39: Egress Remarking with Dot1p
0 green 0 be
1 green 1 l2
2 green 2 af
3 green 3 l1
4 green 4 h2
5 green 5 ef
6 green 6 h1
7 green 7 nc
0 yellow 0 be
1 yellow 1 l2
2 yellow 2 af
Page 19

3 yellow 3 l1
4 yellow 4 h2
5 yellow 5 ef
6 yellow 6 h1
7 yellow 7 nc
Scheduler Profile Default Configuration
All the ports in the system are bound to profile-1, which is SP scheduling.
Shaper Default Configuration
By default, per-port and per-queue shaper is disabled.
Port Default Configuration
All ports in the system are:
Bound to a SP scheduling profile 1
Untrusted (port default) with default policy
Default mapping to TC=be and color green
Default port settings are applied in the following cases:
Untrusted modeall packets
L2+L3 trust modeDSCP mapping is used for all IP packets.
Page 20

RADIUS Default Configuration
Table 40: RADIUS Default Configuration
UDP authentication port number 1812
Number of retransmits 3
RADIUS Server timeout 3 seconds
RADIUS Server dead time 3 authentication sessions
IP stack Selects the source IP address
Resilient Link Default Configuration
Table 41: Resilient Link Default Configuration
Preferred port The port with the higher bandwidth
Active port The port with the higher bandwidth. If both
ports have the same bandwidth, the active
port is the port with the lower port number.
For example, for ports 1/2/1 and 1/2/4 the
active port is 1/2/3, and for ports 1/1/1 and
1/2/1 the active port is 1/1/1.
Backup port status Power-on enabled
RSTP Default Configuration
Table 42: RSTP Default Configuration
Rapid Spanning Tree Protocol Disabled
Protocol specification ieee8021w
RSTP Bridge Priority 32768
RSTP Hello-time 2 seconds
RSTP Forward-delay 15 seconds
RSTP Maximum Aging Time 20 seconds
Span IGMP Fast Recovery Disabled
RSTP Edge Port Enabled
Page 21

RSTP Link Type Auto
RSTP Interface Path-cost See Table 43
RSTP Interface Priority 128
Time Since Topology Changed 0 seconds
Line flapping detection Disabled
RSTP debug Disabled
Table 43: Default Path Cost Values (IEEE802.1s)
<=100 Kbps 200,000,000 20,000,000200,000,000 1200,000,000
1 Mbps 20,000,000 2,000,00020,000,000 1200,000,000
10 Mbps 2,000,000 200,0002,000,000 1200,000,000
100 Mbps 200,000 20,000200,000 1200,000,000
1 Gbps 20,000 2,000200,000 1200,000,000
10 Gbps 2,000 20020,000 1200,000,000
100 Gbps 200 202,000 1200,000,000
1 Tbps 20 2200 1200,000,000
10 Tbps 2 120 1200,000,000
Page 22

SAA Default Configuration
Table 44: SAA Default Configuration
1 way delay threshold 1 second
1 way jitter threshold 300 milliseconds
1 way frame-loss threshold 8%
all the configured SAA profiles Are displayed
test state Disabled
the calculations Are done at the end of an interval and the
results are stored in the result history
database.
maximum number of concurrent active tests 10
repeat frequency 0 seconds
number of probe statistics 96
probe timeout 3 seconds
time interval 1 second
monitored interval 15 minutes
priority 6
the delay calculation method Average (Uses a simple average of the delay,
measured by all packets)
the jitter calculation method Variance (Uses a simple variance of the
delay, measured by all packets)
p-percentile 50
traps Not generated
Page 23

SAA Throughput Test Default Configuration
Table 45: OAM Data Path Acceleration Default Configuration
priority (for source command) 6
priority (for c-vlan command) 0
drop-eligible 0 (no drop-eligible)
packet Not tagged
CIR (Committed Information Rate) 500 Mbps
CBS (Committed Burst Size) 1MB
duration 5 seconds
pattern of the test packet PRBS (Pseudo Random Bit Sequence)
frame-loss ratio 0 %
test Performed for all data-sizes specified in this
document (64, 128, 256, 512, 1024, 1280,
1518, 2000, 9000)
maximum timeout 1 second
result acknowledge timeout 5 seconds
loopback type OAM loopback
Script File System Default Configuration
Table 46: Script File System Default Configuration
Startup configuration name startup_config
Running configuration name running_config
Page 24

SFTP Client Default Configuration
Table 47: SFTP Client Default Configuration
SFTP Client Enabled
Port number 22
SNMP Default Configuration
Table 48: SNMP Default Configuration
SNMP Engine ID 00 00 02 DB 03 [MAC ADDR] 00 00.
SNMP contact Empty (null).
System name The default value is the devices model name
Location Empty (null)
SNMP agent Disabled
UDP port 161
SNMP user Not configured
Retry inform operation 3 times
Inform operation timeout 30 seconds
SNMP notification log Disabled
SSH Default Configuration
Table 49: SSH Default Configuration
SSH Disabled
Page 25

STP Configuration Default Configuration
Table 50: STP Default Configuration
Spanning Tree protocol Disabled
Protocol specification ieee8021d
STP Bridge Priority 32768
STP Hello-time 2 seconds
STP Forward-delay 15 seconds
STP Maximum Aging Time 20 seconds
STP Interface Path-cost 10
STP Interface Priority 128
STP Topology Change Detection on Interface Enabled
STP IGMP Fast Recovery Disabled
Debug Spanning Tree Protocol (STP) Disabled
Super VLAN Default Configuration
Table 51: Super VLAN Default Configuration
Super VLAN Disabled
Residential user Disabled
TACACS+ Default Configuration
Table 52: TACACS+ Default Configuration
TACACS+ Disabled
TCP port 49
TACACS+server timeout 15 seconds
IP stack Selects the source IP address
Page 26

Telnet Default Configuration
Table 53: Telnet Default Configuration
Telnet server Enabled
TCP Telnet session port number 23
Timeout value 10 minutes
TLS Default Configuration
Table 54: TLS Default Configuration
Transparent LAN Services (TLS) Disabled
TLS port Residential port
EtherType 0x8100
IEEE control packets tunneling Disabled
Traffic Monitoring Default Configuration
Table 55: Traffic Monitoring Default Configuration
Monitor Session Disabled
User Privilege Levels Default Configuration
Table 56: User Privilege Level Default Configuration
User privilege level for local users Administrator (0)
User privilege level for RADIUS users Guest (15)
Page 27

VLAN Default Configuration
Table 57: VLAN Default Configuration
All ports VLAN VLAN 1
PVID of all ports VLAN 1
VLAN management Enabled
Filter transmitted ARP Disabled
VTY Default Configuration
Table 58: VTY Default Configuration
Terminal length 25 lines.
The MOTD and login banners Not configured
Default host-name T-Marc
Advanced VTY mode Disabled
Zero-touch Default Configuration
Table 59: Zero-touch Configuration Default Configuration
Zero Touch Configuration Disabled
TFTP IP address 0.0.0.0
Configuration file Not saved to NVRAM
Number of retries 3 times
The time interval between each retry 64 seconds
Page 28

1588v2 PTP Default Configuration
Table 60: 1588v2 PTP Default Configuration
PTP Disabled
PTP mode Slave
PTP primary priority (priority1) 255
PTP secondary priority (priority2) 255
Domain number 0
Announce interval 16 seconds
Synchronization interval 4 seconds
Static master address (none)
PTP per interface Disabled
Announce-receipt timeout intervals 3
Synchronization-receipt timeout intervals 3

Page 1
Appendix C: Acronyms Glossary (Rev. 03)
Appendix C: Acronyms Glossary
This appendix provides a detailed list of the acronyms used in the T-Marc 300 Series User Guide
and their meaning.

Acronym Meaning
AAA Authentication, Authorization and Accounting
ACL Access Control List
ACG Access Control Group
ARP Address Resolution Protocol
BID Bridge ID
BiST Built-in Self Test
BP Boundary Port
BPDU Bridge Protocol Data Units
CBS Committed Burst Size
CCM Continuity Check Message
CCS Common Channel Signaling
CFM Connectivity Fault Management
CIR Committed Information Rate
CIST Common and Internal Spanning Tree
CLI Command Line Interface
CPE Customer Premise Equipment
CPU Central Processing Unit
CoS Class of Service
CRC Cyclical Redundancy Checking
CST Common Spanning Tree
C-VLAN Customer VLAN
DEI Data Exchange Interface
DLC Data-Link Control
DNS Domain Name System
DoS Denial of Service
DoSAP Domain Service Access Point
DRARP Dynamic RARP
DSA Digital Signature Algorithm
DSCP Differentiated Services Code Point
Page 2

Acronym Meaning
DSS Digital Signature Standard
DST Daylight Saving Time
DTE Data Terminating Entity
EAP Extensible Authentication Protocol
EAPOL EAP encapsulation over LAN
EBS Excess Burst Size
ECN Explicit Congestion Notification
EFM-OAM Ethernet in the First Mile-Operations, Administration, and
Maintenance standards as defined by IEEE 802.3ah/D3.0.
EVC Ethernet Virtual Connection
FC Forwarding Class
FS File System
IP Internet Protocol
IST Internal Spanning Tree
ISAP Intermediate Service Access Point
LACP Link Aggregation Control Protocol
LAG Link Aggregation Group
LAN Local Area Network
LBM Loopback message
LBR Loopback Reply
LLDP Link Layer Discovery Protocol
LLDPDU LLDP Data Units
LSL Logical Service Loopback
LTM Linktrace Message
LTR Linktrace Reply
MA Maintenance Association
MAID Maintenance Association Identifier
MAC Media Access Control
MCID MST Configuration Identifier
MDI Medium-Dependant Interface
MEP Maintenance Association End Points
MEPID Maintenance association End Point Identifier
MIB Management information Base
MIP Maintenance Intermediate Points
MOTD Message-of-the-day
MSTI Multiple Spanning Tree Instance
NAS Network Access Server
Page 3

Acronym Meaning
NTP Network Time Protocol
OAM Operations, Administration and Maintenance
OAMPDU OAM protocol data units.
PDU Protocol Data Unit
PING Packet Internet Groper
PRBS Pseudo Random Bit Sequence
PVID Port VLAN Identifier
QoS Quality of Service
RADIUS Remote Authentication Dial In User Service
RARP Reverse Address Resolution Protocol
RFC Request For Comments
RMON Remote Monitoring.
RSTP Rapid STP
RTR Response Time Reporter
SAA Service Assurance Agent
SAP Service Access Point
SDP Service Distribution Point
SFD Start of Frame Delimiter.
SFP Small Form-factor Pluggable
SLA Service Level Agreement
SLO Service Level Objectives
SNMP Simple Network Management Protocol
SSH Secure Shell
SST Bridge Single Spanning Tree Bridge
STP Spanning Tree Protocol
TACACS+ Terminal Access Controller Access Control System Plus
TC Topology Change
TCP Transmission Control Protocol
TCN TC Notification
TIME Time synchronization clients
TLS Transparent LAN Service
TLV Type Length Value
TTL Time-to-Live
UDP User Datagram Protocol
USM User-based Security Model
VACM View-based Access Control Model
VID VLAN Identifier
Page 4

Acronym Meaning
VLAN Virtual LAN
VPT VLAN Priority Tag
VTP VLAN Priority Tag
VTY Virtual Telnet Type
WAN World Area Network
WRED Weighted Random Early Detection
WRR Weighted Round Robin

T-Marc 300 Series v10.1.Rx User Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

T-Marc 300 Series v10.1.Rx User Guide

Uploaded by

Copyright:

Available Formats

T-Marc 300 Series

(T-Marc 340 and T-Marc 380)

Super VLAN Por t s = 1/ 2/ 7 ( act i ve) , 1/ 2/ 8

SpanI gmpFast Recover y = enabl ed

01/ 01/ 21 128 Root f r wr d 200000 0 04096. 00A012170100 128. 002

| AG07 | Resi dent i al |

1/ 2/ 8 | Act i ve | Unknown | Unknown | Unknown | Li nk- Down

1/ 2/ 8 | Di sabl ed | Unknown | Unknown | Unknown | Unknown

1/ 2/ 8 | Act i ve | Unknown | Unknown | UU/ SS/ PP| Unknown

1/ 2/ 8 | Di sabl ed | Unknown | Unknown | UU/ SS/ PP| Unknown

T-Marc 300 Series User Guide

You might also like