Operation Manual

Installation and
ETS-1-10G-A
Ethernet Aggregation Switches
Version 5.5.4.2
© 2019–2020 RAD Data Communications Ltd.
This manual contains information that is proprietary to RAD Data Communications Ltd. ("RAD"). No part
of this publication may be reproduced in any form whatsoever without prior written approval by RAD
Data Communications.
Right, title and interest, all information, copyrights, patents, know-how, trade secrets, and other
intellectual property or other proprietary rights relating to this manual and to the ETS-1-10G-A and any
software components contained therein are proprietary products of RAD protected under international
copyright law and shall be and remain solely with RAD.
The ETS-1-10G-A product name is owned by RAD. No right, license, or interest to such trademark is
granted hereunder, and you agree that no such right, license, or interest shall be asserted by you with
respect to such trademark. RAD products/technologies are protected by registered patents. To review
specifically which product is covered by which patent, please see ipr.rad.com. The RAD name, logo,
logotype, and the product names Airmux, IPmux, MiNID, MiCLK, Optimux, and SecFlow are registered
trademarks of RAD Data Communications Ltd. All other trademarks are the property of their respective
holders.
You shall not copy, reverse compile, or reverse assemble all or any portion of the Manual or the ETS-1-
10G-A. You are prohibited from, and shall not, directly or indirectly, develop, market, distribute, license,
or sell any product that supports substantially similar functionality as the ETS-1-10G-A, based on or
derived in any way from the ETS-1-10G-A. Your undertaking in this paragraph shall survive the
termination of this Agreement.
This Agreement is effective upon your opening of the ETS-1-10G-A package and shall continue until
terminated. RAD may terminate this Agreement upon the breach by you of any term hereof. Upon such
termination by RAD, you agree to return to RAD the ETS-1-10G-A and all copies and portions thereof.

Contact Information
For further information, contact RAD at the address below, or contact your local business partner.
International Headquarters North American Headquarters
24 Raoul Wallenberg St., Tel Aviv 6971923, Israel 900 Corporate Drive, Mahwah, NJ 07430, USA
Tel 972-3-6458181 | Fax 972-3-7604732 Tel 201-529-1100 | Toll Free: 800-444-7234 | Fax: 201-529-5777
Email [email protected] Email [email protected]
www.rad.com | radcare-online.rad.com
Publication No. 751-207-06/20
Limited Warranty
RAD warrants to DISTRIBUTOR that the hardware in the ETS-1-10G-A to be delivered hereunder shall be
free of defects in material and workmanship under normal use and service for a period of twelve (12)
months following the date of shipment to DISTRIBUTOR.
If, during the warranty period, any component part of the equipment becomes defective by reason of
material or workmanship, and DISTRIBUTOR immediately notifies RAD of such defect, RAD shall have the
option to choose the appropriate corrective action: a) supply a replacement part, or b) request return of
equipment to its plant for repair, or c) perform necessary repair at the equipment's location. In the
event that RAD requests the return of equipment, each party shall pay one-way shipping costs.
RAD shall be released from all obligations under its warranty in the event that the equipment has been
subjected to misuse, neglect, accident, or improper installation, or if repairs or modifications were made
by persons other than RAD's own authorized service personnel, unless such repairs by others were made
with the written consent of RAD.
The above warranty is in lieu of all other warranties, expressed or implied. There are no warranties
which extend beyond the face hereof, including, but not limited to, warranties of merchantability and
fitness for a particular purpose, and in no event shall RAD be liable for consequential damages.
RAD shall not be liable to any person for any special or indirect damages, including, but not limited to,
lost profits from any cause whatsoever arising from or in any way connected with the manufacture, sale,
handling, repair, maintenance, or use of the ETS-1-10G-A, and in no event shall RAD's liability exceed the
purchase price of the ETS-1-10G-A.
DISTRIBUTOR shall be responsible to its customers for any and all warranties which it makes relating to
ETS-1-10G-A and for ensuring that replacements and other adjustments required in connection with the
said warranties are satisfactory.
Software components in the ETS-1-10G-A are provided "as is" and without warranty of any kind. RAD
disclaims all warranties including the implied warranties of merchantability and fitness for a particular
purpose. RAD shall not be liable for any loss of use, interruption of business, or indirect, special,
incidental or consequential damages of any kind. In spite of the above, RAD shall do its best to provide
error-free software products and shall offer free Software updates during the warranty period under
this Agreement.
RAD's cumulative liability to you or any other party for any loss or damages resulting from any claims,
demands, or actions arising out of or relating to this Agreement and the ETS-1-10G-A shall not exceed
the sum paid to RAD for the purchase of the ETS-1-10G-A. In no event shall RAD be liable for any
indirect, incidental, consequential, special, or exemplary damages or lost profits, even if RAD has been
advised of the possibility of such damages.
This Agreement shall be construed and governed in accordance with the laws of the State of Israel.
Safety and Disposal (English)
General Safety Instructions
The following instructions serve as a general guide for the safe installation and operation of
telecommunications products. Additional instructions, if applicable, are included inside the manual.

Safety Symbols
This symbol may appear on the equipment or in the text. It indicates
potential safety hazards regarding product operation or maintenance to
operator or service personnel.
Warning

Danger of electric shock! Avoid any contact with the marked surface while
the product is energized or connected to outdoor telecommunication lines.

Protective ground: the marked lug or terminal should be connected to the

building protective ground bus.

Some products may be equipped with a laser diode. In such cases, a label
with the laser class and other warnings as applicable is attached near the
optical transmitter. The laser warning symbol may be also attached.
Please observe the following precautions:
• Before turning on the equipment, make sure that the fiber-optic cable is
intact and is connected to the transmitter.
• Do not attempt to adjust the laser drive current.
• Do not use broken or unterminated fiber-optic cables/connectors or look
straight at the laser beam.
• The use of optical devices with the equipment increases eye hazard.
• Use of controls, adjustments, or performing procedures other than those
specified herein may result in hazardous radiation exposure.
ATTENTION: The laser beam may be invisible!
ETS-1-10G-A Safety and Disposal (English) 5

In some cases, the users may insert their own SFP laser transceivers into the product. Users are alerted
that RAD cannot be held responsible for any damage that may result if non-compliant transceivers are
used. In particular, users are warned to use only agency approved products that comply with the local
laser safety regulations for Class 1 laser products.

Always observe standard safety precautions during installation, operation, and maintenance of this
product. Only qualified and authorized service personnel should carry out adjustment, maintenance or
repairs to this product. No installation, adjustment, maintenance, or repairs should be performed by
either the operator or the user.

Handling Energized Products

General Safety Practices
Do not touch or tamper with the power supply when the power cord is connected. Line voltages may be
present inside certain products even when the power switch (if installed) is in the OFF position or a fuse
is blown. For DC-powered products, although the voltages levels are usually not hazardous, energy
hazards may still exist.

Before working on equipment connected to power lines or telecommunication lines, remove jewelry or
any other metallic object that may come into contact with energized parts.

Unless otherwise specified, all products are intended to be grounded during normal use. Grounding is
provided by connecting the mains plug to a wall socket with a protective ground terminal. If a ground
lug is provided on the product, it should be connected to the protective ground at all times, by a wire of
diameter 18 AWG or wider. Rack-mounted equipment should be mounted only in grounded racks and
cabinets.

Always make the ground connection first and disconnect it last. Do not connect telecommunication
cables to ungrounded equipment. Make sure that all other cables are disconnected before
disconnecting the ground.

Some products may have panels secured by thumbscrews with a slotted head. These panels may cover
hazardous circuits or parts, such as power supplies. These thumbscrews should therefore always be
tightened securely with a screwdriver after both initial installation and subsequent access to the panels.

Connecting AC Mains
Make sure that the electrical installation complies with local codes.

Always connect the AC plug to a wall socket with a protective ground.

ETS-1-10G-A Safety and Disposal (English) 6

The maximum permissible current capability of the branch distribution circuit that supplies power to the
product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have
high breaking capacity and must operate at short-circuit current exceeding 35A (40A for USA and
Canada).

Always connect the power cord first to the equipment and then to the wall socket. If a power switch is
provided in the equipment, set it to the OFF position. If the power cord cannot be readily disconnected
in case of emergency, make sure that a readily accessible circuit breaker or emergency switch is installed
in the building installation.

In cases when the power distribution system is IT type, the switch must disconnect both poles
simultaneously.

Connecting DC Power
Unless otherwise specified in the manual, the DC input to the equipment is floating in reference to the
ground. Any single pole can be externally grounded.

Due to the high current capability of DC power systems, care should be taken when connecting the DC
supply to avoid short-circuits and fire hazards.

Make sure that the DC power supply is electrically isolated from any AC source and that the installation
complies with the local codes.

The maximum permissible current capability of the branch distribution circuit that supplies power to the
product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have
high breaking capacity and must operate at short-circuit current exceeding 35A (40A for USA and
Canada).

Before connecting the DC supply wires, ensure that power is removed from the DC circuit. Locate the
circuit breaker of the panel board that services the equipment and switch it to the OFF position. When
connecting the DC supply wires, first connect the ground wire to the corresponding terminal, then the
positive pole, and last the negative pole. Switch the circuit breaker back to the ON position.

A readily accessible disconnect device that is suitably rated and approved should be incorporated in the
building installation.

If the DC power supply is floating, the switch must disconnect both poles simultaneously.

Connecting Data and Telecommunication Cables

Data and telecommunication interfaces are classified according to their safety status.
ETS-1-10G-A Safety and Disposal (English) 7

The following table lists the status of several standard interfaces. If the status of a given port differs
from the standard one, a notice is given in the manual.
Ports Safety Status

V.11, V.28, V.35, V.36, RS-530, X.21, SELV: Safety Extra Low Voltage:
10BaseT, 100BaseT, 1000BaseT, • Ports which do not present a safety hazard. Usually up to 30 VAC
Unbalanced E1, E2, E3, STM, DS-2, DS-3, or 60 VDC.
S-Interface ISDN, Analog voice E&M
xDSL (without feeding voltage), TNV-1: Telecommunication Network Voltage-1:
Balanced E1, T1, Sub E1/T1, POE • Ports whose normal operating voltage is within the limits of SELV,
on which overvoltages from telecommunications networks are
possible.
FXS (Foreign Exchange Subscriber) TNV-2: Telecommunication Network Voltage-2:
• Ports whose normal operating voltage exceeds the limits of SELV
(usually up to 120 VDC or telephone ringing voltages), on which
overvoltages from telecommunication networks are not possible.
• These ports are not permitted to be directly connected to
external telephone and data lines.
FXO (Foreign Exchange Office), xDSL TNV-3: Telecommunication Network Voltage-3:
(with feeding voltage), U-Interface ISDN • Ports whose normal operating voltage exceeds the limits of SELV
(usually up to 120 VDC or telephone ringing voltages), on which
overvoltages from telecommunication networks are possible.

Always connect a given port to a port of the same safety status. If in doubt, seek the assistance of a
qualified safety engineer.

Always make sure that the equipment is grounded before connecting telecommunication cables. Do not
disconnect the ground connection before disconnecting all telecommunication cables.

Some SELV and non-SELV circuits use the same connectors. Use caution when connecting cables. Extra
caution should be exercised during thunderstorms.

When using shielded or coaxial cables, verify that there is a good ground connection at both ends. The
grounding and bonding of the ground connections should comply with the local codes.

The telecommunication wiring in the building may be damaged or present a fire hazard in case of
contact between exposed external wires and the AC power lines. In order to reduce the risk, there are
restrictions on the diameter of wires in the telecom cables, between the equipment and the mating
connectors.
ETS-1-10G-A Safety and Disposal (English) 8

To reduce the risk of fire, use only No. 26 AWG or larger telecommunication
line cords.

Warning

Some ports are suitable for connection to intra-building or non-exposed wiring or cabling only. In such
cases, a notice is given in the installation instructions.

Do not attempt to tamper with any carrier-provided equipment or connection hardware.

Electromagnetic Compatibility (EMC)

The equipment is designed and approved to comply with the electromagnetic regulations of major
regulatory bodies. The following instructions may enhance the performance of the equipment and
provide better protection against excessive emission and better immunity against disturbances.

A good ground connection is essential. When installing the equipment in a rack, make sure to remove all
traces of paint from the mounting points. Use suitable lock-washers and torque. If an external grounding
lug is provided, connect it to the ground bus using braided wire as short as possible.

The equipment is designed to comply with EMC requirements when connecting it with unshielded
twisted pair (UTP) cables with the exception of 1000BaseT ports that must always use shielded twisted
pair cables of good quality (CAT 5E or higher). However, the use of shielded wires is always
recommended, especially for high-rate data. In some cases, when unshielded wires are used, ferrite
cores should be installed on certain cables. In such cases, special instructions are provided in the
manual.

Disconnect all wires which are not in permanent use, such as cables used for one-time configuration.

The compliance of the equipment with the regulations for conducted emission on the data lines is
dependent on the cable quality. The emission is tested for UTP with 80 dB longitudinal conversion loss
(LCL).

Unless otherwise specified or described in the manual, TNV-1 and TNV-3 ports provide secondary
protection against surges on the data lines. Primary protectors should be provided in the building
installation.

The equipment is designed to provide adequate protection against electrostatic discharge (ESD).
However, it is good working practice to use caution when connecting cables terminated with plastic
connectors (without a grounded metal hood, such as flat cables) to sensitive data lines. Before
connecting such cables, discharge yourself by touching ground or wear an ESD preventive wrist strap.
ETS-1-10G-A Safety and Disposal (English) 9

FCC-15 User Information

This equipment has been tested and found to comply with the limits of the Class A digital device,
pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against
harmful interference when the equipment is operated in a commercial environment. This equipment
generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with
the Installation and Operation Manual, may cause harmful interference to the radio communications.
Operation of this equipment in a residential area is likely to cause harmful interference, in which case
the user will be required to correct the interference at his own expense.

Canadian Emission Requirements

This Class A digital apparatus meets all the requirements of the Canadian Interference-Causing
Equipment Regulations.

Warning per EN 55032 (CISPR 32)

This equipment is compliant with Class A of CISPR 32. In a residential
environment, this equipment may cause radio interference.

Warning

Product Disposal
To facilitate the reuse, recycling and other forms of recovery of waste
equipment in protecting the environment, the owner of this RAD product is
required to refrain from disposing of this product as unsorted municipal
waste at the end of its life cycle. Upon termination of the unit’s use,
customers should provide for its collection for reuse, recycling, or other form
of environmentally conscientious disposal.
Sécurité et élimination (français)
Instructions générales de sécurité
Les instructions suivantes servent de guide général d'installation et d'opération sécurisées des produits
de télécommunications. Des instructions supplémentaires sont éventuellement indiquées dans le
manuel.

Symboles de sécurité
Ce symbole peut apparaitre sur l'équipement ou dans le texte. Il indique des
risques potentiels de sécurité pour l'opérateur ou le personnel de service,
quant à l’utilisation du produit ou à sa maintenance.
Avertissement

Danger de choc électrique ! Evitez tout contact avec la surface marquée tant
que le produit est sous tension ou connecté à des lignes externes de
télécommunications.

Mise à la terre de protection : la cosse ou la borne marquée devrait être

connectée à la prise de terre de protection du bâtiment.
ETS-1-10G-A Sécurité et élimination (français) 11

Certains produits peuvent être équipés d'une diode laser. Dans de tels cas,
une étiquette indiquant la classe laser (ainsi que d'autres avertissements le
cas échéant) sera jointe près du transmetteur optique. Le symbole
d'avertissement laser peut aussi être joint.
Veuillez observer les précautions suivantes :
• Avant la mise en marche de l'équipement, assurez-vous que le câble de
fibre optique est intact et qu'il est connecté au transmetteur.
• Ne tentez pas d'ajuster le courant de la commande laser.
• N'utilisez pas des câbles ou connecteurs de fibre optique cassés ou sans
terminaison et n'observez pas directement un rayon laser.
• L'usage de périphériques optiques avec l'équipement augmentera le
risque pour les yeux.
• L'usage de contrôles, ajustages ou procédures autres que celles
spécifiées ici pourrait résulter en une dangereuse exposition aux
radiations.
ATTENTION : Le rayon laser peut être invisible !

Les utilisateurs pourront, dans certains cas, insérer leurs propres émetteurs-récepteurs Laser SFP dans le
produit. Les utilisateurs sont avertis que RAD ne pourra pas être tenue responsable de tout dommage
pouvant résulter de l'utilisation d'émetteurs-récepteurs non conformes. Plus particulièrement, les
utilisateurs sont avertis de n'utiliser que des produits approuvés par l'agence et conformes à la
réglementation locale de sécurité laser pour les produits laser de classe 1.

Respectez toujours les précautions standards de sécurité durant l'installation, l'opération et la

maintenance de ce produit. Seul le personnel de service qualifié et autorisé devrait effectuer l'ajustage,
la maintenance ou les réparations de ce produit. Aucune opération d'installation, d'ajustage, de
maintenance ou de réparation ne devrait être effectuée par l'opérateur ou l'utilisateur.

Manipuler des produits sous tension

Règles générales de sécurité
Ne pas toucher ou altérer l'alimentation en courant lorsque le câble d'alimentation est branché. Des
tensions de lignes peuvent être présentes dans certains produits, même lorsque le commutateur (s'il est
installé) est en position OFF ou si le fusible est rompu. Pour les produits alimentés par CC, les niveaux de
tension ne sont généralement pas dangereux mais des risques de courant peuvent toujours exister.

Avant de travailler sur un équipement connecté aux lignes de tension ou de télécommunications, retirez
vos bijoux ou tout autre objet métallique pouvant venir en contact avec les pièces sous tension.
ETS-1-10G-A Sécurité et élimination (français) 12

Sauf s'il en est autrement indiqué, tous les produits sont destinés à être mis à la terre durant l'usage
normal. La mise à la terre est fournie par la connexion de la fiche principale à une prise murale équipée
d'une borne protectrice de mise à la terre. Si une cosse de mise à la terre est fournie avec le produit, elle
devrait être connectée à tout moment à une mise à la terre de protection par un conducteur de
diamètre 18 AWG ou plus. L'équipement monté en châssis ne devrait être monté que sur des châssis et
dans des armoires mises à la terre.

Branchez toujours la mise à la terre en premier et débranchez-la en dernier. Ne branchez pas des câbles
de télécommunications à un équipement qui n'est pas mis à la terre. Assurez-vous que tous les autres
câbles sont débranchés avant de déconnecter la mise à la terre.

Certains produits peuvent avoir des panneaux sécurisés par des vis papillons avec une tête fendue. Ces
panneaux peuvent couvrir des circuits ou des composants dangereux, tels que les alimentations
électriques. Ces vis papillons devront par conséquent être solidement serrées avec un tournevis après
chaque installation initiale et chaque accès ultérieur aux panneaux.

Connexion au courant du secteur

Assurez-vous que l'installation électrique est conforme à la réglementation locale.

Branchez toujours la fiche de secteur à une prise murale équipée d'une borne protectrice de mise à la
terre.

La capacité maximale permissible en courant du circuit de distribution de la connexion alimentant le

produit est de 16A (20A aux Etats-Unis et Canada). Le coupe-circuit dans l'installation du bâtiment
devrait avoir une capacité élevée de rupture et devrait fonctionner sur courant de court-circuit
dépassant 35A (40A aux Etats-Unis et Canada).

Branchez toujours le câble d'alimentation en premier à l'équipement puis à la prise murale. Si un

commutateur est fourni avec l'équipement, fixez-le en position OFF. Si le câble d'alimentation ne peut
pas être facilement débranché en cas d'urgence, assurez-vous qu'un coupe-circuit ou un disjoncteur
d'urgence facilement accessible est installé dans le bâtiment.

Le disjoncteur devrait déconnecter simultanément les deux pôles si le système de distribution de

courant est de type IT.

Connexion d'alimentation CC
Sauf s'il en est autrement spécifié dans le manuel, l'entrée CC de l'équipement est flottante par rapport
à la mise à la terre. Tout pôle doit être mis à la terre en externe.

A cause de la capacité de courant des systèmes à alimentation CC, des précautions devraient être prises
lors de la connexion de l'alimentation CC pour éviter des courts-circuits et des risques d'incendie.
ETS-1-10G-A Sécurité et élimination (français) 13

Assurez-vous que l'alimentation CC est isolée de toute source de courant CA (secteur) et que
l'installation est conforme à la réglementation locale.

La capacité maximale permissible en courant du circuit de distribution de la connexion alimentant le

produit est de 16A (20A aux Etats-Unis et Canada). Le coupe-circuit dans l'installation du bâtiment
devrait avoir une capacité élevée de rupture et devrait fonctionner sur courant de court-circuit
dépassant 35A (40A aux Etats-Unis et Canada).

Avant la connexion des câbles d'alimentation en courant CC, assurez-vous que le circuit CC n'est pas
sous tension. Localisez le coupe-circuit dans le tableau desservant l'équipement et fixez-le en position
OFF. Lors de la connexion de câbles d'alimentation CC, connectez d'abord le conducteur de mise à la
terre à la borne correspondante, puis le pôle positif et en dernier, le pôle négatif. Remettez le coupe-
circuit en position ON.

Un disjoncteur facilement accessible, adapté et approuvé devrait être intégré à l'installation du

bâtiment.

Le disjoncteur devrait déconnecter simultanément les deux pôles si l'alimentation en courant CC est
flottante.

Connexion de câbles de données et de télécommunications

Les interfaces de données et de télécommunications sont classées selon leur niveau de sécurité.

Le tableau suivant liste les statuts de plusieurs interfaces standards. Si le statut d’un port donné diffère
d’un standard, une notification sera fournie dans le manuel.
Ports Niveau de sécurité

V.11, V.28, V.35, V.36, RS-530, X.21, TBTS (Très Basse Tension de Sécurité):
10BaseT, 100BaseT, 1000BaseT, • Ports qui ne présentent pas un danger pour la sécurité.
Unbalanced E1, E2, E3, STM, DS-2, DS-3, Généralement jusqu’à 30 VAC (courant alternatif) ou 60 VDC
S-Interface ISDN (RNIS), Voix analogique (courant continu).
E&M
xDSL (sans tension d’alimentation), TNV-1 (Tension de Réseau de Télécommunications-1):
Balanced E1, T1, Sub E1/T1, POE • Ports dont la tension de fonctionnement normal est comprise
dans les limites des interfaces SELV (TBTS), sur lesquelles des
surtensions provenant des réseaux de télécommunications sont
possibles.
ETS-1-10G-A Sécurité et élimination (français) 14

Ports Niveau de sécurité

FXS (Foreign Exchange Subscriber) TNV-2 (Tension de Réseau de Télécommunications-2):

• Ports dont la tension de fonctionnement normal excède les
limites des interfaces SELV (TBTS) – habituellement jusqu’à 120
VDC (courant continu) ou tensions de sonnerie téléphonique –
sur lesquelles des surtensions provenant des réseaux de
télécommunications ne sont pas possibles.
• Ces ports ne sont pas autorisés à être directement connectés à
des lignes téléphoniques ou de données externes.
FXO (Foreign Exchange Office), xDSL TNV-3 (Tension de Réseau de Télécommunications-3):
(avec tension d’alimentation), • Ports dont la tension de fonctionnement normal excède les
U-Interface ISDN (RNIS) limites des interfaces SELV (TBTS) – habituellement jusqu’à 120
VDC (courant continu) ou tensions de sonnerie téléphonique –
sur lesquelles des surtensions provenant des réseaux de
télécommunications sont possibles.

Toujours connecter un port donné à un port de même niveau de sécurité. En cas de doute, solliciter
l’assistance d’un ingénieur de sécurité qualifié.

Toujours s’assurer que l’équipement est relié à la terre avant de connecter des câbles de
télécommunications. Ne pas déconnecter la connexion à la terre avant la déconnexion de tous les câbles
de télécommunications.

Certains circuits SELV et non-SELV utilisent les memes connecteurs. Soyez prudents lors de la connexion
des câbles. Une extrême prudence est requise en cas d’orages.

En cas d’utilisation de cables blindés ou coaxiaux, vérifier qu’il y a bien une connexion à la terre aux deux
extrémités. Le raccordement à la terre et la liaison à la prise de terre doivent être conformes à la
réglementation locale.

Il se peut que le câblage de télécommunications dans le bâtiment soit endommagé ou présente un

danger d’incendie en cas de contact entre des câbles externes dénudés et les lignes électriques AC
(courant alternatif). Afin de réduire le risque, il y a une limitation du diamètre des fils dans les câbles de
télécommunications, entre l’équipement et les connecteurs homologues.
Pour réduire les risques d’incendie, utiliser seulement des cordons de
télécommunications 26 AWG ou de section supérieure.

Avertissement
ETS-1-10G-A Sécurité et élimination (français) 15

Certains ports sont uniquement adaptés à une connexion à un câblage interne ou à un câblage non
exposé. Dans ce cas, une notification sera fournie dans les instructions d’installation.

Ne pas tenter de démonter l’équipement ou le matériel de connexion.

Compatibilité Electromagnétique (CEM)

L'équipement est conçu et approuvé pour se conformer aux réglementations électromagnétiques des
principaux organismes de réglementation. Les instructions suivantes peuvent améliorer les
performances de l'équipement et fournir une meilleure protection contre les émissions excessives et
une meilleure immunité contre les perturbations.

Une bonne connexion à la terre est essentielle. Lors de l'installation de l'équipement dans un rack,
veillez à éliminer toute trace de peinture des points de montage. Utilisez des rondelles de blocage et un
couple appropriés. Si une cosse de mise à la terre externe est fournie, connectez-la au bus de terre à
l'aide d'un fil tressé aussi court que possible.

L’équipement est conçu pour répondre aux exigences CEM lors de la connexion avec des câbles à paires
torsadées non blindées (UTP), à l’exception des ports 1000BaseT, qui doivent toujours utiliser des câbles
à paires torsadées blindés de bonne qualité (CAT 5E ou supérieure). Cependant, l'utilisation de câbles
blindés est toujours recommandée, en particulier pour les données à haut débit. Dans certains cas,
lorsque des câbles non blindés sont utilisés, des noyaux en ferrite doivent être installés sur certains
câbles. Dans ce cas, des instructions spéciales sont fournies dans le manuel.

Débranchez tous les câbles qui ne sont pas utilisés de manière permanente, tels que les câbles utilisés
pour une configuration unique.

La conformité de l'équipement à la réglementation en matière d'émission conduite sur les lignes de

données dépend de la qualité du câble. L'émission est testée pour des câbles UTP avec un
affaiblissement de conversion longitudinale (LCL) de 80 dB.

Sauf indication contraire ou décrite dans le manuel, les ports TNV-1 et TNV-3 offrent une protection
secondaire contre les surtensions sur les lignes de données. Des protections primaires doivent être
fournies dans l’installation du bâtiment.

L'équipement est conçu pour fournir une protection adéquate contre les décharges électrostatiques
(DES). Toutefois, il est recommandé de faire preuve de prudence lors du raccordement de câbles munis
de connecteurs en plastique (sans capot métallique mis à la terre, tels que des câbles plats) sur des
lignes de données sensibles. Avant de connecter ces câbles, déchargez-vous en touchant le sol ou portez
un bracelet antistatique.
ETS-1-10G-A Sécurité et élimination (français) 16

FCC-15 Information Utilisateur

Cet équipement a été testé et déclaré conforme aux limites d’un appareil numérique de classe A,
définies à la section 15 du règlement de la FCC. Ces limites sont conçues pour fournir une protection
raisonnable contre les interférences nuisibles lorsque l'équipement est utilisé dans un environnement
commercial. Cet équipement génère, utilise et peut émettre de l'énergie de fréquence radio, s'il n'est
pas installé et utilisé conformément au Manuel d'Installation et d'Utilisation, il peut provoquer des
interférences nuisibles aux communications radio. L'utilisation de cet équipement dans une zone
résidentielle est susceptible de provoquer des interférences nuisibles, dans ce cas, l'utilisateur sera tenu
de corriger les interférences à ses frais.

Exigences d’émissions canadiennes

Cet appareil numérique de Classe A répond a toutes les exigences de la réglementation canadienne sur
les équipements causant des interférences.

Avertissement: EN 55032 (CISPR 32)

Cet appareil est conforme a la Classe A de la CISPR 32. Dans un
environnement résidentiel, il peut provoquer des interférences radio.

Avertissement

Élimination du produit
Afin de faciliter la réutilisation, le recyclage ainsi que d'autres formes de
récupération d'équipement mis au rebut dans le cadre de la protection de
l'environnement, il est demandé au propriétaire de ce produit RAD de ne pas
mettre ce dernier au rebut en tant que déchet municipal non trié, une fois
que le produit est arrivé en fin de cycle de vie. Le client devrait proposer des
solutions de réutilisation, de recyclage ou toute autre forme de mise au
rebut de cette unité dans un esprit de protection de l'environnement,
lorsqu'il aura fini de l'utiliser.
Sicherheit und Entsorgung (Deutsch)
Allgemeine Sicherheitsanleitung
Die folgenden Anleitungen dienen als allgemeiner Leitfaden für die sichere Installation und Bedienung
von Telekommunikationsprodukten. Zusätzliche Anleitungen sind im Nutzerhandbuch vorhanden.

Sicherheitssymbole
Dieses Symbol kann auf ihren Geraeten oder im Text auftauchen. Es weist
den Nutzer oder das Servicepersonal auf möglche Gefahren bei der
Bedienung der Geräte hin.
Achtung

Gefahr eines elektrischen Schlages! Vermeiden Sie jeglichen Kontakt mit der
gekennzeichneten Oberfläche während das Gerät unter Spannung steht
oder an auβenliegende Telekommunikationsleitungen angeschlossen ist.

Schutzerdung: Die gekennzeichnete Mutter oder das Terminal müssen an

den Anschluss der Haupterdung des Gebäudes angeschlossen sein.
ETS-1-10G-A Sicherheit und Entsorgung (Deutsch) 18

Einige Produkte können mit einer Laserdiode ausgestattet sein. In solchen

Fällen muβ ein Aufkleber mit der Laserklasse und entsprechenden
Warnungen neben dem optischen Transmitter angebracht sein. Das
Warnsymbol für Laser kann zusätzlich angebracht sein.
Bitte beachten Se die folgenden Vorsichtsmaβnahmen:
• Vor der Inbetriebnahme des Gerätes, vergewissern Sie sich, daβ das
optische Glasfaserkabel unbeschädigt ist und an den Transmitter
angeschlossen ist.
• Versuchen Sie nicht, den durch den Laser fliessenden Strom zu
regulieren.
• Verwenden Sie keine gebrochenen oder anderweitig unvollständige
Glasfaserkabel oder Stecker. Blicken Sie nicht in den Laserstrahl.
• Die Benutzung optischer Komponenten zusammen mit Ihrem Gerät
erhöhen die Gefahr für Ihre Augen.
• Die Benutzung von Bedienelementen, die Geräteeinstellung oder die
Ausführung von Prozessen, die hier nicht aufgeführt sind, können zu
gefährlicher Strahlung führen.
ACHTUNG: Der Laserstrahl kann unsichtbar sein!

In einigen Fällen werden Nutzer eigene SFP-Lasertransceiver in das Gerät einführen. Nutzer sind darauf
hingewiesen, dass RAD nicht verantwortlich zeichnet für Beschädigungen, die von nicht kompatiblen
Transceivern herrühren. Nutzer seien ferner darauf hingewiesen, daβ ausschlieβlich amtlich zugelassene
Produkte eingesetzt werden sollten, die den ortsüblichen Sicherheitsbestimmungen für Lasergeräte der
Laserklasse 1 entsprechen.

Beachten Sie ferner die üblichen Sicherheitsmaβnahmen während der Installation, des Betriebs, der
Wartung oder der Reparatur des Gerätes. Installationen, Einstellungen und Reparaturen sollten weder
vom Nutzer oder dem zuständigen Operator durchgeführt werden.

Umgang mit Geräten unter Spannung

Grundlegende Sicherheitsmaβnahmen
Berühren oder verändern Sie das Netzteil nicht wenn das Stromkabel angeschlossen ist. Einige Bauteile
im Gerät können auch dann unter Spannung stehen, wenn der Ein/Aus-Schalter auf Aus steht (sofern
vorhanden) oder eine Sicherung defekt ist. Für Produkte, die unter Gleichstromspannung (DC) stehen,
besteht ebenfalls die Gefahr eines elektrischen Schlages, auch wenn die angelegte Spannung in der
Regel nicht gefährlich ist.
ETS-1-10G-A Sicherheit und Entsorgung (Deutsch) 19

Legen Sie Schmuck oder sonstige Metallobjekte ab, bevor Sie mit Geräten arbeiten, die an das Netz oder
Telekommunikationsleitungen angeschlossen sind, um zu verhindern, daβ dies mit spannungsgeladenen
Bauteilen in Berührung kommen.

Falls nicht anders angegeben, sollten alle Produkte bei normalem Gebrauch geerdet werden. Die Erdung
erfolgt durch den Anschlss an eine Steckdose mit Schutzerdung. Wenn das Gerät mit einer
Erdungslasche ausgestattet ist, sollte diese immer an die Schutzerde angeschlossen sein mit einem
Kabel, das einen Durchmesser von mindestens 18 AWG aufweist. Geräte für die Rack-Montage sollten
ausschlieβlich in geerdeten Racks oder Schränken montiert werden.

Schlieβen Sie grundsätzlich zuerst die Schutzerde an und klemmen Sie diese zuletzt ab. Schlieβen Sie
keine Telekommunikationskabel an nicht geerdete Geräte an. Stellen Sie sicher, dass alle anderen Kabel
abgeklemmt sind, bevor Sie die Erdung abklemmen.

Die Frontpanele einiger Geräte sind mit Flügelschrauben mit Schlitz gesichert. Diese Paneele decken
gefährliche Schalkreise oder Teile, wie zum Beispiel Netzteile ab. Diese Flügelschrauben sollten daher
immer mittels eines Schraubenziehers sicher angezogen werden nach der Erstinstallation und jedem
späterem Zugriff auf die Paneele.

Anschluss an eine Wechselstromquelle (AC)

Stellen Sie sicher, daβ die elektrische Installation den örtlichen Bestimmungen entspricht.

Stecken Sie den Stecker immer in eine Steckdose mit Schutzerdung ein.

Der maximal mögliche Stromfluss im Bereich des Verteilerstromkreis, der die Stromversorgung des
Gerätes sicherstellt, ist 16 A (20A in den USA und in Kanada). Der Schutzschalter in der
Gebäudeinstallation muss starke Ströme unterbrechen können und muss den Stromfluss bei 35A (40A in
den USA und Kanada) unterbrechen.

Schlieβen Sie das Netzkabel zuerst an das Gerät und dann an die Steckdose an. Falls ein Ein/Aus-Schalter
zur Verfügung steht, schalten Sie diesen auf AUS (OFF). Falls das Netzkabel im Notfall nicht schnell
herausgezogen werden kann, stellen Sie sicher, daβ ein Schutzschalter oder Notschalter Bestandteil der
elektrischen Installation des Gebäudes ist.

Falls die Stromversorgung über einen IT Netz-Verteiler erfolgt, muss der Schalter die Stromversorgung
zu beiden Polen gleichzeitig unterbrechen.

Anschluss an eine Gleichstromquelle (DC)

Falls im Benutzerhandbuch (Manual) nicht anderweitig beschrieben, schwankt die Gleichstromzufuhr
relativ zur Erdung. Jeder einzelne Pol kann von aussen geerdet werden.
ETS-1-10G-A Sicherheit und Entsorgung (Deutsch) 20

Aufgrund der Fähigkeit, hohe Stromflüsse zu verarbeiten, muss sorgfältig vorgegangen werden beim
Anschluss der Gleichstromquelle, um Kurzschlüsse und Brände zu vermeiden.

Stellen Sie sicher, daβ Gleichstromquellen (DC) von Wechselstromquellen (AC) isoliert sind und daβ die
Installation den örtlichen Richtlinien entspricht.

Der maximal mögliche Stromfluss im Bereich des Verteilerstromkreis, der die Stromversorgung des
Gerätes sicherstellt, ist 16 A (20A in den USA und in Kanada). Der Schutzschalter in der
Gebäudeinstallation muss starke Ströme unterbrechen können und muss den Stromfluss bei 35A (40A in
den USA und Kanada) unterbrechen.

Vor dem Anschluss der Gleichstrom-Speisekabel ist sicher zu stellen, daβ kein Strom über den
Gleichstromkreis flieβt. Finden Sie den Schutzschalter an der Schalttafel, die das Gerät bedient, und
schalten Sie ihn auf AUS (OFF). Wenn Sie die Gleichstrohmdrähte anschlieβen, schliessen Sie zuerst den
Erdungsdraht an das zugehörige Terminal an, dann den Pluspol und zuletzt den Minuspol. Schalten Sie
den Schutzschalter zurück auf AN (ON).

Ein verfügbares nicht angeschlossenes Gerät, das ordnungsgemäβ genehmigt und abgenommen wurde,
sollte in die bestehende Installation eingebaut werden.

Falls die Gleichstromspannung schwankt, muss der Schalter beide Pole gleichzeitig trennen.

Anschluss von Daten- und Telekommunikationskabeln

Daten- und Telekommunikationsschnittstellen sind gemäβ ihrem Sicherheitsstatus klassifiziert.

Verschiedene Standardschnittstellen sind zusammen mit ihrem jeweiligen Sicherheitsstatus in der

folgenden Tabelle aufgeführt. Auf eventuelle Abweichungen vom Standardsicherheitsstatus wird im
Benutzerhandbuch (Manual) gesondert hingewiesen.
Schnittstellen Sicherheitsstatus

V.11, V.28, V.35, V.36, RS-530, X.21, SELV: Besonders niedrige Sicherheitsspannung (Safety Extra Low
10BaseT, 100BaseT, 1000BaseT, Voltage)
Unsymmetrisches E1, E2, E3, STM, DS-2, • Anschlüsse, die kein Sicherheitsrisiko darstellen, normalerweise
DS-3, S-Schnittstelle ISDN bis zu 30 VAC oder 60 VDC
xDSL (ohne Einspeisungsspannung), TNV-1: Telekommunikationsnetzwerkspannung 1
symmetrisches E1, T1, Sub-E1/T1, POE (Telecommunication Network Voltage-1):
• Anschlüsse, deren Betriebsspannung innerhalb der SELV-Limits
liegt und für die eine Überspannung von
Telekommunikationsnetzwerken möglich ist.
ETS-1-10G-A Sicherheit und Entsorgung (Deutsch) 21

Schnittstellen Sicherheitsstatus

FXS (Analoger Endgeräteanschluss) TNV-2: Telekommunikationsnetzwerkspannung 2:

• Anschlüsse, deren normale Betriebsspannung das Limit von SELV
(normalerweise bis zu 120 VDC oder Telefonsignalspannungen)
überschreiten und für die eine Überspannung von
Telekommunikationsnetzwerken nicht möglich sind.
• Solche Anschlüsse dürfen nicht direkt an externe Telefon- und
Datenleitungen angeschlossen werden.
FXO (Analoger Anlagenanschluss), xDSL TNV-3: Telekommunikationsnetzwerkspannung 3:
(mit Einspeisungsspannung), U- • Anschlüsse, deren normale Betriebsspannung das Limit von SELV
Schnittstelle ISDN (normalerweise bis zu 120 VDC oder Telefonsignalspannungen)
überschreiten und für die eine Überspannung von
Telekommunikationsnetzwerken möglich sind

Verbinden Sie Anschlüsse, die denselben Sicherstatus aufweisen. Wenn Sie nicht sicher sind, wenden Sie
sich bitte an einen qualifizierten Sicherheitsingenieur.

Vergewissern Sie sich immer, daβ das Gerät geerdet ist bevor Sie Telekommunikationskabel
anschlieβen. Klemmen Sie die Erdung nie ab, bevor Sie Telekommunikationskabel abklemmen.

Einige SELV und Nicht-SELV-Stromkreise nutzen dieselben Stecker. Seien Sie vorsichtig, wenn Sie Kabel
anschlieβen. Seien Sie besonders vorsichtig während einem Gewitter.

Wenn Sie abgeschirmte -, oder Koaxialkabel nutzen, stellen Sie sicher, daβ diese an beiden Enden eine
gute Erdung aufweisen.

Wenn auβenliegende Kabel und Wechselstromleitungen (AC) in Kontakt kommen, kann die Verkabelung
innerhalb des Gebäudes beschädigt werden oder einen Brand auslösen. Um dieses Risiko zu verringern,
gibt es Bestimmungen zum Durchmesser von Telekommunikationskabeln zwischen den Geräten und
den Anschlüssen.
Um das Brandrisiko zu reduzieren, setzen Sie ausschließlich 26 AWG oder
dickere Telekommunikationskabel ein.

Achtung

Einige Anschlüsse eignen sich lediglich für Verbindungen zu gebäude-internen oder nicht
außenliegenden Verkabelungen. Auf solche Fälle wird in der Installationsanleitung gesondert
hingewiesen.

Versuchen Sie nicht, die vom Carrier erhaltene Ausrüstung oder Verbindungselemente zu manipulieren.
ETS-1-10G-A Sicherheit und Entsorgung (Deutsch) 22

Elektromagnetische Kompatibilität (EMC)

Die Ausrüstung ist ausgelegt und anerkannt für die Erfüllung elektromagnetischer Bestimmungen der
Regulierungsbehörden. Die nachfolgenden Anleitungen sind darauf ausgerichtet, die Leistungsfähigkeit
der Ausrüstung zu erhöhen und besseren Schutz gegen extreme Emissionen und besseren Schutz gegen
Störungen zu gewährleisten.

Eine gute Erdung ist wesentlich. Wenn die Ausrüstung in einem Rack montiert wird, stellen Sie sicher,
daβ jegliche Farbspuren von den Befestigungspunkten entfernt sind. Benutzen Sie geeignete
Sicherungsscheiben und das richtige Drehmoment. Falls eine externe Erdungsmutter zur Verfügung
steht, schließen Sie diese an den Erdbus an mittels kürzestmöglichem verdrillten Draht.

Die Ausrüstung ist ausgelegt, um den Anforderungen der EMC zu entsprechen, wenn man sie mit nicht
abgeschirmten und verdrillten (UTP) Kabeln anschließt mit Ausnahme von 1000BaseT-Anschlüssen, die
grundsätzlich mit abgeschirmten verdrillten Kabeln hoher Qualität (CAT 5E oder besser) erfordern. Im
Allgemeinen ist die Verwendung von abgeschirmten Kabeln immer empfohlen, besonders für schnellen
Datendurchsatz. Beim Einsatz nicht abgeschirmter Kabel wird in manchen Fällen empfohlen, einen
Ferritkern an bestimmten Kabeln anzubringen. In diesen Fällen werden im Benutzerhandbuch
gesonderte Anleitungen bereitgestellt.

Klemmen Sie alle Kabel ab, die nicht permanent in Gebrauch sind, wie zum Beispiel solche, die fuer eine
einmalige Konfiguration eingesetzt wurden.

Die Einhaltung der Regeln für elektromagnetische Leitungsemissionen an den Datenleitungen hängt von
der Kabelqualität ab. Die Emission wurde für UDP mit 80 db Längsumwandlungsdämpfung (LCL)
getestet.

Falls im Benutzerhandbuch nicht anders spezifiziert oder beschrieben, bieten TNV-1 und TNV-3
Anschlüsse lediglich sekundären Schutz gegen Überspannungen in den Datenleitungen. Primäre
Protektoren müssen innerhalb der Gebäudeinstallation bereitgestellt werden.

Die Ausrüstung ist ausgelegt, ausreichenden Schutz gegen elektrostatische Entladung (ESD) zu bieten. Es
ist jedoch empfehlenswert, vorsichtig zu agieren, wenn Kabel mit Plastikanschlüssen (ohne geerdete
Metallhalterung wie bei flachen Kabeln) und empfindliche Datenleitungen angeschlossen werden. Vor
dem Anschliessen solcher Kabel, entladen Sie sich selbst durch Berührung des Bodens oder durch das
Tragen eines ESD-präventiven Bandes um das Handgelenk.

FCC-15 Informationen für Nutzer

Diese Ausrüstung wurde getestet und bewegt sich innerhalb der Grenzwerte für Class A-Digitalgeräte
gemäß Artikel 15 der FCC-Regeln. Diese Grenzwerte wurden festgelegt, um angemessenen Schutz gegen
schädliche Einflüsse sicherzustellen wenn die Geräte in einer kommerziellen Umgebung betrieben
ETS-1-10G-A Sicherheit und Entsorgung (Deutsch) 23

werden. Diese Geräte produzieren, konsumieren und strahlen möglicherweise Energie im

Radiofrequenzbereich ab, die schädliche Auswirkungen auf den Funkverkehr haben kann, falls sie nicht
gemäß dem Benutzerhandbuch (Installation and Operation Manual) installiert wurden. Es ist
wahrscheinlich, daβ der Betrieb dieser Geräte in einem Wohngebiet zu Störungen führt, die der
Betreiber auf eigene Kosten zu beseitigen hat.

Kanadische Emissionsbestimmungen
Dieses digitale Gerät der Klasse A erfüllt alle Vorgaben der Kanadischen Regulierungen für Geräte, die
Störeffekte haben können (Canadian Interference-Causing Equipment Regulation).

EN 55032 (CISPR 32) Warnung

Das vorliegende Gerät fällt unter die Funkstörgrenzwertklasse A. In
Wohngebieten können beim Betrieb dieses Gerätes Rundfunkströrungen
auftreten, für deren Behebung der Benutzer verantwortlich ist.
Achtung

Entsorgung des Produktes

Um die Wiedernutzung, die Wiederverwertung oder andere Formen der
Wiederaufbereitung von stillgelegten Geräten zum Schutz der Umwelt zu
gewährleisten, ist der Besitzer des RAD-Produktes verpflichtet, die
Entsorgung als unsortierter Abfall am Ende des Lebenszyclus des Produktes
zu unterlassen. Wenn das Gerät ausser Betrieb genommen wird, hat der
Kunde dieses Gerät einer umweltverträglichen Wiederverwendung,
Wiederverwertung oder Entsorgung zuzuführen.
Contents
1 Introduction ..............................................................................................................................29

2 Product Description ...................................................................................................................30

2.1 Purpose ........................................................................................................................................... 30
2.2 Switch Features .............................................................................................................................. 30
Basic Features ................................................................................................................................ 30
MAC address processing features.................................................................................................. 31
Layer 2 Features ............................................................................................................................. 31
Layer 3 Features ............................................................................................................................. 33
QoS Features .................................................................................................................................. 34
Security features ............................................................................................................................ 35
Switch Control Features ................................................................................................................. 36
Additional Features ........................................................................................................................ 37
2.3 Main specifications ......................................................................................................................... 37
2.4 Design ............................................................................................................................................. 40
Layout and description of the switches front panels..................................................................... 40
Layout and the description of the switches rear panels................................................................ 42
Side panels of the device ............................................................................................................... 42
Light Indication .............................................................................................................................. 43
2.5 Delivery Package............................................................................................................................. 45

3 Installation and Connections ...................................................................................................... 46

3.1 Support brackets mounting ............................................................................................................ 46
3.2 Device rack installation................................................................................................................... 47
3.3 Power module installation ............................................................................................................. 48
3.4 Connection to power supply .......................................................................................................... 49
3.5 SFP transceiver installation and removal ....................................................................................... 50

4 Initial Switch Configuration ........................................................................................................ 52

4.1 Configuring the terminal ................................................................................................................ 52
4.2 Turning on the device ..................................................................................................................... 52
4.3 Startup menu .................................................................................................................................. 54
ETS-1-10G-A Contents 26

4.4 Switch operation modes................................................................................................................. 54

4.5 Switch function configuration ........................................................................................................ 56
Basic switch configuration ............................................................................................................. 56
Security system configuration ....................................................................................................... 60
Banner configuration ..................................................................................................................... 62

5 Device management. Command line interface ............................................................................ 63

5.1 Basic commands ............................................................................................................................. 64
5.2 Command line messages filtering .................................................................................................. 66
5.3 Macrocommand configuration....................................................................................................... 66
5.4 System management commands ................................................................................................... 68
5.5 Commands to configure settings for setting passwords ................................................................ 75
5.6 File operations ................................................................................................................................ 76
Command parameters description ................................................................................................ 76
File operation commands .............................................................................................................. 77
Automatic update and configuration commands .......................................................................... 79
5.7 System time configuration ............................................................................................................. 81
5.8 Configuring ‘time-range’ intervals .................................................................................................. 87
5.9 Interfaces and VLAN configuration ................................................................................................ 87
Ethernet, Port-Channel and Loopback interface parameters........................................................ 87
Configuring VLAN and switching modes of interfaces ................................................................... 98
Private VLAN configuration.......................................................................................................... 106
IP interface configuration ............................................................................................................ 108
Selective Q-in-Q ........................................................................................................................... 109
5.10 Broadcast Storm Control ............................................................................................................ 111
5.11 Link Aggregation Group (LAG) .................................................................................................... 113
Static channel aggregation groups............................................................................................... 115
LACP channel aggregation protocol ............................................................................................. 115
5.12 IPv4 addressing configuration .................................................................................................... 117
5.13 Green Ethernet configuration .................................................................................................... 119
5.14 IPv6 addressing configuration .................................................................................................... 122
IPv6 protocol ................................................................................................................................ 122
5.15 Protocol configuration................................................................................................................ 125
DNS protocol configuration ......................................................................................................... 125
ARP configuration ........................................................................................................................ 128
GVRP configuration ...................................................................................................................... 130
ETS-1-10G-A Contents 27

Loopback detection mechanism .................................................................................................. 131

STP (STP, RSTP, MSTP) ................................................................................................................. 133
G.8032v2 (ERPS) configuration .................................................................................................... 142
LLDP configuration ....................................................................................................................... 145
5.16 Voice VLAN ................................................................................................................................. 153
5.17 Multicast addressing .................................................................................................................. 155
Intermediate function of IGMP (IGMP Snooping) ....................................................................... 155
Multicast addressing rules ........................................................................................................... 159
MLD snooping – multicast traffic in IPv6 control protocol .......................................................... 167
IGMP Proxy multicast routing function ....................................................................................... 170
5.18 Multicast routing. PIM protocol ................................................................................................. 172
5.19 Control functions ........................................................................................................................ 176
AAA mechanism ........................................................................................................................... 176
RADIUS ......................................................................................................................................... 182
TACACS+ protocol ........................................................................................................................ 185
Simple network management protocol (SNMP) .......................................................................... 187
Remote Network Monitoring (RMON) ........................................................................................ 192
ACL access lists for device management ..................................................................................... 202
Access configuration .................................................................................................................... 204
5.20 Alarm log, SYSLOG protocol........................................................................................................ 209
5.21 Port mirroring (monitoring)........................................................................................................ 213
5.22 sFlow function ............................................................................................................................ 214
5.23 Physical layer diagnostic functions ............................................................................................. 216
Optical transceiver diagnostics .................................................................................................... 217
5.24 Security features......................................................................................................................... 218
Port security functions ................................................................................................................. 218
Port based client authentication (802.1x standard) .................................................................... 221
DHCP control and option 82 ........................................................................................................ 231
IP-source Guard ........................................................................................................................... 235
ARP Inspection ............................................................................................................................. 238
5.25 Functions of the DHCP Relay Agent............................................................................................ 242
5.26 DHCP Server Configuration ........................................................................................................ 243
5.27 ACL configuration (Access Control List) ...................................................................................... 248
Configuring IPv4-based ACL ......................................................................................................... 251
Configuring IPv6-based ACL ......................................................................................................... 257
Configuring MAC-based ACL ........................................................................................................ 261
5.28 Configuration of protection against DoS attacks ....................................................................... 263
5.29 Quality of Service – QoS ............................................................................................................. 265
ETS-1-10G-A Contents 28

QoS configuration ........................................................................................................................ 265

QoS statistics ................................................................................................................................ 275
5.30 Routing protocols configuration................................................................................................. 276
Static route configuration ............................................................................................................ 276
RIP configuration.......................................................................................................................... 277
OSPF and OSPFv3 configuration .................................................................................................. 281
Virtual Router Redundancy Protocol (VRRP) configuration ........................................................ 289

6 Service Menu, Change of Firmware .......................................................................................... 293

6.1 Startup menu ................................................................................................................................ 293
6.2 Firmware update from TFTP server.............................................................................................. 294
Firmware update.......................................................................................................................... 294

A Examples of Application and Device Configuration.................................................................... 296

B Console Cable .......................................................................................................................... 301

C Supported Ethertype Values ..................................................................................................... 302

D Description of the switch processes .......................................................................................... 304

1 Introduction

Over the last few years, more and more large-scale projects are utilising NGN concept in
communication network development. One of the main tasks in implementing large multiservice
networks is to create reliable high-performance backbone networks for multilayer architecture of next-
generation networks.

High-speed data transmission, especially in large-scale networks, requires a network topology that
will allow flexible distribution of high-speed data flows.

ETS-1-10G-A series switches could be used in large enterprise networks, SMB networks and
operator's networks. These switches deliver high performance, flexibility, security, and multi-tier QoS.
ETS-1-10G-A switches provide better availability due to protection of nodes that enable fail-over
operation and backup of power and ventilation modules.

This operation manual describes intended use, specifications, first-time set-up recommendations,
and the syntax of commands used for configuration, monitoring and firmware update of the switches.
ETS-1-10G-A 2. Product Description 30

2 Product Description

2.1 Purpose
ETS-1-10G-A series aggregation switches are high-performance devices equipped with 10GBASE-R,
1000BASE-X interfaces and designed for use in carrier networks as aggregation devices and in small data
centers.

The device’s ports support operation at rates of 1 Gbps (SFP) and 10 Gbps (SFP+) that provides
flexible using and ability of smooth transition to higher data rates. Non-blocking switch fabric ensures
correct packet processing with minimal and predictable latency at maximum load for all types of traffic.

The front-to-back cooling provides effective cooldown in modern data centers.

Reduntant fans and AC or DC power supplies along with a comprehensive hardware monitoring
system ensure high reliability. The devices allow hot swapping of power and ventilation modules providing
smooth network operation.

2.2 Switch Features

Basic Features
Table 1 lists the basic administrable features of switches of this series.
Table 1 – Basic features of the device

Head-of-Line blocking HOL blocking occurs when device output ports are overloaded with traffic coming
(HOL) from input ports. It may lead to data transfer delays and packet loss.
The ability to support the transmission of super-long frames, which allows data to be
Jumbo frames transmitted by a smaller number of packets. This reduces overhead, processing time
and interruptions.
ETS-1-10G-A 2. Product Description 31

With flow control you can interconnect low-speed and high-speed devices. For avoid
Flow control
buffer overrun, the low-speed device can send PAUSE packets that will force the high-
(IEEE 802.3X) speed device to pause packet transmission.
You can combine multiple switches in a stack. In this case, switches are considered as
Operation in device a single device with shared settings. There are two stack topologies — ring and chain.
stack All ports of each stack unit must be configured from the master switch. Device
stacking allows for reducing network management efforts.

MAC address processing features

lists MAC address processing features.

Table 2 –MAC address processing features

The switch creates an in-memory look-up table which contains mac-addresses and
MAC Address Table
due ports.
When learning is not available, the incoming data on a port will be transmitted to all
other ports of the switch. Learning mode allows the switch to analyse the frame,
Learning mode discover sender's MAC address and add it to the routing table. Then, if the destination
MAC address of an Ethernet frames is already in the routing table, that frame will be
sent only to the port specified in the table.
MAC Multicast support
This feature enables one-to-many and many-to-many data distribution. Thus, the
(MAC Multicast
frame addressed to a multicast group will be transmitted to each port of the group.
support)
Automatic Aging for
If there are no packets from a device with a specific MAC address in a specific period,
MAC Addresses
the entry for this address expires and will be removed. It keeps the switch table up to
(Automatic Aging for date.
MAC Addresses)
Static MAC Entries The network switch allows to define static MAC entries that will be saved in the
(Static MAC Entries) switching table.

Layer 2 Features
The following table lists second-layer functions and special aspects (OSI Layer 2).
ETS-1-10G-A 2. Product Description 32

Table 3 – Second-layer functions description (OSI Layer 2)

IGMP implementation analyses the contents of IGMP packets and discovers

IGMP Snooping network devices participating in multicast groups and forwards the traffic to the
corresponding ports.
MLD Snooping MLD protocol implementation allows the device to minimize multicast IPv6 traffic.
MVR (Multicast VLAN This feature can redirect multicast traffic from one VLAN to another using IGMP
Registration) messages and reduce uplink port load. Used in III-play solutions.
Broadcast storm is a multiplication of broadcast messages in each host causing their
Storm Control
exponential growth that can lead to the network meltdown. The switches can
(Broadcast Storm
restrict the transfer rate for multicast and broadcast frames received and sent by
Control) the switch.
Port mirroring is used to duplicate the traffic on monitored ports by sending ingress
Port Mirroring or and/or egress packets to the controlling port. Switch users can define controlled
(Port Mirroring) and controlling ports and select the type of traffic (ingress or egress) that will be
sent to the controlling port.
This feature assigns the uplink port to the switch port. This uplink port will receive
Protected ports all the traffic and provide isolation from other ports (in a single switch) located in
the same broadcast domain (VLAN).

This feature isolates the ports in a group (in a single switch) located in the same
Private VLAN Edge broadcast domain from each other, allowing traffic exchange with other ports that
are located in the same broadcast domain but do not belong to this group.
Enables isolation of devices located in the same broadcast domain within the entire
Private VLAN (light
L2 network. Only two port operation modes are implemented—Promiscuous and
version) Isolated (isolated ports cannot exchange traffic).
Spanning Tree Protocol is a network protocol that ensures loop-free network
topology by converting networks with redundant links to a spanning tree topology.
Spanning Tree Protocol
Switches exchange configuration messages using frames in a specific format and
selectively enable or disable traffic transmission to ports.
IEEE 802.1w Rapid
Rapid STP (RSTP) is the enhanced version of the STP that enables faster convergence
spanning tree protocol
of a network to a spanning tree topology and provides higher stability.

The protocol is used for increasing stability and reliability of data transmission
ERPS (Ethernet Ring
network having ring topology. It is realized by reducing recovery network time in
Protection Switching)
case of breakdown.Recovery time does not exceed 1 second. It is much less than
protocol network change over time in case of spanning tree protocols usage.
VLAN is a group of switch ports that form a single broadcast domain. The switch
VLAN
supports various packet classification methods to identify the VLAN they belong to.
ETS-1-10G-A 2. Product Description 33

GARP VLAN registration protocol dynamically add/removes VLAN groups on the

GARP VLAN (GVRP) switch ports. If GVRP is enabled, the switch identifies and then distributes the VLAN
inheritance data to all ports that form the active topology.
Port based VLAN Distribution to VLAN groups is performed according to the ingress ports. This
VLAN solution ensures that only one VLAN group is used on each port.
IEEE 802.1Q is an open standard that describes the traffic tagging procedure for
802.1Q transferring VLAN inheritance information. It allows multiple VLAN groups to be
used on one port.

The LACP enables automatic aggregation of separate links between two devices
(switch-switch or switch-server) in a single data communication channel.
Link aggregation with
The protocol constantly monitors whether link aggregation is possible; in case one
LACP link in the aggregated channel fails, its traffic will be automatically redistributed to
functioning components of the aggregated channel.

The device allows for link group creation. Link aggregation, trunking or IEEE 802.3ad
is a technology that enables aggregation of multiple physical links into one logical
link. This leads to greater bandwidth and reliability of the backbone 'switch-switch'
LAG group creation
or 'switch-server' channels. There are three types of balancing—based on MAC
addresses, IP addresses or destination port (socket).
A LAG group contains ports with the same speed operating in full-duplex mode.

Allows to identify voice traffic by OUI (Organizationally Unique Identifier—first 24

bits of the MAC address). If the MAC table of the switch contains a MAC address
Auto Voice VLAN support
with VoIP gateway or IP phone OUI, this port will be automatically added to the
voice VLAN (identification by SIP or the destination MAC address is not supported).

Layer 3 Features
Table lists third-layer functions (OSI Layer 3).
Table 4 – Layer 3 Features description (Layer 3)

BootP and DHCP clients

(Dynamic Host The devices can obtain IP address automatically via the BootP/DHCP.
Configuration Protocol)
ETS-1-10G-A 2. Product Description 34

The switch administrator can add or remove static entries into/from the routing table.
Static IP routes
Address Resolution ARP maps the IP address and the physical address of the device. The mapping is
Protocol established on the basis of the network host response analysis; the host address is
requested by a broadcast packet.
RIP The dynamic routing protocol that allows routers to get new routing information from
(Routing Information the neighbour routers. This protocol detects optimum routes on the basis of hops
Protocol) count data.

IGMP Proxy is a feature that allows simplified routing of multicast data between
IGMP Proxy function
networks. IGMP is used for routing management.
A dynamic routing protocol that is based on a link-state technology and uses
OSPF protocol (Open
Dijkstra's algorithm to find the shortest route. OSPF protocol distributes information
Shortest Path First) on available routes between routers in a single autonomous system.
Virtual Router VRRP is designed for backup of routers acting as default gateways. This is achieved
Redundancy Protocol by joining IP interfaces of the group of routers into one virtual interface which will
(VRRP) be used as the default gateway for the computers of the network.
The Protocol-Independent Multicast protocols for IP networks were created to
address the problem of multicast routing. PIM relies on traditional routing protocols
PIM protocol (such as, Border Gateway Protocol) rather than creates its own network topology. It
uses unicast routing to verify RPF. Routers perform this verification to ensure loop-
free forwarding of multicast traffic.

QoS Features
Table 5 lists the basic quality of service features.

Table 5 – Basic quality of service features

The switch supports egress traffic prioritization with queues for each port. Packets
Priority queues support
are distributed into queues by classifying them by various fields in packet headers.

802.1p standard specifies the method for indicating and using frame priority to
802.1p class of service ensure on-time delivery of time-critical traffic. 802.1p standard defines 8 priority
support levels. The switches can use 802.1p priority value to assign frames to priority queues.
ETS-1-10G-A 2. Product Description 35

Security features
Table 6 – Security features

A switch feature designed for protection from DHCP attacks. Enable filtering of DHCP
messages coming from untrusted ports by building and maintaining DHCP snooping
DHCP snooping
binding database. DHCP snooping performs functions of a firewall between untrusted
ports and DHCP servers.
An option to tell the DHCP server about the DHCP relay and port of the incoming
request.
DHCP Option 82
By default, the switch with DHCP snooping feature enabled identifies and drops all
DHCP requests with Option 82, if they were received via an untrusted port.
UDP Relay Broadcast UDP traffic forwarding to the specified IP address.
DHCP server performs centralised management of network addresses and
DHCP server features corresponding configuration parameters, and automatically provides them to
subscribers.
The switch feature that restricts and filters IP traffic according to the mapping table
IP Source address guard from the DHCP snooping binding database and statically configured IP addresses. This
feature is used to prevent IP address spoofing.
A switch feature designed for protection from ARP attacks. The switch checks the
Dynamic ARP message received from the untrusted port: if the IP address in the body of the
Inspection (Protection) received ARP packet matches the source IP address.
If these addresses do not match, the switch drops this packet.
L2 – L3 – L4 ACL (Access Using information from the level 2, 3, 4 headers, the administrator can configure up
Control List) to 1024 rules for processing or dropping packets.

Time-Based ACL Allow you to configure the time frame for ACL operation.

The key feature of blocking is to improve the network security; access to the switch
Blocked ports support port will be granted only to those devices whose MAC addresses were assigned for
this port.
Port based IEEE 802.1x authentication mechanism manages access to resources through an
authentication (802.1x external server. Authorized users will gain access to the specified network resources.
standard)
ETS-1-10G-A 2. Product Description 36

Switch Control Features

Table 7 – Switch control features

Uploading and Device parameters are saved into the configuration file that contains configuration
downloading the data for the specific device ports as well as for the whole system.
configuration file
The TFTP is used for file read and write operations. This protocol is based on UDP
Trivial File Transfer transport protocol.
Protocol (TFTP) The devices are able to download and transfer configuration files and firmware
images via this protocol.
SCP is used for file read and write operations. This protocol is based on SSH network
Secure Copy protocol protocol.
(SCP) The devices are able to download and transfer configuration files and firmware
images via this protocol.
Remote network monitoring (RMON) is an extension of SNMP that enables
monitoring of computer networks. Compatible devices gather diagnostics data using
Remote monitoring
the network management station. RMON is a standard MIB database that contains
(RMON) actual and historic MAC-level statistics and control objects that provide real-time
data.
Simple Network SNMP is used for monitoring and management of network devices. To control system
Management Protocol access, the community entry list is defined where each entry contains access
(SNMP) privileges.
Switches can be managed using CLI locally via serial port RS-232, or remotely via
Command Line telnet or ssh. Console command line interface (CLI) is an industrial standard. CLI
Interface (CLI) interpreter provides a list of commands and keywords that help the user and reduce
the amount of input data.
Syslog is a protocol designed for transmission of system event messages and error
Syslog
notifications to remote servers.
SNTP SNTP is a network time synchronization protocol; it is used to synchronize time on a
(Simple Network Time network device with the server and can achieve accuracy of up to 1 ms.
Protocol)
Traceroute is a service feature that allows the user to display data transfer routes in
Traceroute
IP networks.
Privilege level
The administrator can define privilege levels for device users and settings for each
controlled access
privilege level (read-only - level 1, full access - level 15).
management
ETS-1-10G-A 2. Product Description 37

The switch can block access to each management interface (SNMP, CLI). Each type of
access can be blocked independently:
Management interface
Telnet (CLI over Telnet Session)
blocking Secure Shell (CLI over SSH)
SNMP
Local authentication Passwords for local authentication can be stored in the switch database.
IP address filtering for Access via SNMP is allowed only for specific IP addresses that are the part of the SNMP
SNMP community.
RADIUS is used for authentication, authorization and accounting. RADIUS server uses
RADIUS client a user database that contains authentication data for each user. The switches
implement a RADIUS client.
(TACACS+) The device supports client authentication with TACACS+ protocol. The TACACS+
Terminal Access protocol provides a centralized security system that handles user authentication and
Controller Access a centralized management system to ensure compatibility with RADIUS and other
Control System authentication mechanisms.

SSH server functionality allows SSH clients to establish secure connection to the
SSH server
device for management purposes.
Macrocommand This feature allows the user to create sets of commands–macrocommands–and user
support them to configure the device.

Additional Features
Table lists additional device features.

Table 8 – Additional functions

The device can be used to test the optical transceiver. During testing, parameters such
Optical transceiver
as current and supply voltage, transceiver temperature are monitored.
diagnostics Implementation requires support of these functions in the transceiver.
This mechanism reduces power consumption of the switch by disabling inactive
Green Ethernet
electric ports.

2.3 Main Specifications

Table shows main switch specifications.
ETS-1-10G-A 2. Product Description 38

Table 9 – Main specifications

General parameters

Packet processor Marvell 98DX8324

1x10/100/1000BASE-T (ООВ)
Interfaces
24x10GBASE-R (SFP+)/1000BASE-X (SFP)

Capacity 480 Gbps

Throughput for 64 bytes 238 MPPS

Buffer memory 3 MB

RAM (DDR3) 1 GB

ROM (NAND Flash) 1 GB

MAC Address Table 32K

For routing: 16K IPv4, 8K IPv6

TCAM
For traffic processing: 9K х 10В

L3 Unicast number of routes 16K

ARP records number 7K 1
L2 Multicast group number (IGMP
4K
snooping)
L3 Multicast (IGMP Proxy, PIM) number of
8K
routes

Optical interfaces 1/10Gbps

Data transfer rate
electric interfaces 10/100/1000 Mbps

VLAN Up to 4K active VLANs as per 802.1Q

Quality of Services (QoS) 8 egress queues per port

1
For each host in the ARP table, an entry is created in the routing table
ETS-1-10G-A 2. Product Description 39

Total number of VRRP routers 255

Total number of L3 interfaces 2048
Total number of virtual Loopback interfaces 64
LAG 32 groups with up to 8 ports in each
MSTP instances quantity 64
DHCP pool 16
Jumbo frames Max. packet size 10K
Stacking Up to 8 devices
IEEE 802.3ab 1000BASE-T Gigabit Ethernet
IEEE 802.3z Fiber Gigabit Ethernet
IEEE 802.3x Full Duplex, Flow Control
IEEE 802.3ad Link Aggregation (LACP)
IEEE 802.1p Traffic Class
IEEE 802.1q VLAN
Standard compliance
IEEE 802.1v
IEEE 802.3 ac
IEEE 802.1d Spanning Tree Protocol (STP)
IEEE 802.1w Rapid Spanning Tree Protocol (RSTP)
IEEE 802.1s Multiple Spanning Tree Protocol (MSTP)
IEEE 802.1x Authentication
Control
Local control Console
Remote control SNMP, Telnet, SSH, WEB
Physical specifications and ambient conditions
AC: 220V+-20%, 50 Hz
DC: PoE enabled: 36..72V
Power options:
Power supply - Single AC or DC power supply
- Two AC or DC hot-swappable power supplies
Power supply type is specified when ordering.

Power consumption
max 68 W
ETS-1-10G-A 2. Product Description 40

Dimensions
430х275х44 mm
Operating temperature range -10 to +45°C
Storage temperature range -50 to +70оС
Before the first switch-on after storage at a tempera
Storage temperature range lower than -20оС or higher than +50оС, it is necessa
keep the switch at room temperature for at least
hours.

Operational relative humidity (non-condensing) up to 80%

Storage relative humidity (non-condensing) from 10% to 95%
Average lifetime 10 years

2.4 Design
This section describes the design of devices. Depicted front, rear, and side panels of the device,
connectors, LED indicators and controls.

Ethernet switches ETS-1-10G-A have a metal-enclosed design for 1U 19" racks.

Layout and description of the switches front panels

The front panel layout of ETS-1-10G-A series devices is depicted in the figure below.

Figure 1 – ETS-1-10G-A front panel

ETS-1-10G-A 2. Product Description 41

Table 10 lists connectors, LEDs and controls located on the front panel of the switches.

Table 10 – Description of connectors, LEDs and controls located on ETS-1-10G-A front panel

№ Front panel element Description

Unit ID Indicator of the stack unit number.
Power Device power LED.
1 Master Device operation mode LED (master/slave).
Fan Fan operation LED.
RPS Backup power supply LED.
Functional key that reboots the device and resets it to factory default
configuration:
2 F - pressing the key for less than 10 seconds reboots the device;
- pressing the key for more than 10 seconds resets the device to factory
default configuration.
Console port for local management of the device.
Connector pinning:
1 not used
2 not used
3 RX
4 GND
3 Console
5 GND
6 TX
7 not used
8 not used
9 not used
Soldering pattern of the console pattern is given in Appendix B
Out-of-band 10/100/1000BASE-T (RJ-45) port for remote device
management.
4 OOB
Management is performed over network other than the transportation
network.

5 [1-24] Slots for 10G SFP+/1G SFP transceivers.

6 USB port
ETS-1-10G-A 2. Product Description 42

Layout and the description of the switches rear panels

The rear panel layout of ETS-1-10G-A switches is depicted in Figure 2.

Figure 2 – ETS-1-10G-A rear panel

Table 11 lists connectors located on the rear panel of ETS-1-10G-A switches.

Table 11 – Description of connectors located on ETS-1-10G-A rear panel

№ Rear panel elements Description

1 Earth bonding point Earth bonding point of the device
2 Fans
3 48VDC Connector for DC power supply.
4 ~220 VAC 50 Hz max 1A Connector for AC power supply

Side panels of the device

Figure 3 – ETS-1-10G-A left side panel layout

ETS-1-10G-A 2. Product Description 43

Figure 4 – ETS-1-10G-A left side panel layout

Side panels of the device have air vents for heat removal. Do not block air vents. This may cause the
components to overheat, which may result in device malfunction. For recommendations on device
installation, see section 'Installation and connection'.

Light Indication
Ethernet interface status is represented by two LEDs: green LINK/ACT and amber SPEED. Location
of LEDs is shown in Figures 5, 6.

Figure 5 – SFP/SFP+ socket layout

Figure 6 – RJ-45 socket layout

ETS-1-10G-A 2. Product Description 44

Table 12 – XLG ports status LED

SPEED indicator is lit LINK/ACT indicator is lit Ethernet interface state

Disabled Disabled Port is disabled or connection is not established
Disabled Always on 1 Gbps connection is established
Always on Always on 10 Gbps connection is established
X Flashes Data transfer is in progress

Table 13 – Light indication of the 10/100/1000BASE-T (OOB) Ethernet ports status

SPEED indicator is lit LINK/ACT indicator is lit Ethernet interface state

Disabled Disabled Port is disabled or connection is not established
Disabled Always on 10/100 Mbps connection is established
Always on Always on 1000 Mbps connection is established
X Flashes Data transfer is in progress

Unit ID (1-8) LED indicates the stack unit number.

System indicators (Power, Master, Fan, RPS) are designed to display the operational status of the
switch modules.

Table 14 – System indicator LED

LED name LED function LED State Device State

Disabled Power is off
solid green Power is on, normal device operation
The primary source of the main power
Power supply
Power supply is unavailable (in case the
status
Orange device is connected to a redundant
power supply) or the main power
supply failed
solid green The device is a stack master
Indicates master
Master The device is not a stack master or
stack unit Disabled
stacking mode is not set
solid green All fans are operational
Fan Cooling fan status
solid red One or more fans are failed
Backup power supply is connected and
RPS solid green
operates correctly
ETS-1-10G-A 2. Product Description 45

Backup power Backup power supply is missing or

solid red
supply operation failed.
mode Disabled Backup power supply is not connected

2.5 Delivery Package

The standard delivery package includes:
– Ethernet switch
– Rack mounting set
– Conformity certificate
– Passport.

If ordered, delivery package may also include:

– ETS-1-10G-PS/AC220/160W or ETS-1-10G-PS/DC48/100W (optional)

– Power cable (if equipped with ETS-1-10G-PS/AC220/160W power supply module).

SFP/SFP+ transceivers may be included in the delivery package on request.

3 Installation and Connections

This section describes installation of the equipment into a rack and connection to a power supply.

3.1 Support brackets mounting

The delivery package includes support brackets for rack installation and mounting screws to fix
the device case on the brackets. There are six fixing holes for different mounting options on the
brackets, which allows to adjust the distance between the front panel and the server cabinet door
(Figures 7, 8). To install the brackets, select one of the mounting options:

Figure 7 – Bracket mounting option #1

ETS-1-10G-A 3. Installation and Connections 47

Figure 8 – Bracket mounting option #2

1. Align four selected mounting holes in the support bracket with the corresponding holes in
the side panel of the device.
2. Use a screwdriver to screw the support bracket to the case.
3. Repeat steps 1 and 2 for the second support bracket.

3.2 Device rack installation

To install the device to the rack:

1. Attach the device to the vertical guides of the rack.

2. Align mounting holes in the support bracket with the corresponding holes in the rack
guides. Use the holes of the same level on both sides of the guides to ensure horizontal
installation of the device.
3. Use a screwdriver to screw the switch to the rack.
ETS-1-10G-A 3. Installation and Connections 48

Fig. 9 - Device rack installation

Do not block air vents and fans located on the rear panel to avoid components overheating
and subsequent switch malfunction.

3.3 Power module installation

Switch can operate with one or two power modules. The second power module installation is
necessary when greater reliability is required.

From the electric point of view, both places for power module installation are equivalent. In the
terms of device operation, the power module located closer to the edge is considered as the main module,
and the one closer to the centre—as the backup module. Power modules can be inserted and removed
without powering the device off. When an additional power module is inserted or removed, the switch
continues to operate without reboot.
ETS-1-10G-A 3. Installation and Connections 49

Figure 10 – Power module installation

You can check the state of power modules by viewing the indication on the front panel of the switch
(see Section 0) or by checking diagnostics available through the switch management interfaces.

Power module fault indication may be caused not only by the module failure, but also by the
absence of the primary power supply.

3.4 Connection to power supply

1. Prior to connecting the power supply, the device case must be grounded. Use an insulated
stranded wire to ground the case. The grounding device and the ground wire cross-section
must comply with Electric Installation Code.
2. If you intend to connect a PC or another device to the switch console port, the device must
be properly grounded as well.
3. Connect the power supply cable to the device. Depending on the delivery package, the
device can be powered by AC or DC electrical network. To connect the device to AC power
supply, use the cable from the delivery package. To connect the device to DC power supply,
use wires with a minimum cross-section of 1 mm2.
4. Turn the device on and check the front panel LEDs to make sure the terminal is in normal
operating conditions.
ETS-1-10G-A 3. Installation and Connections 50

3.5 SFP transceiver installation and removal

Optical modules can be installed when the terminal is turned on or off.

1. Insert the top SFP module into a slot with its open side down, and the bottom SFP module
with its open side up.

Figure 11 – SFP transceiver installation

2. Push the module. When it is in place, you should hear a distinctive 'click'.

Figure 12 – Installed SFP transceivers

To remove a transceiver, perform the following actions:

1. Unlock the module's latch.

Figure 13 – Opening SFP transceiver latch

ETS-1-10G-A 3. Installation and Connections 51

2. Remove the module from the slot.

Figure 14 – SFP transceiver removal

ETS-1-10G-A 4. Initial Switch Configuration 52

4 Initial Switch Configuration

4.1 Configuring the terminal

Run the terminal emulation application on PC (HyperTerminal, TeraTerm, Minicom) and perform
the following actions:
− Select the corresponding serial port.
− Set the data transfer rate to 115200 baud.
− Specify the data format: 8 data bits, 1 stop bit, non-parity.
− Disable hardware and software data flow control.
− Specify VT100 terminal emulation mode (many terminal applications use this emulation
mode by default).

4.2 Turning on the device

Establish connection between the switch console ('console' port) and the serial interface port on
PC that runs the terminal emulation application.
Turn on the device. Upon every startup, the switch performs a power-on self-test (POST) which
checks operational capability of the device before the executable program is loaded into RAM.
POST procedure progress:

BootROM 1.43
Booting from SPI flash

General initialization - Version: 1.0.0

Serdes initialization - Version: 1.0.2
PEX: pexIdx 0, detected no link
PEX: pexIdx 0, detected no link
PEX: pexIdx 0, detected no link
DDR3 Training Sequence - Ver TIP-1.55.0
DDR3 Training Sequence - Switching XBAR Window to FastPath Window
DDR3 Training Sequence - Ended Successfully
BootROM: Image checksum verification PASSED
ETS-1-10G-A 4. Initial Switch Configuration 53

ROS Booton: Jun 13 2018 17:16:12 ver. 1.0

Press x to choose XMODEM...

Booting from SPI flash
Tuned RAM to 512M

Running UBOOT...

U-Boot 2013.01 (Jun 22 2018 - 10:36:09)

Loading system/images/active-image ...

Uncompressing Linux... done, booting the kernel.

Autoboot in 2 seconds - press RETURN or Esc. to abort and enter prom.

The switch firmware will be automatically loaded two seconds after POST is completed. For
execution to specific procedures, you can use the startup menu. To do this, you will interrupt the startup
procedure by pressing <Esc> or <Enter>.
After successful startup, you will see the CLI interface prompt.

>lcli

Console baud-rate auto detection is enabled, press Enter twice to complete the
detection process

User Name:
Detected speed: 115200

User Name:admin
Password:***** (admin)

console#

To quickly get help for available commands, use key combination SHIFT+?.
ETS-1-10G-A 4. Initial Switch Configuration 54

4.3 Startup menu

To enter the startup menu, connect to the device via the RS-232 interface, reboot the device and
press and hold the ESC or ENTER key for 2 seconds after the POST procedure is completed.

U-Boot 2013.01 (Jun 22 2018 - 10:36:09)

Loading system/images/active-image ...

Uncompressing Linux... done, booting the kernel.

Autoboot in 2 seconds - press RETURN or Esc. to abort and enter prom.

Startup menu view:

Startup Menu
[1] Restore Factory Defaults
[2] Password Recovery Procedure
[3] Back
Enter your choice or press 'ESC' to exit:

Table 15 – Startup menu interface functions

Function Description
Restore Factory Defaults Restore the factory default configuration
Password Recovery Procedure Reset authentication settings
Back Resume startup

4.4 Switch operation modes

ETS-1-10G-A switches operate in stacking mode.

Switch operation in stacking mode Switch stack works as a single device and can include up to 8
devices of the same model with the following roles defined by their sequential number (UID):
− Master (device UID 1 or 2) manages all stack units.
− Backup (device UID 1 or 2) is controlled by the master. Replicates all settings, and takes
over stack management functions in case of the master device failure.
− Slave (device UID 3 or 8) is controlled by the master. Can't work in a standalone mode
(without a master device).
ETS-1-10G-A 4. Initial Switch Configuration 55

In stacking mode, switches use XG ports for synchronization. MES2308 andMES2308P use 1G optical
ports. These ports are not used for data transmission. There are two topologies for device synchronisation:
ring and linear. Ring topology is recommended for increased stack robustness.

By default, switch is master and XLG (XG) ports participate in data transmission.

Switch configuration for operating in a stacking mode

Command line prompt is as follows:

console(config)#

Table 16 – Basic commands

Command Value/Default value Action

stack configuration links te
- Assign the interfaces to synchronize switch in the stack.
te_port
stack configuration unit-id Specify the device number unit-id to a local device (where
unit_id unit_id: (1..8,
the command is executed). The device number change
auto)/auto
takes effect after the switch is restarted.
no stack configuration Remove stack settings.
stack unit unit_id unit_id: (1..8, all) Switch to configuring a stack unit.

Example

 Configure ETS-1-10G-A for operating in a stacking mode. Set as the second unit and use te1-2
interfaces as stacking interfaces.

console#config
console(config)#stack configuration unit-id 2 links te1-2
console(config)#

Privileged EXEC mode commands

Command line prompt is as follows:

console#

Table 17 – Basic commands available in the EXEC mode

Command Value/Default value Action

show stack - Shows stack units information.
show stack configuration - Display information on stackable interfaces of stack units.
ETS-1-10G-A 4. Initial Switch Configuration 56

show stack links [details] - Display verbose information on stackable interfaces.

 show stack links command usage example:

console# show stack links

Topology is Chain

Unit Id Active Links Neighbour Links

Operational Down/Standby
Link Speed Links
------- -------------------- -------------------- ----------- -------------------
-
1 te1/0/1 te2/0/2 40G te1/0/2
2 te2/0/2 te1/0/1 40G te2/0/1

Devices with identical Unit IDs can't work in one stack.

4.5 Switch function configuration

Initial configuration functions can be divided into two types.
− Basic configuration includes definition of basic configuration functions and dynamic IP
address configuration.
− Security system parameters configuration includes security system management based on
AAA mechanism (Authentication, Authorization, Accounting).

All unsaved changes will be lost after the device is rebooted. Use the following command
to save all changes made to the switch configuration:

console# write

Basic switch configuration

Prior to configuration, connect the device to the PC using the serial port. Run the terminal emulation
application on the PC according to Section 4.1Terminal configuration.

During initial configuration, you can define which interface will be used for remote connection to
the device.
ETS-1-10G-A 4. Initial Switch Configuration 57

Basic configuration includes:

1. Set up the admin password (with level 15 privileges)
2. Create new users
3. Configure static IP address, subnet mask, default gateway
4. Obtain IP address from the DHCP server
5. Configure SNMP settings

Setting up the admin password and creating new users

Configure the password for the 'admin' privileged user to ensure access to the system.

Username and password are required to log in for device administration. Use the following
commands to create a new system user or configure the username, password, or privilege level:

console# configure
console(config)# username name password password privilege {1-15}

Privilege level 1 allows access to the device, but denies configuration. Privilege level 15
allows both the access and configuration of the device.

Example commands to set admin's password as “RAD” and create the “operator” user with the
“pass” password and privilege level 1:

console# configure
console(config)# username admin password RAD
console(config)# username operator password pass privilege 1
console(config)# exit
console#

Configure static IP address, subnet mask, default gateway.

In order to manage the switch from the network, you have to configure the device IP address,
subnet mask, and, in case the device is managed from another network, default gateway. You can assign
an IP address to any interface—VLAN, physical port, port group (by default, VLAN 1 interface has the IP
address 192.168.1.239, mask 255.255.255.0). Gateway IP address should belong to the subnet that has
one of the IP interfaces of the device.

If the IP address is configured for the physical port or port group interface, this interface
will be deleted from its VLAN group.
ETS-1-10G-A 4. Initial Switch Configuration 58

If all switch IP addresses are deleted, you can access it via IP 192.168.1.239/24.

 Command examples for IP address configuration on VLAN 1 interface.

Interface parameters:

IP address to be assigned for VLAN 1 interface: 192.168.16.144

Subnet mask: 255.255.255.0
The default IP address of the gateway is 192.168.16.1

console# configure
console(config)# interface vlan 1
console(config-if)# ip address 192.168.16.144 /24
console(config-if)# exit
console(config)# ip default-gateway 192.168.16.1
console(config)# exit
console#

To verify that the interface was assigned the correct IP address, enter the following command:

console# show ip interface vlan 1

IP Address I/F
I/F Status Type Directed Prec Redirect Status
admin/oper Broadcast
------------------ --------- ---------- ------- --------- ---- -------- ------
192.168.16.144/24 vlan 1 UP/DOWN Static disable No enable Valid

Obtain IP address from the DHCP server

If there is a DHCP server in the network, you can obtain the IP address via DHCP. IP address can be
obtained from DHCP server via any interface—VLAN, physical port, port group.

By default, DHCP client is enabled on the VLAN 1 interface.

Configuration example for obtaining dynamic IP address from the DHCP server on the VLAN 1
interface:

console# configure
console(config)# interface vlan 1
console(config-if)# ip address dhcp
ETS-1-10G-A 4. Initial Switch Configuration 59

console(config-if)# exit
console#

To verify that the interface was assigned the correct IP address, enter the following command:

console# show ip interface vlan 1

IP Address I/F I/F Status Type Directed Prec Redirect

Status
admin/oper Broadcast
----------------- --------- ---------- ------- --------- ---- -------- --
----
10.10.10.3/24 vlan 1 UP/UP DHCP disable No enable
Valid

Configuring SNMP settings for accessing the device

The device is equipped with an integrated SNMP agent and supports protocol versions 1, 2, 3. The
SNMP agent supports standard MIB variables.

To enable device administration via SNMP, you have to create at least one community string. The
switches support three types of community strings:

– ro – specify read-only access;

– rw – defines read-write access;
– su – define SNMP administrator access;

Most commonly used community strings are public with read-only access to MIB objects, and
private with read-write access to MIB objects. You can set the IP address of the management station for
each community.

Example of private community creation with read-write access and management station IP address
192.168.16.44:

console# configure
console(config)# snmp-server server
console(config)# snmp-server community private rw 192.168.16.44
console(config)# exit
console#

Use the following command to view the community strings and SNMP settings:

console# show snmp

ETS-1-10G-A 4. Initial Switch Configuration 60

SNMP is enabled.

SNMP traps Source IPv4 interface:

SNMP informs Source IPv4 interface:
SNMP traps Source IPv6 interface:
SNMP informs Source IPv6 interface:

Community-String Community-Access View name IP address Mask

-------------------- ------------------ -------------- ------------ ------------
private read write Default 192.168.16.1
44

Community-String Group name IP address Mask Version Type

------------------ ------------ ---------------- ---------------- ------- ------

Traps are enabled.

Authentication-failure trap is enabled.

Version 1,2 notifications

Target Address Type Community Version
Udp Filter To Retries
Port name Sec
---------------- -------- ----------- ---------- ----- ------- ----- ---------

Version 3 notifications
Target Address Type Username
Security Udp Filter To Retries
Level Port name Sec
---------------- -------- ----------- -------- ----- ------- ----- ---------

System Contact:
System Location:

Security system configuration

To ensure system security, the switch uses AAA mechanism (Authentication, Authorization,
Accounting). The SSH mechanism is used for data encryption.

− Authentication – the process of matching with the existing account in the security system.
− Authorization (access level verification) – the process of defining specific privileges for the
existing account (already authorized) in the system.
− Accounting – user resource consumption monitoring.

The default user name is admin and default password is admin. The password is assigned by the
user. If you lose your password, you can restart the device and interrupt its startup via the serial port by
ETS-1-10G-A 4. Initial Switch Configuration 61

pressing the <Esc> or <Enter> keys in two seconds after the automatic startup message is displayed. The
Startup menu will open where you can initiate password recovery procedure ([2]).

To ensure basic security, you can define the password for the following services:

– Console (serial port connection);

– Telnet;
– SSH.

Setting console password

console(config)# aaa authentication login default line
console(config)# aaa authentication enable default line
console(config)# line console
console(config-line)# login authentication default
console(config-line)# enable authentication default
console(config-line)# password console

Enter console in response to the password prompt that appears during the registration in the
console session.

Setting Telnet password

console(config)# aaa authentication login default line
console(config)# aaa authentication enable default line
console(config)# ip telnet server
console(config)# line telnet
console(config-line)# login authentication default
console(config-line)# enable authentication default
console(config-line)# password telnet

Enter telnet in response to the password prompt that appears during the registration in the telnet
session.

Setting SSH password

console(config)# aaa authentication login default line
console(config)# aaa authentication enable default line
console(config)# ip ssh server
console(config)# line ssh
console(config-line)# login authentication default
ETS-1-10G-A 4. Initial Switch Configuration 62

console(config-line)# enable authentication default

console(config-line)# password ssh

Enter ssh in response to the password prompt that appears during the registration in the SSH
session.

Banner configuration
For your convenience, you can specify a banner, a message with any information. For example:

console(config)# banner exec ;

Role: Core switch

Location: Bldg 3
ETS-1-10G-A 5. Device management. Command line interface 63

5 Device management. Command line

interface

Switch settings can be configured in several modes. Each mode has its own specific set of
commands. Enter the ‘?’ character to view the set of commands available for each mode.

Switching between modes is performed by using special commands. The list of existing modes and
commands for mode switching:

Command mode (EXEC). This mode is available immediately after the switch starts up and you enter
your user name and password (for unprivileged users). System prompt in this mode consists of the device
name (host name) and the ‘>’ character.

console>

Privileged command mode (privileged EXEC). This mode is available immediately after the switch
starts up and you enter your user name and password. System prompt in this mode consists of the device
name (host name) and the ‘#’ character.

console#

Global configuration mode.This mode allows to specify general settings of the switch. Global
configuration mode commands are available in any configuration submode. Use the configure
command to enter this mode.

console# configure
console(config)#

Terminal configuration mode (line configuration).This mode is designed for terminal operation
configuration. You can enter this mode from the global configuration mode.

console(config)# line {console | telnet | ssh}

console(config-line)#
ETS-1-10G-A 5. Device management. Command line interface 64

5.1 Basic commands

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console>

Table 18 – Basic commands available in the EXEC mode

Command Value/Default value Action

enable [priv] Switch to the privileged mode (if the value is not defined,
priv: (1..15)/15
the privilege level is 15).
login - Close the current session and switch the user.
exit - Close the active terminal session.
help - Get help on command line interface operations.
show history - Show command history for the current terminal session.
show privilege - Show the privilege level of the current user.
terminal history -/function is enabled Enable command history for the current terminal session.
terminal no history - Disable command history for the current terminal session.
terminal history size size size: Change the buffer size for command history for the current
(10..207)/10 terminal session.
terminal no history size - Set the default value.
terminal datadump Show command output without splitting into pages
(splitting help output into pages is performed with the
-/command output is
following string: More: <space>, Quit: q or CTRL+Z, One
split into pages
line: <return>).
no terminal datadump Set the default value.
show banner [login | exec] - Display banner configuration.

Privileged EXEC mode commands

Command line prompt is as follows:

console#

Table 19 – Basic commands available in privileged EXEC mode

Command Value/Default value Action

priv: (1, 7,
disable [priv]
15)/1 Switch from privileged mode to a normal operation mode.
ETS-1-10G-A 5. Device management. Command line interface 65

configure[terminal] - Enter the configuration mode.

debug-mode - Enable the debug mode.

The commands available in all configuration modes

Command line prompt is as follows:

console#
console(config)#
console(config-line)#

Table 20 – Basic commands available in the configuration mode

Command Value/Default value Action

exit Exit any configuration mode to the upper level in the CLI
-
command hierarchy.
end Exit any configuration mode to the command mode
-
(Privileged EXEC).
do Execute a command of the command level (EXEC) from any
-
configuration mode.
help - Show help on available commands.

Global mode configuration commands

Command line prompt is as follows:

console(config)#

Table 21 – Basic commands available in the configuration mode

Command Value/Default value Action

banner exec d message_text d Specify the exec message text (example: User logged in
successfully) and show it on the screen
- d – delimiter;
-
- message_text - message text (up to 510 characters in a line, total
count is 2000 characters).
no banner exec Remove the exec message.
banner login d message_text d Specify the login message text (informational message that is
shown before username and password entry) and show it on the
screen.
- - d – delimiter;
- message_text - message text (up to 510 characters in a line, total
count is 2000 characters).
no banner login Remove the login message.
ETS-1-10G-A 5. Device management. Command line interface 66

Terminal configuration mode commands

Command line prompt in the terminal configuration mode is as follows:

console(config-line)#
Table 22 – Basic commands available in terminal configuration mode

Command Value/Default value Action

history Enable command history.
-/function is enabled
no history Disable command history.
history size size Change buffer size for command history.
size: (10..207)/10
no history size Set the default value.
exec-timeout timeout Set timeout for the current terminal session, min.
timeout: (0-65535)/10
no exec-timeout minutes Set the default value.

5.2 Command line messages filtering

Message filtering allows reducing the volume of displayed data in response to user requests and
facilitating the search for necessary information. To filtrate the information, add the “|” symbol to the
end of command line and use one of the filtration options listed in the table.

Table 23 – Global mode configuration commands

Method Value/Default value Action

Shows the lines whose first characters correspond to the pattern.
begin pattern

Prints out all the lines containing the pattern.

include pattern -

Prints out all the lines not containing the pattern.

exclude pattern

5.3 Macrocommand configuration

This function allows to create unified sets of commands – macros that can be used later in the
configuration process.
ETS-1-10G-A 5. Device management. Command line interface 67

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#
Table 24 – Global mode configuration commands

Command Value/Default value Action

Creates a new command set if a set with this name exists –
macro name word
overwrites it. The command set is entered line by line. You can
finish the macro with the "@" symbol. Maximum macro length is
word: (1..32 characters) 510 characters.
Deletes the specified macro.
no macro name word

macro global apply Applies the specified macro.

word: (1..32 characters)
word

macro global trace

word: (1..32 characters) Checks the specified macro for validity.
word

macro global Creates the global macro descriptor string.

description word
word: (1..160)
characters Removes the descriptor string.
no macro global
description

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console>

Table 25 – EXEC mode commands

Command Value/Default value Action

macro apply word Applies the specified macro.
word: (1..32 characters)
macro trace word Checks the specified macro for validity.
ETS-1-10G-A 5. Device management. Command line interface 68

show parser macro Displays the settings of the configured macros on the
[{brief | description device.
te_port: (1..8/0/1..32);
[interface {
tengigabitethernet group: (1..32);
te_port | port- word: (1..32
channel group}] | characters)
name word}]

Interface configuration mode commands

Command line prompt in the interface configuration mode is as follows:

console(config-if)#

Table 26 – interface configuration mode commands

Command Value/Default value Action

macro apply word word: (1..32 characters)
Applies the specified macro.

macro trace word

word: (1..32 characters) Checks the specified macro for validity.

macro description Sets the macro descriptor string.

word word: (1..160)
characters
no macro description Removes the descriptor string.

5.4 System management commands

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console>

Table 27 – System management commands in EXEC mode

ETS-1-10G-A 5. Device management. Command line interface 69

Command Value/Default value Action

ping [ip] {A.B.C.D | host} [size This command is used to transmit ICMP requests (ICMP
size] [count count] [timeout Echo-Request) to a specific network node and to manage
timeout] [source A.B.C.D] replies (ICMP Echo-Reply).
host: (1..158) characters
size: (64..1518)/64 bytes; - A.B.C.D – network node IPv4 address;
count: (0..65535)/4; - host – domain name of the network node;
timeout: (50..65535)/2000 - size – size of the packet to be sent, the quantity of bytes in
ms. the packet;
- count - quantity of packets to be sent;
- timeout – timeout of the request;
ping ipv6 {A.B.C.D.E.F | host} This command is used to transmit ICMP requests (ICMP
[size size] [count count] Echo-Request) to a specific network node and to manage
[timeout timeout] [source replies (ICMP Echo-Reply).
host: (1..158) characters
A.B.C.D.E.F]
size: (68..1518)/68 bytes; - A.B.C.D.E.F - IPv6 address of the network node;
count: (0..65535)/4; - host – domain name of the network node;
timeout: (50..65535)/2000 - size – size of the packet to be sent, the quantity of bytes in
ms. the packet;
- count - quantity of packets to be sent;
- timeout - request timeout.
traceroute ip {A.B.C.D | host} Detect traffic route to the destination node.
[size size] [ttl ttl] [count - A.B.C.D – network node IPv4 address;
count] [timeout timeout] - host – domain name of the network node;
[source ip_address]
- size – size of the packet to be sent, the quantity of bytes in
host: (1..158) characters the packet;
size: (64..1518)/64 bytes; - ttl - maximum quantity of route sections;
ttl: (1..255)/30; - count – maximum quantity of packet transmission
count: (1..10)/3; attempts for each section;
timeout: (1..60)/3 s; - timeout – timeout of the request;
- IP_address – switch interface IP address used for packet
transmission;
The description of the command errors and results is
given in tables 29, 30.
ETS-1-10G-A 5. Device management. Command line interface 70

traceroute ipv6 Detect traffic route to the destination node.

{A.B.C.D.E.F | host} [size size] - A.B.C.D.E.F – IPv6 address of the network node;
[ttl ttl] [count count] - host – domain name of the network node;
[timeout timeout] [source - size – size of the packet to be sent, the quantity of bytes in
ip_address]
host: (1..158) characters the packet;
size: (66..1518)/66 bytes; - ttl – maximum quantity of route sections;
ttl: (1..255)/30; - count – maximum quantity of packet transmission
count: (1..10)/3; attempts for each section;
timeout: (1..60) /3 s; - timeout – timeout of the request;
- IP_address – switch interface IP address used for packet
transmission.
The description of the command errors and results is
given in tables 29, 30.
telnet {A.B.C.D | host} [port] Open TELNET session for the network node.
[keyword1…] - A.B.C.D – network node IPv4 address;
- host – domain name of the network node;
host: (1..158) characters
port: (1..65535)/23
- port – TCP port which is used by Telnet;
- keyword – keyword.
Specific Telnet commands and keywords are given in
tables 31, 32.
ssh {A.B.C.D | host} [port] Open SSH session for the network node.
[keyword1...] - A.B.C.D – network node IPv4 address;
host: (1..158) characters - host – domain name of the network node;
port: (1..65535)/22. - port – TCP port which is used by SSH;
- keyword – keyword.
Keywords are described in table 32.

resume [connection] connection: (1..5)/the last Switch to another established TELNET session.
established session - connection – number of established telnet session.
show users [accounts] Display information on users that consume device
-
resources.
show sessions - Display information on open sessions to remote devices.
show system - Output system information.
show system id [unit unit] Display the serial number of the unit.
unit: (1..8)/-
- unit – the stack unit number.
show system [unit unit] Show switch system information.
unit: (1..8)/-
- unit – the stack unit number.
show system fans [unit unit] Display information about fan status.
unit: (1..8)/-
- unit – the stack unit number.
show system power-supply - Display information about power module state.
show system sensors - Display information about temperature sensors.
show version - Display the current firmware version.
show hardware version - Display the hardware version information.
ETS-1-10G-A 5. Device management. Command line interface 71

show system router - Display the total and used size of hardware tables (routing,
resources neighbours, interfaces).
show system tcam utilization Display TCAM memory (Ternary Content Addressable
[unit unit] unit: (1..8)/- Memory) resource load.
- unit – the stack unit number.
show tasks utilization - Display switch’s CPU utilization for each system process.
show tech-support [config | Display the device information for initial failure
memory] -
diagnostics.

The ‘Show sessions’ command shows all remote connections for the current session. This
command is used as follows:

1. Connect to a remote device from the switch via TELNET or SSH.

2. Return to the parent session (to the switch). Press <Ctrl+Shift+6>, release the keys and
press <x>. This will switch you to the parent session.
3. Execute the ‘show sessions’ command. All outgoing connections for the current session will
be listed in the table.
4. To return to remote device session, execute the ‘resume N’ command where N is the
connection number from the ‘show sessions’ command output.

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 28 – System management commands in priveleged EXEC mode

Command Value/Default value Action

reload [unit unit_id] unit_id: Use this command to restart the device.
(1..8)/- - unit_id – stack unit number.
reload in {minutes | hh:mm} minutes:
(1..999); Set the time period for delayed device restart.
hh: (0..23), mm: (0..59).
reload at hh:mm hh: (0..23), mm: (0..59). Set the device reload time.
reload cancel - Cancel delayed restart.
show cpu utilization - Display statistics on CPU load.
show cpu input rate Display statistics on the speed of ingress frames processed
-
by CPU.
show cpu input-rate detailed Display statistics onthe speed of ingress frames processed
-
by CPUdepending on the traffic type.
ETS-1-10G-A 5. Device management. Command line interface 72

 Example use of the traceroute command:

console# traceroute ip RAD.com

Tracing the route to RAD.com (148.21.11.69) form , 30 hops max, 18 byte packets
Type Esc to abort.
1 gateway.RAD (192.168.1.101) 0 msec 0 msec 0 msec
2 RADsrv (192.168.0.1) 0 msec 0 msec 0 msec
3 * * *

Table 29 – Description of 'traceroute' command results

Field Description
1 The hop number of the router in the path to the specified network node.
gateway.RAD The network name of this router.
192.168.1.101 The IP address of the router.
The time taken by the packet to go to and return from the router. Specify for each packet
0 msec 0 msec 0 msec
transmission attempt.

The errors that occur during execution of the traceroute command are described in the table below.

Table 30 – 'traceroute' command errors

Error symbol Description

* Packet transmission timeout.
? Unknown packet type.
Administratively unavailable. As a rule, this error occurs when the egress traffic is blocked
A
by rules in the ACL access table.
F Fragmentation or DF bit is required.
H Network node is not available.
N Network is not available.
P Protocol is not available.
Q Source is suppressed.
R Expiration of the fragment reassembly timer.
S Egress route error.
U Port is not available.

Switch Telnet software supports special terminal management commands. To enter special
command mode during the active Telnet session, use key combination <Ctrl-shift-6>.
ETS-1-10G-A 5. Device management. Command line interface 73

Table 31 – Telnet special commands

Special command Purpose

^^ b Send disconnect command through telnet.
^^ c Send interrupt process (IP) command through telnet.
^^ h Send erase character (EC) command through telnet.
^^ o Send abort output (AO) command through telnet.
^^ t Telnet the message "Are You There?" (AYT) to control the connection.
^^ u Send erase line (EL) command through telnet.
^^ x Return to the command line mode.

You can also use additional options in the Telnet and SSH open session commands:
Table 32 – Keywords used in the Telnet and SSH open session commands

Option Description
/echo Locally enable the echo function (suppress console output).
/password Set the password for the SSH server
/quiet Suppress output of all Telnet messages.
/source-interface Specify the source interface.
Activate the processing of the stream that enables insecure TCP connection without
Telnet sequence control. The stream connection will not process Telnet options and
/stream could be used to establish connections to ports where UNIX-to-UNIX (UUCP) copy
programs or other non-telnet protocols are running.
/user Set the user name for the SSH server.

Global mode configuration commands

Command line prompt in the global configuration mode is as follows:

console(config)#

Table 33 – System management commands in the global configuration mode

Command Value/Default value Action

hostname name Use this command to specify the network name for the
name: (1..160)
device.
symbols/-
no hostname Set the default network device name.
ETS-1-10G-A 5. Device management. Command line interface 74

service tasks-utilization Allow the device to measure switch’s CPU utilization for each
system process.
/enabled
no service tasks-utilization Deny the device to measure switch’s CPU utilization for each
system process.
service cpu-utilization Allow the device to perform software based measurement
of the switch CPU load level.
/enabled
no service cpu-utilization Deny the device to perform software based measurement of
the switch CPU load level.
service cpu-input-rate Allow the device to change a speed of the incoming frames
processed by the switch CPU
-/disabled
no service cpu-input-rate Deny the device to programmatically measure the speed of
incoming frames processed by the switch’s CPU.
service cpu-rate-limits traffic Setting the incoming frames restriction for specific traffic
pps type.
traffic: (http, telnet, - pps – packets per second.
ssh, snmp, ip, link-local,
arp, arp-inspection, stp-
­bpdu, routing, ip-
­options,other-bpdu,
dhcp-snooping, igmp-
­snooping, mld-
­snooping, sflow, ace,
ip-error, other, vrrp));
pps: 8..2048
no service cpu-rate-limits Restore pps default value for the specific traffic.
traffic
service password-recovery Enable password recovery via‘password recovery procedure’
boot menu with saving configuration.
-/enabled
no service password­recovery Enable password recovery via‘password recovery procedure’
boot menu with deleting configuration.
link-flap prevention enable Enable link flapping prevention.
-/enabled
link-flap prevention disable Disable link flapping prevention.
service mirror­configuration Create a backup copy of the running configuration.
no service -/enabled Disable copying of the running configuration.
mirror­configuration
ETS-1-10G-A 5. Device management. Command line interface 75

system router resources ip_entries: Set the size of the routing table.
[ip­entries ip_entries | (8..8024)/5120;
ipv6­entries ipv6_entries | ipv6_entries:
ipm-entries ipm_entries | (32..8048)/1024;
ipmv6-entries ipmv6_entries | ipm_entries:
(8..8024)/512;
policy-ip-entries
ipmv6_entries:
ip_policy_routing_entries |
(32..8048)/512;
policy-ipv6-entries ip_policy_routin
ipv6_policy_routing_entries | g_entries:
vlan-mapping-entries (0..128)/64;
vlan_mapping_entries] ipv6_policy_rout
ing_entries:(0..
128)/64;
vlan_mapping_ent
ries:
(0..16272)/0

5.5 Commands to configure settings for setting passwords

This set of commands is designed to specify the minimum complexity of the password, as well as to
set the password validity time.

Global mode configuration commands

Command line prompt in the global configuration mode is as follows:

console(config)#

Table 34 – System management commands in the global configuration mode

Command Value/Default value Action

passwords aging age Sets the lifetime of passwords. At the end of the specified period,
you will be prompted to change your password. A value of 0
age: (0..365)/180 days
indicates that the lifetime of passwords is not set.
no password aging Restore the default value.
passwords complexity enable -/disabled Enables password format limitation.
passwords complexity Includes a limit that sets the minimum number of character classes
min­classes value (lower case letters, upper case letters, digits, characters).
value: (0..4)/3
no passwords complexity Restore the default value.
min­classes
passwords complexity Includes a minimum password length limit.
value: (0..64)/8
min­length value
ETS-1-10G-A 5. Device management. Command line interface 76

no passwords complexity Restore the default value.

min­length
passwords complexity Enables a limit that sets the maximum number of consecutive
no­repeat number characters in a new password.
number: (0..16)/3
no password complexity Restore the default value.
no­repeat
passwords complexity Prohibits using the old one as a new password when changing the
not­current password.
-/enabled
no passwords complexity Allows to use the old password when changing.
not­current
passwords complexity Restricts the use of username as a password.
not­username
-/enabled
no passwords complexity Allows the use of use user name as a password.
not­username

Table 35 – System management commands in priveleged EXEC mode

Command Value/Default value Action

show passwords configuration - Displays information about password restrictions.

5.6 File operations

Command parameters description

File operation commands use URL addresses as arguments to resources location defining. For
description of keywords used in operations see 36.

Table 36 – Keywords and their description

Keyword Description
Source or destination address for non-volatile memory. Non-volatile memory is used by default if
flash://
the URL address is defined without the prefix (prefixes include: flash:, tftp:, scp:…).
running-config Current configuration file.
mirror-config Copy of the running configuration file
startup-config Initial configuration file.
active-image Active image file
inactive-image Inactive image file
ETS-1-10G-A 5. Device management. Command line interface 77

Source or destination address for the TFTP server.

Syntax: tftp://host/[directory/] filename.
tftp:// - host – IPv4 address or device network name;
- directory – directory;
- filename – file name.
Source or destination address for the SSH server.
Syntax: scp://[username[:password]@]host/[directory/] filename
- username - username;
scp:// - password - user password;
- host – IPv4 address or device network name;
- directory – directory;
- filename – file name.
logging Command history file.

File operation commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 37 – File operation commands in the Privileged EXEC mode

Command Value/Default value Action

copy source_url Copy file from source location to destination location.
destination_url [exclude | - source_url – source location of the file to copy;
include-encrypted | - destination_url – destination location the file to be copied to.
include­plaintext] The following options are available only for copying from the
configuration file:
- exclude – do not include security information into the output file;
- include-encrypted – include security information in the output file
in encrypted form;
- include-plaintext – include security information in the output file
source_url: (1..160) in unencrypted form.
copy source_url characters; Copy the configuration file from the server to the current
running­config destination_url: (1..160) configuration.
characters;
copy running-config Save the current configuration on the server.
destination_url [exclude | - exclude – do not include secure information (kyes,
include-encrypted | passwords,etc.) into copied file;
include­plaintext]
- include-encrypted – save data on keys and passwords in
encrypted form;
- include-plaintext – save data on keys and passwords in
unencrypted form.
copy startup-config Save the initial configuration on the server.
destination_url
ETS-1-10G-A 5. Device management. Command line interface 78

copy running-config Save the current configuration into the initial configuration.
-
startup­config
copy running-config file Save the current configuration into the specified backup
-
configuration file.
copy startup-config file Save the initial configuration into the specified backup
-
configuration file.
boot config source_url Copy the configuration file from the server to the initial
-
configuration file.
dir [flash:path | dir_name] - Displays a list of files in the specified directory.
more {flash:file | Displays the contents of the file.
startup­config | - startup-config – show the content of the initial
running­config | configuration file;
mirror­config | active­image
- running-config – show the content of the current
| inactive­image | logging |
configuration file;
file}
- flash: – display files from the flash memory of the device;
- mirror-config – show the current configuration file content
from the mirror;
file: (1..160) characters - active-image – display the current software image file
version.
- inactive-image – display the current inactive software
image file version.
- logging – display the log file content.
- file – file name;

Files are displayed as ASCII text.

delete url - Delete the file.

delete startup-config - Delete the initial configuration file.
boot system inactive-image - Boot inactive software image.
show {startup-config | Show the content of the initial configuration file (startup-
running-config} [brief | config) or the current configuration file (running-config).
detailed | interfaces { - interfaces – configuration of the switch interfaces—
te_port: (1..8/0/1..32);
tengigabitethernet te_port |
group: (1..32); physical interfaces, interface groups (port-channel), VLAN
oob | port-channel group |
vlan_id: (1..4094); interfaces, oob ports, loopback interface, tunnels.
vlan vlan_id | tunnel
tunnel_id: (1..16); The running configuration can be output with the following
tunnel_id | loopback
loopback_id: (1..64); options:
loopback_id}]
- brief – do not output binary data, such as SSH and SSL keys.
- detailed – output the configuration with binary data
show bootvar Show the active system firmware file that the device loads
-
on startup.
write [memory] Save the current configuration into the initial configuration
-
file.
ETS-1-10G-A 5. Device management. Command line interface 79

rename url new_url url, new_url: (1..160) Change the file name.
characters - url – current filename; - new-url – new file name.

The TFTP server cannot be used as the source or destination address for a single copy command.

Example use of commands

 Delete the test file from the non-volatile memory:

console# delete flash:test

Delete flash:test? [confirm]

Command execution result: File will be deleted after confirmation.

Automatic update and configuration commands

Automatic update process

The switch starts an automatic DHCP-based update process if it is enabled and the name of the text
file (DHCP option 43, 125) containing the name of the firmware image was provided by the DHCP server.

The automatic update process consists of the following steps:

1. The switch downloads a text file and reads from it the name of the firmware image file on the
TFTP server;
2. The switch downloads the first block (512 bytes) of the firmware image from the TFTP server
containing the firmware version;
3. The switch compares the version of the firmware image file obtained from the TFTP server
with the version of the active switch firmware image. If they are different, the switch
downloads the firmware image from the TFTP server instead of the inactive switch firmware
image and makes this image active;
4. If the firmware image has been downloaded, the switch is rebooted.

Automatic configuration process

The switch starts the DHCP-based automatic configuration process if the following conditions are
met:
− automatic configuration is allowed in the configuration;
ETS-1-10G-A 5. Device management. Command line interface 80

− the DHCP server response contains the IP address of the TFTP server (DHCP option 66) and the
name of the configuration file (DHCP option 67) in ASCII format.

The resulting configuration file is added to the current (running) configuration.

Global mode configuration commands

Command line prompt in the global configuration mode is as follows:

console(config)#

Table 38 – System management commands in the global configuration mode

Command Value/Default value Action

boot host auto-config Enable automatic configuration based on DHCP.
/enabled
no boot host auto-config Disable automatic configuration based on DHCP.
boot host auto-update Enable automatic DHCP-based firmware update.
/enabled
no boot host auto-update Disable automatic DHCP-based firmware update.

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 39 – System management commands in privileged EXEC mode

Command Value/Default value Action

show boot - View automatic update and configuration settings.

 ISC DHCP Server configuration example:

option image-filename code 125 = {

unsigned integer 32, #enterprise-number. The manufacturer's ID, always equal
35265(RAD) Natalie
unsigned integer 8, #data-len. The length of all given options. Equals to the
length of string sub-
option-data + 2.
unsigned integer 8, #sub-option-code. Suboption code, always equals 1.
unsigned integer 8, #sub-option-len. sub-option-data string length
text #sub-option-data. Name of the text file, that contains
firmware
image name
ETS-1-10G-A 5. Device management. Command line interface 81

};
Natalie
host mes2124-test {
hardware ethernet a8:f9:4b:85:a2:00; #mac address of the switch
filename "mesXXX-test.cfg"; #switch configuration name
option image-filename 35265 18 1 16 "mesXXX-401.ros"; #name of the
text
file, that contains firmware
image name
next-server 192.168.1.3; #TFTFP server IP address
fixed-address 192.168.1.36; #switch IP address
}

5.7 System time configuration

By default, automatic daylight saving change is performed according to US and EU
standards. You can set any date and time for daylight saving change in the configuration.

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#
Table 40 – System time configuration commands in the Privileged EXEC mode

Command Value/Default value Action

clock set hh:mm:ss day month hh: (0..23); Manual system time setting (this command is available to
year mm: (0..59); privileged users only).
clock set hh:mm:ss month day ss: (0..59); - hh – hours, mm – minutes, ss – seconds;
year day: (1..31);
- day – day; month – month; year – year.
month: (jan..dec);
year: (2000..2037)
show sntp configuration - Show SNTP configuration.
show sntp status - Show SNTP statistics.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console>
Table 41 – System time configuration commands in the EXEC mode
ETS-1-10G-A 5. Device management. Command line interface 82

Command Value/Default value Action

show clock Show system time and date.
-
show clock detail Show timezone and daylight saving settings.

Global mode configuration commands

Command line prompt in the global configuration mode is as follows:

console(config)#
Table 42 – List of system time configuration commands in the global configuration mode

Command Value/Default value Action

clock source {sntp | browser} Use an external source to set system time.
-/do not use the
no clock source {sntp | Denies the use of an external source for system time setting.
external source
browser}
clock timezone zone zone: (1..4) Sets the timezone value.
hours_offset [minutes characters/no area - zone – abbreviation of the phrase (zone description);
minutes_offset] description; - hours-offset – hour offset from the UTC zero meridian;
hours_offset:
- minutes-offset – minute offset from the UTC zero meridian.
(­12..+13)/0;
no clock timezone Sets the default value.
minutes_offset:
(0..59)/0;
clock summer-time zone date zone: (1..4) Specifies date and time when daylight saving time starts and
date month year hh:mm date characters/no area ends (for a specific year).
month year hh:mm [offset] description; Zone description should be specified first, DST start time—
clock summer-time zone date date: (1..31); second, and DST end time—third.
month date year hh:mm month month: (jan..dec);
- zone – abbreviation of the phrase (zone description);
date year hh:mm [offset] year: (2000 ..2037);
- date – day;
hh: (0..23);
mm: (0..59); - month – month;
week: (1..5); - year – year;
day: (sun..sat); - hh – hours, mm – minutes;
offset: (1..1440)/60 - offset – number of minutes added for the daylight saving
min. change.
ETS-1-10G-A 5. Device management. Command line interface 83

clock summer-time zone The daylight saving Specifies date and time when daylight saving time starts and
recurring {usa | eu | {first | change is disabled by ends for each year.
last | week} day month hh:mm default. - zone – abbreviation of the phrase (zone description);
{first | last | week} day month
- usa – set the daylight saving rules used in the USA (daylight
hh:mm} [offset]
saving starts on the second Sunday of March and ends on the
first Sunday of November, at 2am local time);
- eu – set the daylight saving rules used in EU (daylight saving
starts on the last Sunday of March and ends on the last
Sunday of October, at 1am GMT);
- hh – hours, mm – minutes;
- week – week of month;
- day – day of the week;
- month – month;
- offset – number of minutes added for the daylight saving
change.
Disable daylight saving change
no clock summer-time

sntp authentication- Specify authentication key for SNTP.

key number md5 value - number – key number;
number: - value – key value;
(1..4294967295); - encrypted – set the key value in the encrypted form.
encrypted sntp
value: (1..32)
authentication­key
characters;
number md5 value
By default,
authentication is Delete authentication key for SNTP.
no sntp
disabled
authentication-key
number

Authentication is required to obtain information from NTP

sntp authenticate
-/authentication is not servers.
required Sets the default value.
no sntp authenticate

Require authorization of the system that is used for

sntp trusted-key key_number:
key_number synchronization via SNTP by the specified key.
(1..4294967295);
By default, - key_number – key number.
no sntp trusted-key authentication is Sets the default value.
key_number disabled

Allow multicast SNTP client operation.

sntp broadcast client enable
{both | ipv4 | ipv6}
-/denied
Sets the default value.
no sntp broadcast client
enable
ETS-1-10G-A 5. Device management. Command line interface 84

Allow the operation of SNTP clients that support packet

sntp anycast client enable
{both | ipv4 | ipv6} transmission to the nearest device in a group of receivers.
-/denied
Sets the default value.
no sntp anycast client enable

Set polling time of SNTP server.

sntp client poll timer seconds
seconds:
(60…86400)/24 Sets the default value.
no sntp client poll timer
Allow the operation of SNTP clients that support packet
sntp client enable
{tengigabitethernet transmission to the nearest device in a group of receivers, as well
te_port | port-channel as broadcast SNTP clients for the selected interface.
- for the detailed interface configuration, see Interface
group | oob | vlan
te_port: (1..32); Configuration Section.
vlan_id}
group: (1..32);
vlan_id (1..4094) Sets the default value.
no sntp client enable
{tengigabitethernet /denied
te_port | port-channel
group | oob | vlan
vlan_id}

Allow unicast SNTP client operation.

sntp unicast client enable
-/denied
Sets the default value.
no sntp unicast client enable

Allow sequential polling of the selected unicast SNTP servers.

sntp unicast client poll
-/denied
Sets the default value.
no sntp unicast client poll

sntp server Set the SNTP server address.

{ipv4_address | ipv6_address | - ipv4_address – IPv4-address of a network node;
ipv6_link_local_address%{vlan - A.B.C.D.E.F – IPv6 address of the network node;
{integer} | ch {integer} | isatap - ipv6z-address – IPv6z-address of a network node for
{integer} | pinging.
{physical_port_name}} | Adress format ipv6_link_local_address%interface_name:
hostname} [poll] [key hostname: (1..158)
ipv6_link_local_address – local IPv6 address of the
keyid] characters
keyid: (1..4294967295) channel;
interface_name – the name of the outgoing interface is set
in the following format: vlan {integer} | ch {integer} |
isatap {integer} | {physical_port_name}
- hostname – domain name of the network node;
- poll – enable polling;
- keyid – key identifier;
ETS-1-10G-A 5. Device management. Command line interface 85

no sntp server Delete the server from the NTP server list.
{ipv4_address | ipv6_address |
ipv6_link_local_address%{vlan
{integer} | ch {integer} | isatap
{integer} |
{physical_port_name}} |
hostname}

clock dhcp timezone Get the timezone and daylight saving data from the DHCP
server.
-/denied Prohibit the receipt of the timezone and daylight saving data
no clock dhcp
timezone from the DHCP server.

Interface configuration mode commands

Command line prompt in the interface configuration mode is as follows:

console(config-if)#

Table 43 – List of system time configuration commands in the interface configuration mode

Command Value/Default value Action

Allow the operation of SNTP clients that support packet
sntp client enable
transmission to the nearest device in a group of receivers, as well
as broadcast SNTP client for the selected interface (ethernet, port-
-/denied channel, VLAN).

no sntp client enable Sets the default value.

Command execution example

 Show the system time, date and timezone data:

console# show clock detail

15:29:08 PDT(UTC-7) Jun 17 2009

Time source is SNTP

Time zone:
Acronym is PST
Offset is UTC-8

Summertime:
Acronym is PDT
ETS-1-10G-A 5. Device management. Command line interface 86

Recurring every year.

Begins at first Sunday of April at 2:00.

Synchronization status is indicated by the additional character before the time value.

Example:

*15:29:08 PDT(UTC-7) Jun 17 2009

The following symbols are used:

− The dot (.) means that the time is valid, but there is no synchronization with the SNTP server.
− No symbol means that the time is valid and time is synchronized.
− Asterisk (*) means that the time is not valid.

 Specify system clock date and time: March 7, 2009, 1:32pm

console# clock set 13:32:00 7 Mar 2009

 Show SNTP status:

console# show sntp status

Clock is synchronized, stratum 3, reference is 10.10.10.1, unicast

Unicast servers:

Server : 10.10.10.1
Source : Static
Stratum : 3
Status : up
Last Response : 10:37:38.0 UTC Jun 22 2016
Offset : 1040.1794181 mSec
Delay : 0 mSec

Anycast server:

Broadcast:

In the example above, the system time is synchronized with server 10.10.10.1, the last response is
received at 10:37:38; system time mismatch with the server time is equal to 1.04 seconds.
ETS-1-10G-A 5. Device management. Command line interface 87

5.8 Configuring ‘time-range’ intervals

Time interval configuration mode commands

console# configure
console(config)# time-range range_name, where
range_name – character (1...32) time interval identifier
console(config-time-range)#

Table 44 – time interval configuration mode commands

Command Value/Default value Action

absolute {end | start} hh:mm hh: (0..23); Set the beginning and/or end of the time interval in a format: hour:
date month year mm: (0..59); minute day month year.
date: (1..31);
no absolute {end | start} month: (jan..dec);
year: (2000..2097); Delete time interval

periodic list hh:mm to hh:mm Set the time interval within one day of the week or each day
{all | weekday} hh: (0..23);
of the week.
mm: (0..59);
no periodic list hh:mm to weekday: (mon…sun) Delete time interval
hh:mm {all | weekday}
Set a time interval within a week.
periodic weekday hh:mm to
weekday hh:mm hh: (0..23);
mm: (0..59);
weekday: (mon…sun) Delete time interval
no periodic weekday hh:mm to
weekday hh:mm

5.9 Interfaces and VLAN configuration

Ethernet, Port-Channel and Loopback interface parameters

Interface configuration mode commands (interface range)

console# configure
console(config)# interface {tengigabitethernet te_port | oob | port-
channel group | range {…} | loopback loopback_id }
ETS-1-10G-A 5. Device management. Command line interface 88

console(config-if)#

This mode is available from the configuration mode and designed for configuration of interface
parameters (switch port or port group operating in the load distribution mode) or the interface range
parameters.

The interface is selected using the following commands:

Table 45 – List of interface selection commands for MES5324

Command Purpose
interface tengigabitethernet te_port For configuring10G interfaces
interface port-channel group For configuring channel groups
For configuring control interfaces (control interface is not available
interface oob
for all switches)
interface loopback loopback_id For configuring virtual interface

where:
– group – a sequential number of a group, total number in accordance with table (‘Link aggregation
(LAG)’ string);
– te_port – sequential number of 10G interface specified as follows: 1..8/0/1.. 32;
– loopback_id – sequential number of virtual interface corresponding to table (‘Number of virtual
Loopback interfaces’ string).

Interface entry

1..8/0/1..N

number of the stack unit slot number interface number

The commands entered in the interface configuration mode are applied to the selected interface.

Below are given the commands for entering in the configuration mode of the 10th Ethernet
interface located on the first stack unit and for entering in the configuration mode of channel group 1.

console# configure
console(config)# interface tengigabitethernet 1/0/10
console(config-if)#
console# configure
console(config)# interface port-channel 1
console(config-if)#
ETS-1-10G-A 5. Device management. Command line interface 89

The interface range is selected by the following commands:

– interface range tengigabitethernet portlist – to configure the range of

tengigabitethernet interfaces;
– interface range port-channel grouplist – to configure the range of port groups;

Commands entered in this mode are applied to the selected interface range.

Below are given the commands for entering in the configuration mode of the Ethernet interface
range from 1 to 10 and for entering in the configuration mode of all port groups.

console# configure
console(config)# interface range tengigabitethernet 1/0/1-10
console(config-if)#

console# configure
console(config)# interface range port-channel 1-32
console(config-if)#

Table 46 – The commands of Ethernet and Port-Channel interfaces configuration mode

Command Value/Default value Action

shutdown Disable the current interface (Ethernet, port-channel).
-/enabled
no shutdown Enable the current interface.

description descr Add interface description (Ethernet, port-channel).

descr: (1..64) characters
/ no description
no description Remove interface description.

speed mode Set data transfer rate (Ethernet).

mode: (10, 100, 1000,
10000)
no speed Set the default value.

duplex mode
Specify interface duplex mode (full-duplex connection, half-
duplex connection, Ethernet).
mode: (full, half)/full
no duplex Set the default value.

negotiation [cap1
Enable autonegotiation of speed and duplex on the
[cap2…cap5]] interface. You can define specific compatibilities for the
cap: (10f, 10h, 100f,
autonegotiation parameter; if these parameters are not
100h, 1000f, 10000f)
defined, all compatibilities are supported (Ethernet, port-
channel).
ETS-1-10G-A 5. Device management. Command line interface 90

Disable autonegotiation of speed and duplex on the

no negotiation
interface.
flowcontrol mode
Specify the flow control mode (enable, disable or
autonegotiation). Flowcontrol autonegotiation works only
mode: (on, off, when negotiation mode is enabled on the interface
auto)/off (Ethernet, port-channel).
no flowcontrol Disable flow control mode.
Enable the ‘back pressure' function for the interface
back-pressure
(Ethernet).
-/disabled
no back-pressure Disable ‘back pressure' function for the interface.
Specify the period during which the interface utilization
load-average period
statistics is collected.
period: (5..300)/15
no load-average Set the default value.

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#

Table 47 – Ethernet and Port-Channel interface general configuration mode commands

Command Value/Default value Action

port jumbo-frame Enable processing of large size fames by the switch.
The default value for the maximum transmission unit
(MTU) is 1500 bytes.
Configuration changes will take effect after the switch is
-/denied restarted.

The maximum transmission unit (MTU) value when

configuring port jumbo-frame 10200 bytes.

no port jumbo-frame Disable processing of jumbo fames by the switch.

ETS-1-10G-A 5. Device management. Command line interface 91

errdisable recovery cause {all | Enable automatic interface activation after it is disconnected
loopack­detection | in the following cases:
port­security | - loopback-detection – loopback detection;
dot1x­src­address | acl­deny |
- port-security –security breach for port security;
stp­bpdu­guard |
- dot1x-src-address – MAC based user authentication failed;
stp­loopback-guard | udld |
storm-control | link­flapping} - acl-deny – non-compliance with access lists (ACL);
- stp-bpdu-guard – BPDU Guard activation (unauthorized
BPDU packet transfer on the interface);
- stp-loopback-guard – loopback detection using the STP;
-/denied - udld – UDLD protection activation;
- storm-control – broadcast storm;
- link-flapping – link flapping.
no errdisable recovery cause Set the default value.
{all | loopack­detection |
port­security |
dot1x­src­address | acl­deny |
stp­bpdu­guard |
stp­loopback-guard | udld |
storm-control | link­flapping}
errdisable recovery interval Specify the time period for automatic interface reactivation.
seconds:
seconds (30..86400)/300
no errdisable recovery interval seconds Set the default value.
snmp trap link-status Enables SNMP trap message transmission on interface link
/enabled status.
no snmp trap link-status Disables SNMP trap-message transmission.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 48 – EXEC mode commands

Command Value/Default value Action

Collect statistics for all interfaces.
clear counters -

Collect statistics for an interface.

clear counters {oob | te_port: (1..8/0/1..32);
tengigabitethernet te_port group: (1..32)
| port-channel group
ETS-1-10G-A 5. Device management. Command line interface 92

Activates a port or group of ports disabled by the shutdown

set interface active { te_port: (1..8/0/1..32);
tengigabitethernet te_port group: (1..32) command.
| port-channel group}

Shows the interface configuration.

show interfaces configuration
te_port: (1..8/0/1..32);
{oob | tengigabitethernet
group: (1..32)
te_port | port-channel
group | detailed}

Shows the status for all interfaces.

show interfaces status -

Shows the status for Ethernet port or port group.

show interfaces status {oob |
te_port: (1..8/0/1..32);
tengigabitethernet te_port
group: (1..32)
| port-channel group |
detailed}

Shows autonegotiation parameters announced for all

show interfaces advertise -
interfaces.
Shows autonegotiation parameters announced for an
show interfaces advertise
te_port: (1..8/0/1..32); Ethernet port or port group.
{oob | tengigabitethernet
group: (1..32)
te_port | port-channel
group | detailed}

Shows descriptions for all interfaces.

show interfaces description -

Shows descriptions for an Ethernet port or port group.

show interfaces description
te_port: (1..8/0/1..32);
{oob | tengigabitethernet
group: (1..32)
te_port | port-channel
group | detailed}

Shows statistics for all interfaces.

show interfaces counters -

Shows statistics for an interface.

show interfaces counters
te_port: (1..8/0/1..32);
{oob | tengigabitethernet
group: (1..32)
te_port | port-channel
group | detailed}

Shows all interfaces utilization statistics.

show interfaces utilization -

Shows Ethernet interface utilization statistics.

show interfaces utilization te_port: (1..8/0/1..32);
{tengigabitethernet te_port group: (1..32)
| port-channel group}

Shows jumbo frame settings for the switch.

show ports jumbo-frame -
ETS-1-10G-A 5. Device management. Command line interface 93

Shows automatic port reactivation settings.

show errdisable recovery -

Shows the reason for disabling the port or port group and
show errdisable interfaces { te_port: (1..8/0/1..32);
tengigabitethernet te_port group: (1..32) automatic activation status.
| port-channel group}

Examples of command usage

 Show interface status:

console# show interfaces status

Flow Link Back Mdix

Port Type Duplex Speed Neg ctrl State Pressure Mode Port Mode
-------- ------------ ------ ----- -------- ---- ----------- -------- ------- ------------------
------
te1/0/3 10G-Fiber Full 1000 Disabled Off Up Disabled Off Access
te1/0/4 10G-Fiber -- -- -- -- Down -- -- Access
te1/0/5 10G-Fiber -- -- -- -- Down -- -- Access
te1/0/6 10G-Fiber -- -- -- -- Down -- -- Access
te1/0/7 10G-Fiber -- -- -- -- Down -- -- Access
te1/0/8 10G-Fiber -- -- -- -- Down -- -- Access
te1/0/9 10G-Fiber -- -- -- -- Down -- -- Access
te1/0/10 10G-Fiber -- -- -- -- Down -- -- Access
te1/0/11 10G-Fiber -- -- -- -- Down -- -- Access
te1/0/12 10G-Fiber -- -- -- -- Down -- -- Access
ETS-1-10G-A 5. Device management. Command line interface 94

Flow Link
Ch Type Duplex Speed Neg control State
-------- ------- ------ ----- -------- ------- -----------
Po1 -- -- -- -- -- Not Present
Po2 -- -- -- -- -- Not Present
Po3 -- -- -- -- -- Not Present
Po4 -- -- -- -- -- Not Present
Po5 -- -- -- -- -- Not Present
Po6 -- -- -- -- -- Not Present
Po7 -- -- -- -- -- Not Present
Po8 -- -- -- -- -- Not Present
Po9 -- -- -- -- -- Not Present
Po10 -- -- -- -- -- Not Present
Po11 -- -- -- -- -- Not Present
Po12 -- -- -- -- -- Not Present
Po13 -- -- -- -- -- Not Present
Po14 -- -- -- -- -- Not Present
Po15 -- -- -- -- -- Not Present
Po16 -- -- -- -- -- Not Present
Po17 -- -- -- -- -- Not Present
Po18 -- -- -- -- -- Not Present
Po19 -- -- -- -- -- Not Present
Po20 -- -- -- -- -- Not Present
Po21 -- -- -- -- -- Not Present
Po22 -- -- -- -- -- Not Present
Po23 -- -- -- -- -- Not Present
Po24 -- -- -- -- -- Not Present
Po25 -- -- -- -- -- Not Present
Po26 -- -- -- -- -- Not Present
Po27 -- -- -- -- -- Not Present
Po28 -- -- -- -- -- Not Present
Po29 -- -- -- -- -- Not Present
Po30 -- -- -- -- -- Not Present
Po31 -- -- -- -- -- Not Present
Po32 -- -- -- -- -- Not Present

Link
Oob Type Duplex Speed Neg State
-------- ------------ ------ ----- -------- -----------
oob 1G-Copper -- -- -- Down

Show autonegotiation parameters:

console# show interfaces advertise

Port Type Neg Preferred Operational Link Advertisement

--------- ------------ -------- ---------- -----------------------------------
te1/0/3 10G-Fiber Disabled -- --
te1/0/4 10G-Fiber Disabled -- --
te1/0/5 10G-Fiber Disabled -- --
te1/0/6 10G-Fiber Disabled -- --
te1/0/7 10G-Fiber Disabled -- --
te1/0/8 10G-Fiber Disabled -- --
te1/0/9 10G-Fiber Disabled -- --
te1/0/10 10G-Fiber Disabled -- --
te1/0/11 10G-Fiber Disabled -- --
te1/0/12 10G-Fiber Disabled -- --
ETS-1-10G-A 5. Device management. Command line interface 95

Ch Type Neg Preferred Operational Link Advertisement

--------- ------------ -------- ---------- -----------------------------------
Po1 Unknown Enabled Slave --
Po2 Unknown Enabled Slave --
Po3 Unknown Enabled Slave --
Po4 Unknown Enabled Slave --
Po5 Unknown Enabled Slave --
Po6 Unknown Enabled Slave --
Po7 Unknown Enabled Slave --
Po8 Unknown Enabled Slave --
Po9 Unknown Enabled Slave --
Po10 Unknown Enabled Slave --
Po11 Unknown Enabled Slave --
Po12 Unknown Enabled Slave --
Po13 Unknown Enabled Slave --
Po14 Unknown Enabled Slave --
Po15 Unknown Enabled Slave --
Po16 Unknown Enabled Slave --
Po17 Unknown Enabled Slave --
Po18 Unknown Enabled Slave --
Po19 Unknown Enabled Slave --
Po20 Unknown Enabled Slave --
Po21 Unknown Enabled Slave --
Po22 Unknown Enabled Slave --
Po23 Unknown Enabled Slave --
Po24 Unknown Enabled Slave --
Po25 Unknown Enabled Slave --
Po26 Unknown Enabled Slave --
Po27 Unknown Enabled Slave --
Po28 Unknown Enabled Slave --
Po29 Unknown Enabled Slave --
Po30 Unknown Enabled Slave --
Po31 Unknown Enabled Slave --
Po32 Unknown Enabled Slave --

Oob Type Neg Operational Link Advertisement

--------- ------------ -------- ----------------------------------

 oob 1G- Enabled --

Show interface statistics:

console# show interfaces counters

Port InUcastPkts InMcastPkts InBcastPkts InOctets

---------------- ------------ ------------ ------------ ------------
te1/0/1 0 0 0 0
te1/0/2 0 0 0 0
………………………………………………………………………………………………………………………………………………………………….

te1/0/5 0 0 0 0
ETS-1-10G-A 5. Device management. Command line interface 96

te1/0/6 0 2 0 2176
te1/0/7 0 1 0 4160
te1/0/8 0 0 0 0
………………………………………………………………………………………………………………………………………………………………….

Port OutUcastPkts OutMcastPkts OutBcastPkts OutOctets

---------------- ------------ ------------ ------------ ------------
te1/0/1 0 0 0 0
te1/0/2 0 0 0 0
te1/0/3 0 0 0 0
te1/0/4 0 0 0 0
te1/0/5 0 0 0 0
te1/0/6 0 545 83 62186
te1/0/7 0 1424 216 164048
te1/0/8 0 0 0 0
te1/0/9 0 0 0 0
………………………………………………………………………………………………………………………………………………………………….

OOB InUcastPkts InMcastPkts InBcastPkts InOctets

---------------- ------------ ------------ ------------ ------------
oob 0 13 0 1390

OOB OutUcastPkts OutMcastPkts OutBcastPkts OutOctets

---------------- ------------ ------------ ------------ ------------
oob 3 616 0 39616

 Show channel group 1 statistics:

console# show interfaces counters port-channel 1

Ch InUcastPkts InMcastPkts InBcastPkts InOctets

---------------- ------------ ------------ ------------ ------------
Po1 111 0 0 9007

Ch OutUcastPkts OutMcastPkts OutBcastPkts OutOctets

---------------- ------------ ------------ ------------ ------------
Po1 0 6 3 912

Alignment Errors: 0
FCS Errors: 0
Single Collision Frames: 0
Multiple Collision Frames: 0
SQE Test Errors: 0
Deferred Transmissions: 0
Late Collisions: 0
Excessive Collisions: 0
Carrier Sense Errors: 0
Oversize Packets: 0
Internal MAC Rx Errors: 0
Symbol Errors: 0
Received Pause Frames: 0
ETS-1-10G-A 5. Device management. Command line interface 97

Transmitted Pause Frames: 0

 Show jumbo frame settings for the switch:

console# show ports jumbo-frame

Jumbo frames are disabled

Jumbo frames will be disabled after reset

Table 49 – Description of counters

Counter Description
InOctets The number of bytes received.
InUcastPkts The number of unicast packets received.
InMcastPkts The number of multicast packets received.
InBcastPkts The number of broadcast packets received.
OutOctets The number of bytes sent.
OutUcastPkts The number of unicast packets sent.
OutMcastPkts The number of multicast packets sent.
OutBcastPkts The number of broadcast packets sent.
Alignment Errors The number of frames that failed integrity verification (whose number of bytes
mismatches the length) and frame check sequence validation (FCS).
FCS Errors The number of frames whose byte number matches the length that failed frame check
sequence (FCS) validation.
Single Collision Frames The number of frames involved in a single collision, but transmitted successfully.
Multiple Collision Frames The number of frames involved in multiple collisions, but transmitted successfully.
Deferred Transmissions The number of frames for which the first transmission attempt was delayed due to busy
transmission media.
Late Collisions The number of cases when collision is identified after transmitting the first 64 bytes of
the packet to the communication link (slotTime).
Excessive Collisions The number of frames that were not sent due to excessive number of collisions.
Carrier Sense Errors The number of cases when the carrier control state was lost or not approved during the
frame transmission attempt.
Oversize Packets The number of received packets whose size exceeds the maximum allowed frame size.
Internal MAC Rx Errors The number of frames for which a reception fails due to an internal MAC receive error.
ETS-1-10G-A 5. Device management. Command line interface 98

Symbol Errors For an interface operating at 100Mbps, the number of cases there was as invalid data
symbol when a valid carrier was present.
For an interface operating in 1000Mbps half-duplex mode, the number of cases when
receiving instrumentation was busy for a time period equal or greater than the slot size
(slotTime) during which there was at least one occurrence of an event that caused the
PHY to indicate Data reception error or Carrier extend error on the GMII.
For an interface operating in 1000Mbps full-duplex mode, the number of times when
receiving instrumentation was busy for a time period equal or greater than the
minimum frame size (minFrameSize), and during which there was at least one
occurrence of an event caused the PHY to indicate Data reception error on the GMII.
Received Pause Frames The number of control MAC frames with PAUSE operation code received.
Transmitted Pause The number of control MAC frames with PAUSE operation code sent.
Frames

Configuring VLAN and switching modes of interfaces

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#

Table 50 – Global mode configuration commands

Command Value/Default value Action

vlan database - Enter the VLAN configuration mode.
vlan prohibit-
internal-usage {add - add – add the specific VLAN IDs to the list of VLANIDs
VLANlist | remove prohibited for internal usage;
VLANlist | except - remove – delete specific VLANIDs from the
VLANlist | none}
VLANlist: (2..4094) list of the prohibited VLAN IDs;
- except – add all VLANIDs, except VLAN IDs specified as
parameters, to the list of VLANIDs prohibited for internal usage;
- none – clean the list of VLAN IDs prohibited for internal usage.

VLAN configuration mode commands

Command line prompt in the VLAN configuration mode is as follows:

console# configure
ETS-1-10G-A 5. Device management. Command line interface 99

console(config)# vlan database

console(config-vlan)#

This mode is available in the global configuration mode and designed for configuration of VLAN
parameters.

Table 51 – VLAN configuration mode commands

Command Value/Default value Action

vlan VLANlist [name

Add a single or multiple VLANs.
VLAN_name] VLANlist: (2..4094)
VLAN_name: (1..32)
symbols Remove a single or multiple VLANs.
no vlan VLANlist

map protocol protocol

Tether the protocol to the associated protocol group.
protocol: (ip, ipx, ipv6,
[encaps] protocols- arp, (0600-ffff (hex)}*);
group group encaps: (ethernet,
rfc1042, llcOther);
no map protocol ethernet group: Remove mapping.
protocol [encaps] (1..2147483647); * - protocol number (16 bit).

map mac mac_address Tether a single or a range of MAC addresses to MAC address
{host | mask} macs- group.
group group
mask: (9..48)
no map mac Remove mapping.
mac_address {host |
mask}

map subnet ip_address Map a single or a range of IP addresses to IP address group.

mask subnets-group
group mask: (1..32);
group: Remove mapping.
no map subnet (1..2147483647).
ip_address mask

VLAN interface (interface range) configuration mode commands

Command line prompt in the VLAN interface configuration mode is as follows:

console# configure
console(config)# interface {vlan vlan_id |range vlan VLANlist}
ETS-1-10G-A 5. Device management. Command line interface 100

console(config-if)#

This mode is available in the global configuration mode and designed for configuration of VLAN
interface or VLAN interface range parameters.

The interface is selected by the following command:

interface vlan vlan_id

The interface range is selected by the following command:

interface range vlan VLANlist

Below are given the commands for entering in the configuration mode of the VLAN 1 interface and
for entering in the configuration mode of VLAN 1, 3, 7 group.

console# configure
console(config)# interface vlan 1
console(config-if)#

console# configure
console(config)# interface range vlan 1,3,7
console(config-if)#

Table 52 – Commands of VLAN interface configuration mode

Command Value/Default value Action

name name
name: (1..32) Add a VLAN name.
characters/name
matches VLAN number Set the default value.
no name

Ethernet or port group interface (interface range) configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:

console# configure
console(config)# interface {tengigabitethernet te_port | oob | port-
channel group | range {…}}
console(config-if)#
ETS-1-10G-A 5. Device management. Command line interface 101

This mode is available from the configuration mode and designed for configuration of interface
parameters (switch port or port group operating in the load distribution mode) or the interface range
parameters.

The port can operate in four modes:

– access – an untagged access interface for a single VLAN;

– trunk – an interface that accepts tagged traffic only, except for a single VLAN that can be
added by the switchport trunk native vlan command;
– general – an interface with full support of 802.1q that accepts both tagged and untagged
traffic;
– customer – Q-in-Q interface.

Table 53 – Commands of Ethernet interface configuration mode

Command Value/Default value Action

switchport mode mode
Specify port operation mode in VLAN.
mode: (access, trunk,
- mode – port operation mode in VLAN.
general,
no switchport mode customer)/access Set the default value.

switchport access Add VLAN for the access interface.

vlan vlan_id - vlan_id – VLAN ID.
vlan_id:
no switchport access
(1..4094)/1 Set the default value.
vlan

switchport general Accept only specific frame type on the interface:

acceptable­frame-type - untagged-only – only untagged;
{untagged-only | -/accept all frame types - tagged-only – tagged only;
tagged­only | all} - all – all frames.

switchport trunk Add a VLAN list for the interface.

allowed vlan add - vlan_list – list of VLAN IDs. To define a VLAN number range, enter
vlan_list values separated by commas or enter the starting and ending
values separated by a hyphen ’-’.
vlan_list: (2..4094, all).
switchport trunk Remove the VLAN list for the interface.
allowed vlan remove
vlan_list

switchport trunk Add the number of VLAN as a Default VLAN for the interface.
native vlan vlan_id vlan_id: All untagged traffic arriving at this port is routed to this
(1..4094)/1 VLAN.
- vlan_id – VLAN ID.
ETS-1-10G-A 5. Device management. Command line interface 102

no switchport trunk Set the default value.

native vlan

switchport general Add a VLAN list for the interface.

allowed vlan add - tagged – the port will transmit tagged packets for the VLAN;
vlan_list [tagged | - untagged – the port will transmit untagged packets for the
untagged] VLAN;
- vlan_list – list of VLAN IDs. To define a VLAN range, enter
vlan_list: (2..4094, all). values separated by commas or enter the starting and ending
values separated by a hyphen ’-’.
switchport general Remove the VLAN list for the interface.
allowed vlan remove
vlan_list

switchport general Add a port VLAN identifier (PVID) for the main interface.
pvid vlan_id vlan_id: - vlan_id – VLAN port ID.
(1..4094)/1 - if
no switchport general
default VLAN is Set the default value.
set
pvid

switchport general Disable filtering of ingress packets on the main interface

ingress­filtering based on their assigned VLAN ID.
disable
-/filtering is enabled Enable filtering of ingress packets on the main interface
no switchport general
ingress­filtering based on their assigned VLAN ID.
disable If filtering is enabled, and the packet is not in VLAN group
with the assigned VLAN ID, this packet will be dropped.
switchport general Accept only specific frame type on the main interface:
acceptable­frame-type - tagged-only – tagged only;
{tagged-only | - untagged-only – only untagged;
untagged­only | all} -/accept all frame types - all – all frames.

no switchport general Accept all frame types on the main interface.

acceptable-frame-type

switchport general Set a classification rule for the main interface based on
map protocols-group protocol mapping.
group vlan vlan_id - group – group number ID;
vlan_id:
(1..4094) - vlan_id – VLAN ID.
no switchport general group: (1.. 2147483647) Remove a classification rule.
map protocols-group
group
ETS-1-10G-A 5. Device management. Command line interface 103

switchport general Set a classification rule for the main interface based on MAC
map macs­group group address mapping.
vlan_id:
vlan vlan_id (1..4094) - group – group number ID;
group: - vlan_id – VLAN ID.
no switchport general (1..2147483647). Remove a classification rule.
map macs-group group

switchport general Set a classification rule for the main interface based on
map protocols-group protocol mapping.
group vlan vlan_id vlan_id: - group – group number ID;
(1..4094) - vlan_id – VLAN ID.
no switchport general group: (1.. 2147483647) Remove a classification rule.
map protocols-group
group

switchport general Set a classification rule for the main interface based on IP
map subnets-group address mapping.
group vlan vlan_id vlan_id:
(1..4094)
no switchport general group: (1.. 2147483647) Remove a classification rule.
map subnets-group
group

switchport customer Add a VLAN for the user interface.

vlan vlan_id - vlan_id – VLAN ID.
vlan_id:
(1..4094)/1
no switchport
customer vlan Set the default value.

switchport customer Enable the receipt of multicast traffic from the specified
multicast-tv vlan add VLANs (other than the user interface VLAN) on the interface
vlan_list together with other port users that receive multicast traffic
from these VLANs.
- vlan_list – list of VLAN IDs. To define a VLAN range, enter values
vlan_list: (2..4094, all). separated by commas or enter the starting and ending values
separated by a hyphen ’-’.
switchport customer Forbid the interface to receive multicast traffic.
multicast-tv vlan
remove vlan_list

switchport protected- Put the port in isolation mode within the port group.
port
-
no switchport Restore the default value.
protected­port
ETS-1-10G-A 5. Device management. Command line interface 104

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 54 – Privileged EXEC mode commands

Command Value/Default value Action

show vlan -
Show information on all VLANs

show vlan tag vlan_id

vlan_id: Show information on a specific VLAN by ID.
(1..4094)

show vlan internal Show VLAN list for internal use by the switch.
usage -

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#
Table 55 – EXEC mode commands

Command Value/Default value Action

show vlan multicast- Show source ports and multicast traffic receivers in the
vlan_id:
tv vlan vlan_id (1..4094) current VLAN. Source ports can both send and receive
multicast traffic.
show vlan protocols- Show information on protocol groups.
groups -

show vlan macs-groups -

Show information on MAC address groups.

show interfaces Show port or port group configuration.

switchport { te_port: (1..8/0/1..32);
tengigabitethernet group: (1..32)
te_port | port-
channel group}
ETS-1-10G-A 5. Device management. Command line interface 105

show interfaces Show port status: Show port status: in Private VLAN Edge
protected­ports mode, in the private-vlan-edge community.
te_port: (1..8/0/1..32);
[tengigabitethernet
te_port | port- group: (1..32)
channel group |
detailed]

Command execution example

 Show information on all VLANs:

console# show vlan

Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN

Vlan Name Tagged Ports UnTagged Ports Created by

---- ----------------- ------------------ ------------------ ----------------
1 1 te1/0/1-12 D

Po1-8
2 2 S
3 3 S
4 4 S
5 5 S
6 6 S
8 8 S

Show source ports and multicast traffic receivers in VLAN 4:

console# show vlan multicast-tv vlan 4

Source ports : Source ports : te0/1
Receiver ports: te0/2,te0/4,te0/8

 Show information on protocol groups.

console# show vlan protocols-groups

Encapsulation Protocol Group Id
------------- ---------------- ----------------
0x800 (IP) Ethernet 1
0x806 (ARP) Ethernet 1
0x86dd (IPv6) Ethernet 3

 Show TenGigabitEthernet 1/0/1 port configuration:

console# show interfaces switchport TengigabitEthernet 1/0/1

ETS-1-10G-A 5. Device management. Command line interface 106

Gathering information...

Name: te1/0/1
Switchport: enable
Administrative Mode: access
Operational Mode: not present
Access Mode VLAN: 1
Access Multicast TV VLAN: none
Trunking Native Mode VLAN: 1
Trunking VLANs: 1-3
4-4094 (Inactive)
General PVID: 1
General VLANs: none
General Egress Tagged VLANs: none
General Forbidden VLANs: none
General Ingress Filtering: enabled
General Acceptable Frame Type: all
General GVRP status: disabled
Customer Mode VLAN: none
Customer Multicast TV VLANs: none
Private-vlan promiscuous-association primary VLAN: none
Private-vlan promiscuous-association Secondary VLANs: none
Private-vlan host-association primary VLAN: none
Private-vlan host-association Secondary VLAN: none

Classification rules:

Classification type Group ID VLAN ID

------------------- -------- -------

Private VLAN configuration

Private VLAN (PVLAN) technology enables isolation of L2 traffic between switch ports located in the
same broadcast domain.

− Three types of PVLAN ports can be configured on the switches: promiscuous – port capable
of exchanging data between any interface, including isolated and community PVLAN ports;
− isolated – port that is completely isolated from other ports within the same PVLAN, but not
from the same ports. PVLANs block all traffic going to isolated ports except for traffic on
the promiscuous side; packets on the isolated side can only be transmitted to promiscuous
ports;
− community – group of ports that can exchange data between each other and these
interfaces are separated at layer 2 of the OSI model from all other community interfaces as
well as isolated ports within the PVLAN.
ETS-1-10G-A 5. Device management. Command line interface 107

The process of performing the function of additional port separation using Private VLAN technology
is shown in the figure 15.

Figure 15 – Private VLAN technology operation example

Command line prompt in the Ethernet, VLAN, port group interface configuration mode is as follows:

console# configure
console(config)# interface {tengigabitethernet te_port | port-channel
group | range {…} | vlan vlan_id}
console(config-if)#

Table 56 – Commands of Ethernet interface configuration mode

Command Value/Default value Action

switchport mode Specify port operation mode in VLAN.
private-vlan
{promiscuous | host} -

no switchport mode Set the default value.

ETS-1-10G-A 5. Device management. Command line interface 108

switchport private- Add (remove) primary and secondary VLANs to

vlan mapping promiscuous interface.
primary_vlan [add | primary_vlan: You cannot add more than one primary vlan to one
remove (1..4094);
secondary_vlan] secondary_vlan: promiscuous interface.
(1..4094)
no switchport Delete primary and secondary VLANs.
private-vlan mapping

switchport private- Add primary and secondary vlan to the host interface.
vlan host­association You cannot add more than one secondary vlan to one
primary_vlan primary_vlan: host interface.
secondary_vlan (1..4094)
secondary_vlan:
no switchport (1..4094) Delete primary and secondary VLANs.
private-vlan host-
association

Table 57 – Commands of VLAN interface configuration mode

Command Value/Default value Action

private-vlan {primary | Enable the Private VLAN mechanism and set the interface
isolated | community} type.
Disable Private VLAN mechanism.
no private-vlan

Add (remove) binding of a secondary VLAN to the primary

private-vlan association [add |
remove] VLAN. The setting only applies to VLANs.
secondary_vlan
(1..4094)
Rremove mapping of a secondary VLAN to the primary VLAN.
no private-vlan association

Maximum number of secondary VLANs is 256.

The maximum number of community VLANs that can be associated with one primary
VLAN is 8.

IP interface configuration
An IP-interface is created when an IP-address is assigned to any of the device interfaces
tengigabitethernet, oob, port-channel or vlan.
ETS-1-10G-A 5. Device management. Command line interface 109

Command line prompt in the IP interface configuration mode is as follows.

console# configure
console(config)# interface ip A.B.C.D
console(config-ip)#

This mode is available in the configuration mode and designed for configuration of IP interface
parameters.

Table 58 – IP interface configuration mode commands

Command Value/Default value Action

Enables the function of converting an IP directed-broadcast
directed-broadcast
packet to a standard broadcast packet and allows
-/disabled transmission through the selected interface.
no directed-broadcast Disables IP directed-broadcast packets.
Enables redirection of UDP broadcast packets to a specific address.
helper-address ip_address
- ip_address – destination IP address to which packets will be
ip_address: A.B.C.D redirected.

no helper-address ip_address Disables redirection of UDP broadcast packets.

Command execution example

 Enable directed-broadcast feature:

console# configure
console(config)#interface PortChannel 1
console(config-if)#ip address 100.0.0.1 /24
console(config-if)#exit
console(config)# interface ip 100.0.0.1
console(config-ip)# directed-broadcast

Selective Q-in-Q
This functionality allows to add an external SPVLAN (Service Provider's VLAN), replace the Customer
VLAN, and deny traffic based on configurable filtering rules by internal VLAN (Customer VLAN) numbers.

A list of rules is created for the device, based on which the traffic will be processed.
ETS-1-10G-A 5. Device management. Command line interface 110

Ethernet фтв Зщке-Срфттуд interface (interfaces range) configuration mode commands

Command line prompt in the interface configuration mode is as follows:

console# configure
console(config)# interface { tengigabitethernet te_port | port-channel
group | range {…}}
console(config-if)#

Table 59 – Commands of the Ethernet interface configuration mode (interfaces range)

Command Value/Default value Action

Creates a rule based on which a second vlan_id label is added to
selective-qinq list ingress
vlan_id: (1..4094) an incoming package with an external ingress_vlan_id label. If
add_vlan vlan_id [ingress_vlan
ingress_vlan_id: (1..4094) ingress_vlan_id is not specified, the rule will apply to all incoming
ingress_vlan_id]
packets to which no other rule has been applied ('default rule').
Creates a deny rule, based on which incoming packets with an
selective-qinq list ingress deny
ingress_vlan_id: (1..4094) external tag ingress_vlan_id will be discarded. If ingress_vlan_id
[ingress_vlan ingress_vlan_id]
is not specified, all incoming packages will be discarded.
Creates an allowing rule, based on which incoming packets with
selective-qinq list ingress
an external tag ingress_vlan_id will be transmitted without
permit [ingress_vlan ingress_vlan_id: (1..4094)
changes. If ingress_vlan_id is not specified, all incoming packages
ingress_vlan_id]
will be transmitted without changes.
Creates a rule based on which the external ingress_vlan_id label
selective-qinq list ingress
vlan_id: (1..4094); of an incoming package will be replaced by vlan_id. If
override_vlan vlan_id
ingress_vlan_id: (1..4094) ingress_vlan_id is not specified, the rule will apply to all incoming
[ingress_vlan ingress_vlan_id]
packages.
Removes the specified selective qinq rule for incoming packets.
no selective-qinq list ingress
vlan_id: (1..4094) The command without the 'ingress vlan' parameter removes the
[ingress_vlan vlan_id]
default rule.

selective-qinq list egress

vlan_id (1..4094); Creates a rule based on which the external ingress_vlan_id label
override_vlan vlan_id
ingress_vlan_id: (1..4094) of an outgoing package will be replaced by vlan_id.
[ingress_vlan ingress_vlan_id]

no selective-qinq list egress

vlan_id: (1-4094) Removes the list of selective qinq rules for outgoing packages.
ingress_vlan vlan_id

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#
ETS-1-10G-A 5. Device management. Command line interface 111

Table 60 – EXEC mode commands

Command Value/Default value Action

Displays a list of selective qinq rules.
show selective-qinq -

Displays a list of selective qinq rules for the specified port.

show selective-qinq interface {
te_port: (1..8/0/1..32);
tengigabitethernet te_port |
group: (1..32)
port-channel group}

Command execution example

 Create a rule based on which the external tag of an incoming package 11 will be replaced by 10.
console# configure
console(config)# interface tengigabitethernet 1/0/1
console(config-if)# selective-qinq list ingress override vlan 10
ingress­vlan 11
console(config-if)# end

5.10 Broadcast Storm Control

A broadcast storm appears due to excessive number of broadcast messages transmitted on the
network via a single port simultaneously. It leads to an overload of the network resources and appearing
of delays. A storm also can be caused by loopback segments of an Ethernet network.

The switch evaluates the rate of incoming broadcast, multicast and unknown unicast traffic for port
with enabled Broadcast Storm Control and drops packets if the rate exceeds the set maximum value.

Ethernet interface configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:
console(config-if)#

Table 61 – Commands of Ethernet interface configuration mode

ETS-1-10G-A 5. Device management. Command line interface 112

Command Value/Default value Action

storm-control Enables multicast traffic control.
multicast [registered
| unregistered] - registered – registered;
{level level | kbps
- unregistered – unregistered.
kbps} [trap]
[shutdown] - level – traffic volume as a percentage of the interface bandwidth;
level: (1..100);
- kbps – traffic volume.
kbps: (1..10000000)
If multicast traffic is detected, the interface can be shutdown or a
message log entry can be added (trap).

no storm-control
multicast Disables multicast traffic control.

storm-control unicast Enables control of unknown unicast traffic.

{level level | kbps
kbps} [trap] - level – traffic volume as a percentage of the interface bandwidth;
[shutdown]
- kbps – traffic volume.
level: (1..100);
If unknown unicast traffic is detected, the interface can be
kbps: (1..10000000)
shutdown or a message log entry can be added (trap).

no storm-control
unicast Disables unicast traffic control.

storm-control Enables broadcast traffic control.

broadcast {level
level | kbps kbps} - level – traffic volume as a percentage of the interface bandwidth;
[trap] [shutdown]
- kbps – traffic volume.
level: (1..100);
If broadcast traffic is detected, the interface can be shutdown or a
kbps: (1..10000000)
message log entry can be added (trap).

no storm-control
broadcast Disables broadcast traffic control.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 62 – EXEC mode commands

ETS-1-10G-A 5. Device management. Command line interface 113

Command Value/Default value Action

show storm-control Shows the configuration of the broadcast 'storm' control function
interface te_port: (1..8/0/1..32) for the specified port or all ports.
[tengigabitethernet
te_port]

Command execution example

 Enable control of broadcast, multicast and unicast traffic on the 3rd Ethernet interface. Set the
speed for monitored traffic to 5000 kbps: for broadcast, 30% bandwidth for all multicast, 70% for
unknown unicast.

console# configure
console(config)# interface TengigabitEthernet 1/0/3
console(config-if)# storm-control broadcast kbps 5000 shutdown
console(config-if)# storm-control multicast level 30 trap
console(config-if)# storm-control unicast level 70 trap

5.11 Link Aggregation Group (LAG)

Switches provide support for LAG channel aggregation groups according to the table (line 'Link
aggregation (LAG)'). Each port group must consist of Ethernet interfaces with the same speed, operating
in duplex mode. Combining ports into a group increases bandwidth between interacting devices and
improves fault tolerance. The port group is one logical port for the switch.
The device supports two port group operating modes - static group and LACP group. LACP work is
described in the corresponding configuration section.

If you have configured the interface, you should return the default settings to add it to the
group.

Adding interfaces to the link aggregation group is only available in Ethernet interface configuration
mode.

Command line prompt in the Ethernet interface configuration mode is as follows:

console(config-if)#

Table 63 – Commands of Ethernet interface configuration mode

ETS-1-10G-A 5. Device management. Command line interface 114

Command Value/Default value Action

channel-group group mode Add the Ethernet interface to the port group.
mode - on – add a port to the channel without LACP;
group: (1..32); - auto – add a port to the channel with LACP in the 'active' mode.
mode: (on, auto)
no channel-group Remove the Ethernet interface from the port group.

Global mode configuration commands

Command line prompt in the global configuration mode:

console# configure
console(config)#

Table 64 – Global mode configuration commands

Command Value/Default value Action

port-channel load- Defines a load-balancing mechanism for a group of
balance {src-dst-mac- aggregated ports.
ip | src­dst­mac} - src-dst-mac-ip – balancing mechanism is based
[mpls-aware] on MAC address and IP address;
- src-dst-mac – balancing mechanism is based on
-/src-dst-mac MAC address;
- mpls-aware – sets the MPLS traffic balancing
mechanism for an aggregate port group based on the MAC
address.
no port-channel load-
balance Set the default value.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console>

Table 65 – EXEC mode commands

Command Value/Default value Action

show interfaces port-channel Shows information by channel group.
group: (1..32)
[group]
ETS-1-10G-A 5. Device management. Command line interface 115

Static channel aggregation groups

The function of static LAG is to combine several physical channels into one, which allows to increase
bandwidth of the channel and increase its fault tolerance. For static groups the priority of channel usage
in the combined beam is not set.

To enable the operation of the interface in a static group, use the command channel-group
{group} mode on in the configuration mode of the corresponding interface.

LACP channel aggregation protocol

The function of the Link Aggregation Control Protocol (LACP) is to combine several physical channels
into one. Link aggregation is used to increase channel capacity and improve fault tolerance. LACP allows
to transmit traffic over unified channels according to predefined priorities.

To enable the interface work via LACP protocol use the command channelgroup {group}
mode auto in the configuration mode of the corresponding interface.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 66 – Global mode configuration commands

Command Value/Default value Action

lacp system-priority Sets the system priority.
value
value: (1..65535)/1
no lacp system- Sets the default value.
priority

Ethernet interface configuration mode commands

Command line prompt in the Ethernet interface configuration mode is as follows:

console(config-if)#
ETS-1-10G-A 5. Device management. Command line interface 116

Table 67 – Commands of Ethernet interface configuration mode

Command Value/Default value Action

Sets LACP administration timeout;
lacp timeout {long |
- long – long timeout;
short} The default value is
- short – short timeout.
long.
Sets the default value.
no lacp timeout

Sets the priority of the Ethernet interface.

lacp port-priority
value
value: (1..65535)/1
Sets the default value.
no lacp port-priority

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 68 – EXEC mode commands

Command Value/Default value Action

Shows LACP information for the Ethernet interface. If additional
show lacp {
tengigabitethernet options are not used, all information will be displayed.
te_port: (1..8/0/1..32); - parameters – displays the protocol settings;
te_port } [parameters
| statistics | - statistics – displays the protocol statistics;
protocol-state] - protocol-state – displays the status of the protocol.

Shows LACP information for the port group.

show lacp port-
group: (1..32)
channel [group]

Command execution example

 Create the first port group working on the LACP protocol and including two Ethernet interfaces –
3 and 4. Speed of the group is 1000 Mbps. Set the system priority – 6, priorities 12 and 13 for
ports 3 and 4 respectively.

console# configure
console(config)# lacp system-priority 6
console(config)# interface port-channel 1
console(config-if)# speed 10000
console(config-if)# exit
console(config)# interface TengigabitEthernet 1/0/3
ETS-1-10G-A 5. Device management. Command line interface 117

console(config-if)# speed 10000

console(config-if)# channel-group 1 mode auto
console(config-if)# lacp port-priority 12
console(config-if)# exit
console(config)# interface TengigabitEthernet 1/0/4
console(config-if)# speed 10000
console(config-if)# channel-group 1 mode auto
console(config-if)# lacp port-priority 13
console(config-if)# exit

5.12 IPv4 addressing configuration

This section describes commands to configure static IP addressing parameters such as IP address,
subnet mask, default gateway. Configuring the DNS and ARP protocols is described in the relevant sections
of the documentation.

Ethernet, port group, VLAN, Loopback interface configuration mode commands

Command line prompt in the Ethernet, port group, VLAN, Loopback interface configuration mode
is as follows:

console(config-if)#

Table 69 – interface configuration mode commands

Command Value/Default value Action

ip address ip_address Mapping an IP address and subnet mask to the specified
{mask | prefix_length} interface.
You can specify the mask value in X.X.X.X format or in /N format,
prefix_length: (8..32) where N is the number of 1's in the binary mask representation.

no ip address Deletion of the IP address of the interface.

[IP_address]

ip address dhcp Obtaining the IP address for the configurable interface from the
- DHCP server.
Not used for loopback-interface.
ETS-1-10G-A 5. Device management. Command line interface 118

no ip address dhcp Restrict the use of DHCP to obtain an IP address from the selected
interface.

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#

Table 70 – Global mode configuration commands

Command Value/Default value Action

Defines the switch's default gateway address.
ip default-gateway
ip_address -/default gateway is not
specified
Removes the default gateway address assigned.
no ip default-gateway

Enables redirection of UDP broadcast packets to a specific

ip helper-address
{ip_interface | all} address.
ip_address - ip_interface – IP address of the interface for which you are
[udp_port_list] configuring;
- all – allows to select all IP interfaces of the device;
- ip_address – destination IP address to which packets will be
redirected. A value of 0.0.0.0 disables redirection;
-/disabled
- udp_port_list – UDP ports list. Broadcast traffic to the listed ports
is redirected. The maximum total number of ports and addresses
per device is 128.
no ip helper-address
{ip_interface | all} Cancels redirection on specified interfaces.
ip_address

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 71 – Privileged EXEC mode commands

Command Value/Default value Action

Removes DHCP entries of matching interface names and IP
clear host {* | word} word: (1..158)
addresses from memory.
characters
* – remove all matches.
ETS-1-10G-A 5. Device management. Command line interface 119

Sends a request to the DHCP server to update the IP address.

renew dhcp {
tengigabitethernet - force-autoconfig – when updating the IP address, the
te_port: (1..8/0/1..32); configuration is loaded from the TFTP server.
te_port | vlan vlan_id |
group: (1..32)
port­channel group |
vlan_id: (1..4094)
oob}
[force­autoconfig]

Displays a table for forwarding UDP broadcast packets.

show ip helper-
address -

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console>

Table 72 – EXEC mode commands

Command Value/Default value Action

Shows the IP addressing configuration for the specified interface.
show ip interface
[tengigabitethernet te_port: (1..8/0/1..32);
te_port | port- group: (1..32);
channel group | loopback_id :
loopback loopback_id (1..64);
| vlan vlan_id | tunnel: (1..16);
tunnel tunnel | oob] vlan_id: (1..4094)

5.13 Green Ethernet configuration

Green Ethernet is a technology that allows to reduce the power consumption of the device by
turning off power for inactive electrical ports and change the level of the transmitted signal depending on
the length of the cable.

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#
ETS-1-10G-A 5. Device management. Command line interface 120

Table 73 – Global mode configuration commands

Command Value/Default value Action

Enables power saving mode for inactive ports.
green-ethernet
energy­detect
-/disabled
Disables power saving mode for inactive ports.
no green-ethernet
energy­detect

Enables power saving mode for ports to which devices with a

green-ethernet short-
reach connection cable length less than the green-ethernet short-reach
threshold are connected.
-/disabled
Disables power saving mode based on cable length.
no green-ethernet
short­reach

Interface configuration mode commands

Command line prompt in the Ethernet interface configuration mode is as follows:

console(config-if)#

Table 74 – Commands of Ethernet interface configuration mode

Command Value/Default value Action

Enables power saving mode for interface.
green-ethernet
energy­detect
-/Enabled
Disables power saving mode for interface.
no green-ethernet
energy­detect

Enables power saving mode based on cable length.

green-ethernet short-
reach
-/Enabled
Disables power saving mode based on cable length.
no green-ethernet
short­reach

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 75 – Privileged EXEC mode commands

ETS-1-10G-A 5. Device management. Command line interface 121

Command Value/Default value Action

Displays green-ethernet statistics.
show green-ethernet
te_port: (1..8/0/1..32);
[tengigabitethernet te_port |
detailed]

Resets power measurement counter.

green-ethernet power-meter
-
reset

Command execution example

 Display green-ethernet statistics:

console# show green-ethernet detailed

Energy-Detect mode: Enabled

Short-Reach mode: Enabled
Disable Port LEDs mode: Disabled
Power Savings: 0% (0.00W out of maximum 0.00W)
Cumulative Energy Saved: 0 [Watt*Hour]
* Estimated Annual Power saving: NA [Watt*Hour]
Short-Reach cable length threshold: 50m

* Annual estimate is based on the saving during the previous week

NA - information for previous week is not available

Port Energy-Detect Short-Reach VCT Cable

Admin Oper Reason Admin Force Oper Reason Length
-------- ----- ---- ------- ----- ----- ---- ------- ----------
te1/0/1 on off Unknown on off off NP
te1/0/3 on off LT on off off LT
te1/0/4 on off LT on off off LT
te1/0/5 on off LT on off off LT
te1/0/6 on off LT on off off LT
te1/0/7 on off LT on off off LT
te1/0/8 on off LT on off off LT
te1/0/9 on off LT on off off LT
te1/0/10 on off LT on off off LT
te1/0/11 on off LT on off off LT
te1/0/12 on off LT on off off LT
ETS-1-10G-A 5. Device management. Command line interface 122

5.14 IPv6 addressing configuration

IPv6 protocol
Switches support operation via IPv6. Support for IPv6 is an important advantage, as IPv6 is designed
to completely replace IPv4 addressing in the future. In comparison with IPv4, IPv6 has an extended
address space – 128 bits instead of 32. The IPv6 address is 8 blocks, separated by a colon, each block
contains 16 bits, recorded as four hexadecimal numbers.
In addition to increasing the address space, IPv6 protocol has a hierarchical addressing scheme,
provides route aggregation, simplifies the routing table, while the efficiency of the router is increased by
a mechanism to detect neighboring nodes.
The local IPv6 (IPv6Z) addresses in the switch are assigned to the interfaces, so the following format
is used when using IPv6Z addresses in command syntax:
<ipv6-link-local-address>%<interface-name>
where:
interface-name – interface name:
interface-name = vlan<integer> | ch<integer> |<physical-port-name>
integer = <decimal-number> | <integer><decimal-number>
decimal-number = 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
physical-port-name = tengigabitethernet (1..8/0/1..32)

If the value of a group or several groups in a row in the IPv6 address is zero - 0000, then
these groups can be omitted. For example, the address
FE40:0000:0000:0000:0000:0000:AD21:FE43 can be shortened to FE40::AD21:FE43. 2
separated zero groups cannot be shortened due to ambiguity.

EUI-64 is an identifier based on the MAC address of the interface, which is 64 lower bits of
the IPv6 address. The MAC address is split into two 24-bit parts, between which the FFFE
constant is added.

Global mode configuration commands

Command line prompt in the global configuration mode:

ETS-1-10G-A 5. Device management. Command line interface 123

console(config)#

Table 76 – Global mode configuration commands

Command Value/Default value Action

ipv6 default-gateway Defines the default local IPv6 gateway address.
ipv6_address
no ipv6 default-gateway Removes the IPv6 Gateway default settings.
ipv6_address
ipv6 neighbor ipv6_address { Creates a static match between the MAC address of the
tengigabitethernet te_port | neighbouring device and its IPv6 address.
port-channel group | vlan - ipv6_address – IPv6 address;
vlan_id} mac_address te_port: (1..8/0/1..12); - mac_address – MAC address.
no ipv6 neighbor group: (1..32); Removes a static match between the MAC address of the
[ipv6_address] vlan_id: (1..4094) neighbouring device and its IPv6 address.
[tengigabitethernet te_port |
port-channel group | vlan
vlan_id]
ipv6 icmp error-interval Sets the speed limit for ICMPv6 error messages.
milliseconds:
milliseconds [bucketsize]
(0..2147483647)/100;
no ipv6 icmp error-interval Sets the default value.
bucketsize: (1..200)/10

ipv6 route prefix/prefix_length Adding a static IPv6 route

{gateway} [metric] - prefix – destination network;
prefix: X:X:X:X::X.
- prefix_length – network mask prefix (number of units per
prefix_length: (0..128); mask);
metric: (1..65535)/1 - gateway – gateway to the destination network;
no ipv6 route Removing a static IPv6 route
prefix/prefix_length [gateway]
ipv6 unicast-routing Enables redirecting unicast packets.
-/disabled
no ipv6 unicast-routing Disables redirecting unicast packets.

Commands for interface configuration mode (VLAN, Ethernet, Port-Channel)

Command line prompt in the interface configuration mode is as follows:

console (config-if)#
ETS-1-10G-A 5. Device management. Command line interface 124

Table 77 – Commands of interface configuration mode (VLAN, Ethernet, Port-Channel)

Command Value/Default value Action

ipv6 enable Enables IPv6 support on the interface.
-/disabled Disables IPv6 support on the interface.
no ipv6 enable

ipv6 address autoconfig By default, automatic Enable automatic configuration of IPv6 addresses on the
configuration is interface. Addresses are configured according to the
enabled, no addresses prefixes received in Router Advertisement messages.
no ipv6 address autoconfig have been assigned. Sets the default value.
ipv6 address Defines the local IPv6 address of the interface. Master bits
ipv6_address/prefix_length of local IP addresses in IPv6 – FE80::
link-local Local address by
no ipv6 address default: (FE80::EUI64) Removes the local IPv6 address.
[ipv6_address/prefix-length
link-local]
ipv6 nd dad attempts Defines the number of demand messages sent by the
attempts_number interface to the communicating device in case of a
(0..600)/1
duplicate (collision) IPv6 address.
no ipv6 nd dad attempts Returns the default value.
ipv6 unreachables Enabling ICMPv6 messages about unreachability of the
-/enabled recipient when packets are sent to a specific interface.
no ipv6 unreachables Sets the default value.
ipv6 mld version version Defining the interface version of the MLD protocol.
version: (1..2)/2
no ipv6 mld version Sets the default value.

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 78 – Privileged EXEC mode commands

Command Value/Default value Action

show ipv6 neighbors Shows information about neighboring IPv6 devices contained in
{ipv6_address | te_port: (1..8/0/1..32); the cache.
tengigabitethernet group: (1..32);
te_port | port-channel vlan_id: (1..4094)
group | vlan vlan_id}
ETS-1-10G-A 5. Device management. Command line interface 125

clear ipv6 neighbors

Clears the cache that contains information about neighboring
- devices operating over IPv6. Information about static recordings
is saved.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 79 – EXEC mode commands

Command Value/Default value Action

show ipv6 interface Displays IPv6 protocol settings for the specified interface.
[brief |
tengigabitethernet te_port: (1..8/0/1..32);
te_port | port-channel group: (1..32);
group | loopback | vlan vlan_id: (1..4094)
vlan_id]

show ipv6 route [summary |

Displays the table of IPv6 routes.
local |connected | static |
ospf | icmp | nd | te_port: (1..8/0/1..32);
ipv6_address/ipv6_prefix | group: (1..32);
interface { tengigabitethernet vlan_id: (1..4094)
te_port | port-channel group |
loopback | vlan vlan_id}]

5.15 Protocol configuration

DNS protocol configuration

The main task of the DNS protocol is to determine the IP address of the network host (host) on
request containing its domain name. Database of matching domain names of network nodes and their
corresponding IP addresses is maintained on DNS-servers.

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

ETS-1-10G-A 5. Device management. Command line interface 126

console(config)#

Table 80 – Global mode configuration commands

Command Value/Default value Action

ip domain lookup Permission to use the DNS protocol.
/enabled
no ip domain lookup Prohibits the use of the DNS protocol.
ip name-server Specifies IPv4/IPv6 addresses for available DNS servers.
{server1_ipv4_address |
server1_ipv6_address |
server1_ipv6z_address}
[server2_address] [...]
-
no ip name-server Removes the IP address of the DNS server from the list of
{server1_ipv4_address | available servers.
server1_ipv6_address |
server1_ipv6z_address}
[server2_address] [...]
ip domain name name Defines the default domain name to be used by the
program to supplement incorrect domain names (domain
name: (1..158) names without a dot). For domain names without a dot, a
characters dot and the domain name specified in the command will be
added to the end of the name.
no ip domain name Removes the default domain name
ip host name address1 Defines static matches of network node names to IP
[address2 … address4] addresses, adds the set match to the cache. Local DNS
name: (1..158) feature. You can define up to four IP addresses.
characters
no ip host name Removes static matches of network node names to IP
addresses.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 81 – EXEC mode commands

Command Value/Default value Action

clear host {name | *} name: (1..158) Removes the record matching the network node name to
characters the cache IP address or all records (*).
ETS-1-10G-A 5. Device management. Command line interface 127

show hosts [name] Displays the default domain name, list of DNS servers, static and
name: (1..158) cached matches of network host names and IP addresses.
characters When a network node name is used in the command, the
corresponding IP address is displayed.

Example use of commands

Use DNS servers at 192.168.16.35 and 192.168.16.38 addresses, set the default domain name – ets:
сonsole# configure
console(config)# ip name-server 192.168.16.35 192.168.16.38
console(config)# ip domain name ets

Establish static matching: The network node named RAD.ets has an IP address of 192.168.16.39:
сonsole# configure
console(config)# ip host RAD.ets 192.168.16.39
ETS-1-10G-A 5. Device management. Command line interface 128

ARP configuration
ARP (Address Resolution Protocol) – channel layer protocol that performs the function of
determining the MAC address based on the IP address contained in the request.

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#

Table 82 – Global mode configuration commands

Command Value/Default value Action

arp ip_address hw_address ip_addr format: Adds a static IP and MAC address match entry to the ARP
[tengigabitethernet te_port | A.B.C.D; table for the interface specified in the command.
port-channel group | vlan hw_address format: - ip_address – IP address;
vlan_id | oob] H.H.H
- hw_address – MAC address.
H:H:H:H:H:H
no arp ip_address Removes a static IP and MAC address match entry from the
H-H-H-H-H-H;
[tengigabitethernet te_port | te_port: (1..8/0/1..32); ARP table for the interface specified in the command.
port-channel group | vlan group: (1..32)
vlan_id | oob]
vlan_id: (1..4094)
arp timeout sec sec: Adjusts the lifetime of dynamic entries in the ARP table (s).
no arp timeout (1..40000000)/60000 s Sets the default value.
ip arp proxy disable Disables proxy mode for ARP requests to the switch.
-/disabled
no ip arp proxy disable Enables proxy mode for ARP requests to the switch.

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 83 – Privileged EXEC mode commands

Command Value/Default value Action

Removes all dynamic entries from the ARP table (the
clear arp-cache -
command is available only to the privileged user).
ETS-1-10G-A 5. Device management. Command line interface 129

ip_address format: Displays the ARP table entries: all entries, filter by IP address; filter
show arp [ip-address
A.B.C.D by MAC address; filter by interface.
ip_address] [mac-address
mac_addres] mac_address format: - ip_address – IP address;
[tengigabitethernet H.H.H or H:H:H:H:H:H - mac_address – MAC address.
te_port | or H-H-H-H-H-H;
port­channel group | te_port: (1..8/0/1..32);
oob] group: (1..32)
Shows the global ARP configuration and the ARP configuration of
show arp
configuration - the interfaces.

Interface configuration mode commands

Command line prompt in the interface configuration mode is as follows:

console(config-if)#
Table 84 – Interface configuration mode commands

Command Value/Default value Action

ip proxy-arp Enables proxy mode for ARP requests on the configurable interface.
-/disabled Disables proxy mode for ARP requests on the configurable
no ip proxy-arp
interface.
arp timeout sec sec: Adjusts the lifetime of dynamic ARP table entries (sec) for the
(1..40000000)/global custom interface.
no arp timeout setting Sets the default value (set globally).

Example use of commands

Add a static record to the ARP table: IP address 192.168.16.32, MAC address 0:0:C:40:F:BC, set the
lifetime of dynamic records in the ARP table to 12000 seconds:
сonsole# configure
console(config)# arp 192.168.16.32 00-00-0c-40-0f-bc tengigabitethernet
1/0/2
сonsole(config)# exit
сonsole# arp timeout 12000

 Display the contents of the ARP table:

сonsole# show arp

VLAN Interface IP address HW address status

--------------------- --------------- ------------------- ---------------
vlan 1 te0/12 192.168.25.1 02:00:2a:00:04:95 dynamic
ETS-1-10G-A 5. Device management. Command line interface 130

GVRP configuration
GARP VLAN Registration Protocol (GVRP) – VLAN registration protocol The protocol allows VLAN
identifiers to be distributed over the network. The main function of the GVRP protocol is to detect
information about VLAN-networks absent in the switch database when receiving GVRP messages. When
the switch receives information about missing VLANs, it adds them to its database.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#
Table 85 – Global mode configuration commands

Command Value/Default value Action

gvrp enable Enables the use of the GVRP switch protocol.
-/disabled
no gvrp enable Disables the use of the GVRP switch protocol.

Ethernet or port group interface (interface range) configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:

console# configure
console(config)# interface {tengigabitethernet te_port | port-channel
group}
console(config-if)#
Table 86 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Action

gvrp enable Enables the use of the GVRP protocol on the custom
interface.
-/disabled
no gvrp enable Disables the use of the GVRP protocol on the custom
interface.
gvrp vlan-creation-forbid Prohibits dynamic modification or creation of a VLAN for the
customizable interface.
-/enabled
no gvrp vlan­creation­forbid Allows dynamic modification or creation of a VLAN for the
customizable interface.
gvrp registration-forbid By default, VLAN Performs deregistration for all VLANs and does not allow the
creation and creation or registration of new VLANs on this interface.
no gvrp registration-forbid registration on the
Sets the default value.
interface is allowed
ETS-1-10G-A 5. Device management. Command line interface 131

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 87 – Privileged EXEC mode commands

Command Value/Default value Action

clear gvrp statistics Clears the accumulated statistics of the GVRP protocol.
te_port: (1..8/0/1..32);
[tengigabitethernet te_port |
group: (1..32)
port-channel group]

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console>

Table 88 – EXEC mode commands

Command Value/Default value Action

show gvrp configuration Displays the GVRP protocol configuration for the specified interface
[tengigabitethernet te_port | or for all interfaces.
port-channel group | detailed]
show gvrp statistics Displays the GVRP accumulated statistics for the specified interface
te_port: (1..8/0/1..32);
[tengigabitethernet te_port | or for all interfaces.
group: (1..32)
port-channel group]
show gvrp error-statistics Displays error statistics for the GVRP protocol for the specified
[tengigabitethernet te_port | interface, or for all interfaces.
port-channel group]

Loopback detection mechanism

This mechanism allows the device to track ringed ports. A loop on the port is detected by sending a
frame switch with a destination address that matches one of the device's MAC addresses.

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#
ETS-1-10G-A 5. Device management. Command line interface 132

Table 89 – Global mode configuration commands

Command Value/Default value Action

loopback-detection enable Enables a loop detection mechanism for the switch.
-/disabled
no loopback-detection enable Restore the default value.
loopback-detection interval Sets the interval between loopback frames.
seconds: (10..60)/30
seconds - seconds – the time interval between LBD frames.
seconds
no loopback-detection interval Restores the default value.

Ethernet or port group interface (interface range) configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:
console# configure
console(config)# interface {tengigabitethernet te_port | port-channel
group}
console(config-if)#

Table 90 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Action

loopback-detection enable Enables a loop detection mechanism on the port.
-/disabled
no loopback-detection enable Restores the default value.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 91 – EXEC mode commands

Command Value/Default value Action

show loopback- Displays loopback-detection mechanism status.
detection
[tengigabitethernet te_port: (1..8/0/1..32);
te_port | port- group: (1..32).
channel group |
detailed]
ETS-1-10G-A 5. Device management. Command line interface 133

STP (STP, RSTP, MSTP)

The main task of STP (Spanning Tree Protocol) is to bring an Ethernet network with multiple links
to a tree topology that excludes packet cycles. Switches exchange configuration messages using frames in
a specific format and selectively enable or disable traffic transmission to ports.
Rapid STP (RSTP) is the enhanced version of the STP that enables faster convergence of a network
to a spanning tree topology and provides higher stability.
The Multiple STP (MSTP) is the most advanced STP implementation that supports VLAN use. MSTP
involves configuring the required number of instances of the spanning tree regardless of the number of
VLAN groups on the switch. Each instance can contain multiple VLAN groups. The disadvantage of the
MSTP is that all switches communicating via MSTP must have the same VLAN groups configured.

The maximum allowable number of MSTP instances is given in the table 9.

Multiprocess STP mechanism is designed to create independent STP/RSTP/MSTP trees on the

device ports. Changes in the state of an individual tree do not affect the state of other trees, thus
increasing network stability and shortening the tree rebuilding time in case of failures. When configuring,
the possibility of rings between member ports of different trees should be excluded. To serve the isolated
trees, a separate process for each tree is created in the system. The ports of the device belonging to the
tree are matched to the process.

STP, RSTP configuration

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 92 – Global mode configuration commands

Command Value/Default value Action

Enables the switch to use the STP protocol.
spanning-tree
/enabled
Disables the switch to use the STP protocol.
no spanning-tree
ETS-1-10G-A 5. Device management. Command line interface 134

Sets the STP protocol mode:

spanning-tree mode
{stp | rstp | mstp} - stp – IEEE 802.1D Spanning Tree Protocol;
- rstp – IEEE 802.1W Rapid Spanning Tree Protocol;
-/RSTP - mstp – IEEE 802.1S Multiple Spanning Tree Protocol.
Sets the default value.
no spanning-tree
mode
Sets the time interval spent on listening to and examining states
spanning-tree
before switching to the 'transmitting' state.
forward-time seconds
seconds: (4..30)/15 sec
Sets the default value.
no spanning-tree
forward­time

Sets the time interval between broadcasts of 'Hello' messages to

spanning-tree
cooperating switches.
hello-time seconds
seconds: (1..10)/2
seconds Sets the default value.
no spanning-tree
hello-time
Enables protection that switches off any interface when receiving
spanning-tree
loopback­guard BPDU packets.
-/denied
Prohibits protection that switches off the interface when receiving
no spanning-tree
loopback­guard BPDU packages.

Sets STP lifetime.

spanning-tree max-
age seconds
seconds: (6..40)/20 sec
Sets the default value.
no spanning-tree
max-age
Adjusts the priority of the STP binder tree.
spanning-tree
priority prior_val The priority value should be a multiple of 4096.
prior_val:
(0..61440)/32768 Sets the default value.
no spanning-tree
priority
Sets the method to define the value of the path.
spanning-tree
pathcost method - long – cost value in the range of 1..200000000;
{long | short} - short – cost value in the range of 1..65535.
-/short
Sets the default value.
no spanning-tree
pathcost method
ETS-1-10G-A 5. Device management. Command line interface 135

Specifies the mode of packet processing by BPDU interface with

spanning-tree bpdu
{filtering | disabled STP.
flooding} - filtering – BPDU packets are filtrated on the interface with disabled
STP;
-/flooding - flooding – untagged BPDU packets are transmitted on the interface
with disabled STP, tagged ones are filtrated.
Sets the default value.
no spanning-tree
bpdu

When setting STP parameters forward-time, hello-time, max-age, the condition must be met:
2*(Forward-Delay - 1) >= Max-Age >= 2*(Hello-Time + 1).

Ethernet or port group interface configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:

console(config-if)#

Table 93 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Action

Denies STP operation on a configured interface.
spanning-tree disable
-/enabled Allows STP operation on a configured interface.
no spanning-tree
disable

Sets the value of the path through this interface.

spanning-tree cost
cost: - cost – path cost.
cost
(1..200000000)/see
table 94 Sets the value based on the port speed and the method for
no spanning-tree cost
determining the value of the track, see table 94
Sets interface priority in STP spanning tree.
spanning-tree port-
priority priority The priority value should be a multiple of 16.
priority: (0..240)/128
Sets the default value.
no spanning-tree
port­priority
Enables the mode in which the port, when the link is brought up,
spanning-tree
portfast [auto] immediately switches to the transmission state without waiting for
the timer to expire.
- auto – adds a delay of 3 seconds before switching to transmission
-/auto
status.
Disables the mode of instantaneous transition to the 'link up'
no spanning-tree
portfast transmission.
ETS-1-10G-A 5. Device management. Command line interface 136

Enables root protection for all STP binding trees on the selected
spanning-tree guard
{root | loop | none} port.
- root – denies the interface from being the root port of the switch;
- loop – enables additional protection against loops on the
interface. In case if the interface is in a state other than Designated
-/global configuration
and stops receiving BPDU, the interface is blocked;
- none – disables all Guard functions on the interface.
Use global configuration.
no spanning-tree
guard

Allows protection that switches off the interface when receiving

spanning-tree
bpduguard {enable | BPDU packages.
disable}
-/disabled
Prohibits protection that switches off the interface when receiving
no spanning-tree
bpduguard BPDU packages.

Sets RSTP to transmission state and defines type of connection for

spanning-tree link-
selected port:
type {point­to-point -/for a duplex port –
- point-to-point – point-to-point;
| shared} point-to-point, for a
- shared – shared.
half-duplex port –
shared. Sets the default value.
no spanning-tree
link-type
Specifies the mode of packet processing by BPDU interface with
spanning-tree bpdu
{filtering | disabled STP.
flooding} - filtering – BPDU packets are filtrated on the interface with
disabled STP;
-
- flooding – untagged BPDU packets are transmitted on the
interface with disabled STP, tagged ones are filtrated.
Sets the default value.
no spanning-tree bpdu

Table 94 – Default path cost (spanning-tree cost)

Method to determine the cost

The interface of the path
Long Short
Port-channel 20000 4
TenGigabit Ethernet (10000 Mbps) 2000000 100

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#
ETS-1-10G-A 5. Device management. Command line interface 137

Table 95 – Privileged EXEC mode commands

Command Value/Default value Action

show spanning-tree Displays STP protocol status.
[tengigabitethernet te_port: (1..8/0/1..32);
te_port | port- group: (1..32).
channel group]

show spanning-tree Displays detailed information about STP protocol settings,

detail [active | - information about active or blocked ports.
blockedports]

clear spanning-tree Restarts the protocol migration process. The STP tree is
detected­protocols recalculated again.
[interface { te_port: (1..8/0/1..32);
tengigabitethernet group: (1..32).
te_port | port-
channel group}]

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#
Table 96 – EXEC mode commands

Command Value/Default value Action

Displays BPDU packet processing mode on interfaces.
show spanning-tree
bpdu
[tengigabitethernet te_port: (1..8/0/1..32);
te_port | port- group: (1..32).
channel group |
detailed]

MSTP configuration

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#
ETS-1-10G-A 5. Device management. Command line interface 138

Table 97 – Global mode configuration commands

Command Value/Default value Action

spanning-tree Enables the switch to use the STP protocol.
-/enabled
Disables the switch to use the STP protocol.
no spanning-tree

spanning-tree mode Sets the STP operation mode:

{stp | rstp | mstp}
-/RSTP
no spanning-tree mode Sets the default value.

spanning-tree Sets the method to define the value of the path.

pathcost method {long - long – cost value in the range of 1..200000000;
| short} - short – cost value in the range of 1..65535.
-/short
no spanning-tree Sets the default value.
pathcost method

spanning-tree mst Sets the priority for this switch over others using a shared
instance_id priority MSTP instance.
priority - instance_id – MST instance;
instance_id: (1..15); - priority – switch priority.
priority:
(0..61440)/32768 The priority value should be a multiple of 4096.

no spanning-tree mst Sets the default value.

instance_id priority

spanning-tree mst Sets the maximum amount of hops for BPDU packet that are
max­hops hop_count required to build a tree and to keep its structure information.
If the packet has already passed the maximum amount of
hops, it is dropped on the next hop.
hop_count: (1..40)/20 - hop_count – maximum number of transit sites for a BPDU
package.
no spanning-tree mst Sets the default value.
max­hops

spanning-tree mst Enters the MSTP configuration mode.

configuration -

MSTP configuration mode commands

Command line prompt in the MSTP configuration mode is as follows:

console# configure
console (config)# spanning-tree mst configuration
ETS-1-10G-A 5. Device management. Command line interface 139

console (config-mst)#

Table 98 – MSTP configuration mode commands

Command Value/Default value Action

instance instance_id vlan
Creates the match between MSTP instance and VLAN
vlan_range groups.
instance_id:(1..15);
- instance-id – MSTP instance identifier;
- vlan-range – VLAN group number.
vlan_range: (1..4094)
no instance instance_id
Removes the match between MSTP instance and VLAN
vlan vlan_range groups.

name string Sets the MST configuration name.

string: (1..32) symbols - string – MST configuration name.
no name Removes the MST configuration name.
revision value Defines the MST configuration revision number.
value: (0..65535)/0 - value – MST configuration revision number.
no revision Sets the default value.
show {current | pending} - Shows the current or pending MST configuration.
exit Exits the MSTP configuration mode while with saving the
-
configuration.
abort Exits the MSTP configuration without saving the
-
configuration.

Ethernet or port group interface configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:
console(config-if)#
Table 99 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Action

spanning-tree guard Enables root protection for all STP binding trees on the
root selected port. This protection denies the interface from
-/protection disabled being the root port of the switch.
no spanning-tree Sets the default value.
guard root

spanning-tree mst Sets the interface priority in an MSTP instance.

instance_id port- instance_id: (1..15); - instance-id – MSTP instance identifier;
priority priority priority: (0..240)/128 - priority – switch priority.
The priority value should be a multiple of 16.
ETS-1-10G-A 5. Device management. Command line interface 140

no spanning-tree mst Sets the default value.

instance_id port-priority

spanning-tree mst Sets the path value through the selected interface for a
instance_id cost cost particular instance of MSTP.
- instance-id – MSTP instance identifier.
instance_id: (1..15);
cost: (1..200000000) - cost – path cost.
no spanning-tree mst Sets the value based on the port speed and the method for
instance_id cost determining the value of the track, see table 94

Sets interface priority in STP root spanning tree.

spanning-tree port-
priority priority The priority value should be a multiple of 16.

priority: (0..240)/128
Sets the default value.
no spanning-tree
port­priority
ETS-1-10G-A 5. Device management. Command line interface 141

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 100 – EXEC mode commands

Command Value/Default value Action
show spanning-tree Show STP configuration.
[tengigabitethernet te_port: (1..8/0/1..32); - instance_id – MSTP instance identifier.
te_port | port- group: (1..32);
channel group] instance_id: (1..15)
[instance instance_id] .

show spanning-tree Displays detailed information about STP protocol settings,

detail [active | information about active or blocked ports.
blockedports] instance_id: (1..15) - active – view information about active ports;
[instance instance_id] - blockedports – view information about blocked ports;
- instance_id – MSTP instance identifier.
show spanning-tree
- Displays information about configured MSTP instances.
mst­configuration

clear spanning-tree Restarts the protocol migration process. The STP tree is
detected­protocols recalculated.
interface { te_port: (1..8/0/1..32);
tengigabitethernet group: (1..32).
te_port | port-
channel group}

Command execution example

 Enable STP support, set the RSTP bind tree priority value to 12288, forward-time interval to 20
seconds, 'Hello; broadcast message interval to 5 seconds, bind tree lifetime to 38 seconds. Show
STP configuration:

console(config)# spanning-tree
console(config)# spanning-tree mode rstp
console(config)# spanning-tree priority 12288
console(config)# spanning-tree forward-time 20
console(config)# spanning-tree hello-time 5
console(config)# spanning-tree max-age 38
console(config)# exit

console# show spanning-tree

ETS-1-10G-A 5. Device management. Command line interface 142

Spanning tree enabled mode RSTP

Default port cost method: short
Loopback guard: Disabled

Root ID Priority 32768

Address a8:f9:4b:7b:e0:40
This switch is the root
Hello Time 5 sec Max Age 38 sec Forward Delay 20 sec

Number of topology changes 0 last change occurred 23:45:41 ago

Times: hold 1, topology change 58, notification 5
hello 5, max age 38, forward delay 20

Interfaces
Name State Prio.Nbr Cost Sts Role PortFast Type
--------- -------- --------- -------- ------ ---- -------- -----------------
te1/0/1 enabled 128.1 100 Dsbl Dsbl No -
te1/0/2 disabled 128.2 100 Dsbl Dsbl No -
te1/0/5 disabled 128.5 100 Dsbl Dsbl No -
te1/0/6 enabled 128.6 4 Frw Desg Yes P2P (RSTP)
te1/0/7 enabled 128.7 100 Dsbl Dsbl No -
te1/0/8 enabled 128.8 100 Dsbl Dsbl No -
te1/0/9 enabled 128.9 100 Dsbl Dsbl No -
gi1/0/1 enabled 128.49 100 Dsbl Dsbl No -
Po1 enabled 128.1000 4 Dsbl Dsbl No -

G.8032v2 (ERPS) configuration

The ERPS (Ethernet Ring Protection Switching) is used for increasing stability and reliability of data
transmission network having ring topology. It is realized by reducing recovery network time in case of
breakdown. Recovery time does not exceed 1 second. It is much less than network change over time in
case of spanning tree protocols usage.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 101 – Global mode configuration commands

Command Value/Default value Action

Enables the operation of the ERPS protocol.
erps -/disabled
ETS-1-10G-A 5. Device management. Command line interface 143

Disables the operation of the ERPS protocol.

no erps

Create an ERPS ring with R-APS VLAN identifier, which will be

erps vlan vlan_id
used to transmit service information and transition to the ring
configuration mode.
vlan_id: (1..4094)
- vlan_id – R-APS VLAN number.
Deletion of an ERPS ring with identifier vlan_id.
no erps vlan vlan_id

Commands for ring configuration mode

Command line prompt in the ring configuration mode is as follows:

console(config-erps)#

Table 102 – EPRS ring configuration mode commands

Command Value/Default value Action

Adds a VLAN range to the list of protected VLANs.
protected vlan add
- vlan_list – VLAN list. To define a VLAN range, enter values
vlan_list vlan_list:(2..4094, all)
separated by commas or enter the starting and ending values
separated by a hyphen ’-’.
protected vlan remove Removes the VLAN range from the list of protected VLANs.
vlan_list:(2..4094, all)
vlan_list - vlan_list – list of VLANs for deletion.
Select the west (east) switch port that is included in the ring.
port {west | east} {
tengigabitethernet te_port
te_port: (1..8/0/1..24);
| port-channel group}
group: (1..32)
Remove the west (east) switch port that is included in the
no port {west | east}
ring.
Select the switch RPL port and its role.
rpl {west | east} {owner |
- west – west port will be assigned as RPL port;
neighbor}
- east – east port will be assigned as RPL port;
- owner – the switch will own the RPL port;
-/no rpl
- neighbor – the switch will be the neighbor of the RPL port
owner.
no rpl Removes the switch RPL port.
Setting the R-APS message level. It is required to pass
level level
messages through CFM MEP.
level: (0..7)/1 - level – R-APS messages level.
no level Sets the default value:

ring enable -/disabled Activating ring function.

ETS-1-10G-A 5. Device management. Command line interface 144

no ring enable Deactivating ring function.

Selects compatibility mode with other versions of the G.8032
version version
protocol.
version: (1..2)/2 - version – G.8032 protocol version.
no version Sets the default value:

revertive Selects the ring operation mode.

-/revertive
no revertive Sets the default value:

Specifies the subring for this ring.

sub-ring vlan vlan_id
- vlan_id – VLAN number.
(1..4094)
no sub-ring vlan vlan_id Deletes the subring.

sub-ring vlan vlan_id [tc- Enables the MAC table cleaning signal to be sent to the main
propogation] ring when the ring is reconstructed.
(1..4094)
Disables the MAC table cleaning signal to be sent to the main
no sub-ring vlan vlan_id
ring when the ring is reconstructed.
timer guard value Sets a timer for blocking outdated R-APS messages.
value:(10..2000) ms,
multiple of 10/500 ms
no timer guard Sets the default value:
Sets a delay timer for the switch's response to a change in
timer holdoff
state. Instead of reacting to an event, a timer is activated,
value value:(0..10000) ms,
after which the switch informs about its status. Designed to
multiple of 100 with an
reduce packet flood in port flapping.
accuracy of 5 ms/0 ms
no timer holdoff Sets the default value:
Sets a timer that runs on the RPL Owner switch in revertive
timer wtr value
mode. It is used to prevent frequent protective tap-change
value:(1..12) min/5 min operations due to failure signals.
no timer wtr Sets the default value:

switch forced Forces the start of the protective ring changeover, blocking
{west | east} the specified port.
-/no
no switch forced Canceling the ring changeover force.

switch manual Manual locking of the specified west (east) port and
{west | east} unblocking of east (west).
-/no
no switch manual Reset the manual lockdown.

abort - Revert changes made since entering ring configuration mode.

ETS-1-10G-A 5. Device management. Command line interface 145

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 103 – EXEC mode commands

Value/Default
Command Action
value
show erps [vlan Request information about the general status of ERPS or
vlan_id: (1..4094) the state of the specified ring.
vlan_id]

LLDP configuration
The main function of Link Layer Discovery Protocol (LLDP) is the exchange of information about
status and specifications between network devices. Information that LLDP gathers is stored on devices
and can be requested by the master computer via SNMP. Thus, the master computer can model the
network topology based on this information.
The switches support transmission of both standard and optional parameters, such as:
− device name and description;
− port name and description;
− MAC/PHY information;
− etc.

Global mode configuration commands

Command line prompt in the global configuration mode:
console(config)#

Table 104 – Global mode configuration commands

Command Value/Default value Action

lldp run Enable the switch to use LLDP.
-/enabled
no lldp run Forbid the switch to use LLDP.

lldp timer seconds

Specify how frequently the device will send LLDP information
seconds: (5..32768)/30 updates.
sec Sets the default value.
no lldp timer
ETS-1-10G-A 5. Device management. Command line interface 146

lldp hold-Multiplier Specify the amount of time for the receiver to keep LLDP
number packets before dropping them.
This value will be transmitted to the receiving side in the
LLDP update packets; and should be an increment for the
number: (2..10)/4 LLDP timer. Thus, the lifetime of LLDP packets is calculated
by the formula: TTL = min(65535, LLDP-Timer * LLDP-
HoldMultiplier)
no lldp hold- Sets the default value.
multiplier

lldp reinit seconds

Minimum amount of time for the LLDP port to wait before
seconds: (1..10)/2 LLDP reinitialization.
seconds
no lldp reinit Sets the default value.
Specify the delay between the subsequent LLDP packet
lldp tx-delay seconds
transmissions caused by the changes of values or status in the local
LLDP MIB database.
seconds: (1..8192)/2
It is recommended that this delay be less than
sec
0.25* LLDP-Timer.
Sets the default value.
no lldp tx-delay

lldp lldpdu {filtering | flooding} Specify the LLDP packet processing mode when LLDP is disabled on
the switch:
- filtering – LLDP packets are filtered if LLDP is disabled on the
-/filtering switch;
- flooding – LLDP packets are transmitted if LLDP is disabled on the
switch.
no lldp lldpdu Sets the default value.
lldp med fast-start Set the number of PDU LLDP repetitions for quick start defined by
repeat­count number LLDP-MED.
number: (1..10)/3
no lldp med fast-start repeat- Sets the default value.
count
lldp med network-policy Specify a rule for the network-policy parameter (device network
number: (1..32);
number application [vlan policy). This parameter is optional for the LLDP MED protocol
application: (voice,
vlan_id] [vlan-type {tagged | extension.
voice-signaling,
untagged}] [up priority] [dscp - number – sequential number of a network policy rule;
guest-voice,
value] - application – main function defined for this network policy ruleю
guest-voice-signaling,
- vlan_id – VLAN identifier for this rule;
softphone-voice,
- tagged/untagged – specify whether the VLAN used by this rule is
video-conferencing,
tagged or untagged.
streaming-video,
- priority – the priority of this rule (used on the second layer of OSI
video-signaling);
model);
vlan_id: (0..4095);
- value – DSCP value used by this rule.
priority: (0..7);
no lldp med network-policy Remove the created rule for the network-policy parameter.
value: (0..63)
number
ETS-1-10G-A 5. Device management. Command line interface 147

lldp notifications interval Specify the maximum LLDP notification transfer rate.
seconds seconds: (5..3600)/5 - seconds – time period during which the device can send at
sec most one notification.
no lldp notifications interval Sets the default value.

Ethernet interface configuration mode commands:

Command line prompt in the Ethernet interface configuration mode is as follows:

console(config-if)#
ETS-1-10G-A 5. Device management. Command line interface 148

Table 105 – Commands of Ethernet interface configuration mode

Command Value/Default value Action

lldp transmit Enable packet transmission via LLDP on the interface.
no lldp transmit By default, can be used in Disable packet transmission via LLDP on the interface.
lldp receive both directions. Enable the interface to receive packets via LLDP.
no lldp receive Disable the interface to receive packets via LLDP.
lldp optional-tlv tlv_list tvl_list: (port-desc, sys- Specify which optional TLV fields (Type, Length, Value) to be
name, sys-desc, sys-cap, included into the LLDP packet by the device.
802.3-mac-phy, 802.3-lag, You can pass up to 5 optional TLV to the command.
802.3-max-frame-size, TLV 802.3-power-via-mdi is available only for devices with PoE
802.3-power-via-mdi)/By support.
default, optional TLVs are
no lldp optional-tlv not included in the Sets the default value.
package.
lldp optional-tlv 802.1 {pvid Specify which optional TLV fields to be included into the LLDP
[enable | disable] | ppvid packet by the device.
{add | remove} ppv_id | - pvid – interface PVID;
vlan­name {add | remove} - ppvid – add/remove PPVID;
ppvid: (1-4094);
vlan_id} - vlan-name – add/remove VLAN number;
vlan_id: (2-4094);
lldp optional-tlv 802.1 - protocol – add/remove a specific protocol.
By default, optional TLVs
protocol {add | remove}
are not included.
{stp | rstp | mstp | pause |
802.1x | lacp | gvrp}
no lldp optional-tlv 802.1 Sets the default value.
pvid
lldp management-address Specify the control address announced on the interface.
{ip_address | none | - ip_address – set a static IP address;
automatic [ - none – indicates that the address is not announced;
tengigabitethernet te_port | - automatic – indicates that the system automatically
port-channel group | vlan
chooses the control address from all IP addresses of the
vlan_id]}
ip-address format: A.B.C.D;
switch;
te_port: (1..8/0/1..32); - automatic – indicatesthat the system selects the control
group: (1..32); address automatically from the configured addresses of a
vlan_id: (1..4094). given interface.
By default, the control If the Ethernet interface or port group interface belongs to VLAN,
address is defined this VLAN address will not be included into the list of available
automatically. control addresses.
If there are multiple IP addresses, the system will
choose the start IP address from the dynamic IP address
range. If dynamic addresses are not available, the system
chooses the start IP address from the available static IP address
range.
no lldp management-address Remove the control IP address.
lldp notification {enable | Enable/disable LLDP notifications on the interface.
By default, LLDP
disable} - enable – allows;
notifications are disabled.
- disable – denies.
ETS-1-10G-A 5. Device management. Command line interface 149

no lldp notifications Sets the default value.

lldp med enable [tlv_list] tvl_list: (network-policy, Enable LLDP MED protocol extension.
location, inventory)/it is You can include one to three special TLV.
prohibited to use the LLDP
MED protocol extension.
lldp med network-policy Specify the network-policy rule for this interface.
{add | remove} number - add – specify the rule;
number: (1-32) - remove – remove the rule;
- number – rule number.
no lldp med network-policy Remove the network-policy rule from this interface.
lldp med location Specify the device location for LLDP ('location' parameter
{coordinate coordinate | value of the LLDP MED protocol).
civic-address coordinate: 16 bytes
- coordinate – address in the coordinate system;
civic_address_data | ecs-elin civic_address_data: (6..160)
bytes; - civic_address_data – device administrative address;
ecs_elin_data}
ecs_elin_data: (10..25) - ecs-elin_data – address in ANSI/TIA 1057 format.
no lldp med location bytes. Remove location parameter settings.
{coordinate | civic-address |
ecs-elin}
lldp med notification Enable/disable sending LLDP MED notifications about topology
topology-change {enable | changes.
disable} - enable – enable notifications;
-/denied
- disable – do not send notifications.
no lldp med notifications Sets the default value.
topology-change

The LLDP packets received through a port group are saved individually by these port groups.
LLDP sends different messages to each port of the group.

LLDP operation is independent from the STP state on the port; LLDP packets are sent and
received via ports blocked by STP.
If the port is controlled via 802.1X, LLDP works only with authorized ports.

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 106 – Privileged EXEC mode commands

Command Value/Default value Action

clear lldp table Clear the address table of discovered neighbour devices and
[tengigabitethernet te_port: (1..8/0/1..32); start a new packet exchange cycle via LLDP MED.
te_port | oob]
ETS-1-10G-A 5. Device management. Command line interface 150

show lldp Show LLDP configuration of all physical interfaces of the

configuration device or on specific interfaces only.
[tengigabitethernet te_port: (1..8/0/1..32);
te_port | oob |
detailed]

show lldp med Displays LLDP MED protocol extension configuration for all
configuration physical interfaces or specific interfaces only.
[tengigabitethernet te_port: (1..8/0/1..32);
te_port | oob |
detailed]
show lldp local { Displays LLDP information announced by this port.
te_port: (1..8/0/1..32);
tengigabitethernet te_port |
oob}
show lldp local Show TLVs LLDP restart state.
tlvs­overloading te_port: (1..8/0/1..32);
[tengigabitethernet te_port |
oob]
show lldp neighbors Show information on the neighbour devices on which LLDP
te_port: (1..8/0/1..32);
[tengigabitethernet te_port | is enabled.
oob]
show lldp statistics Show LLDP statistics.
te_port: (1..8/0/1..32);
[tengigabitethernet te_port |
oob | detailed]

Command execution example

 Set the following tlv fields for the te1/0/10 port: port-description, sytem-name, system-
description. Add the control address 10.10.10.70 for this interface.

console(config)# configure
console(config)# interface tengigabitethernet 1/0/10
console(config-if)# lldp optional-tlv port-desc sys-name sys-desc
console(config-if)# lldp management-address 10.10.10.70
ETS-1-10G-A 5. Device management. Command line interface 151

 View LLDP configuration:

console# show lldp configuration

LLDP state: Enabled

Timer: 30 Seconds
Hold multiplier: 4
Reinit delay: 4 Seconds
Tx delay: 2 Seconds
Notifications Interval: 5 Seconds
LLDP packets handling: Filtering
Chassis ID: mac-address
Port State Optional TLVs Address
Notifications
--------- ----------- -------------------- ----------------- ------------
---
te1/0/7 Rx and Tx SN, SC None Disabled
te1/0/8 Rx and Tx SN, SC None Disabled
te1/0/9 Rx and Tx SN, SC None Disabled
te1/0/10 Rx and Tx PD, SD 10.10.10.70 Disabled

Table 107 – Result description

Field Description
Timer Specify how frequently the device will send LLDP updates.
Specify the amount of time (TTL, Time-To-Live) for the receiver to keep LLDP packets
Hold Multiplier
before dropping them: TTL = Timer * Hold Multiplier.
Specify the minimum amount of time for the port to wait before sending the next LLDP
Reinit delay
message.
Specify the delay between the subsequent LLDP frame transmissions initiated by
Tx delay
changes of values or status.
Port Port number.
State Port operation mode for LLDP.
TLV options
Possible values:
PD – Port description;
Optional TLVs
SN – System name;
SD – System description;
SC – System capabilities.
Address Device address sent in LLDP messages.
ETS-1-10G-A 5. Device management. Command line interface 152

Notifications Specify whether LLDP notifications are enabled or disabled.

Show information on neighbour devices:

console# show lldp neighbors

Port Device ID Port ID System Name Capabilities

--------- ---------------- -------- ---------- -------------
Te1/0/1 0060.704C.73FE 1 ts-7800-2 B
Te1/0/2 0060.704C.73FD 1 ts-7800-2 B
Te1/0/3 0060.704C.73FC 9 ts-7900-1 B, R
Te1/0/4 0060.704C.73FB 1 ts-7900-2 W

Table 108 – Result description

Field Description
Port Port number.
Device ID Name or MAC address of the neighbour device.
Port ID Neighbour device port identifier.
System name Device system name.
Capabilities This field describes the device type:
B – Bridge;
R – Router;
W – WLAN Access Point;
T – Telephone;
D – DOCSIS cable device;
H – Host;
r – Repeater;
O – Other.
System description Neighbour device description.
Port description Neighbour device port description.
Management address Device management address.
Auto-negotiation Specify if the automatic port mode identification is supported.
support
Auto-negotiation status Specify if the automatic port mode identification support is enabled.
Auto-negotiation Specify the modes supported by automatic port discovery function.
Advertised Capabilities
Operational MAU type Operational MAU type of the device.
ETS-1-10G-A 5. Device management. Command line interface 153

5.16 Voice VLAN

Voice VLAN is used to separate VoIP equipment into a separate VLAN. QoS attributes can be
assigned to VoIP frames to prioritize traffic. The classification of frames related to VoIP equipment is based
on the sender's OUI (Organizationally Unique Identifier – the first 24 bits of the MAC address). Voice VLAN
assignment for the port is automatic – when a frame from the OUI from the Voice VLAN table arrives at
the port. When a port is defined as belonging to the Voice VLAN, the port is added to the VLAN as tagged.
Voice VLAN is applicable to the following schemes:

− VoIP equipment is configured to send tagged packets, with Voice VLAN ID configured on
the switch.
− VoIP equipment transmits untagged DHCP requests. The response from the DHCP server
includes an option 132 (VLAN ID), with which the device automatically assigns itself a VLAN
for marking traffic (Voice VLAN).
List of VoIP equipment OUI manufacturers dominating the market.

OUI Manufacturer
00:E0:BB 3COM
00:03:6B Cisco
00:E0:75 Veritel
00:D0:1E Pingtel
00:01:E3 Siemens
00:60:B9 NEC/ Philips
00:0F:E2 Huawei-3COM
00:09:6E Avaya

Voice VLAN can be activated on ports operating in trunk and general mode.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 109 – Global mode configuration commands

ETS-1-10G-A 5. Device management. Command line interface 154

Command Value/Default value Action

voice vlan aging- Sets a timeout for a port belonging to voice-vlan. If there
timeout timeout were no frames with OUI VoIP equipment from the port
timeout: during the specified time, voice vlan is removed from this
(1..43200)/1440 port.
no voice vlan Restore the default value.
aging­timeout

voice vlan cos cos Sets the COS that marks the frames belonging to the Voice
[remark] VLAN.
cos: (0-7)/6
no voice vlan cos Restore the default value.

voice vlan id vlan_id Sets VLAN ID for Voice VLAN

no voice vlan id vlan_id: (1..4094) Removes VLAN ID for Voice VLAN

To remove the VLAN ID, you must first disable the voice
vlan function on all ports.
voice vlan oui-table Allows to edit the OUI table.
{add oui | remove - oui – first 3 bytes of the MAC address;
oui} [word] word: (1..32 - word – oui description.
characters)
no voice vlan oui- Removes all custom OUI table changes.
table

Ethernet interface configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:
console(config-if)#
Table 110 – Commands of Ethernet interface configuration mode

Command Value/Default value Action

voice vlan enable Enables Voice VLAN for port.
-/disabled
no voice vlan enable Disables Voice VLAN for port.
voice vlan cos mode {src | all} Enables traffic marking for all frames, or only for the
-/src source.
no voice vlan cos mode Restore the default value.
ETS-1-10G-A 5. Device management. Command line interface 155

5.17 Multicast addressing

Intermediate function of IGMP (IGMP Snooping)

IGMP Snooping function is used in multicast networks. The main task of IGMP Snooping is to
forward multicast traffic only to those ports that requested it.
IGMP Snooping is used only in static VLAN group. The following protocol versions are
supported – IGMPv1, IGMPv2, IGMPv3.

For IGMP Snooping to be active, the 'bridge multicast filtering' function must be enabled
(see section 0 Multicast addressing rules).
Identification of ports, which connect multicast routers, is based on the following events:
– IGMP requests has been received on the port;
– Protocol Independent Multicast (PIM/PIMv2) packets has been received on the port;
– Distance Vector Multicast Routing Protocol (DVMRP) packets has been received on the port;
– MRDISC protocol packets has been received on the port;
– Multicast Open Shortest Path First (MOSPF) protocol packets has been received on the port.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 111 – Global mode configuration commands

Command Value/Default value Action

ip igmp snooping Enables IGMP Snooping on the switch.
By default, the function
is disabled Disables IGMP Snooping on the switch.
no ip igmp snooping

ip igmp snooping vlan vlan_id Enables IGMP Snooping only for the specific interface on
vlan_id: (1..4094) the switch.
By default, the function - vlan_id – VLAN ID.
no ip igmp snooping vlan is disabled Disables IGMP Snooping only for the specific VLAN
vlan_id interface on the switch.
ETS-1-10G-A 5. Device management. Command line interface 156

ip igmp snooping vlan vlan_id Registers multicast IP address in the multicast addressing table
static ip_multicast_address and statically add group interfaces for the current VLAN.
[interface { tengigabitethernet - vlan_id – VLAN ID.
te_port | port-channel group}] vlan_id: (1..4094); - ip_multicast_address – group IP address.
te_port: (1..8/0/1..32); Interfaces must be separated by “–” and “,”.
no ip igmp snooping vlan group: (1..32) Removes a multicast IP address from the table.
vlan_id static ip_address
[interface { tengigabitethernet
te_port | port-channel group}]
ip igmp snooping vlan Enables automatic identification of ports with connected
vlan_id mrouter learn multicast routers for this VLAN group.
pim-dvmrp - vlan_id – VLAN ID.
vlan_id: (1..4094)
allowed by default Disables automatic identification of ports with connected
no ip igmp snooping
vlan vlan_id mrouter multicast routers for this VLAN group.
learn pim­dvmrp

Specifies the port that is connected to a multicast router

ip igmp snooping vlan vlan_id
mrouter interface { for the selected VLAN.
tengigabitethernet te_port | - vlan_id – VLAN ID.
port-channel group} vlan_id: (1..4094);
te_port: (1..8/0/1..32);
group: (1..32) Indicates that a multicast router is not connected to the
no ip igmp snooping vlan
vlan_id mrouter interface { port.
tengigabitethernet te_port |
port-channel group}

Prohibits identification port (static and dynamic) as a port

ip igmp snooping vlan vlan_id
forbidden mrouter interface { that connects multicast router.
tengigabitethernet te_port | - vlan_id – VLAN ID.
port-channel group} vlan_id: (1..4094);
te_port: (1..8/0/1..32);
group: (1..32) Cancels prohibition to identify the port as a port with a
no ip igmp snooping vlan
vlan_id forbidden mrouter connected multicast router.
interface {tengigabitethernet
te_port | port-channel group}

ip igmp snooping vlan vlan_id Enables igmp-query generation by the switch with in the
querier vlan_id: (1..4094); specific VLAN.
-/request issuance is
no ip igmp snooping vlan disabled Disables igmp-query generation by the switch within the
vlan_id querier specific VLAN.
ip igmp snooping vlan vlan_id Sets IGMP version that will be used as base for forming
querier version {2 | 3} IGMP queries.
-/IGMPv3
no ip igmp snooping vlan Sets the default value.
vlan_id querier version
ETS-1-10G-A 5. Device management. Command line interface 157

ip igmp snooping vlan vlan_id Specifies a source IP address for IGMP querier. Querier is
querier address ip_address adevice that transmits IGMP queries.
no ip igmp snooping vlan vlan_id: (1..4094) Sets the default value. By default, if the IP address is
vlan_id querier address configured for VLAN it is used as source IP address of the
IGMP Snooping Querier.
ip igmp snooping vlan vlan_id Enables IGMP Snooping Immediate-Leave on the current
immediate-leave [host­based] VLAN. It means that the port must be immediately deleted
from the IGMP group after receiving IGMP leave message.
- host-based – ‘fast-leave’ mechanism can only work if all
vlan_id: (1..4094);
users connected to the port unsubscribed from the group
-/disabled
(usage count is conducted on the base of Source MAC
addresses in the IGMP port headers).
no ip igmp snooping vlan Disables IGMP Snooping Immediate-Leave on the current
vlan_id immediate-leave VLAN.

VLAN interface configuration mode commands

Command line prompt in theVLAN interface configuration mode is as follows:

console(config-if)#

Table 112 – Commands of VLAN interface configuration mode

Command Value/Default value Action

ip igmp robustness count Sets IGMP robustness value.
If data loss occurs in the channel, a robustness value should
count: (1..7)/2 be increased.
no ip igmp robustness Sets the default value.

ip igmp query-interval Sets timeout for sending main queries to all multicast
seconds members to check the activity of multicast group
seconds:
(30..18000)/125 sec
members.
no ip igmp query-interval Sets the default value.

ip igmp Sets the maximum query response time.

query­max­response­time
seconds
seconds: (5..20)/10 s
no ip igmp Sets the default value.
query­max­response-time
ETS-1-10G-A 5. Device management. Command line interface 158

Sets number of queries sent before switch will determine

ip igmp
last­member­query­count that there are no multicast group members.
count count:
(1..7)/robustness value
no ip igmp Sets the default value.
last­member­query­count

ip igmp Sets query interval for the last member.

last­member­query­interval
milliseconds milliseconds:
(100..25500)/1000 ms
no ip igmp Sets the default value.
last­member­query­interval

ip igmp version version Set the IGMP version.

version: (1-3)/2
no ip igmp version Set the default value.

Ethernet interface (interfaces range) configuration mode commands

Command line prompt in the interface configuration mode is as follows:

console(config-if)#
Table 113 – Commands of Ethernet interface configuration mode

Command Value/Default value Action

switchport access Enables forwarding of IGMP queries from customer VLANs
multicast-tv vlan to Multicast Vlan and forwarding of multicast traffic to
vlan_id customer VLANs for the interface which is in 'access' mode.
vlan_id: (1..4094)
no switchport access Disables forwarding IGMP queries from customer VLANs to
multicast-tv vlan MulticastVLAN and multicast traffic to customer VLANs for
interface which is in ‘access’ mode.

EXEC mode commands

All commands are available for privileged user only.

Command line prompt in the EXEC mode is as follows:

console#
ETS-1-10G-A 5. Device management. Command line interface 159

Table 114 – EXEC mode commands

Command Value/Default value Action

show ip igmp snooping Shows information on learnt multicast routers in the
mrouter [interface vlan_id: (1..4094) specified VLAN group.
vlan_id]

show ip igmp snooping Shows information on IGMP Snooping for the current
interface vlan_id vlan_id: (1..4094)
interface.
show ip igmp snooping groups Shows information on learnt multicast groups.
[vlan vlan_id]
[ip­multicast­address vlan_id: (1..4094)
ip_multicast_address]
[ip­address IP_address]
show ip igmp snooping cpe Shows the table of mapping between customer VLAN
vlans [vlan vlan_id] vlan_id: (1..4094)
equipment and TV VLAN.

Command execution example

Enable the IGMP snooping function on the switch. Enable automatic identification ofports with
connected multicast routers for VLAN 6. Increase robustness value to 4. Set maximum query
response time of 15 seconds.

console# configure
console (config)# ip igmp snooping
console (config-if)# ip igmp snooping vlan 6 mrouter learn pim-dvmrp
console (config)# interface vlan 6
console (config-if)# ip igmp robustness 4
console (config-if)# ip igmp query-max-response-time 15

Multicast addressing rules

These commands are used to set multicast addressing rules on the link and network layers of the
OSI network model.

VLAN interface configuration mode commands

Command line prompt in the VLAN interface configuration mode is as follows:

console(config-if)#
ETS-1-10G-A 5. Device management. Command line interface 160

Table 115 – Commands of VLAN interface configuration mode

Command Value/Default value Description

Specifies the multicast data transmission mode.
bridge multicast mode
{mac­group | ipv4- - mac-group – multicast transmission based on VLAN and MAC
group | ipv4-src- addresses;
group} - ipv4-group – multicast transmission with filtering based on VLAN
and the recipient's address in IPv4 format;
-/mac-group
- ip-src-group – multicast transmission with filtering based on VLAN
and the sender's address in IPv4 format.
Sets the default value.
no bridge multicast
mode
bridge multicast address Adds a multicast MAC address to the multicast addressing table and
{mac_multicast_address | statically add or remove interfaces to/from the group.
ip_multicast_address} [{add | - mac_multicast_address – multicast MAC address;
remove} {tengigabitethernet - ip_multicast_address – multicast IP address;
te_port |port-channel group}] - add – add a static subscription to a multicast MAC address of a
te_port: (1..8/0/1..32); range of Ethernet ports or port groups.
group: (1..32) - remove – remove the static subscription to a multicast MAC
address.
Interfaces must be separated by “–” and “,”.
no bridge multicast address Remove a multicast MAC address from the table.
{mac_multicast_address |
ip_multicast_address }
bridge multicast forbidden Deny the connection of the port(s) to a multicast IPv6 address (MAC
address address).
{mac_multicast_address | - mac_multicast_address – multicast MAC address;
ip_multicast_address} [{add | - ip_multicast_address – multicast IP address;
remove} {tengigabitethernet - add – add port(s) into the banned list;
te_port |port-channel group}] te_port: (1..8/0/1..32); - remove – remove port(s) from the banned list. Interfaces must be
group: (1..32) separated by “–” and “,”.
Remove a 'deny' rule for a multicast MAC address.
no bridge multicast
forbidden address
{mac_multicast_address |
ip_multicast_address }
bridge multicast forward-all Enables transmission of all multicast packets on the port.
te_port: (1..8/0/1..32);
{add | remove} - add – add ports/aggregated ports to the list of ports which are
group: (1..32)
{tengigabitethernet te_port allowedtransmitting all multicast packets;
By default,
|port-channel group} - remove – remove the port group/aggregated ports from the a
transmission of all
'permit' rule.
multicast packets is
Interfaces must be separated by “–” and “,”.
denied.
no bridge multicast forward-all Restore the default value.
ETS-1-10G-A 5. Device management. Command line interface 161

bridge multicast forbidden Prohibits the port to dynamically join a multicast group.
forward-all {add | remove} { - add – add ports/aggregated ports to the list of ports which are not
te_port: (1..8/0/1..32);
tengigabitethernet te_port | enabled to transmit all multicast packets;
group: (1..32)
port-channel group} - remove – remove the port group/aggregated ports from the a
By default, ports are
'deny' rule.
enabled to dynamically
Interfaces must be separated by “–” and “,”.
join a multicast group.
no bridge multicast forbidden Restore the default value.
forward-all
bridge multicast ip-address Registers IP address in the multicast addressing table and statically
ip_multicast_address {add | add/remove interfaces to/from the group.
remove} { tengigabitethernet - ip_multicast_address – group IP address;
te_port: (1..8/0/1..32);
te_port | port-channel group} - add – add ports to the group;
group: (1..32)
- remove – remove ports from the group;
Interfaces must be separated by “–” and “,”.
no bridge multicast ip-address Removes a multicast IP address from the table.
ip_multicast_address
bridge multicast forbidden Prohibits the port to dynamically join a multicast group.
ip­address - ip_multicast_address – group IP address;
ip_multicast_address {add | - add – add port(s) into the banned list;
remove} { tengigabitethernet - remove – remove port(s) from the banned list.
te_port: (1..8/0/1..32);
te_port | port-channel group} Interfaces must be separated by “–” and “,”.
group: (1..32)
You have to register multicast groups prior to defining
prohibited ports.
no bridge multicast forbidden Restore the default value.
ip-address
ip_multicast_address
bridge multicast source Sets the mapping between the user IP address and a multicast
ip_address group address in the multicast addressing table and statically add/remove
ip_multicast_address {add | interfaces to/from the group.
remove} { tengigabitethernet - ip_address – source IP address;
te_port: (1..8/0/1..32);
te_port | port-channel group} - ip_multicast_address – group IP address;
group: (1..32)
- add – add ports to the source IP address group;
- remove – remove ports from the group of the source IP address.
no bridge multicast source Restore the default value.
ip_address group
ip_multicast_address
bridge multicast forbidden Disables adding/removal of mappings between the user IP address
source ip_address group and a multicast address in the multicast addressing table for a
ip_multicast_address {add | specific port.
remove} { tengigabitethernet - ip_address – source IP address;
te_port: (1..8/0/1..32);
te_port | port-channel group} - ip_multicast_address – group IP address;
group: (1..32)
- add – prohibit adding ports to the source IP address group;
- remove – disable port removal from the source IP address group.
no bridge multicast forbidden Restore the default value.
source ip_address group
ip_multicast_address
ETS-1-10G-A 5. Device management. Command line interface 162

bridge multicast ipv6 mode Sets the multicast data transmission mode for IPv6 multicast
{mac-group | ip-group | packets.
ip­src­group} - mac-group – multicast transmission based on VLAN and MAC
addresses;
-/mac-group - ip-group – multicast transmission with filtering based on VLAN and
the recipient address in IPv6 format;
- ip-src-group – multicast transmission with filtering based on VLAN
and the sender address in IPv6 format.
no bridge multicast ipv6 mode Sets the default value.
bridge multicast ipv6 Registers multicast IPv6 address in the multicast addressing table
ip­address and statically add/remove interfaces to/from the group.
ipv6_multicast_address {add | - ipv6_multicast_address – group IP address;
remove} { tengigabitethernet te_port: (1..8/0/1..32); - add – add ports to the group;
te_port | port-channel group} group: (1..32) - remove – remove ports from the group;
Interfaces must be separated by “–” and “,”.
no bridge multicast ipv6 Removes a multicast IP address from the table.
ip­address
ipv6_multicast_address
bridge multicast ipv6 Deny the connection of the port(s) to a multicast IPv6 address.
forbidden ip-address - ipv6_multicast_address – group IP address;
ipv6_multicast_address {add | - add – add port(s) into the banned list;
te_port: (1..8/0/1..32);
remove} { tengigabitethernet - remove – remove port(s) from the banned list.
group: (1..32)
te_port | port-channel group} Interfaces must be separated by “–” and “,”.
no bridge multicast ipv6 Restore the default value.
forbidden ip-address
ipv6_multicast_address
bridge multicast ipv6 source Sets the mapping between the user IPv6 address and a multicast
ipv6_address group address in the multicast addressing table and statically add/remove
ipv6_multicast_address {add | interfaces to/from the group.
remove} { tengigabitethernet - ipv6_address – source IP address;
te_port: (1..8/0/1..32);
te_port | port-channel group} - ipv6_multicast_address – group IP address;
group: (1..32)
- add – add ports to the source IP address group;
- remove – remove ports from the group of the source IP address.
no bridge multicast ipv6 Restore the default value.
source ipv6_address group
ipv6_multicast_address
bridge multicast ipv6 Disables adding/removal of mappings between the user IPv6
forbidden source ipv6_address address and a multicast address in the multicast addressing table
group ipv6_multicast_address for a specific port.
{add | remove} { - ipv6_address – source IPv6 address;
tengigabitethernet te_port | te_port: (1..8/0/1..32); - ipv6_multicast_address – group IPv6 address;
port-channel group} group: (1..32) - add – prohibit adding ports to the source IPv6 address group;
- remove – disable port removal from the source IPv6 address
group.
no bridge multicast ipv6 Restore the default value.
forbidden source ipv6_address
group ipv6_multicast_address
ETS-1-10G-A 5. Device management. Command line interface 163
ETS-1-10G-A 5. Device management. Command line interface 164

Ethernet or port group interface (interface range) configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:
console# configure
console(config)# interface {tengigabitethernet te_port | port-channel
group | range {…}}
console(config-if)#
Table 116 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Description

bridge multicast unregistered Sets a forwarding rule for packets received from unregistered
{forwarding | filtering} multicast addresses.
- forwarding – forward unregistered multicast packets;
-/forwarding
- filtering – filter unregistered multicast packets.
no bridge multicast Sets the default value.
unregistered

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 117 – Global mode configuration commands

Command Value/Default value Description

bridge multicast filtering Enables multicast address filtering.
-/disabled
no bridge multicast filtering Disables multicast address filtering.
mac address-table aging­time Specifies MAC address aging time globally in the table.
seconds seconds: (10..400)/300
no mac address-table aging- seconds Sets the default value.
time
mac address-table learning Enables MAC address learning in the current VLAN.
vlan vlan_id vlan_id: (1..4094,
no mac address-table learning all)/Enabled by default Disables MAC address learning in the current VLAN.
vlan vlan_id
ETS-1-10G-A 5. Device management. Command line interface 165

mac address-table static Adds the source MAC address into the multicast addressing
mac_address vlan vlan_id table.
interface { tengigabitethernet - mac_address – MAC address;
te_port | port-channel group} - vlan_id – VLAN number;
[permanent | - permanent – this MAC address can only
delete­on­reset | be deleted with the no bridge address
delete­on­timeout | secure] vlan_id: (1..4094);
command;
te_port: (1..8/0/1..32);
- delete-on-reset – the address will be
group: (1..32)
deleted after the switch is restarted;
- delete-on-timeout – the address will be deleted after a
timeout;
- secure – the address can only be deleted with the no
bridge address command or when the port returns to
the learning mode (no port security).
no mac address-table static Removes a MAC address from the multicast addressing table.
[mac_address] vlan vlan_id
bridge multicast Specifies what will be done with multicast packets from the
reserved­address reserved address.
mac_multicast_address - mac_multicast_address – multicast MAC address;
{ethernet-v2 ethtype | llc sap | - ethtype – Ethernet v2 packet type;
llc-snap pid ] {discard | bridge} - sap – LLC packet type;
ethtype:
(0x0600..0xFFFF);
- pid – LLC-Snap packet type;
sap: (0..0xFFFF); - discard – drop packets;
pid: (0..0xFFFFFFFFFF) - bridge – bridge packet transmission mode.
no bridge multicast Sets the default value.
reserved­address
mac_multicast_address
[ethernet-v2 ethtype | llc sap |
llc-snap pid]

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 118 – Privileged EXEC mode commands

Command Value/Default value Description

clear mac address-table Removes static/dynamic entries from the multicast addressing
te_port: (1..8/0/1..32);
{dynamic | secure} [interface { table.
group: (1..32)
tengigabitethernet te_port | - dynamic – remove dynamic entries;
port-channel group}] - secure – remove static entries.
ETS-1-10G-A 5. Device management. Command line interface 166

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console>

Table 119 – EXEC mode commands

Command Value/Default value Description

show mac address-table Shows the MAC address table for the selected interface or for all
[dynamic | static | secure] interfaces.
[vlan vlan_id] [interface { - dynamic – show dynamic entries only;
te_port: (1..8/0/1..32);
tengigabitethernet te_port | - static – show static entries only;
group: (1..32);
port-channel group} ] [address - secure – show secure entries only;
vlan_id: (1..4094)
mac_address] - vlan_id – VLAN ID.
- mac-address – MAC address
show mac address-table count Shows the number of entries in the MAC address table for the
te_port: (1..8/0/1..32);
[vlan vlan_id] [interface { selected interface or for all interfaces.
group: (1..32);
tengigabitethernet te_port | - vlan_id – VLAN ID.
vlan_id: (1..4094)
port-channel group} ]
show bridge multicast Shows the multicast address table for the selected interface or for
address­table [vlan vlan_id] all VLAN interfaces (this command is available to privileged users
[address only).
{mac_multicast_address | - vlan_id – VLAN ID.
ipv4_multicast_address | - mac_multicast_address – multicast MAC address;
ipv6_multicast_address}] vlan_id: (1..4094) - ipv4_multicast_address – group IPv4 address;
[format {ip | mac}] [source - ipv6_multicast_address – group IPv6 address;
{ipv4_source_address | - ip – show by IP addresses;
ipv6_source_address}] - mac – show by MAC addresses;
- ipv4_source_address – source IPv4 address;
- ipv6_source_address – source IPv6 address.
show bridge multicast Shows the static multicast address table for the selected interface
address­table static [vlan or for all VLAN interfaces.
vlan_id] [address - vlan_id – VLAN ID.
{mac_multicast_address | - mac_multicast_address – multicast MAC address;
ipv4_multicast_address | - ipv4_multicast_address – group IPv4 address;
ipv6_multicast_address] vlan_id: (1..4094) - ipv6_multicast_address – group IPv6 address;
[source ipv4_source_address | - ipv4_source_address – source IPv4 address;
ipv6_source_address] [all | - ipv6_source_address – source IPv6 address;
mac | ip] - ip – show by IP addresses;
- mac – show by MAC addresses;
- all – show the entire table.
show bridge multicast filtering Shows multicast address filter configuration for the selected VLAN.
vlan_id: (1..4094)
vlan_id - vlan_id – VLAN ID.
ETS-1-10G-A 5. Device management. Command line interface 167

show bridge multicast Shows filter configuration for unregistered multicast addresses.
te_port: (1..8/0/1..32);
unregistered
group: (1..32);
[tengigabitethernet te_port |
vlan_id: (1..4094)
port-channel group]
show bridge multicast mode Shows multicast addressing mode for the selected interface or for
[vlan vlan_id] vlan_id: (1..4094) all VLAN interfaces.
- vlan_id – VLAN ID.
show bridge multicast Shows the rules defined for multicast reserved addresses.
-
reserved-addresses

Command execution example

 Enable multicast address filtering on the switch. Set the MAC address aging time to 400 seconds,
enable forwarding of unregistered multicast packets on the switch port 11.

console # configure
console(config) # mac address-table aging-time 400
console(config) # bridge multicast filtering
console(config) # interface tengigabitethernet 1/0/11
console(config-if) # bridge multicast unregistered forwarding

console# show bridge multicast address-table format ip

Vlan IP/MAC Address type Ports

---- ----------------------- ----- -------------------
1 224-239.130|2.2.3 dynamic te0/1, te0/2
19 224-239.130|2.2.8 static te0/1-8
19 224-239.130|2.2.8 dynamic te0/9-11

Forbidden ports for multicast addresses:

Vlan IP/MAC Address Ports

---- ------------------- -------------------
1 224-239.130|2.2.3 te0/8
19 224-239.130|2.2.8 te0/8

MLD snooping – multicast traffic in IPv6 control protocol

MLD snooping is the mechanism of multicast dispatch of messages, allowing to minimize multicast
traffic in IPv6-networks.
ETS-1-10G-A 5. Device management. Command line interface 168

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 120 – Global configuration mode commands

Command Value/Default value Action

ipv6 mld snooping [vlan Enables MLD snooping.
vlan_id] vlan_id: (1..4094)
no ipv6 mld snooping [vlan -/disabled Disables MLD snooping.
vlan_id]
ipv6 mld snooping vlan vlan_id Registers multicast IPv6 address in the multicast addressing table
static ipv6_multicast_address and statically adds/removes group interfaces for the current VLAN.
[interface {tengigabitethernet - ipv6_multicast_address – group IPv6 address;
te_port | port-channel group}] vlan_id: (1..4094); Interfaces must be separated by “–” and “,”.
no ipv6 mld snooping vlan te_port: (1..8/0/1..32); Removes a multicast IP address from the table.
vlan_id static group: (1..32)
ipv6_multicast_address
[interface {tengigabitethernet
te_port | port-channel group}]
ipv6 mld snooping vlan vlan_id Adds a rule that prohibits ports on the list from registering as MLD-
forbidden mrouter interface { mrouter.
tengigabitethernet te_port |
vlan_id: (1..4094);
port-channel group}
te_port: (1..8/0/1..32);
no ipv6 mld snooping vlan Removes a rule that prohibits ports on the list from registering as
group: (1..32)
vlan_id forbidden mrouter MLD-mrouter.
interface { tengigabitethernet
te_port | port-channel group}
ipv6 mld snooping vlan vlan_id Examine the ports connected to the mrouter via MLD-query
mrouter learn pim­dvmrp packets.
vlan_id: (1..4094);
no ipv6 mld snooping vlan Do not examine the ports connected to the mrouter via MLD-query
/enabled
vlan_id mrouter learn packets.
pim­dvmrp
ipv6 mld snooping vlan vlan_id Adds a list of mrouter ports.
mrouter interface
{tengigabitethernet te_port |
vlan_id: (1..4094);
port-channel group}
te_port: (1..8/0/1..32);
no ipv6 mld snooping vlan Deletes mrouter ports.
group: (1..32)
vlan_id mrouter interface
{tengigabitethernet te_port |
port-channel group}
ipv6 mld snooping vlan vlan_id vlan_id: (1..4094) Enables MLD Snooping Immediate-Leave on the current
immediate-leave -/disabled VLAN.
ETS-1-10G-A 5. Device management. Command line interface 169

no ipv6 mld snooping vlan Disables MLD Snooping Immediate-Leave on the current
vlan_id immediate-leave VLAN.
ipv6 mld snooping querier Enables support for issuing igmp-query requests.
-/disabled
no ipv6 mld snooping querier Disables support for issuing igmp-query requests.

Ethernet, port group, VLAN interface (interface range) configuration mode commands

Command line prompt in the Ethernet, port group, VLAN configuration mode is as follows:
console(config-if)#

Table 121 – Ethernet, port group, VLAN interface (interface range) configuration mode commands

Command Value/Default value Action

ipv6 mld Sets the maximum response delay of the last group member,
last­member­query­interval which is used to calculate the maximum response delay code
interval:
interval (Max Response Code)
(100..25500)/1000 ms
no ipv6 mld Restores the default value.
last­member­query-interval
ipv6 mld Sets number of queries sent before switch will determine that
last­member­query­count there are no multicast group members.
count (1..7)/robustness value
no ipv6 mld Sets the default value.
last­member­query-count
ipv6 mld query­interval value value: (30..18000)/125 Defines the interval for sending out basic MLD requests.
no ipv6 mld query-interval seconds Restore the default value.
ipv6 mld Defines the maximum response delay that is used to calculate the
query­max­response­time maximum response delay code
value: (5..20)/10
value
seconds
no ipv6 mld Restores the default value.
query­max­response-time
ipv6 mld robustness value Sets the fault tolerance factor. If there is data loss on the channel,
value: (1..7)/2 the fault tolerance factor should be increased.
no ipv6 mld robustness Restores the default value.
ipv6 mld version version Sets the version of the protocol that is valid on this interface.
version: (1..2)/2
no ipv6 mld version Restores the default value.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#
ETS-1-10G-A 5. Device management. Command line interface 170

Table 122 – EXEC mode commands

Command Value/Default value Action

show ipv6 mld snooping Displays information about registered groups according to the
groups [vlan vlan_id] [address filtering parameters specified in the command.
vlan_id: (1..4094)
ipv6_multicast_address] - ipv6_multicast_address – group IPv6 address;
[source ipv6 _address] - ipv6_address – source IPv6 address.
show ipv6 mld snooping Displays the MLD-snooping configuration information for this
vlan_id: (1..4094)
interface vlan_id VLAN.
show ipv6 mld snooping Displays information about mrouter ports.
vlan_id: (1..4094)
mrouter [interface vlan_id]

IGMP Proxy multicast routing function

The IGMP Proxy multicast routing function is designed for simplified routing of multicast data
between IGMP managed networks. With the help of IGMP Proxy devices that are not in the same network
as the multicast server can connect to multicast groups.
Routing is performed between the uplink interface and the downlink interfaces. At the same time,
on the uplink-interface the switch behaves like an ordinary recipient of multicast traffic (multicast client)
and generates its own IGMP messages. On downlink interfaces the switch acts as a multicast server and
processes IGMP messages from devices connected to these interfaces.

The number of multicast groups supported by IGMP Proxy is given in the table .

IGMP Proxy supports up to 512 downlink interfaces.

Limitations of the IGMP Proxy function implementation:

- IGMP Proxy is not supported on LAG aggregation groups;

- only one interface of the uplink network can be defined;
- When using IGMPv3 on the interfaces to the downlink network, only requests of the
exclude (*,G) and include (*,G) types are processed.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#
ETS-1-10G-A 5. Device management. Command line interface 171

Table 123 – Global mode configuration commands

Command Value/Default value Action

ip multicast-routing
-/By default, the Enables multicast data routing on configured interfaces.
igmp­proxy
function is disabled
no ip multicast-routing Disables multicast data routing on configured interfaces.

Ethernet, VLAN or port group interface configuration mode commands

Command line prompt in the Ethernet, VLAN, port group interface configuration mode is as follows:

console(config-if)#

Table 124 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Action

ip igmp-proxy The configurable interface is the interface to the
te_port: (1..8/0/1..32);
{tengigabitethernet te_port | downstream network. The command assigns an assigned
group: (1..32);
port-channel group | vlan uplink interface to the routing.
vlan_id: (1..4094)
vlan_id}
ip igmp-proxy downstream Enable downlink interface protection. IPv4 multicast traffic
protected interface { enable | arriving at the interface will not be redirected.
disable } -
no ip igmp-proxy downstream Disable downlink interface protection.
protected interface

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 125 – EXEC mode commands

Command Value/Default value Action

show ip mroute - The command is designed for viewing the lists of
[ip_multicast_address multicast groups. It is possible to select groups by group
[ip_address]] [summary] address or by multicast data source address.
- ip_multicast_address – IP address of the group;
- ip_address – source IP address;
- summary – summary of each entry in the multicast routing
table.
show ip igmp-proxy interface te_port: (1..8/0/1..32); IGMP-proxy status information for interfaces.
[vlan vlan_id | group: (1..32);
ETS-1-10G-A 5. Device management. Command line interface 172

tengigabitethernet te_port | vlan_id: (1..4094)

port-channel group]

Command execution example

console#show ip igmp-proxy interface

* - the switch is the Querier on the interface

IP Forwarding is enabled
IP Multicast Routing is enabled
IGMP Proxy is enabled
Global Downstream interfaces protection is enabled
SSM Access List Name: -

Interface Type Interface Protection CoS DSCP

vlan5 upstream - -
vlan30 downstream default - -

5.18 Multicast routing. PIM protocol

The Protocol-Independent Multicast protocols for IP networks were created to address the problem
of multicast routing. PIM relies on traditional routing protocols (such as, Border Gateway Protocol) rather
than creates its own network topology. It uses unicast routing to verify RPF. Routers perform this
verification to ensure loop-free forwarding of multicast traffic.

RP (rendezvous point) – rendezvous point where multicast sources will be logged and a route
created from the source S (itself) to the group G: (S, G).

BSR (bootsrtap router) – mechanism for collecting information about RP candidates, forming an RP
list for each multicast group and sending the list within the domain. Multicast routing configuration based
on IPv4.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 126 – Global configuration mode commands

ETS-1-10G-A 5. Device management. Command line interface 173

Command Value/Default value Action

ip multicast-routing pim -/By default, the Enable multicast routing, PIM protocol on all interfaces.
no ip multicast-routing pim function is disabled Disable multicast routing and PIM protocol.
ipv6 multicast-routing pim Enable multicast routing, PIM protocol for IPv6 on all
-/By default, the
interfaces.
function is disabled
no ipv6 multicast-routing pim Disable multicast routing and PIM protocol for IPv6.
ip pim accept-register list Application of PIM registration message filtering.
acc_list - acc_list – list of multicast prefixes, defined using the standard
acc_list: (0..32) symbols
ACL.
no ip pim accept-register list Disabling this parameter.
ipv6 pim accept-register list Application of PIM registration message filtering for IPv6.
acc_list - acc_list – list of multicast prefixes, defined using the standard
acc_list: (0..32) symbols
ACL.
no ipv6 pim accept-register list Disabling this parameter.
ip pim bsr-candidate Specify the device as a candidate in the BSR (bootstrap router).
ip_address [mask] [priority mask: (8..32)/30; - ip_address – valid switch IP address;
priority_num] priority_num: - mask – subnet mask;
(0..192)/0 - priority_num – priority.
no ip pim bsr-candidate Disabling this parameter.
ipv6 pim bsr-candidate Specify the device as a candidate in the BSR (bootstrap router).
ipv6_address [mask] [priority mask: (8..128)/126; - ipv6_address – valid switch IPv6 address;
priority_num] priority_num: - mask – subnet mask;
(0..192)/0 - priority_num – priority.
no ipv6 pim bsr-candidate Disabling this parameter.
ip pim rp-address Creating a static Rendezvous Point (RP), you can optionally specify
unicast_address a multicast subnet for that RP.
[multicast_subnet] - unicast_addr – IP address;
- - multicast_subnet – multicast subnet.
no ip pim rp-address Remove static RP or remove RP for a specified subnet.
unicast_address
[multicast_subnet]
ipv6 pim rp-address Creating a static Rendezvous Point (RP), you can optionally specify
ipv6_unicast_address a multicast subnet for that RP.
[ipv6_multicast_subnet] - ipv6_unicast_ addr – IPv6 address;
- - ipv6_multicast_ subnet – multicast subnet.
no ipv6 pim rp-address Remove static RP or remove RP for a specified subnet.
ipv6_unicast_address
[ipv6_multicast_subnet]
ip pim rp-candidate Create a candidate for Rendezvous Point (RP)
unicast_address [group-list acc_list: (0..32) symbols - unicast_addr – IP address;
acc_list] [priority priority] priority: (0..192)/192; - acc_list – list of multicast prefixes, defined using the standard
[interval secs] secs: (1..16383)/60 ACL.
seconds - priority – candidate priority;
- secs – message transmission interval.
ETS-1-10G-A 5. Device management. Command line interface 174

no ip pim rp-candidate Disabling this parameter.

unicast_address
ipv6 pim rp-candidate Create a candidate for Rendezvous Point (RP)
ipv6_unicast_address - ipv6_unicast_addr –IPv6 address;
[group­list acc_list] [priority acc_list: (0..32) symbols - acc_list – list of multicast prefixes, defined using the standard
priority] [interval secs] priority: (0..192)/192; ACL.
secs: (1..16383)/60 - priority – candidate priority;
seconds - secs – message transmission interval.
no ipv6 pim rp-candidate Disabling this parameter.
ipv6_unicast_address
ip pim ssm {range Specify a multicast subnet
multicast_subnet | default} - range – specify a multicast subnet;
- multicast_subnet – multicast subnet;
-
- default – set the range in 232.0.0.0/8.
no ip pim ssm [range Disabling this parameter.
multicast_subnet | default]
ipv6 pim ssm {range Specify a multicast subnet
ipv6_multicast_subnet | - range – specify a multicast subnet;
-
default} - ipv6_multicast_subnet – multicast subnet;
- default – set the range in FF3E::/32.
no ipv6 pim ssm [range Disabling this parameter.
ipv6_multicast_subnet | -
default]
ipv6 pim rp-embedded Enable advanced rendezvous point (RP) functionality.
/enabled
no ipv6 pim rp-embedded Disable advanced rendezvous point (RP) functionality.

Ethernet interface configuration mode commands

Type of command line query:

console(config-if)#

Table 127 – Commands of Ethernet interface configuration mode

Command Value/Defaul value Action

Enable PIM for the interface.
ip (ipv6) pim
/enabled
Disable PIM for the interface.
no ip (ipv6) pim

Stop sending BSR messages from the interface.

ip (ipv6) pim bsr-border
-/disabled
Disabling this parameter.
no ip pim bsr-border
ETS-1-10G-A 5. Device management. Command line interface 175

Specifies the priority for selecting the DR router.

ip (ipv6) pim dr-priority priority
- priority – the priority of the DR router determines which of the
priority: switches will become the DR router. The switch with the highest
(0..4294967294)/1 value will become a DR router.
Returns the default value.
no ip (ipv6) pim dr-priority

Specifies the period for sending hello packs.

ip ip (ipv6) pim hello­interval
- sec – hello packet transmission interval.
secs
secs: (1..18000)/30 sec
Returns the default value.
no ip (ipv6) pim hello­interval

Specify the interval within which the switch sends join or prune
ip (ipv6) pim
messages.
join­prune­interval interval
interval: (1..18000)/60 - interval – join, prune messages transmission interval.
seconds Returns the default value.
no ip (ipv6) pim
join­prune­interval

Incoming PIM messages filtering.

ip (ipv6) pim neighbor­filter
- acc_list – the list of addresses from which the filtering is
acc_list
acc_list: (0..32) symbols performed.
Disabling this parameter.
no ip (ipv6) pim neighbor­filter

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 128 – EXEC mode commands

Command Value/Default value Action

show ip (ipv6) pim rp Displays active RPs associated with route information.
- - RP_addr – IP address.
mapping [RP_addr]
show ip (ipv6) pim neighbor Displays information about PIM neighbors.
te_port: (1..8/0/1..32);
[detail] [tengigabitethernet
group: (1..32);
te_port | port-channel
vlan_id: (1..4094).
group| vlan vlan_id]
show ip (ipv6) pim interface Displays information on PIM interfaces:
te_port: (1..8/0/1..32); - state-on – displays all interfaces where PIM is enabled;
[tengigabitethernet te_port
group: (1..32);
| port-channel group| vlan - state-off – displays all interfaces where PIM is disabled;
vlan_id: (1..4094).
vlan_id |state-on | state­off]
show ip (ipv6) pim group- Displays the mapping table for multicast groups.
- - group-address – group address.
map [group_address]
ETS-1-10G-A 5. Device management. Command line interface 176

show ip (ipv6) pim counters

- Displays the contents of PIM counters.

show ip (ipv6) pim bsr

- Displays BSR information.
election
show ip (ipv6) pim bsr rp-cache - Displays information about the candidates learnt at RP.

show ip (ipv6) pim bsr Displays the status of candidates in RP.

-
candidate-rp

clear ip (ipv6) pim counters

- Resets PIM counters.

Command usage example

 Basic configuration of PIM SM with static RP (1.1.1.1). The routing protocol must be configured
previously.

console# configure
console(config)# ip multicast-routing
console(config)# ip pim rp-address 1.1.1.1

5.19 Control functions

AAA mechanism
To ensure system security, the switch uses AAA mechanism (Authentication, Authorization,
Accounting).
− Authentication – the process of matching with the existing account in the security system.
− Authorization (access level verification) – the process of defining specific privileges for the
existing account (already authorized) in the system.
− Accounting – user resource consumption monitoring.
The SSH mechanism is used for data encryption.

Global mode configuration commands

Command line prompt in the global configuration mode:

ETS-1-10G-A 5. Device management. Command line interface 177

console(config)#

Table 129 – Global mode configuration commands

Command Value/Default value Action

aaa authentication Specifies authentication mode for logging in.
login - authorization – allows to authorize using the methods
{authorization | described below;
default | list_name} - default – use the following authentication methods;
method_list - list_name – the name of authentication method list that is
activated when user logs in.
Method description (method_list):
- enable – use a password for authentication;
- line – use a terminal password for authentication;
- local – use a local username database for authentication;
- none – do not use authentication;
list_name: (1..12) - radius – use a RADIUS server list for authentication;
characters; - tacacs – use a TACACS server list for authentication.
method_list: (enable, line, If an authentication method is not defined, the
local, none, tacacs, radius). access to console is always open.
-/Local database check is
performed by default (aaa The list is created with by following command:
authentication login aaa authentication login
authorization default list_name method_list.
local) List usage:
aaa authentication login list-
name

To prevent the loss of access you should enter the

required minimum of the settings for the
specified authentication method.
Sets the default value.
no aaa
authentication
login {default |
list_name}
list_name: (1..12) Specifies authentication method for logging inwhen privileged
aaa authentication
enable characters; level is escalated.
authorization method_list: (enable, line, - authorization – allows to authorize using the methods
{default | list_name} local, none, tacacs, radius). described below;
method_list -/Local database check is - default – use the following authentication methods;
performed by default (aaa - list_name – the name of authentication method list that is
authentication enable activated when user logs in.
authorization default Method description (method_list):
local) - enable – use a password for authentication;
- line – use a terminal password for authentication;
- local – use a local username database for authentication;
- none – do not use authentication;
ETS-1-10G-A 5. Device management. Command line interface 178

- radius – use a RADIUS server list for authentication;

- tacacs – use a TACACS server list for authentication.
If an authentication method is not defined, the
access to console is always open.

The list is created with by following command:

aaa authentication login list-
name method_list.
List usage:
aaa authentication login list-
name
To prevent the loss of access you should enter
the required minimum of the settings for the
specified authentication method.
Sets the default value.
no aaa
authentication
enable
authorization
{default | list_name}
level: (1..15)/1; Sets the password to control user access privilege.
enable password
password: (0..159) - level – privilege level;
password [encrypted]
characters - password – password;
[level level]
- encrypted – encrypted password (for example, an
encrypted password copied from another device).
Removes the password for the corresponding privilege level.
no enable password
[level level]
name: (1..20) characters; Adds a user to the local database.
username name
password: (1..64) - level – privilege level;
{nopassword |
password password | characters; - password – password;
password encrypted encrypted_password: - name – user name;
encrypted_password} (1..64) characters; - encrypted_password – encrypted password (for
[priveliged level] level: (1..15) example, an encrypted password copied from another
device).
Removes a user from the local database.
no username name
-/Accounting is disabled by
aaa accounting Enables accounting for control sessions.
login start­stop default.
group {radius | Accounting is enabled only for the users logged in
tacacs+} with their username and password; for the users
logged in with a terminal password, accounting is disabled.
Accounting will be enabled when the user logs in,
and will be disabled when the user logs out,
corresponding to the start and stop values in
RADIUS messages (for RADIUS protocol message
parameters, see Table 130).
ETS-1-10G-A 5. Device management. Command line interface 179

no aaa accounting Disables accounting for CLI commands.

login start-stop

aaa accounting
-/Accounting is disabled by Enables accounting for 802.1x sessions.
default.
dot1x start­stop Accounting will be enabled when the user logs in,
group radius and will be disabled when the user logs out,
corresponding to the start and stop values in
RADIUS messages (for RADIUS protocol message
parameters, see Table 130).
In the multiple sessions mode, start/stop messages
are sent for all users; in the multiple hosts mode –
only for authenticated users (see 802.1x Section).

no aaa accounting Sets the default value.

dot1x start-stop
group radius

aaa accounting commands -/by default, accounting Enables accounting CLI commands via TACACS+ protocol.
stop-only group tacacs+ the commands is disabled

no aaa accounting Sets the default value.

commands stop-only group

To grant the client access to the device, even if all authentication methods failed, use the
'none' method.

Table 130 – RADIUS protocol accounting message attributes for control sessions

Attribute Attribute
Attribute presence in presence in Description
Start message Stop message
User-Name (1) Yes Yes User identification.
The IP address of the switch used for Radius server
NAS-IP-Address (4) Yes Yes
sessions.
An arbitrary value included in all session
Class (25) Yes Yes
accounting messages.
The IP address of the switch used for control
Called-Station-ID (30) Yes Yes
sessions.
Calling-Station-ID (31) Yes Yes User IP address.
Acct-Session-ID (44) Yes Yes Unique accounting identifier.
Acct-Authentic (45) Yes Yes Specify the method for client authentication.
ETS-1-10G-A 5. Device management. Command line interface 180

Show how long the user is connected to the

Acct-Session-Time (46) No Yes
system.
Acct-Terminate-Cause (49) No Yes The reason why the session is closed.

Table 131 – RADIUS protocol accounting message attributes for 802.1x sessions

Attribute Attribute
Attribute presence in presence in Description
Start message Stop message
User-Name (1) Yes Yes User identification.
The IP address of the switch used for Radius server
NAS-IP-Address (4) Yes Yes
sessions.
NAS-Port (5) Yes Yes The switch port the user is connected to.
An arbitrary value included in all session
Class (25) Yes Yes
accounting messages.
Called-Station-ID (30) Yes Yes IP address of the switch.
Calling-Station-ID (31) Yes Yes User IP address.
Acct-Session-ID (44) Yes Yes Unique accounting identifier.
Acct-Authentic (45) Yes Yes Specify the method for client authentication.
Show how long the user is connected to the
Acct-Session-Time (46) No Yes
system.
Acct-Terminate-Cause (49) No Yes The reason why the session is closed.
Nas-Port-Type (61) Yes Yes Show the client port type.

Terminal configuration mode commands

Command line prompt in the terminal configuration mode is as follows:

console(config-line)#
ETS-1-10G-A 5. Device management. Command line interface 181

Table 132 – Commands of terminal sessions configuration mode

Command Value/Default value Action

login authentication Specifies the log-in authentication method for console,
{default | list_name} telnet, ssh.
- default – use the default list created by the 'aaa
authentication login default' command.
list_name: (1..12)
characters - list_name – use the list created by the 'aaa
authentication login list_name' command.
no login Sets the default value.
authentication

enable authentication Specifies the user authentication method when privilege

{default | list_name} level is escalated for console, telnet, ssh.
- default – use the default list created by the 'aaa
authentication login default' command.
list_name: (1..12)
characters - list_name – use the list created by the 'aaa
authentication login list_name' command.
no enable Sets the default value.
authentication

password password
Specifies the terminal password.
- encrypted – encrypted password (for example, an
[encrypted] password: (0..159)
characters
encrypted password copied from another device).
no password Removes the terminal password.

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 133 – Privileged EXEC mode commands

Command Value/Default value Action

show authentication Shows information about switch authentication methods.
methods -

show users accounts - Shows local user database and their privileges.
ETS-1-10G-A 5. Device management. Command line interface 182

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console>

All commands from this section are available to the privileged users only.

Table 134 – EXEC mode commands

Command Value/Default value Action

show accounting - Shows information about configured accounting methods.

RADIUS
RADIUS is used for authentication, authorization and accounting. RADIUS server uses a user
database that contains authentication data for each user. Thus, RADIUS provides more secure access to
network resources and the switch itself.

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#

Table 135 – Global mode configuration commands

Command Value/Default value Action

Adds the selected server into the list of RADIUS servers used.
radius-server host hostname: (1..158)
{ipv4­address | ipv6-address characters
- ip_address – IPv4 or IPv6 address of the RADIUS server;
| hostname} [auth­port auth_port: - hostname – RADIUS server network name;
auth_port] [acct­port (0..65535)/1812; - auth_port – port number for sending authentication data;
acct_port] [timeout acct_port: - acct_port – port number for sending accounting data;
timeout] [retransmit (0..65535)/1813; - timeout – server response timeout;
retries] [deadtime time] timeout: (1..30) - retries – number of attempts to search for a RADIUS server;
[key secret_key] seconds - time – time in minutes the RADIUS client of the switch will
[priority priority] retries: (1..15); not poll unavailable servers;
[usage type] time (0..2000) minutes
ETS-1-10G-A 5. Device management. Command line interface 183

encrypted radius-
secret_key: (0..128) - secret_key – authentication and encryption key for RADIUS
characters; data exchange;
server host {ipv4­address
priority: (0..65535)/0; - priority – RADIUS server priority (the lower the value, the
| ipv6-address | hostname}
type: (login, dot1.x, all)/
[auth­port auth_port] higher the server priority);
all
[acct­port acct_port] - type – the type of usage of the RADIUS server;
[timeout timeout] - encrypted – set the key in the encrypted form.
[retransmit retries] If timeout, retries, time, secret_key parameters are not specified in
[deadtime time] [key the command, the current RADIUS server uses the values
secret_key] [priority configured with the following commands.
priority] [usage type]

no radius-server host Removes the selected server from the list of RADIUS servers
{ipv4­address | ipv6-address | used.
hostname}

[encrypted] radius- Specifies the default authentication and encryption key for
server key [key] RADIUS data exchange between the device and RADIUS
key: (0..128)
environment.
characters/default key
is an empty string - encrypted – set the key in the encrypted form.
no radius-server key Sets the default value.

radius-server timeout Specifies the default server response interval.

timeout
timeout: (1..30)/3 sec
no radius-server Sets the default value.
timeout

radius-server Specifies the default number of attempts to discover a

retransmit retries RADIUS server from the list of servers. If the server is not
found, a search for the next priority server from the server
retries: (1..15)/3 list will be performed.
no radius-server Sets the default value.
retransmit

radius-server Optimizes RADIUS server query time when some servers are
deadtime deadtime unavailable. Set the default time in minutes the RADIUS
deadtime: (0..2000)/0 client of the switch will not poll unavailable servers.
min Sets the default value.
no radius-server
deadtime
ETS-1-10G-A 5. Device management. Command line interface 184

Specifies a device interface whose IP address will be used as the

radius-server host
source­interface { default source address in the RADIUS messages.
tengigabitethernet
te_port | port-channel vlan_id: (1..4094);
group | loopback te_port: (1..8/0/1..32);
loopback_id | vlan vlan loopback_id: (1..64);
id} group: (1..32)
Deletes a device interface.
no radius-server host
source­interface

Specifies a device interface whose IPv6 address will be used as the

radius-server host
source­interface-ipv6 default source address in the RADIUS messages.
{ tengigabitethernet
te_port | port-channel vlan_id: (1..4094);
group | loopback te_port: (1..8/0/1..32);
loopback_id | vlan vlan loopback_id: (1..64);
id} group: (1..32)
Deletes a device interface.
no radius-server host
source­interface-ipv6

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 136 – Privileged EXEC mode commands

Command Value/Default value Action

show radius- Shows RADIUS server configuration parameters (this
servers[key] - command is available for privileged users only).

show radius server Shows RADIUS statistics, user information, RADIUS server
{statistics | group | configuration.
accounting |
configuration | nas | -
rejected | secret |
user}
ETS-1-10G-A 5. Device management. Command line interface 185

Example use of commands

 Set global values for the following parameters: server reply interval - 5 seconds, RADIUS server
discovery attempts - 5, time the switch RADIUS client will not poll unavailable servers - 10
minutes, secret key - secret. Add a RADIUS server located in the network node with the following
parameters: IP address 192.168.16.3, server authentication port 1645, server access attempts -
2.

console# configure
console (config)# radius-server timeout 5
console (config)# radius-server retransmit 5
console (config)# radius-server deadtime 10
console (config)# radius-server key secret
console (config)# radius-server host 196.168.16.3 auth-port 1645
retransmit 2

 Show RADIUS server configuration parameters

console# show radius-servers

IP address Port port Time- Ret- Dead- Prio. Usage

Auth Acct Out rans Time
--------------- ----- ----- ------ ------ ------ ----- -----
192.168.16.3 1645 1813 Global 2 Global 0 all

Global values
--------------

TimeOut : 5
Retransmit : 5
Deadtime : 10
Source IPv4 interface :
Source IPv6 interface :

TACACS+ protocol
The TACACS+ protocol provides a centralized security system that handles user authentication and
a centralized management system to ensure compatibility with RADIUS and other authentication
mechanisms. TACACS+ provides the following services:
− Authentication. Provided during login by user names and user-defined passwords.
− Authorization. Provided at login time. After the authentication session is complete, an
authentication session is started using a validated username, and user privileges are also
checked by the server.
ETS-1-10G-A 5. Device management. Command line interface 186

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#

Table 137 – Global mode configuration commands

Command Value/Default value Action

tacacs-server host Adds the selected server into the list of TACACS servers used.
{ip_address | hostname} - ip_address – TACACS server IP address;
[single-connection] - hostname – TACACS server network name;
[port­number port] [timeout - single-connection – have no more than one connection at any
timeout] [key secret_key] given time to exchange data with the TACACS server;
[priority priority] hostname: (1..158) - port – port number for data exchange with the TACACS server;
encrypted tacacs-server host characters - timeout – server response timeout;
{ip_address | hostname} port: (0..65535)/49; - secret_key – authentication and encryption key for TACACS data
[single-connection] timeout: (1..30) exchange;
[port­number port] [timeout seconds - priority – TACACS server priority (the lower the value, the higher
timeout] [key secret_key] secret_key: (0..128) the server priority);
[priority priority] characters; - encrypted – set the secret_key value in the encrypted form.
priority: (0..65535)/0;
If timeout, secret_key parameters are not specified in the
command, the current TACACS server uses the values
configured with the following commands.
no tacacs-server host
Removes the selected server from the list of TACACS servers used.
{ip_address | hostname}
tacacs-server key key Specifies the default authentication and encryption key for TACACS
key: (0..128)
encrypted tacacs-server key data exchange between the device and TACACS environment.
characters/default key
key - encrypted – set the secret_key value in the encrypted form.
is an empty string
no tacacs-server key Sets the default value.
tacacs-server timeout timeout Specifies the default server response interval.
timeout: (1..30)/5 sec
no tacacs-server timeout Set the default value.
tacacs-server host Specifies a device interface whose IP address will be used as the
source­interface { default source address for message exchange with TACACS server.
vlan_id: (1..4094);
tengigabitethernet te_port |
te_port: (1..8/0/1..32);
port-channel group | loopback
loopback_id (1..64);
loopback_id | tunnel tunnel |
tunnel (1-16);
vlan vlan id}
group: (1..32)
no tacacs-server host Deletes a device interface.
source­interface

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#
ETS-1-10G-A 5. Device management. Command line interface 187

Table 138 – EXEC mode commands

Command Value/Default value Action

show tacacs [ip_address | Displays configuration and statistics for the TACACS+ server.
hostname] host_name: (1..158)
- ip_address – TACACS+ server IP address;
characters
- hostname – server name.

Simple network management protocol (SNMP)

SNMP is a technology designed to manage and control devices and applications in a
communications network by exchanging management data between agents located on network devices
and managers located on management stations. SNMP defines a network as a collection of network
management stations and network elements (host machines, gateways and routers, terminal servers) that
together provide administrative communications between network management stations and network
agents.

Switches allow you to configure the SNMP protocol for remote monitoring and device management.
The device supports SNMPv1, SNMPv2 and SNMPv3 protocol version.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#
ETS-1-10G-A 5. Device management. Command line interface 188

Table 139 – Global mode configuration commands

Command Value/Default value Action

Enable SNMP protocol support.
snmp-server server
SNMP protocol support
is disabled by default Disable SNMP protocol support.
no snmp-server server

community: (1..20) Sets the value of community string for data exchange via SNMP
snmp-server community
characters; protocol.
community [ro | rw |
su] [ipv4_address | encrypted_community: - community – community string (password) for the access via SNMP;
(1..20) characters; - encrypted – set the community string in the encrypted form;
ipv6_address | ipv6z_address]
формат ipv4_address: - ro – read-only access;
[mask mask | prefix
A.B.C.D; - rw – read and write access;
prefix_length]] [view
ipv6_address format: - su – admin access;
view_name]
X:X:X:X::X. - view_name – defines a name for the SNMP view rule, which must
ipv6z_address format: be pre-defined with the snmp-server view command. Identifies the
snmp-server objects available to the community;
X:X:X:X::X%<ID>;
community­group
mask: - - ipv4_address, ipv6_address, ipv6z_address – device IP address;
community group_name - mask – IPv4 address mask, which determines which bits of the
/255.255.255.255;
[ipv4_address | ipv6_address | packet source address are compared with the specified IP address;
prefix_length:
ipv6z_address] [mask mask | - prefix_length – the number of bits that are prefix of IPv4 address;
(1..32)/32;
prefix prefix_length] - group_name – defines a group name to be pre-defined with the
view_name: (1..30)
characters; snmp-server group command. Identifies the objects available to the
group_name: (1..30) community.
characters
snmp-server view Creates or edits a review rule for SNMP – allowing rule or
view_name OID {included restricting browser server access to OID.
| excluded} - OID – MIB object identifier, represented in the form of an
ASN.1 tree (string of the form 1.3.6.2.4 may include reserved
words, for example: system, dod). With the symbol *, you can
view_name: (1..30)
characters designate a family of subtrees: 1.3.*.2);
- include – OID is included in the rule for review;
- exclude – OID is excluded from the rule for review.
no snmp-server view Removes the review rule for SNMP.
viewname [OID]
ETS-1-10G-A 5. Device management. Command line interface 189

encrypted snmp-server
username: (1..20) Creates an SNMPv3 user.
user username characters - username - username;
groupname {v3 | groupname: (1..30) - groupname – group name;
characters
remote host v3 - engineid-string – ID of the remote SNMP device to which the
engineid-string: (5..32)
[encrypted] [auth user belongs;
{md5|sha} auth- characters
password] } password: (1..32) - auth–password – password for authentication and key
symbols generation;
md5: - md5 – md5 key;
16 or 32 bytes - sha– sha key;
sha: - host – host IP address/name.
20 or 36 Removes the SNMP-v3 user.
no snmp-server user bytes
username [remote format
engineid-string]
IPv4: A.B.C.D
IPv6: X:X:X:X::X
IPv6z:
X:X:X:X::X%<ID>
Creates an SNMP group or table of SNMP users and SNMP view rules.
snmp-server group
- v1, v2, v3 – SNMP v1, v2, v3 security model;
group_name {v1 | v2 |
v3 {noauth | auth | - noauth, auth, priv – authentication type used by SNMP v3 protocol
priv} [notify (noauth – no authentication, auth – unencrypted authentication,
notify_view]} [read priv – encrypted authentication);
group_name: (1..30) - notify_view – the name of the browsing rule that is allowed
read_view] [write characters;
write_view] to define SNMP agent messages - inform and trap;
notify_view: (1..32)
characters;
- read_view – the name of the view rule that is only allowed
read_view: (1..32) to read the contents of the switch's SNMP agent;
characters; write_view: - write_view – the name of the view rule that is allowed to enter data
(1..32 characters) and configure the contents of the switch's SNMP agent.
no snmp-server group Deletes the SNMP group
groupname {v1 | v2 |
v3 [noauth | auth |
priv]}

snmp-server user user_name Creates the SNMPv3 user.

group_name {v1 | v2c | v3 user_name: (1..20) - user_name – user name;
[remote {ip_address | host}]} characters; - group_name – group name.
no snmp-server user group_name: (1..30) Removes the SNMPv3 user.
user_name {v1 | v2c | v3 characters
[remote {ip_address | host}]}
ETS-1-10G-A 5. Device management. Command line interface 190

snmp-server filter filter_name Creates or edits an SNMP filter rule that filters inform and trap
OID {included | excluded} messages sent to the SNMP server.
- filter_name – SNMP filter name;
- OID – MIB object identifier, represented in the form of an
ASN.1 tree (string of the form 1.3.6.2.4 may include reserved
filter_name: (1..30)
characters
words, for example: system, dod. With the symbol *, you can
designate a family of subtrees: 1.3.*.2);
- include – OID is included in the rule for filtering;
- exclude – OID is excluded from the rule for filtering.
no snmp-server filter Removes the SNMP filter rule.
filter_name [OID]
snmp-server host Defines settings for sending notification messages to inform
{ipv4_address | ipv6_address | and trap SNMP server.
hostname} [traps | informs] - community – SNMPv1/2c community string for sending
[version {1 | 2c | 3 {noauth |
notification messages;
auth | priv}] {community | hostname: (1..158) - username – SNMPv3 user name for authentication;
username} [udp-port port] characters
[filter filter_name] [timeout - version – defines the message type trap - trap SNMPv1, trap
community: (1..20) SNMPv2, trap SNMPv3;
seconds] [retries retries] characters;
- auth – specifies the authenticity of the unencrypted package;
username: (1..20)
characters
- noauth – does not specifies the authenticity of the package;
port: (1..65535)/162; - priv – specifies the authenticity of the encrypted package;
filter_name: (1..30) - port – SNMP server UDP port
characters; - seconds – the waiting period for confirmations before
seconds: (1..300)/15; resending inform messages;
retries: (0..255)/3 - retries – the number of attempts to transmit inform
messages, in the absence of confirmation.
no snmp-server host Removes the settings for sending notification messages
{ipv4_address | ipv6_address | inform and trap SNMPv1/v2/v3 to the server.
hostname} [traps | informs]
snmp-server engineid local Creates the local SNMP device identifier – engineID.
{engineid_string | default} - engineid_string – SNMP device name;
engineid_string: (5..32) - default – when using this setting, the engine ID will be
characters automatically created based on the MAC address of the
device.
no snmp-server engineid local Removes local SNMP device ID – engine ID
snmp-server source­interface Specifies a device interface whose IP address will be used as the
{traps | informs} { default source address for message exchange with SNMP server.
tengigabitethernet te_port |
te_port: (1..8/0/1..32);
port-channel group | loopback
loopback_id: (1..64);
loopback_id | vlan vlan id}
group: (1..32)
no snmp-server Deletes a device interface.
source­interface [traps |
informs]
ETS-1-10G-A 5. Device management. Command line interface 191

snmp-server Same for IPv6.

source­interface­ipv6 {traps |
informs} { tengigabitethernet
te_port | port-channel group | te_port: (1..8/0/1..32);
loopback loopback_id | vlan loopback_id: (1..64);
vlan id} group: (1..32)
no snmp-server Deletes a device interface.
source­interface-ipv6 [traps |
informs]
snmp-server engineid remote Creates remote SNMP device ID – engine ID
{ipv4_address | ipv6_address | hostname: (1..158) - engineid_string – SNMP device ID.
hostname} engineid_string characters
no snmp-server engineID engineid_string: Removes remote SNMP device ID – engine ID
remote {ipv4_address | (5..32) characters
ipv6_address | hostname}
snmp-server enable traps Enables SNMP trap message support.
/enabled
no snmp-server enable traps Disables SNMP trap message support.
snmp-server enable traps ospf Enables sending SNMP trap messages of the OSPF protocol.
no snmp-server enable traps /enabled Disables SNMP trap-message transmission.
ospf
snmp-server enable traps ipv6 Enables sending SNMP trap messages of the OSPF protocol
ospf (IPv6).
/enabled
no snmp-server enable traps Disables SNMP trap-message transmission.
ipv6 ospf
snmp-server enable traps erps Enables sending SNMP trap messages of the ERPS protocol
no snmp-server enable traps /enabled Enables sending SNMP trap messages of the ERPS protocol
erps
snmp-server trap Allows to send messages to a trap server that has not been
authentication authenticated.
-/enabled
no snmp-server trap Denies to send messages to a trap server that has not been
authentication authenticated.
snmp-server contact text text: (1..160) Identifies the contact information of the device.
no snmp-server contact characters Removes the contact information of the device.
snmp-server location text text: (1..160) Determines the information on location of the device.
no snmp-server location characters Removes the information on location of the device.
snmp-server set variable_name variable_name, name, Allows to set the values of variables in the switch MIB database.
name1 value1 [name2 value2 the value should be set - variable_name – variable name;
[…]] according to the - name, value – name – value matching pairs.
specification

Ethernet interface (interfaces range) configuration mode commands

Command line prompt in the Ethernet interface configuration mode is as follows:

ETS-1-10G-A 5. Device management. Command line interface 192

console(config-if)#

Table 140 – Commands of Ethernet interface configuration mode

Command Value/Default value Action

snmp trap link-status Enables sending SNMP trap messages when the state of
the custom port changes.
/enabled
no snmp trap link- Disables sending SNMP trap messages when the state
status of the custom port changes.

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

Table 141 – Privileged EXEC mode commands

Command Value/Default value Action

Shows the status of SNMP connections.
show snmp -
Shows the local SNMP device identifier – engineID.
show snmp engineID -

show snmp views view_name: (1..30) Shows the SNMP review rules.
[view_name] characters
show snmp groups group_name: (1..30) Shows the SNMP groups.
[group_name] characters
show snmp filters [filter_name] filter_name: (1..30) Shows the SNMP filters.
characters
show snmp users [user_name] user_name: (1..30) Shows the SNMP users.
characters

Remote Network Monitoring (RMON)

Remote Network Monitoring Protocol (RMON) is an extension of the SNMP to provide greater
control over network traffic. The difference between RMON and SNMP is in the nature of the information
collected - data collected by RMON primarily characterize the traffic between network nodes. The
information collected by the agent is transmitted to the network management application.
ETS-1-10G-A 5. Device management. Command line interface 193

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 142 – Global mode configuration commands

Command Value/Default value Action

rmon event index type index: (1..65535); Configures the events used in the remote monitoring
[community com_text] type: (none, log, trap, system.
[description log-trap); - index – event index;
desc_text] [owner name] com_text: (0..127)
- type – the type of notification the device generates for
characters;
this event:
desc_text: (0..127)
none – do not generate notifications,
characters;
log – generate table entry,
name: string
trap – send SNMP trap,
log-trap – generate a table entry and send SNMP trap;
- com_text – SNMP community string to forward trap;
- desc_text – event description;
- name – event creator name.
no rmon event index
Removes the event used in the remote monitoring system.

rmon alarm index

index: (1..65535); Adjusts the conditions for issuing alarms.
mib_object_id: valid OID; - index – alarm event index;
mib_object_id interval
interval: (1..2147483647) - mib_object_id – variable OID part identifier;
rthreshold fthreshold revent
sec - interval – the interval during which data are selected and
fevent [type type] [startup
rthreshold: compared with uplink and downlink boundaries;
direction] [owner name]
(0..2147483647); - rthreshold – uplink border;
fthreshold: - fthreshold – downlink border;
(0..2147483647); - revent – the event index used when crossing an uplink order;
revent: (1..65535); - fevent – the event index used when crossing the downlink
fevent: (0..65535);
border;
type: (absolute,
- type – method of selecting the specified variables and
delta)/absolute;
calculating the value for comparison with the boundaries:
startup: (rising, falling,
absolute method – the absolute value of the selected variable will
rising-falling)/rising-
be compared to the boundary at the end of the investigated
falling;
interval;
name: string
delta method– the value of the selected variable at the last
selection will be subtracted from the current value and the
difference will be compared with the borders (difference
between the variable values at the end and at the beginning of
the control interval);
- startup – instructions for generating events in the first control
interval. Defines the rules of generating emergency events for the
ETS-1-10G-A 5. Device management. Command line interface 194

first control interval by comparing the selected variable with one

or both boundaries:
- rising – generate a single uplink border emergency event if the
value of the selected variable in the first control interval is greater
than or equal to this border;
- falling – generate a single downlink border emergency event if
the value of the selected variable in the first control interval is less
than or equal to this border;
- rising-falling – generate a single uplink and/or downlink
emergency event if the value of the selected variable in the first
control interval is greater than or equal to the uplink and/or
downlink border;
- owner – the name of the creator of the emergency event.
no rmon alarm index
Removes the condition of issuing emergency events.

rmon table-size
hist_entries: Sets the maximum size of RMON tables.
(20..32767)/270; - history – maximum number of rows in the history table;
{history hist_entries |
log_entries: - log – maximum number of rows in the table of entries.
log log_entries}
(20..32767)/100 Value change will take effect after the switch is
restarted.
no rmon table-size Sets the default value.
{history | log}

Ethernet or port group interface (interface range) configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:

console(config-if)#

Table 143 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Action

rmon collection stats Enables history generation by groups of statistics for the
index [owner name] remote monitoring database (MIB).
index: (1..65535); - index – index of the required statistics group;
[buckets bucket_num]
name: (0..160)
[interval interval] - name – statistics group owner;
characters;
- bucket_num – value associated with the number of cells to
bucket-num:
(1..50)/50; collect history by statistics group;
interval: - interval – polling period to form a history.
no rmon collection (1..3600)/1800 sec Disables history generation by groups of statistics for the
stats index remote monitoring database (MIB).
ETS-1-10G-A 5. Device management. Command line interface 195

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console>

Table 144 – EXEC mode commands

Command Value/Default value Action

show rmon statistics Displays the Ethernet interface or port group statistics used
{ tengigabitethernet for remote monitoring.
te_port | port-channel
group}
te_port: (1..8/0/1..32);
show rmon collection group: (1..32) Displays information by requested statistics groups.
stats
[tengigabitethernet
te_port | port-channel
group]

show rmon history index

Shows the Ethernet history of RMON statistics.
{throughput | errors - index – requested statistics group;
| other} [period index: (1..65535); - throughput – shows the performance (throughput)
period] period: counters;
(1..2147483647) sec - errors – shows error counters;
- other – shows the breakage and collision counters;
- period – shows the history for the requested period of time.
show rmon alarm-table - Shows a summary table of alarm events.
show rmon alarm index Shows the configuration of alarm event settings.
index: (1..65535)
-index – alarm event index.
show rmon events -
Shows the RMON event table.

Shows the RMON entry table.

show rmon log [index] index: (0..65535)
- index – event index.

Command execution example

 Show statistics of 10 Ethernet interface:

сonsole# show rmon statistics tengigabitethernet 1/0/10

Port te0/10
Dropped: 8
Octets: 878128 Packets: 978
Broadcast: 7 Multicast: 1
ETS-1-10G-A 5. Device management. Command line interface 196

CRC Align Errors: 0 Collisions: 0

Undersize Pkts: 0 Oversize Pkts: 0
Fragments: 0 Jabbers: 0
64 Octets: 98 65 to 127 Octets: 0
128 to 255 Octets: 0 256 to 511 Octets: 0
512 to 1023 Octets: 491 1024 to 1518 Octets: 389

Table 145 – Result description

Parameter Description
Dropped Number of detected events when packets were discarded.
The number of data bytes (including bad packet bytes) received from the network
Octets
(excluding frame bits but including checksum bits).
Packets The number of packets received (including bad, broadcast and multicast packets).
Broadcast The number of broadcast packets received (correct packets only).
Multicast The number of multicast packets received (correct packets only).
The number of packets received that have an incorrect checksum, either with an integer
CRC Align Errors number of bytes (FCS checksum error) or an uninteger number of bytes (Alignment error),
ranging from 64 to 1,518 bytes inclusive.
Collisions Estimates the number of collisions on a given Ethernet segment.
The number of packets received is less than 64 bytes long (excluding frame bits but
Undersize Pkts
including checksum bits) but otherwise correctly generated.
The number of packets received is more than 1518 bytes long (excluding frame bits but
Oversize Pkts
including checksum bits) but otherwise correctly generated.
The number of packets received that are less than 64 bytes long (excluding frame bits, but
Fragments including checksum bits) that have an invalid checksum either with an integer number of
bytes (FCS checksum errors) or an uninteger number of bytes (Alignment errors).
The number of packets received that are more than 1518 bytes long (excluding frame bits,
Jabbers but including checksum bits) that have an invalid checksum either with an integer number
of bytes (FCS checksum errors) or an uninteger number of bytes (Alignment errors).
The number of packets received (including bad packets) that are 64 bytes long (excluding
64 Octet
frame bits, but including checksum bits).
The number of packets received (including bad packets) that are from 65 to 127 bytes long
65 to 127 Octets
inclusive (excluding frame bits, but including checksum bits).
The number of packets received (including bad packets) that are from 128 to 255 bytes
128 to 255 Octets
long inclusive (excluding frame bits, but including checksum bits).
The number of packets received (including bad packets) that are from 256 to 511 bytes
256 to 511 Octets
long inclusive (excluding frame bits, but including checksum bits).
ETS-1-10G-A 5. Device management. Command line interface 197

The number of packets received (including bad packets) that are from 512 to 1023 bytes
512 to 1023 Octets
long inclusive (excluding frame bits, but including checksum bits).
The number of packets received (including bad packets) that are from 1024 to 1518 bytes
1024 to 1518 Octets
long inclusive (excluding frame bits, but including checksum bits).

 Show information by statistical groups for Port 8:

сonsole# show rmon collection stats tengigabitethernet 1/0/8

Index Interface Interval Requested Samples Granted Samples Owner
----- --------- -------- ----------------- --------------- -------------------
1 te0/8 300 50 50 RAD

Table 146 – Result description

Parameter Description
Index An index that uniquely identifies an entry.
Interface The Ethernet interface on which the polling is running.
Interval The interval in seconds between surveys.
Requested Samples Requested number of counts that can be saved.
Granted Samples Allowed (remaining) number of counts that can be saved.
Owner The owner of current entry.

 Show bandwidth counters for statistical group 1:

console# show rmon history 1 throughput

Sample set: 1 Owner: MES

Interface: te1/0/1 Interval: 1800
Requested samples: 50 Granted samples: 50

Maximum table size: 100

Time Octets Packets Broadcast Multicast %
Nov 10 2009 18:38:00 204595549 278562 2893 675218.67%

Table 147 – Result description

Parameter Description
Time Date and time of entry creation.
ETS-1-10G-A 5. Device management. Command line interface 198

The number of data bytes (including bad packet bytes) received from the network
Octets
(excluding frame bits but including checksum bits).
Packets The number of packets received (including bad packets) during the entry formation period.
The number of good packets received during the formation period of the broadcast
Broadcast
address entry.
The number of good packets received during the formation period of the multicast address
Multicast
entry.
Estimate the average bandwidth of the physical layer on a given interface during the entry
Utilization
formation period. Throughput is estimated at up to a thousand percent.
The number of packets received during the entry formation period that have an incorrect
CRC Align checksum, either with an integer number of bytes (FCS checksum error) or an uninteger
number of bytes (Alignment error), ranging from 64 to 1,518 bytes inclusive.
Estimate the number of conflicts on a given Ethernet segment during the entry formation
Collisions
period.
The number of packets received during the entry formation period is less than 64 bytes
Undersize Pkts
long (excluding frame bits but including checksum bits) but otherwise correctly generated.
The number of packets received during the entry formation period is more than 1518 bytes
Oversize Pkts
long (excluding frame bits but including checksum bits) but otherwise correctly generated.
The number of packets received during the entry formation period that are less than 64
bytes long (excluding frame bits, but including checksum bits) that have an invalid
Fragments
checksum either with an integer number of bytes (FCS checksum errors) or an uninteger
number of bytes (Alignment errors).
The number of packets received during the entry formation period that are more than
1518 bytes long (excluding frame bits, but including checksum bits) that have an invalid
Jabbers checksum either with an integer number of bytes (FCS checksum errors) or an uninteger
number of bytes (Alignment errors).

The number of events detected when packets were discarded during the entry formation
Dropped
period.

 Show a summary table of alarms:

console# show rmon alarm-table

Index OID Owner
----- -------------------------- -------
1 1.3.6.1.2.1.2.2.1.10.1 CLI
2 1.3.6.1.2.1.2.2.1.10.1 Manager
ETS-1-10G-A 5. Device management. Command line interface 199

Table 148 – Result description

Parameter Description
Index An index that uniquely identifies an entry
OID Controlled variable OID
Owner The user that created the entry.

 Show configuration of alarm events with index 1:

console# show rmon alarm 1

Alarm 1
-------
OID: 1.3.6.1.2.1.2.2.1.10.1
Last sample Value: 878128
Interval: 30
Sample Type: delta
Startup Alarm: rising
Rising Threshold: 8700000
Falling Threshold: 78
Rising Event: 1
Falling Event: 1
Owner: CLI

Table 149 – Result description

Parameter Description
OID Controlled variable OID.
The value of the variable in the last control interval. If the method of selecting variables is
Last Sample Value absolute – it is an absolute value of the variable, if delta – it is the difference between the
values of the variable at the end and beginning of the control interval.
The interval in seconds during which data are sampled and compared to the upper and
Interval
lower limits.
Method of selecting the specified variables and calculating the value for comparison with
the boundaries. Absolute method – the absolute value of the selected variable will be
compared to the boundary at the end of the investigated interval. Delta method– the
Sample Type
value of the selected variable at the last selection will be subtracted from the current value
and the difference will be compared with the borders (difference between the variable
values at the end and at the beginning of the control interval).
ETS-1-10G-A 5. Device management. Command line interface 200

Instructions for generating events in the first control interval. Defines the rules of
generating emergency events for the first control interval by comparing the selected
variable with one or both boundaries.
rising – generate a single uplink border emergency event if the value of the selected
variable in the first control interval is greater than or equal to this border.
Startup Alarm
falling – generate a single downlink border emergency event if the value of the selected
variable in the first control interval is less than or equal to this border.
rising-falling – generate a single uplink and/or downlink emergency event if the value of
the selected variable in the first control interval is greater than or equal to the uplink
and/or downlink border.
The value of the uplink border. When the value of the selected variable in the previous
rising threshold control interval was less than the given boundary, and in the current control interval is
greater than or equal to the boundary value, then a single event is generated.
The value of the downlink border. When the value of the selected variable in the previous
falling threshold control interval was greater than the given boundary, and in the current control interval is
less than or equal to the boundary value, then a single event is generated.
Rising Event The index of the event used when the uplink border is crossed.
Falling Event The index of the event used when the downlink border is crossed.
Owner The user that created the entry.

 Show the RMON event table:

сonsole# show rmon events

Index Description Type Community Owner Last time sent

----- ----------- ---------- ---------- -------- -------------------
1 Errors Log CLI Nov 10 2009 18:47:17
2 High Broadcast Log-Trap router Manager Nov 10 2009 18:48:48

Table 150 – Result description

Parameter Description
Index An index that uniquely identifies an event.
Description A comment describing the event.
The type of notification the device generates for this event:
none – do not generate notifications,
Type log – generate table entry,
trap – send SNMP trap,
log-trap – generate a table entry and send SNMP trap.
Community SNMP community string to forward trap.
Owner The user that created the event.
ETS-1-10G-A 5. Device management. Command line interface 201

Time and date of generation of the last event. If no events were generated, this value will
Last time sent
be zero.

Show the RMON entry table.

console# show rmon log

ETS-1-10G-A 5. Device management. Command line interface 202

Maximum table size: 100

Event Description Time
----- ----------- --------------------
1 Errors Nov 10 2009 18:48:33

Table 151 – Result description

Parameter Description
Index An index that uniquely identifies an entry.
Description A comment describing the event.
Time Time at which the entry is generated.

ACL access lists for device management

Switch firmware allows enabling and disabling access to device management via specific ports or
VLAN groups. This is achieved by creating access control lists (Access Control List, ACL).

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 152 – Global mode configuration commands

Command Value/Default value Action

management access-list name Creates an access control list. Enter the access control list
configuration mode.
name: (1..32) symbols
no management access-list Removes an access control list.
name
management access- Restricts device management by a specific access list.
class {console-only | Activate a specific access list.
name} - console-only – device management is available via the
name: (1..32) symbols console only.
no management Removes a device management restriction defined by a
access­class specific access list.
ETS-1-10G-A 5. Device management. Command line interface 203

Access control list configuration mode commands

Command line prompt in the access control list configuration mode is as follows:

console(config)# management access-list RAD_manag

console (config-macl)#

Table 153 – Access control list configuration mode commands

Command Value/Default value Action

permit [tengigabitethernet Defines the ‘permit’ condition for the access control list.
te_port | port-channel group | - service – access type.
oob | vlan vlan_id] [service
te_port: (1..8/0/1..32);
service ]
group: (1..32);
permit ip-source
vlan_id: (1..4094)
{ipv4_address |
service: (telnet, snmp,
ipv6_address/prefix_length}
http, https, ssh);
[mask {mask | prefix_length}]
[tengigabitethernet te_port |
port-channel group | oob |
vlan vlan_id] [service service]
deny [tengigabitethernet Specifies a restricting criterion for an ACL.
te_port: (1..8/0/1..32);
te_port | port-channel group | - service – access type,
group: (1..32);
oob | vlan vlan_id] [service
vlan_id: (1..4094);
service] [ace-priority index]
service: (telnet, snmp,
deny ip-source {ipv4_address | http, https, ssh);
ipv6_address/prefix_length}
[mask {mask | prefix_length}]
[tengigabitethernet te_port |
port-channel group | oob |
vlan vlan_id] [service service]

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 154 – Privileged EXEC mode commands

Command Value/Default value Action

Shows access control lists.
show management
name: (1..32) symbols
access-list [name]
 ETS-1-10G-A 5. Device management. Command line interface 204

Shows information on the active access control lists.

show management
access­class -

Access configuration

Telnet, SSH, HTTP and FTP

These commands are used to configure access servers that manage switches. TELNET and SSH
support allows remote connection to the switch for monitoring and configuration purposes.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 155 – Global mode configuration commands

Command Value/Default value Action

Enables remote device configuration via Telnet.
ip telnet server
Telnet server is enabled
by default. Disables remote device configuration via Telnet.
no ip telnet server

Enables remote device configuration via SSH.

ip ssh server
SSH server will be kept in stand-by condition until the
encryption key is generated. After the key has been
SSH server is disabled by generated (by the 'crypto key generate rsa' and 'crypto key
default. generate dsa' commands), the server will return to the
operation mode.
Disables remote device configuration via SSH.
no ip ssh server

TCP port used by the SSH server.

ip ssh port port_number
port_number:
(1..65535)/22 Sets the default value.
no ip ssh port
 ETS-1-10G-A 5. Device management. Command line interface 205

Sets the interface for SSH session using IPv6.

ip ssh-client
source­interface {
tengigabitethernet
te_port | port-channel te_port: (1..8/0/1..32);
group | loopback loopback_id: (1..64);
loopback_id | vlan group: (1..32);
vlan_id} vlan_id: (1..4094)
Deletes the interface.
no ip ssh-client
source­interface

Sets the interface for IPv6 ssh session.

ipv6 ssh-client
source­interface {
tengigabitethernet
te_port | port-channel te_port: (1..8/0/1..32);
group | loopback loopback_id: (1..64);
loopback_id | vlan group: (1..32);
vlan_id} vlan_id: (1..4094)
Deletes the interface.
no ipv6 ssh-client
source­interface

Enables the use of a public key for incoming SSH sessions.

ip ssh pubkey-auth
By default, public key is
not allowed. Disables the use of a public key for incoming SSH sessions.
no ip ssh pubkey-auth

Enables password authentication mode.

ip ssh password-auth
By default is enabled Disables password authentication mode.
no ip ssh password-
auth

Enters the public key configuration mode.

crypto key pubkey- By default, the key is not
chain ssh created.
Generates a DSA public- and private-key pair for SSH service.
crypto key generate
If one of the keys has been already created, the system will
dsa -
prompt to overwrite it.

Generates an RSA public- and private-key pair for SSH service.

crypto key generate
rsa - If one of the keys has been already created, the system
will prompt to overwrite it.
Importing a pair of DSA keys
crypto key import dsa
- encrypted – in encrypted form.
-
encrypted crypto key
import dsa

Importing a pair of RSA keys

crypto key import rsa -
- encrypted – in encrypted form.
 ETS-1-10G-A 5. Device management. Command line interface 206

encrypted crypto key

import rsa

Generates SSL certificate.

crypto certificate {1
| 2} generate
-
Restores the default SSL certificate for the specified certificate.
no crypto certificate
{1 | 2}

The keys generated by the crypto key generate rsa and crypto key generate dsa commands
are stored in a closed configuration file.

Public key configuration mode commands

Command line prompt in the public key configuration mode is as follows:

console# configure
console(config)# crypto key pubkey-chain ssh
console(config-pubkey-chain)#

Table 156 – Public key configuration mode commands

Command Value/Default value Action

user-key username {rsa
Enters the individual public key generation mode.
| dsa} - rsa – generate an RSA key;
username: (1..48)
- dsa – generate a DSA key.
characters
no user-key username
Removes the public key for a specific user.

Command line prompt in the individual public key generation mode is as follows:

console# configure
console(config)# crypto key pubkey-chain ssh
console(config-pubkey-chain)# user-key RAD rsa
console(config-pubkey-key)#

Table 157 – Individual public key generation mode commands

Command Value/Default value Action

key-string - Creates the public key for a specific user.
ETS-1-10G-A 5. Device management. Command line interface 207

key-string row Creates the public key for a specific user. The key is
key_string entered line by line.
- - key_string – key part.
To notify the system that the key is entered, type the
“key-string row” command without any characters.

EXEC mode commands

Commands given in this section are available to the privileged users only.

Command line prompt in the EXEC mode is as follows:

console#

Table 158 – EXEC mode commands

Command Value/Default value Action

Shows SSH server configuration and active incoming SSH
show ip ssh -
sessions.
show crypto key Shows public SSH keys saved on the switch.
username: (1..48) - username – remote client name;
pubkey­chain ssh
characters - bubble-babble – key fingerprint in Bubble Babble code;
[username username]
By default, key - hex – key fingerprint in hex format.
[fingerprint
{bubble­babble | fingerprint is in hex
hex}] format.

show crypto key Shows public SSH keys of the switch.

mypubkey [rsa | dsa] -

show crypto Shows SSL certificates for the HTTPS server.

certificate [1 | 2] -

Command execution example

Enable SSH server on the switch. Enable the use of public keys. Create an RSA key for the RAD user:

console# configure
console(config)# ip ssh server
console(config)# ip ssh pubkey-auth
console(config)# crypto key pubkey-chain ssh
console(config-pubkey-chain)# user-key RAD rsa
console(config-pubkey-key)# key-string
AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWlAl4kpqIw9GBRonZQZxjHKcqKL6rMlQ+ZNX
fZSkvHG+QusIZ/76ILmFT34v7u7ChFAE+Vu4GRfpSwoQUvV35LqJJk67IOU/zfwOl1gkTwml7
ETS-1-10G-A 5. Device management. Command line interface 208

5QR9gHujS6KwGN2QWXgh3ub8gDjTSqmuSn/Wd05iDX2IExQWu08licglk02LYciz+Z4TrEU/9
FJxwPiVQOjc+KBXuR0juNg5nFYsY0ZCk0N/W9a/tnkm1shRE7Di71+w3fNiOA6w9o44t6+AIN
EICBCCA4YcF6zMzaT1wefWwX6f+Rmt5nhhqdAtN/4oJfce166DqVX1gWmNzNR4DYDvSzg0lDn
wCAC8Qh
Fingerprint: a4:16:46:23:5a:8d:1d:b5:37:59:eb:44:13:b9:33:e9

Terminal configuration commands

Terminal configuration commands are used for the local and remote console configuration.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 159 – Global mode configuration commands

Command Value/Default value Action

line {console | Enter the mode of the corresponding terminal (local
telnet | ssh} - console, remote console, Telnet or secure remote
console, SSH).

Terminal configuration mode commands

Command line prompt in the terminal configuration mode is as follows

console# configure
console(config)# line {console|telnet|ssh}
console(config-line)#

Table 160 – Terminal configuration mode commands

Command Value/Default value Action

speed bps
Specify the local console access rate (the command is
bps: (4800, 9600,
available only in local console configuration mode).
19200, 38400, 57600,
no speed 115200)/115200 baud Sets the default value.
autobaud Enable automatic configuration of the local console
access rate (the command is available only in local console
/enabled configuration mode).
no autobaud Disable automatic configuration of the local console
access rate.
ETS-1-10G-A 5. Device management. Command line interface 209

exec-timeout minutes minutes: (0..65535)/10 Specify the interval the system waits for user input. If the user
[seconds] min; does not input anything during this interval, the console exits.
no exec-timeout seconds: (0..59)/0 sec Sets the default value.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 161 – EXEC mode commands

Command Value/Default value Action

show line [console | Show the terminal parameters.
telnet | ssh] -

5.20 Alarm log, SYSLOG protocol

System logs allow you to keep a history of events that have occurred on the device, as well as
monitor the events that have occurred in real time. Seven types of events are logged: emergencies,
alarms, critical and non-critical errors, warnings, notifications, information and debugging.

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#
ETS-1-10G-A 5. Device management. Command line interface 210

Table 162 – Global mode configuration commands

Command Value/Default value Action

logging on Enables logging of debug messages and error messages.

no logging on -/logging is enabled Disables logging of debug messages and error messages.
When registration is disabled, debug and error messages
will be sent to the console.
logging host {ip_address | Enables transmission of alarm and debug messages to the
host} [port port] [severity remote SYSLOG server.
level] [facility facility] - ip_address– IPv4 or IPv6 address of the SYSLOG server;
[description text] host: (1..158) characters - host – SYSLOG server network name;
port: (1..65535)/514;
- port – port number for SYSLOG messages;
level: (see Table 163);
- level – importance level of messages sent to the SYSLOG
facility:
server;
(local0..7)/local7;
text: (1..64) characters
- facility – service sent in messages;
- text – SYSLOG server description.
no logging host {ip_address | Removes the selected server from the list of SYSLOG
host} servers used.
logging console [level]
Enables the transmission of alarm or debug messages of a
level: (Table selected importance level to the console.
163)/informational
no logging console Disables sending alarm or debug messages to the console.

logging buffered Enables the transmission of alarm or debug messages of a

[severity_level] severity_level: (Table selected importance level to the internal buffer.
163)/informational
no logging buffered Disables the transmission of alarm or debug messages to
the internal buffer.
logging buffered size Changes the number of messages stored in the internal
size buffer. The new buffer size value will be applied after
size: (20..1000)/200 rebooting the device.
no logging buffered
size Sets the default value.

logging file [level] Enables the transmission of alarm or debug messages of a

level: (Table 163) /errors selected importance level to the log file.
no logging file Disables sending alarm or debug messages to a log file.
aaa logging login Log authentication, authorization and accounting (AAA) events.
no aaa logging login /enabled Do not log authentication, authorization and accounting (AAA)
events.
file-system logging {copy | Enables logging of file system events.
delete-rename} By default, logging is -copy – logging messages related to file copying operations;
enabled -delete-rename – logging messages related to deleting files and
renaming operations.
ETS-1-10G-A 5. Device management. Command line interface 211

no file-system logging {copy |

Disables logging of file system events.
delete-rename}
logging aggregation on Enables syslog message aggregation monitoring.
-/disabled
no logging aggregation on Disables syslog message aggregation monitoring.
logging aggregation aging-
Sets the storage time of grouped syslog messages.
time sec sec: (15..3600)/300
no logging aggregation seconds Sets the default value.
aging­time
logging service cpu-rate-limits Enables control of incoming frames rate limitation for a
traffic: (http, telnet, ssh,
traffic certain type of traffic.
snmp, ip, link-local, arp-
no logging service switch-mode, arp- Disables logging.
cpu­rate­limits traffic inspection, stp-bpdu,
other-bpdu, dhcp-
snooping, dhcpv6-
snooping, igmp-snooping,
mld-snooping, sflow, log-
deny-aces, vrrp)/-

logging origin-id {string | Defines the parameter to be used as the host identifier in
hostname | ip | ipv6} -/no syslog messages.
no logging origin-id Use the default value.
logging source-interface { Use the IP address of the specified interface as a source in
tengigabitethernet te_port te_port: (1..8/0/1..32);
loopback_id: (1..64);
SYSLOG IP packets.
| port-channel group |
group: (1..32);
loopback loopback_id | vlan
vlan_id} vlan_id: (1..4094)
no logging source-interface Use the IP address of the outgoing interface.
logging source-interface-ipv6 { Use the IPv6 address of the specified interface as a source
tengigabitethernet te_port te_port: (1..8/0/1..32); in SYSLOG IP packets.
| port-channel group | loopback_id: (1..64);
loopback loopback_id | vlan group: (1..32);
vlan_id}
vlan_id: (1..4094)
no logging source-interface- Use the IPv6 address of the outgoing interface.
ipv6

Each message has its own importance level; the table 163 shows the types of messages in
descending order of their importance.

Table 163 – Types of message importance

Message importance level Description

A critical error has occurred in the system, the system may not work
Emergencies
properly.
Alerts Immediate intervention is required.
ETS-1-10G-A 5. Device management. Command line interface 212

Critical A critical error has occurred on the system.

Errors An error has occurred on the system.
Warnings Warning, non-emergency message.
Notifications System notice, non-emergency message.
Informational Informational system messages.
Debugging messages provide the user with information to correctly
Debugging
configure the system.

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 164 – Privileged EXEC mode command to view the log file

Command Value/Default value Action

clear logging - Removes all messages from the internal buffer.

clear logging file - Removes all messages from the log file.
show logging file Displays log status, alarms and debug messages recorded in the log
-
file.
show logging Displays log status, alarms and debug messages recorded in the
-
internal buffer.
show syslog-servers - Displays settings for remote syslog servers.

Example use of commands

 Enable erroneous messages to be registered in the console:

console# configure
console (config)# logging on
console (config)# logging console errors
 Clear log file:
console# clear logging file
Clear Logging File [y/n]y
ETS-1-10G-A 5. Device management. Command line interface 213

5.21 Port mirroring (monitoring)

The port mirroring function is designed to control network traffic by sending copies of incoming
and/or outgoing packets from one or more monitored ports to one monitoring port.

If more than one physical interface is mirrored, traffic may be lost. No loss is guaranteed only
when mirroring one physical interface

The following restrictions apply to the control port:

– A port cannot be a control port and a controlled port at the same time;
– A port cannot be a member of a port group;
– There must be no IP interface for this port;
– The GVRP shall be disabled on this port.

The following restrictions apply to the controlled port:

– A port cannot be a control port and a controlled port at the same time.

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#

Table 165 – Global mode configuration commands

Command Value/Default value Action

monitor session session_id Specifies the mirror port for the selected monitoring session.
destination interface network – enables data exchange
tengigabitethernet te_port session_id: (1..7);
[network] te_port: (1..8/0/1..32):
no monitor session session_id Disables the monitoring function for the interface.
destination
monitor session session_id Specifies a service vlan for mirroring traffic from a specified reflector
destination remote vlan port for the selected session.
vlan_id reflector-port vlan_id: (1..4094); remote vlan – service vlan for traffic mirroring;
tengigabitethernet te_port session_id: (1..7); reflector-port – the physical port for transmitting mirrored traffic,
network te_port: (1..8/0/1..32): this interface should not have had a remote vlan.
no monitor session session_id Disables the monitoring function for the interface.
destination
ETS-1-10G-A 5. Device management. Command line interface 214

monitor session session_id Adds the specified mirror port for the selected monitoring session.
source interface rx – copy the packets received by the controlled port;
tengigabitethernet te_port session_id: (1..7); tx – copy the packets transmitted by the controlled port;
[rx | tx | both] te_port: (1..8/0/1..32): both – copy all packets from a controlled port.
monitor session session_id Disables the monitoring function for the interface.
source interface
tengigabitethernet te_port
monitor session session_id Adds the specified mirror vlan for the selected monitoring session.
source vlan vlan_id

vlan_id: (1..4094);
session_id: (1..7) Disables the monitoring function for the interface.
no monitor session session_id
source vlan vlan_id
monitor session session_id Adds as a source vlan with previously mirrored traffic for the selected
source remote vlan vlan_id monitoring session.
vlan_id: (1..4094);
session_id: (1..7)
no monitor session session_id Disables the monitoring function for the interface.
source remote vlan vlan_id

5.22 sFlow function

sFlow is a technology that allows monitoring traffic in packet data networks by partially sampling
traffic for subsequent encapsulation into special messages sent to the statistics collection server.

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#

Table 166 – Global mode configuration commands

Command Value/Default value Action

sflow receiver id Defines the address of the sflow statistics collection server.
id: (1..8);
{ipv4_address | ipv6_address | - id – sflow server address;
port: (1.. 5535)/6343;
ipv6z_address | url} [port port] - ipv4_address, ipv6_address, ipv6z_address – IP address;
byte: positive
[max-datagram-size byte] - url – host domain name;
integer/1400;
- port – port number;
format ipv4_address:
- byte – maximum number of bytes that can be sent in one data
A.B.C.D;
packet.
ETS-1-10G-A 5. Device management. Command line interface 215

no sflow receiver id ipv6_address format: Removes the address of the sflow statistics collection server.
X:X:X:X::X.
ipv6z_address format:
X:X:X:X::X%<ID>;
url: (1..158) characters
sflow receiver Specifies a device interface whose IP address will be used as the
{source­interface | default source statistics collection address.
source­interface-ipv6} {
vlan_id: (1..4094)
tengigabitethernet te_port |
te_port: (1..8/0/1..32);
port-channel l group |
loopback_id: (1..64);
loopback loopback_id | vlan
group: (1..32)
vlan_id | oob}
no sflow receiver Removes the explicit specification of the interface from which sflow
source­interface statistics will be sent

Ethernet interface configuration mode commands

Command line prompt in the Ethernet interface configuration mode is as follows:

console# configure
console(config)# interface { tengigabitethernet te_port | }
console(config-if)#

Table 167 – Commands of Ethernet interface configuration mode

Command Value/Default value Action

sflow flow-sampling Defines the average packet sampling rate. The total sampling
rate id [max-header- rate is calculated as 1/rate*current_speed (current_speed is
size bytes] rate: the current average speed).
(1024..107374823); - rate – average packet sampling rate;
id: (1..8);
- id – sflow server number;
bytes: (20..256)/128
bytes - bytes – maximum number of bytes that will be copied from
a sample packet.
no sflow flow-sampling Disables sampling counters at the port.
sflow counters- Defines the maximum interval between successful packet
sampling sec id samples.
sec: (15..86400) - sec – maximum sampling interval in seconds.
seconds;
- id – sflow server number (set by the sflow receiver
id: (0..8)
command in the global configuration mode).
no sflow counters­sampling Disables sampling counters at the port.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:
ETS-1-10G-A 5. Device management. Command line interface 216

console>

Table 168 – Commands available in the EXEC mode

Command Value/Default value Action

Displays the sflow settings.
show sflow
configuration
[tengigabitethernet
te_port |]

Clears the sFlow statistics. If no interface is specified, the

clear sflow
statistics te_port: (1..8/0/1..32); command clears all sFlow statistics counters.
[tengigabitethernet
te_port |]

Displays the sFlow statistics.

show sflow statistics
[tengigabitethernet
te_port |]

Command execution example

 Set the IP address 10.0.80.1 of server 1 to collect sflow statistics. For the te1/0/1-te1/0/24
Ethernet interfaces, set the average packet sampling rate to 10240 kbps and the maximum
interval between successful packet sampling to 240 s.

console# configure
console(config)# sflow receiver 1 10.0.80.1
console(config)# interface range tengigabitethernet 1/0/1-24
console(config-if-range)# sflow flowing-sample 1 10240
console (config-if)# sflow counters-sampling 240 1

5.23 Physical layer diagnostic functions

Network switches contain hardware and software for diagnosing physical interfaces and
communication lines. The list of parameters to be tested includes the following:

For electrical interfaces:

− cable length;
− the distance to the fault location – open or short circuit.
ETS-1-10G-A 5. Device management. Command line interface 217

For 1G and 10G optical interfaces:

− power parameters – voltage and current;
− output optical power;
− input optical power.

Optical transceiver diagnostics

The diagnostic function allows assessing the current status of the optical transceiver and optical
line.

It is possible to automatically control the state of communication lines. For this purpose, the switch
periodically polls the optical interface parameters and compares them with the thresholds set by the
transceiver manufacturers. The switch generates warning and alarm messages when parameters are out
of acceptable limits.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console>

Table 169 – Optical transceiver diagnostic command

Command Value/Default value Action

show fiber-ports Displays the diagnostic results of the optical transceiver.
optical­transceiver
[interface te_port: (1..8/0/1..32);
tengigabitethernet
te_port | t]

Example of command execution:

sw1# show fiber-ports optical-transceiver interface

TengigabitEthernet1/0/5

Port Temp Voltage Current

Output Input LOS Transceiver
[C] [Volt] [mA] Power Power Type
[mW / dBm] [mW / dBm]
----------- ------ ------- ------- ------------- ------------- --- -------------
te1/0/5 33 3.28 11.45 0.28 / -5.52 0.24 / -6.11 No Fiber

Temp - Internally measured transceiver temperature

Voltage - Internally measured supply voltage
ETS-1-10G-A 5. Device management. Command line interface 218

Current - Measured TX bias current

Output Power - Measured TX output power in milliWatts/dBm
Input Power - Measured RX received power in milliWatts/dBm
LOS - Loss of signal
N/A - Not Available, N/S - Not Supported, W - Warning, E - Error

Transceiver information:
Vendor name: OEM
Serial number: S1C53253701833
Connector type: SC
Type: SFP/SFP+
Compliance code: BaseBX10
Laser wavelength: 1550 nm
Transfer distance: 20000 m
Diagnostic: supported

Table 170 – Optical transceiver diagnostic parameters

Parameter Value
Temp Transceiver temperature.
Voltage Transceiver power supply voltage.
Current Current deflection on the transmission.
Output Power Output power on the transmission (mW).
Input Power Input power on the reception (mW).
LOS Loss of signal.

The values of the diagnostic results:

− N/A – not available,

− N/S – not supported.

5.24 Security features

Port security functions

To improve security, it is possible to configure a switch port so that only specified devices can access
the switch through that port. The port protection function is based on identifying the MAC addresses that
are allowed access. MAC addresses can be configured manually or learned by the switch. After learning
ETS-1-10G-A 5. Device management. Command line interface 219

the required addresses, the port should be locked, protecting it from receiving packets with unexplored
MAC addresses. Thus, when a blocked port receives a packet and the MAC address of the packet source
is not associated with that port, the protection mechanism is activated, depending on which the following
measures can be taken: unauthorized packets arriving at the blocked port are forwarded, discarded, or
the port that received the packet is disabled. The Locked Port security feature allows to save a list of
learned MAC addresses in a configuration file, so that this list can be restored after the device reboots.

There is a limit on the number of MAC addresses that can be learned by a port that uses
the security feature.

Ethernet or port group interface (interface range) configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:
console(config-if)#
Table 171 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Action

port security Enables protection function on the interface. Blocks the function
of learning new addresses for the interface. Packets with
-/disabled unlearned source MAC addresses are discarded. The command is
similar to the port security discard command.
no port security Disables protection function on the interface.

port security max num

Defines the maximum number of addresses that a port can
examine.
num: (0..256)/1
no port security max Sets the default value.

port security routed Sets a secure MAC address.

secure­address
mac_address МАС address format:
H.H.H, H:H:H:H:H:H,
no port security H­H­H­H­H­H Removes a secure MAC address.
routed secure­address
mac_address
ETS-1-10G-A 5. Device management. Command line interface 220

port security Enables protection function on the interface. Blocks the

{forward | discard | function of learning new addresses for the interface.
discard­shutdown} - forward – packets with unlearned source MAC addresses
[trap freq] are forwarded.
- discard – packets with unlearned source MAC addresses
freq: (1..1000000) s
are discarded.
- discard-shutdown – packets with unlearned source MAC
addresses are discarded, port disables.
- freq – frequency of generated SNMP trap messages when
unauthorized packets are received.
Sets the frequency of generated SNMP trap messages when
port security trap
freq: (1..1000000) s unauthorized packets are received.
freq

Specifies the MAC address learning restriction mode for the

port security mode
{secure | custom interface.
max­addresses | lock} - secure – sets a static limit to learn MAC addresses at the port.
- max-addresses – removes the current dynamically
learned addresses related to the interface. It is allowed to
study the maximum number of addresses at the port.
-/lock Relearning and aging are allowed.
- lock – saves in the file the current dynamically learned
addresses related to the interface and prohibits learning
new addresses and aging of already studied addresses.
Sets the default value.
no port security mode

EXEC mode commands

Command line prompt in the EXEC mode is as follows:
console>

Table 172 – EXEC mode commands

Command Value/Default value Action

show ports security { Shows the security function settings on the selected
tengigabitethernet te_port: (1..8/0/1..32); interface.
te_port | port-channel group: (1..32)
group | detailed}

show ports security Shows current dynamic addresses for blocked ports.
addresses {
tengigabitethernet te_port: (1..8/0/1..32);
te_port | port-channel group: (1..32)
group | detailed}
ETS-1-10G-A 5. Device management. Command line interface 221

set interface active Activates the interface disabled by the port protection
{ tengigabitethernet te_port: (1..8/0/1..32); function (the command is available only to the privileged
te_port | port-channel group: (1..32) user).
group}

Command execution example

 Enable protection function on 15th Ethernet interface. Set an address limit of 1 address. After
learning the MAC address, block the new address learning function for the interface in order to
discard packets with unlearned source MAC addresses. Save the learned address to a file.

console# configure
console(config)# interface tengigabitethernet 1/0/15
console(config-if)# port security
console(config-if)# port security max 1

 Connect the client to the port and learn the MAC address.
console(config-if)# port security discard
console(config-if)# port security mode lock

Port based client authentication (802.1x standard)

1.1.1.1 Basic authentication

Authentication based on 802.1x standard provides switch users authentication through an external
server based on the port to which the client is connected. Only authenticated and authorized users can
transmit and receive data. Authentication of port users is performed by the RADIUS server via the EAP
(Extensible Authentication Protocol).

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#
ETS-1-10G-A 5. Device management. Command line interface 222

Table 173 – Global mode configuration commands

Command Value/Default value Action

Enables 802.1X switch authentication mode.
dot1x
system­auth­control
-/disabled
Disables 802.1X switch authentication mode.
no dot1x
system­auth­control

aaa authentication Defines one or two authentication, authorization and

dot1x default {none | accounting (AAA) methods for use on IEEE 802.1X
radius} [none | interfaces.
radius] - none – do not use authentication.
-/radius - radius – use a RADIUS server list for authentication;
The second authentication method is only used if the
first authentication was unsuccessful.

no aaa authentication Sets the default value.

dot1x default

Ethernet interface configuration mode commands

Command line prompt in the Ethernet interface configuration mode is as follows:

console(config-if)#

EAP (Extensible Authentication Protocol) performs tasks to authenticate the remote client,
while defining the authentication mechanism.
ETS-1-10G-A 5. Device management. Command line interface 223

Table 174 – Commands of Ethernet interface configuration mode

Command Value/Default value Action

dot1x port-control Configures 802.1X authentication on the interface.
{auto | force- Enables manual monitoring of the port authorization
authorized | status.
force­unauthorized} - auto – use 802.1X to change the client state between
[time­range time] authorized and unauthorized;
- force-authorized – disables 802.1X authentication on
the interface. The port switches to an authorized state
-/force-authorized; without authentication;
time: (1..32) - force-unauthorized – switches the port to an
unauthorized state. All client authentication attempts
are ignored and the switch does not provide an
authentication service for this port;
- time – time interval. If this parameter is not defined, the
port is not authorized.
no dot1x port-control Sets the default value.

dot1x Enables periodic re-authentication of the client.

reauthentication -/periodic re-
authentication is
no dot1x disabled Disables periodic re-authentication of the client.
reauthentication

dot1x timeout eap- Defines the time interval in seconds during which the EAP
timeout period server waits for a response from the EAP client before
resending the request.

period: (1..65535) /30

no dot1x timeout eap- Set the default value.

timeout

dot1x timeout Defines the period of time that the requestor waits until
supplicant-held- authentication is restarted after receiving a FAIL
period period response from the Radius server.
period: (1..65535) /60

No dot1x timeout Set the default value.

supplicat-held-period
ETS-1-10G-A 5. Device management. Command line interface 224

Dot1x timeout Sets the period between re-authentications.

reauth­period period period:
(300..4294967295)/
No dot1x timeout 3600 sec Sets the default value.
reauth­period

Dot1x timeout quiet- Sets the period during which the switch remains silent
period period after unsuccessful authentication.
During the silent period, the switch does not accept or
period: (10..65535)/60
sec initiate any authentication messages.
No dot1x timeout Sets the default value.
quiet­period

dot1x timeout tx- Sets the period during which the switch waits for a
period period response or EAP identification from the client before
period: (30..65535)/30 resending the request.
sec Sets the default value.
No dot1x timeout tx-
period

Dot1x max-req count

Sets the maximum number of attempts to transmit EAP
requests to the client before restarting the
count: (1..10)/2 authentication process.
No dot1x max-req Sets the default value.

Dot1x timeout Sets the period between repeated transmissions of

supp­timeout period protocol requests to the EAP client.
period: (1..65535)/30
seconds Sets the default value.
No dot1x timeout
supp­timeout

Dot1x timeout Sets the period during which the switch expects a
server­timeout period response from the authentication server.
period: (1..65535)/30
seconds Sets the default value.
No dot1x timeout
server­timeout

Dot1x timeout Sets the time period of inactivity of the client, after which
silence­period period the client becomes unauthorized.
period: (60..65535)
sec/not specified Sets the default value.
No dot1x timeout
silence­period
ETS-1-10G-A 5. Device management. Command line interface 225

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 175 – Privileged EXEC mode commands

Value/Default
Command Action
value

dot1x re-authenticate te_port: Manually re-authenticates the specified port in the

[tengigabitethernet (1..8/0/1..24) command, or all ports supporting 802.1X.
te_port | oob]

dot1x unlock client Block the client with the specified MAC-address on the port
tengigabitethernet te_port: at achievement of a threshold of the maximum possible
(1..8/0/1..32); attempts of authentification.
te_port mac_address

show dot1x interface Shows 802.1X status for the switch or the specified
{tengigabitethernet te_port: interface.
te_port | (1..8/0/1..32);

oob}

show dot1x users username: (1..160)

Shows active authenticated 802.1X switch users.
[username username] characters

show dot1x statistics Shows 802.1X statistics for the selected interface.
te_port:
interface {
tengigabitethernet (1..8/0/1..32);
te_port | oob}

Command execution example

 Enable 802.1x switch authentication mode. Use a RADIUS server to authenticate clients on IEEE
802.1X interfaces. For 8th Ethernet interface use 802.1x authentication mode.
console# configure
console(config)# dot1x system-auth-control
console(config)# aaa authentication dot1x default radius
console(config)# interface tengigabitethernet 1/0/8
console(config-if)# dot1x port-control auto
ETS-1-10G-A 5. Device management. Command line interface 226

 Show 802.1x status for the switch, for 8th Ethernet interface.

console# show dot1x interface tengigabitethernet 1/0/8

Authentication is enabled
Authenticating Servers: Radius
Unauthenticated VLANs:
Authentication failure traps are disabled
Authentication success traps are disabled
Authentication quiet traps are disabled

te1/0/8
Host mode: multi-host
Port Administrated Status: auto
Guest VLAN: disabled
Open access: disabled
Server timeout: 30 sec
Port Operational Status: unauthorized*
* Port is down or not present
Reauthentication is disabled
Reauthentication period: 3600 sec
Silence period: 0 sec
Quiet period: 60 sec
Interfaces 802.1X-Based Parameters
Tx period: 30 sec
Supplicant timeout: 30 sec
Max req: 2
Authentication success: 0
Authentication fails: 0

Table 176 – Description of command execution results

Parameter Description
Port Port number.
Admin mode 802.1X authentication mode: Force-auth, Force-unauth, Auto.
Oper mode Port operation mode: Authorized, Unauthorized, Down.
Reauth Control Reauthentication control.
Reauth Period Period between re-authentications.
Username when using 802.1X. If the port is authorized, the current user name is displayed.
Username If the port is not authorized, the name of the last successfully authorized user on the port
is displayed.
Quiet period Period during which the switch remains silent after unsuccessful authentication.
Period during which the switch waits for a response or EAP identification from the client
Tx period
before resending the request.
ETS-1-10G-A 5. Device management. Command line interface 227

Maximum number of attempts to transmit EAP requests to the client before restarting the
Max req
authentication process.
Supplicant timeout Period between repeated transmissions of protocol requests to the EAP client.
Server timeout Period during which the switch expects a response from the authentication server.
Session Time The time it takes the user to connect to the device.
Mac address User MAC address.
Authentication Method Method of authentication of the established session.
Termination Cause The reason why the session is closed.
The current value of the state automaton of the authenticator and the state output
State
automaton.
Authentication success The number of successful authentication messages received from the server.
Authentication fails The number of unsuccessful authentication messages received from the server.
VLAN The VLAN group is assigned to the user.
Filter ID Identifier of the filtering group.

 Show 802.1x statistics for the Ethernet 8 interface.

console# show dot1x statistics interface tengigabitethernet 1/0/8

EapolFramesRx: 12
EapolFramesTx: 8
EapolStartFramesRx: 1
EapolLogoffFramesRx: 1
EapolRespIdFramesRx: 4
EapolRespFramesRx: 6
EapolReqIdFramesTx: 3
EapolReqFramesTx: 5
InvalidEapolFramesRx: 0
EapLengthErrorFramesRx: 0
LastEapolFrameVersion: 1
LastEapolFrameSource: 00:00:02:56:54:38

Table 177 – Description of command execution results

Parameter Description
The number of valid packets of any type of EAPOL (Extensible Authentication Protocol
EapolFramesRx
over LAN) accepted by the given authenticator.
The number of correct packets of any type of EAPOL protocol transmitted by the data
EapolFramesTx
authenticator.
EapolStartFramesRx The number of EAPOL Start packets received by the given authenticator.
ETS-1-10G-A 5. Device management. Command line interface 228

EapolLogoffFramesRx The number of EAPOL Logoff packets received by the given authenticator.
EapolRespIdFramesRx The number of EAPOL Resp/Id packets received by the given authenticator.
The number of response packets (except Resp/Id) of the EAPOL received by this
EapolRespFramesRx
authenticator.
EapolReqIdFramesTx The number of EAPOL Resp/Id packets transmitted by the given authenticator.
The number of request packets (except Resp/Id) of the EAPOL transmitted by this
EapolReqFramesTx
authenticator.
The number of EAPOL packets of the unrecognized type received by this
InvalidEapolFramesRx
authenticator.
The number of EAPOL packets of incorrect length received by the given
EapLengthErrorFramesRx
authenticator.
The version of the EAPOL protocol received in the most recent package at the
LastEapolFrameVersion
moment.
LastEapolFrameSource Source MAC address accepted in the most recent package at the moment.

1.1.1.2 Advanced authentication

Advanced dot1x settings allow authentication for multiple clients connected to the port. There are
two options for authentication: The first, when port-based authentication requires authentication of only
one client so that all clients have access to the system (Multiple hosts mode). The second, when port-
based authentication requires authentication of all clients connected to the port (Multiple sessions mode).
If a port in Multiple hosts mode is not authenticated, then all connected hosts will be denied access to
network resources.

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#

Table 178 – Global mode configuration commands

Command Value/Default value Action

dot1x traps Enables trap messages to be sent when the client
authentication successfully authenticates.
success [802.1x | mac -/disabled
| web]
ETS-1-10G-A 5. Device management. Command line interface 229

no dot1x traps Sets the default value.

authentication
success

dot1x traps Enables trap messages to be sent when the client is not
authentication authenticated.
failure [802.1x | mac
| web]
-/disabled
no dot1x traps Sets the default value.
authentication
failure

dot1x traps Enables sending trap messages when the user has exceeded
authentication quiet the maximum allowed number of unsuccessful
-/disabled authentication attempts.
no dot1x traps Sets the default value.
authentication quiet

Ethernet interface configuration mode commands

Command line prompt in the Ethernet interface configuration mode is as follows:

console(config-if)#

Table 179 – Commands of Ethernet interface configuration mode

Command Value/Default value Action

dot1x host-mode Permits one or more clients on an 802.1X authorized port.
{multi­host | single- - multi-host – several clients;
host | multi- -/multi-host - single-host – one client;
sessions} - multi-sessions – several sessions.
ETS-1-10G-A 5. Device management. Command line interface 230

dot1x violation-mode Sets the action to be performed when a device whose MAC
{restrict | protect | address is different from the client's MAC address attempts
shutdown} [trap freq] to access the interface.
- restrict – packets with a different MAC address than the
client's MAC address are forwarded without the source
address being learned;
- protect – packets with a different MAC
-/protect; address than the client's MAC address are
freq: (1..1000000)/1 rejected;
sec - shutdown – port disables, packets with a different MAC
address than the client's MAC address are rejected;
- freq – frequency of generated SNMP trap messages
when unauthorized packets are received.
The command is ignored in Multiple hosts mode.
no dot1x Sets the default value.
single­host­violation

dot1x authentication Enables authentication

[mac | 802.1x | web] - mac – enables MAC-based authentication;
- 802.1x – enables 802.1x-based authentication;
- web –enables Web-based authentication.
-/disabled - There should be no static MAC address matchs.
- Re-authentication should be enabled.
no dot1x Disables MAC-based authentication.
authentication

dot1x max-hosts hosts Sets the maximum number of hosts that have been
authenticated.
hosts: (1..4294967295)
no dot1x max-hosts Returns the default value.

dot1x max-login- Sets the number of unsuccessful login attempts, after which
attempts num the client is blocked.
num: (0, 3..10)/0 0 – infinite number of attempts
no dot1x Returns the default value.
max­login­attempts

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 180 – Privileged EXEC mode commands

ETS-1-10G-A 5. Device management. Command line interface 231

Command Value/Default value Action

show dot1x interface { 802.1x protocol settings on the interface (the command is available
te_port: (1..8/0/1..32);
tengigabitethernet te_port | only to the privileged user).
oob}
Shows advanced 802.1x protocol settings.
show dot1x detailed -

The data accounting structure displays the parameters of

show dot1x
credentials - authorized clients.

show dot1x users [username] username: string Shows authorized clients.

show dot1x locked clients - Shows unauthorized clients locked out by timeout.
show dot1x statistics interface Shows 802.1X statistics on interfaces.
te_port: (1..8/0/1..32);
{ tengigabitethernet
te_port | oob}

DHCP control and option 82

DHCP (Dynamic Host Configuration Protocol) is a network protocol that allows the client to obtain
an IP address and other required parameters on request to work in a TCP/IP network.
DHCP can be used by attackers to attack a device, either from the client side, forcing the DHCP
server to give out all available addresses, or from the server side by spoofing it. The switch software allows
to protect the device from attacks using DHCP, for which the control function of DHCP – DHCP snooping.
The device is able to monitor the appearance of DHCP servers in the network, allowing their use
only on 'trusted' interfaces, as well as to control client access to DHCP servers by means of a compliance
table.
The DHCP protocol option 82 is used to inform the DHCP server which DHCP repeater (Relay Agent)
was sent from and which port the request was received. It is used to match IP addresses and ports on the
switch, and to protect against DHCP attacks. Option 82 is additional information (device name, port
number) added by a switch that operates in DHCP Relay agent mode as a DHCP request received from the
client. Based on this option, the DHCP server allocates the IP address (IP address range) and other
parameters to the switch port. Having received the necessary data from the server, the DHCP Relay agent
assigns the IP address to the client and also sends other necessary parameters to it.

Table 181 – Option 82 fields format

Field Transmitted information

Device host name.
String in format: eth <stacked/slotid/interfaceid>:<vlan>
Circuit ID
The last byte is the port number to which the device is connected, sending a dhcp
request.
ETS-1-10G-A 5. Device management. Command line interface 232

Enterprise number – 0089c1

Remote agent ID
MAC address of the device.

To use Option 82, the DHCP relay agent function must be enabled on the device. The IP dhcp
relay enable command in global configuration mode is used to enable the DHCP relay agent
(see the corresponding documentation section).

For the DHCP Snooping function to work correctly, all used DHCP servers must be connected
to 'trusted' switch ports. To add a port to the list of 'trusted' uses the IP dhcp snooping trust
command in the interface configuration mode. For safety reasons, all other switch ports must
be 'untrusted'.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 182 – Global mode configuration commands

Command Value/Default value Action

ip dhcp snooping Enables DHCP control by
maintaining a DHCP snooping table and sending
-/disabled DHCP client broadcast requests to 'trusted'
ports.
no ip dhcp snooping Disables DHCP control.
ip dhcp snooping vlan vlan_id Enables DHCP control within the specified VLAN.
vlan_id:
no ip dhcp snooping vlan Disables DHCP control within the specified VLAN.
(1..4094)/disabled
vlan_id
ip dhcp snooping information Allows receiving DHCP packets with option 82 from 'untrusted'
By default, DHCP
option allowed­untrusted ports.
packets with option 82
no ip dhcp snooping Denies receiving DHCP packets with option 82 from 'untrusted'
from 'untrusted' ports
information option ports.
are prohibited.
allowed­untrusted
ip dhcp snooping verify Enables verification of the client's MAC address and the source
By default,
MAC address accepted in a DHCP packet on 'untrusted' ports.
authentication is
no ip dhcp snooping verify Disables verification of the client's MAC address and the source
enabled
MAC address accepted in a DHCP packet on 'untrusted' ports.
ip dhcp snooping database Enables the use of a backup file (database) for DHCP protocol
control.
Backup file is not used
no ip dhcp snooping database Disables the use of a backup file (database) for DHCP protocol
control.
ip dhcp information option -/enabled Enables the device to add option 82 when running DHCP.
ETS-1-10G-A 5. Device management. Command line interface 233

no ip dhcp information option Disables the device to add option 82 when running DHCP.

Table 183 – Option 82 field format as per TR-101 recommendations

Field Transmitted information

Device host name.
string in format: eth <stacked/slotid/interfaceid>: <vlan>
Circuit ID
The last byte is the port number to which the device is connected, sending a DHCP
request.
Enterprise number – 0089c1
Remote agent ID
MAC address of the device.

Table 184 – Option 82 of custom mode fields format

Field Transmitted information

Length (1 byte)
Circuit ID type
Length (1 byte)
Circuit ID
VLAN (2 bytes)
Module number (1 byte)
Port number (1 byte)
Length (1 byte)
Remote ID Type (1 byte)
Remote agent ID
Length (1 byte)
Switch MAC address

Ethernet or port group interface (interface range) configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:

console(config-if)#

Table 185 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Action

Adds the interface to the list of 'trusted' when using DHCP
ip dhcp snooping
trust control. The DHCP traffic of the 'trusted' interface is considered
By default, the safe and is not monitored.
interface is not trusted Removes the interface from the list of 'trusted' when using DHCP
no ip dhcp snooping
trust control.
ETS-1-10G-A 5. Device management. Command line interface 234

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 186 – Privileged EXEC mode commands

Command Value/Default value Action

ip dhcp snooping binding Adds the client's MAC address, VLAN group and IP address for
mac_address vlan_id the specified interface to the DHCP control file (database).
ip_address { This entry will be valid for the lifetime of the record specified in
tengigabitethernet te_port | the command unless the client sends a request to the DHCP
te_port: (1..8/0/1..32);
port-channel group} expiry server for an update. The timer is reset if the client receives an
group: (1..32);
{seconds | infinite} update request (the command is available only to the privileged
seconds:
user).
(10..4294967295) sec
- seconds – entry lifetime;
- infinity – entry lifetime is unlimited.
no ip dhcp snooping binding Removes the correspondence between the client MAC address
mac_address vlan_id and the VLAN group from the DHCP control file (database).
clear ip dhcp snooping Clears the DHCP control file (database).
-
database

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 187 – EXEC mode commands

Command Value/Default value Action

show ip dhcp information Shows information about using DHCP option 82.
-
option
show ip dhcp snooping te_port: (1..8/0/1..32); Shows the configuration of the DHCP monitoring function.
[tengigabitethernet te_port | group: (1..32);
port-channel group]
show ip dhcp snooping binding Shows matches from the DHCP control file (database).
[mac­address mac_address] te_port: (1..8/0/1..32);
[ip­address ip_address ] [vlan group: (1..32);
vlan_id] [tengigabitethernet vlan_id: (1..4094)
te_port |port­channel group]
ETS-1-10G-A 5. Device management. Command line interface 235

Command execution example

 Allow DHCP option 82:

console# configure
console(config)# ip dhcp relay enable
console(config)# ip dhcp information option

 Show all matches from the DHCP control file (database).

console# show ip dhcp snooping

DHCP snooping is globally enabled

DHCP snooping is configured on following VLANs: 2, 5
DHCP snooping database: enabled
Option 82 on untrusted port is allowed
Verification of hwaddr field is enabled

Interface Trusted
----------- ------------
te0/17 yes

IP-source Guard
The IP Source Guard function is designed to filter the traffic received from the interface based on
the DHCP snooping table and static IP Source Guard matches. Thus, IP Source Guard allows to prevent IP
address spoofing in packets.

Since the IP address protection control function uses DHCP snooping tables, it makes sense
to use this function by pre-configuring and enabling DHCP snooping.

The IP Source Guard function must be enabled globally for the interface as well.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 188 – Global mode configuration commands

ETS-1-10G-A 5. Device management. Command line interface 236

Command Value/Default value Action

ip source-guard Enables the client IP address protection feature for the entire
By default, the function switch.
is disabled Disables the client IP address protection feature for the
no ip source-guard
entire switch.
ip source-guard Create a static match table entry between the client's IP
binding mac_address address, its MAC address and the VLAN group for the
vlan_id ip_address { interface specified in the command.
tengigabitethernet
te_port | port-channel te_port: (1..8/0/1..32);
group} group: (1..32);
vlan_id: (1..4094);
no ip source-guard Create a static match table entry.
binding mac_address
vlan_id

ip source-guard tcam Defines how often the device accesses internal resources in
retries­freq {seconds | order to write inactive protected IP addresses to the
never} memory.
seconds: (10..600)/60 - never – prohibits recording inactive protected IP addresses
sec to the memory.
no ip source-guard Sets the default value.
tcam retries-freq

Ethernet or port group interface (interface range) configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:

console(config-if)#

Table 189 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Action

ip source-guard Enables the client IP address protection feature for the
By default, the function configured interface.
is disabled. Disables the client IP address protection feature for the
no ip source-guard
configured interface.

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

ETS-1-10G-A 5. Device management. Command line interface 237

console#

Table 190 – Privileged EXEC mode commands

Command Value/Default value Action

ip source-guard tcam Manually starts the process of accessing internal
locate resources of the device to write inactive protected IP
-
addresses to the memory. The command is available for
privileged user only.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 191 – EXEC mode commands

Command Value/Default value Action

show ip source-guard The command displays the setting of the IP address
configuration te_port: (1..8/0/1..32); protection function on the specified or all interfaces of
[tengigabitethernet group: (1..32); the device.
te_port | ort-channel
group]

show ip source-guard The command displays the statistics of the IP address

statistics [vlan vlan_id: (1..4094); protection function on the specified or all VLANs.
vlan_id]

show ip source-guard The command displays the status of the IP address

status [mac-address protection function for the specified interface, IP
mac_address] [ip- address, MAC address or VLAN group.
te_port: (1..8/0/1..32);
address ip_address ]
group: (1..32);
[vlan vlan_id]
[tengigabitethernet vlan_id: (1..4094);
te_port | port-channel
group]

show ip source-guard The command displays the sender's IP addresses that are
inactive - not active.
ETS-1-10G-A 5. Device management. Command line interface 238

Command execution example

 Show setting of IP address protection function for all interfaces:

console# show ip source-guard configuration

IP source guard is globally enabled.

Interface State
--------- ------
te0/4 Enabled
te0/21 Enabled
te0/22 Enabled

 Enable IP address protection to filter traffic based on DHCP snooping table and static IP Source
Guard matches. Create a static table entry for the Ethernet 12 interface: Client IP address –
192.168.16.14, MAC address – 00:60:70:4A:AB:AF. Interface in the 3rd VLAN group:

console# configure
console(config)# ip dhcp snooping
console(config)# ip source-guard
console(config)# ip source-guard binding 0060.704A.ABAF 3 192.168.16.14
tengigabitethernet 1/0/12

ARP Inspection
The ARP Inspection function is dedicated to defense against attacks which use ARP (for instance,
ARP-spoofing – ARP traffic interception). ARP Inspection is implemented on the basis of static
correspondence between IP and MAC addresses defined for VLAN group.

The port configured as 'untrusted' for the ARP Inspection function must also be 'untrusted' for
the DHCP snooping function or the MAC address and IP address matching for this port must be
configured statically. Otherwise, this port will not respond to ARP requests.
For untrusted ports, IP and MAC address matches are checked.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#
ETS-1-10G-A 5. Device management. Command line interface 239

Table 192 – Global mode configuration commands

Command Value/Default value Action

ip arp inspection Enables ARP Inspection.
By default, the function
is disabled Disables ARP Inspection.
no ip arp inspection

ip arp inspection Enables ARP Inspection based on DHCP snooping matches in

vlan vlan_id vlan_id: (1..4094);
the selected VLAN group.
By default, the function
no ip arp inspection is disabled Disables ARP Inspection based on DHCP snooping matches in
vlan vlan_id the selected VLAN group.

ip arp inspection Provides specific checks for monitoring the ARP protocol.
validate Source MAC address: For ARP queries and responses, the
MAC address in the Ethernet header of the MAC source
address in the ARP content is verified.
Destination MAC address: For ARP responses, the
correspondence of the MAC address in the Ethernet header
- to the destination MAC address in the ARP content is
checked.
IP address: The contents of the ARP packet are checked for
incorrect IP addresses.
no ip arp inspection Prohibits specific checks for monitoring the ARP protocol.
validate

ip arp inspection 1. Create a list of static ARP matches.

list create name 2. Enter the ARP list configuration mode.
name: (1..32) symbols
no ip arp inspection Remove a list of static ARP matches.
list create name

ip arp inspection Assigns a list of static ARP matches for the specified VLAN.
list assign vlan_id
vlan_id: (1..4094)
no ip arp inspection Removes the list of static ARP matches for the specified VLAN.
list assign vlan_id

Defines the minimum interval between messages containing ARP

ip arp inspection
logging interval information sent to the log.
{seconds | infinite} - a value of 0 indicates that the messages will be generated
seconds: (0..86400)/5 immediately;
sec - infinite – do not generate log messages.
Sets the default value.
no ip arp inspection
logging interval
ETS-1-10G-A 5. Device management. Command line interface 240

Ethernet or port group interface (interface range) configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:
console(config-if)#
Table 193 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Action

ip arp inspection Adds the interface to the list of 'trusted' when using ARP
trust control. The ARP traffic of the 'trusted' interface is considered
By default, the safe and is not monitored.
interface is not trusted Removes the interface from the list of 'trusted' when using
no ip arp inspection
trust ARP control.

ARP list configuration mode commands

Command line prompt in the ARP list configuration mode is as follows:

console# configure
console(config)# ip arp inspection list create spisok
console(config-arp-list)#

Table 194 – ARP list configuration mode commands

Command Value/Default value Action

ip ip_address mac-
Adds static matching of IP and MAC addresses.
address mac_address
-
Removes static matching of IP and MAC addresses.
no ip ip_address
mac­address mac_address

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#
ETS-1-10G-A 5. Device management. Command line interface 241

Table 195 – EXEC mode commands

Command Value/Default value Action

Shows the configuration of the ARP Inspection function on the
show ip arp
inspection selected interface/interfaces.
[tengigabitethernet te_port: (1..8/0/1..32);
te_port | port-channel group: (1..32)
group]

Shows lists of static IP and MAC address matches (the command is

show ip arp
inspection list - available only to the privileged user).

Shows statistics for the following types of packets that have been
show ip arp
inspection statistics processed using the ARP function:
[vlan vlan_id] vlan_id: (1..4094) - forwarded packets;
- dropped packets;
- IP/MAC Failures.
Clears the ARP Inspection control statistics.
clear ip arp
inspection statistics vlan_id: (1..4094)
[vlan vlan_id]

Command execution example

 Enable ARP control and add static compliance to the spisok list: МАС address: 00:60:70:AB:CC:CD,
IP address: 192.168.16.98. Assign the spisok list of static ARP matches for VLAN 11:

console# configure
console(config)# ip arp inspection list create spisok
console(config-ARP-list)# ip 192.168.16.98 mac-address 0060.70AB.CCCD
console(config-ARP-list)# exit
console(config)# ip arp inspection list assign 11 spisok

 Show lists of static IP and MAC address matches:

console# show ip arp inspection list

List name: servers

Assigned to VLANs: 11
IP ARP
----------- --------------------------
192.168.16.98 0060.70AB.CCCD
ETS-1-10G-A 5. Device management. Command line interface 242

5.25 Functions of the DHCP Relay Agent

Switches support DHCP Relay agent functions. The task of the DHCP Relay agent is to transfer DHCP
packets from the client to the server and back in case the DHCP server is on one network and the client is
on another. Another function is to add additional options to client DHCP requests (e.g. options 82).
How the DHCP Relay agent operates on the switch: The switch accepts DHCP requests from the
client, forwards these requests to the server on behalf of the client (leaving the options in the request
with the parameters required by the client and, depending on the configuration, adding its own options).
After receiving a response from the server, the switch transmits it to the client.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 196 – Global mode configuration commands

Command Value/Default value Action

ip dhcp relay enable Enabling DHCP Relay agent functions on the switch.
By default agent is
no ip dhcp relay disabled. Disabling DHCP Relay agent functions on the switch.
enable

ip dhcp relay address Specifies the IP address of an available DHCP server for the
ip_address DHCP Relay agent.
Up to eight servers can
be specified Removes the IP address from the list of DHCP servers for the
no ip dhcp relay
address [ip_address]
DHCP Relay agent.

VLAN interface configuration mode commands

Command line prompt in the VLAN interface configuration mode is as follows:

console# configure
console(config)# interface vlan vlan_id
console(config-if)#
ETS-1-10G-A 5. Device management. Command line interface 243

Table 197 – Commands of the Ethernet interface configuration mode

Command Value/Default value Action

ip dhcp relay enable Enabling DHCP Relay agent functions on the configured
interface.
By default agent is
no ip dhcp relay disabled. Disabling DHCP Relay agent functions on the configured
enable interface.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 198 – EXEC mode commands

Command Value/Default value Action

show ip dhcp relay Displays the configuration of the configured DHCP Relay
- agent function for the switch and separately for the
interfaces, as well as a list of available servers.

Command execution example

 Show status of the DHCP Relay agent function:

console# show ip dhcp relay

DHCP relay is Enabled

DHCP relay is not configured on any vlan.
Servers: 192.168.16.38
Relay agent Information option is Enabled

5.26 DHCP Server Configuration

DHCP server performs centralised management of network addresses and corresponding
configuration parameters, and automatically provides them to subscribers. This avoids manual
configuration of network devices and reduces errors.
ETS-1-10G-A 5. Device management. Command line interface 244

Ethernet switches can operate as a DHCP client (obtaining its own IP address from a DHCP server)
or as a DHCP server. In case the DHCP server is disabled, the switch can work with DHCP Relay.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 199 – Global mode configuration commands

Command Value/Default value Action

Enabling the DHCP server function on the switch.
ip dhcp server
-/disabled
Disabling the DHCP server function on the switch.
no ip dhcp server

Enter the DHCP server static address configuration mode.

ip dhcp pool host name
name: (1..32
characters) Removes the configuration of a DHCP client with a
no ip dhcp pool host name
specified name.
Enter the DHCP address pool configuration mode of the
ip dhcp pool network name
DHCP server.
name: (1..32
- name – name of the address DHCP pool.
characters)
Removes a DHCP pool with a specified name.
no ip dhcp pool network name

Specifies IP addresses that the DHCP server will not assign

ip dhcp excluded-address
low_address [high_address] to DHCP clients.
- low-address – range starting IP address;
- - high-address – range ending IP address.
Removing an IP address from the exception list for
no ip dhcp excluded­address
low_address [high_address] assigning it to DHCP clients.

Static address configuration mode commands of the DHCP server

A type of command line query in the DHCP server static address configuration mode:

console# configure
console(config)# ip dhcp pool host name
console(config-dhcp)#
ETS-1-10G-A 5. Device management. Command line interface 245

Table 200 – configuration mode commands

Command Value/Default value Action

address ip_address Manual IP address reservation for DHCP client.
{mask | - ip_address – The IP address to be mapped to the
prefix_length} physical address of the client;
{client­identifier id - mask/prefix_length – subnet mask/prefix length;
-
| hardware-address - id – physical address (identifier) of the network card;
mac_address}
- mac_address – MAC address.
no address Removes reserved IP addresses.

client-name name Defines the name of the DHCP client.

name: (1..32
characters) Removes the name of the DHCP client.
no client-name

DHCP pool configuration mode commands

A type of command line query in the DHCP pool configuration mode:

console# configure
console(config)# ip dhcp pool network name
console(config-dhcp)#
Table 201 – configuration mode commands

Command Value/Default value Action

address Sets the subnet number and subnet mask for the DHCP
{network_number | low server address pool.
low_address high - network_number – IP address of the subnet number;
high_address} {mask | - low_address – range staring IP address;
-
prefix_length} - high_address – range ending IP address.
- mask/prefix_length – subnet mask/prefix length;
no address Removes the configuration of the DHCP address pool

lease {days [hours The lease time of the IP address that is assigned from
[minutes]] | DHCP.
infinite} - infinite – lease time is unlimited;
- days – amount of days;
-/1 day
- hours – amount of hours;
- minutes – amount of minutes.
no lease Set the default value.
ETS-1-10G-A 5. Device management. Command line interface 246

Configuration mode commands for DHCP server pool and static DHCP server addresses

Type of command line query:

console(config-dhcp)#

Table 202 – configuration mode commands

Command Value/Default value Action

default-router Defines a list of default routers for the DHCP client:
ip_address_list - ip_address_list – a list of router IP addresses, can
contain up to 8 entries separated by a space.
By default, the list of
routers is not defined.
The IP address of the router must be on the
same subnet as the client.
no default-router Sets the default value.

dns-server Defines a list of DNS servers available for DHCP clients.

ip_address_list By default, the list of - ip_address_list – a list of DNS server IP addresses, can
DNS servers is not contain up to 8 entries separated by a space.
defined. Sets the default value.
no dns-server

domain-name domain Defines the domain name for DHCP clients.

domain: (1..32
characters) Sets the default value.
no domain-name

netbios-name-server Defines a list of WINS servers available for DHCP clients.

- ip_address_list – a list of WINS server IP addresses, can
ip_address_list By default, the list of
WINS servers is not contain up to 8 entries separated by a space.
no netbios-name- defined. Sets the default value.
server

netbios-node-type {b- Defines the Microsoft NetBIOS host type for DHCP
node | p­node | m- clients:
node | h-node} - b-node – broadcast;
By default, the type of
- p-node – point-to-point;
NetBIOS host is not
defined. - m-node – combined;
- h-node – hybrid.
no netbios-node-type Sets the default value.

next-server It is used to specify to a DHCP client the address of a

ip_address server (usually a TFTP server) from which a download file
- is to be obtained.
no next-server Sets the default value.
ETS-1-10G-A 5. Device management. Command line interface 247

next-server-name name It is used to specify to a DHCP client the server name from
name: (1..64) which a download file is to be obtained.
characters Sets the default value.
no next-server-name

bootfile filename Specifies the name of the file used to start up the DHCP
filename: (1..128) client.
characters Sets the default value.
no bootfile

time-server Defines a list of time servers available for DHCP clients.

ip_address_list - ip_address_list – a list of time server IP addresses, can
By default, the list of
servers is not defined.
contain up to 8 entries separated by a space.
no time-server Sets the default value.

option code {boolean Configures the DHCP server options.

bool_val | integer code: (0..255); - code – DHCP server option code;
int_val | ascii bool_val: (true, false); - bool_val – logic value;
ascii_string | ip[- int_val: - integer – positive integer;
list] ip_address_list (0..4294967295); - ascii_string – string in the ASCII format;
| hex {hex_string | ascii_string: (1..160) - ip_address_list – list of IP addresses;
none}} [description characters;
desc] - hex_string – string in the hexadecimal format;
desc: (1..160)
characters Removes the DHCP server options.
no option code

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#
Table 203 – Privileged EXEC mode commands

Command Value/Default value Action

clear ip dhcp binding Removal of records from the physical address matching
table and addresses issued from the DHCP pool server:
{ip_address | *} -
- ip_address – The IP address assigned by the DHCP server;
- * – delete all entries.
show ip dhcp - View the DHCP server configuration.

show ip dhcp View the IP addresses that the DHCP server will not assign
excluded­addresses - to DHCP clients.
ETS-1-10G-A 5. Device management. Command line interface 248

show ip dhcp pool View the configuration for static DHCP server addresses:
name: (1..32 - ip_address – client IP address;
host [ip_address |
name] characters) - name – name of the address DHCP pool.
View the DHCP address pool configuration of the DHCP
show ip dhcp pool name: (1..32
server:
network [name] characters)
- name – name of the address DHCP pool.
show ip dhcp binding Viewing IP addresses that are mapped to physical
[ip_address] - addresses of clients, as well as lease time, destination
method and status of IP addresses.
show ip dhcp server View the DHCP server statistics.
statistics -

show ip dhcp View the active IP addresses issued by the DHCP server.
allocated -

Command execution example

 Configure a DHCP pool named test and specify for DHCP clients: domain name – test.ru, default
gateway – 192.168.45.1 and DNS server – 192.168.45.112.

console#
console# configure
console(config)# ip dhcp pool network test
console(config-dhcp)# address 192.168.45.0 255.255.255.0
console(config-dhcp)# domain-name test.ru
console(config-dhcp)# dns-server 192.168.45.112
console(config-dhcp)# default-router 192.168.45.1

5.27 ACL configuration (Access Control List)

ACL (Access Control List) – the table which defined filtering rules for incoming and outgoing traffic
according to data transmitted in the incoming packets: protocols, TCP/UDP ports, IP address or MAC
address.

The ACL based on IPv6, IPv4 and MAC addresses should have different names.
IPv6 and IPv4 lists can work together on the same physical interface. An ACL list based on
MAC addressing cannot be matched with lists for IPv4 or IPv6. Two lists of the same type
cannot work together on the interface.
ETS-1-10G-A 5. Device management. Command line interface 249

Commands for creating and editing ACL lists are available in global configuration mode.

Global mode configuration commands

The command line in the global configuration mode has the form:

console (config)#

Table 204 – Commands for creating and configuring ACL lists

Command Value/Default value Action

ip access-list Create a standard ACL list.
access_list {deny | - deny – prohibit the passage of packages with the specified
permit} {any | parameters;
ip_address - permit – enable the passage of packages with the specified
[ip_address_mask]} parameters.

no ip access-list Delete the standard ACL list.

access_list

ip access-list Create a new advanced ACL list for IPv4 addressing and enter
extended access_list the configuration mode (if the list with this name has not
been created yet), or enter the configuration mode of the
previously created list.
no ip access-list Deleting the extended ACL list for IPv4 addressing.
extended access_list
access_list: (0..32)
symbols Create a new standard ACL list for IPv6 addressing.
ipv6 access-list
access_list {deny | - deny – prohibit the passage of packages with the specified
permit} {any | parameters;
ipv6_address - permit – enable the passage of packages with the specified
[ipv6_address_prefix]} parameters.

no ipv6 access-list Remove a new standard ACL list for IPv6 addressing.
access_list

ipv6 access-list Create a new advanced ACL list for IPv6 addressing and enter
extended access_list the configuration mode (if the list with this name has not
been created yet), or enter the configuration mode of the
previously created list.
no ipv6 access-list Deleting the extended ACL list for IPv6 addressing.
extended access_list
ETS-1-10G-A 5. Device management. Command line interface 250

mac access-list Create a new ACL list for MAC addressing and enter the
extended access_list configuration mode (if the list with this name has not been
created yet), or enter the configuration mode of the
previously created list.
no mac access-list Deleting the ACL list for MAC addressing.
extended access_list

time-range time_name Enter the time-range configuration mode and define time
intervals for the access list.
- time_name – time-range configuration
time_name: (0..32)
symbols
profile name.
no time-range Deletion of the set timerange configuration.
time_name

In order to activate the ACL list, you must link it to the interface. The interface using the list can be
either an Ethernet interface or a port group.

Ethernet, VLAN or port group interface configuration mode commands

The command line in the Ethernet, VLAN, port group configuration mode looks like:

console(config-if)#

Table 205 – ACL list assignment command.

Command Value/Default value Action

service-acl input In the settings of a certain physical interface the command
access_list access_list: (0..32) binds the specified list to this interface.
symbols
no service-acl input Deleting the list from the interface.

Privileged EXEC mode commands

The command line in the Priveleged Exec mode has the form:
console#

Table 206 – Commands to view ACL lists

Command Value/Default value Action

ETS-1-10G-A 5. Device management. Command line interface 251

Shows the ACL lists created on the switch.

show access-lists [access_list]
access_list: (0..32)
symbols Shows the ACL lists created on the switch, which are
show access-lists
time­range­active [access_list] currently active.

Shows the ACL lists assigned to the interfaces.

show interfaces access-lists
te_port: (1..8/0/1..32);
[tengigabitethernet te_port |
group: (1..32);
port-channel group | vlan
vlan_id: (1..4094);
vlan_id]

Zero all ACL list counters, or counters for ACL lists of a given
clear access-lists counters
te_port: (1..8/0/1..32); interface.
[tengigabitethernet te_port |
group: (1..32);
port-channel group | vlan
vlan_id: (1..4094);
vlan_id]

Shows the access list counters.

show interfaces access-lists
trapped packets te_port: (1..8/0/1..32);
[tengigabitethernet te_port | group: (1..32);
port-channel group | vlan vlan_id: (1..4094);
vlan_id]

EXEC mode commands

The command line in the EXEC mode has the form:

console#

Table 207 – Commands to view ACL lists

Command Value/Default value Action

Shows the time-range configuration
show time-range [time_name] -

Configuring IPv4-based ACL

This section contains the values and descriptions of the main parameters used in the ACL list
configuration commands based on IPv4 addressing. Creating and entering the mode of editing ACL lists
based on IPv4 addressing is done using the command: ip access-list extended access-list. For
example, to create an ACL list called RADAL, the following commands must be run:

console#
ETS-1-10G-A 5. Device management. Command line interface 252

console# configure
console(config)# ip access-list extended RADAL
console(config-ip-al)#
Table 208 – Basic parameters used in commands

Parameter Value Action

permit 'Permit' action Creates an allowable filter rule in the ACL list.
deny 'Deny' action Creates a deny filter rule in the ACL list.
protocol The field is intended for specifying the protocol (or all protocols)
on the basis of which the filtering will be performed. When
selecting a protocol, the following options are possible: icmp,
igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout,
Protocol
ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim,
l2tp, isis, ipip, or the numerical value of the protocol, in the range
(0 - 255).
The IP value is used to match any protocol.
source Source address Specifies the IP address of the packet source.
source_wildcard The bitmap applied to the source IP address of a packet. The mask
determines the bits of the IP address that should be ignored. Units
should be written to the values of the ignored bits. For example,
Source address mask using a mask, you can define an IP network filtering rule. To add an
IP network 195.165.0.0 to the filtering rule, you must set the mask
value to 0.0.255.255, i.e. according to this mask the last 16 bits of
IP addresses will be ignored.
destination Destination address Defines the destination IP address of the packet
destination_wildcard The bitmap applied to the destination IP address of a packet. The
mask determines the bits of the IP address that should be ignored.
Destination address mask
Units should be written to the values of the ignored bits. The mask
is used similarly to the source_wildcard mask.
vlan VLAN ID Defines the Vlan for which the rule will be applied.
dscp Defines the value of diffserv's DSCP field. Possible message codes
DSCP field in L3 header
of dscp field: (0 – 63).
precedence IP priority Defines the IP traffic priority: (0-7).
time_name Profile name of Defines the configuration of time intervals.
configuration time-range
ETS-1-10G-A 5. Device management. Command line interface 253

icmp_type The type of ICMP messages used to filter ICMP packets. Possible
types of messages in icmp_type field: echo-reply, destination-
unreachable, source-quench, redirect, alternate-host-address,
echo-request, router-advertisement, router-solicitation, time-
exceeded, parameter-problem, timestamp, timestamp-reply,
- information-request, information-reply, address-mask-request,
address-mask-reply, traceroute, datagram-conversion-error,
mobile-host-redirect, mobile-registration-request, mobile-
registration-reply, domain_name-request, domain_name-reply,
skip, photuris, or the numeric value of the message type, in the
range (0 - 255).
icmp_code The code of ICMP protocol messages used to filter ICMP packets.
ICMP message code
Possible message codes of the icmp_code field: (0 – 255).
igmp_type The type of IGMP messages used to filter IGMP packets. Possible
types of messages in the igmp_type field: host-query, host-report,
IGMP message type dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-
report-v3, or the numeric value of the message type, in the range
(0 - 255).
destination_port Destination UDP/TCP port Possible TCP port field values: bgp (179), chargen (19), daytime
source_port (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp
(21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin
(543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110),
smtp (25), sunrpc (1110, syslog (514), tacacs-ds (49), talk (517),
telnet (23), time (37), uucp (117), whois (43), www (80);
For UDP port: biff (512), bootpc (68), bootps (67), discard (9), dnsix
Source UDP/TCP port (90), domain (53), echo (7), mobile-ip (434), nameserver (42),
netbios-dgm (138), netbios-ns (137), on500-isakmp (4500), ntp
(123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog
(514), tacacs-ds (49), talk (517), tftp (69), time (37), who (513),
xdmcp (177).
Either a numeric value (0 – 65535).
list_of_flags If the flag must be set for the filtering condition, a '+' sign is placed
in front of it, if not, a '-' sign is placed. Possible flags: +urg, +ack,
TCP flags +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn и -fin. When using
multiple flags in a filter condition, the flags are merged into one
line without spaces, for example: +fin-ack.
disable_port Disables the port from which the package was received that meets
Port disabling
the conditions of any deny command with the field described in it.
log_input Enables sending information messages to the system log when a
Sending messages
package that matches a record is received.
offset_list_name Name of the list of user Sets the list of user templates to be used to recognize packages. A
templates template list can be defined for each ACL list.
ace-priority The index specifies the position of a rule in the list and its priority.
Entry priority The smaller the index, the higher the priority rule. The range of
permissible values (1...2147483647).
ETS-1-10G-A 5. Device management. Command line interface 254

The parameter 'any' is used to select the entire parameter range except for dscp and IP-
precedence.

Once at least one entry has been added to the ACL list, the last deny any any any entry is
added by default, which means ignoring all packets that do not meet the ACL conditions.

Table 209 – Commands used to configure the ACLs based on IP addressing

Command Action
Adds an allowing filtering record for the protocol. Packets that
permit protocol {any | source source_wildcard}
meet the entry conditions will be processed by the switch.
{any | destination destination_wildcard} [dscp
dscp | precedence precedence] [time­range
time_name] [ace­priority index]

Removes a previously created record.

no permit protocol {any | source
source_wildcard} {any | destination
destination_wildcard} [dscp dscp | precedence
precedence] [time­range time_name]

Adds an allowing filtering record for the IP. Packets that meet the
permit ip {any | source_ip source_ip_wildcard}
entry conditions will be processed by the switch.
{any | destination_ip destination_ip_wildcard}
[dscp dscp | precedence precedence]
[time­range range_name] [ace priority index]

Removes a previously created record.

no permit ip {any | source_ip
source_ip_wildcard} {any | destination_ip
destination_ip_wildcard} [dscp dscp |
precedence precedence] [time­range range_name]

Adds an allowing filtering record for the ICMP. Packets that meet
permit icmp {any | source source_wildcard}
the entry conditions will be processed by the switch.
{any | destination destination_wildcard}
{any | icmp_type} {any | icmp_code} [dscp
dscp | ip­precedence precedence]
[time­range time_name] [ace-priority
index] [offset­list offset_list_name]
[vlan vlan_id]
ETS-1-10G-A 5. Device management. Command line interface 255

Removes a previously created record.

no permit icmp {any | source
source_wildcard} {any | destination
destination_wildcard} {any | icmp_type} {any |
icmp_code} [dscp dscp | ip­precedence
precedence] [time­range time_name]
[offset­list offset_list_name] [vlan
vlan_id]

Adds an allowing filtering record for the IGMP. Packets that meet
permit igmp {any | source source_wildcard}
the entry conditions will be processed by the switch.
{any | destination destination_wildcard}
[igmp_type] [dscp dscp | precedence
precedence] [time­range time_name]
[ace­priority index]

Removes a previously created record.

no permit igmp {any | source source_wildcard}
{any | destination destination_wildcard}
[igmp_type] [dscp dscp | precedence
precedence] [time­range time_name]

permit tcp {any | source source_wildcard} {any | Adds an allowing filtering record for the TCP. Packets that meet
source_port} {any | destination destination_wildcard} the entry conditions will be processed by the switch.
{any | destination_port} [dscp dscp | precedence
precedence] [match­all list_of_flags] [time­range
time_name] [ace­priority index]
no permit tcp {any | source source_wildcard } {any | Removes a previously created record.
source_port} {any | destination destination_wildcard}
{any | destination_port} [dscp dscp | precedence
precedence] [match­all list_of_flags] [time-range
time_name]
permit udp {any | source source_wildcard} {any | Adds an allowing filtering record for the UDP. Packets that meet
source_port} {any | destination destination_wildcard} the entry conditions will be processed by the switch.
{any | destination_port} [dscp dscp | precedence
precedence] [time­range time_name] [ace-
priority index]
no permit udp {any | source source_wildcard} {any | Removes a previously created record.
source_port} {any | destination destination_wildcard}
{any | destination_port} [dscp dscp | precedence
precedence] [time­range time_name]
deny protocol {any | source source_wildcard} {any | Adds a deny filtering record for the protocol. Packets that meet
destination destination_wildcard} [dscp dscp | the entry conditions will be blocked by the switch. If the disable-
precedence precedence] [time­range time_name] port keyword is used, the physical interface that receives the
[disable­port | log­input] [ace-priority index] package will be disabled. When using the log-input keyword, a
message will be sent to the system log.
no deny protocol {any | source source_wildcard} {any | Removes a previously created record.
destination destination_wildcard} [dscp dscp |
precedence precedence] [time­range time_name]
[disable­port | log­input]
ETS-1-10G-A 5. Device management. Command line interface 256

Adds a deny filtering record for the IP. Packets that meet the
deny ip {any | source_ip source_ip_wildcard} {any |
entry conditions will be blocked by the switch. If the disable-port
destination_ip destination_ip_wildcard} [dscp dscp |
keyword is used, the physical interface that receives the package
precedence precedence] [time­range range_name]
will be disabled. When using the log-input keyword, a message
[disable­port | log­input] [ace-priority index] will be sent to the system log.
Removes a previously created record.
no deny ip {any | source_ip source_ip_wildcard} {any |
destination_ip destination_ip_wildcard} [dscp dscp |
precedence precedence] [time­range range_name]
[disable­port | log­input]

deny icmp {any | source source_wildcard} {any | Adds a deny filtering record for the ICMP. Packets that meet the
destination destination_wildcard} {any | icmp_type} entry conditions will be blocked by the switch. If the disable-port
{any | icmp_code} [dscp dscp | precedence keyword is used, the physical interface that receives the package
precedence] [time­range time_name] will be disabled. When using the log-input keyword, a message
[disable­port | log­input] [ace­priority index] will be sent to the system log.
no deny icmp {any | source source_wildcard} {any | Removes a previously created record.
destination destination_wildcard} {any | icmp_type}
{any | icmp_code} [dscp dscp | precedence
precedence] [time­range time_name]
[disable­port | log­input]
deny igmp {any | source source_wildcard} {any | Adds a deny filtering record for the IGMP. Packets that meet the
destination destination_wildcard} [igmp_type] [dscp entry conditions will be blocked by the switch. If the disable-port
dscp | precedence precedence] [time­range keyword is used, the physical interface that receives the package
time_name] [ace-priority index] [disable-port | log- will be disabled. When using the log-input keyword, a message
input] will be sent to the system log.
no deny igmp {any | source source_wildcard} {any | Removes a previously created record.
destination destination_wildcard} [igmp_type] [dscp
dscp | precedence precedence] [time­range
time_name] [disable-port | log-input]
Adds a deny filtering record for the TCP. Packets that meet the
deny tcp {any | source source_wildcard}
entry conditions will be blocked by the switch. If the disable-port
{any | source_port} {any | destination
keyword is used, the physical interface that receives the package
destination_wildcard} {any | destination_port}
will be disabled. When using the log-input keyword, a message
[dscp dscp | precedence precedence] will be sent to the system log.
[match­all list_of_flags] [time-range
time_name] [ace­priority index]
[disable-port | log-input]

Removes a previously created record.

no deny tcp {any | source source_wildcard}
{any | source_port} {any | destination
destination_wildcard} {any | destination_port}
[dscp dscp | precedence precedence]
[match­all list_of_flags] [time-range
time_name] [disable-port | log-input]
ETS-1-10G-A 5. Device management. Command line interface 257

deny udp {any | source source_wildcard} {any | Adds a deny filtering record for the UDP. Packets that meet the
source_port} {any | destination destination_wildcard} entry conditions will be blocked by the switch. If the disable-port
{any | destination_port} [dscp dscp | precedence keyword is used, the physical interface that receives the package
precedence] [time­range time_name] [ace-priority will be disabled. When using the log-input keyword, a message
index] [disable-port | log-input] will be sent to the system log.
no deny udp {any | source source_wildcard} {any | Removes a previously created record.
source_port} {any | destination destination_wildcard}
{any | destination_port} [dscp dscp | precedence
precedence] [time­range time_name] [disable-port
| log-input]
Creates a list of user templates with the username name. The
offset-list offset_list_name {offset_base offset mask
name can be from 1 to 32 characters. One command can contain
value} …
up to thirteen templates depending on the selected access list
configuration mode (set system mode command), including the
following parameters:
- offset_base – base offset. Possible values:
l3 – start of the offset from the beginning of the IP header;
l4 – start of the offset from the end of the IP header.
- offset – data byte offset within a package. The base offset is
taken as the beginning of the countdown;
- mask – mask. Only those byte bits for which '1' is set in the
corresponding mask bits take part in the packet analysis;
- value – required value.
Deletes the previously created list.
no offset-list offset_list_name

Configuring IPv6-based ACL

This section contains the values and descriptions of the main parameters used in the ACL list
configuration commands based on IPv6 addressing.
Creating and entering the mode of editing ACL lists based on IPv6 addressing is done using the
command: ipv6 access-list access-list. For example, to create an ACL list called MESipv6, the
following commands must be run:

console#
console# configure
console(config)# ipv6 access-list MESipv6
console(config-ipv6-al)#

Table 210 – Basic parameters used in commands

Parameter Value Action

permit Allow action Creates an allowable filter rule in the ACL list.
ETS-1-10G-A 5. Device management. Command line interface 258

deny Deny action Creates a deny filter rule in the ACL list.
protocol The field is intended for specifying the protocol (or all protocols)
on the basis of which the filtering will be performed. When
selecting a protocol, the following options are possible: icmp, tcp,
Protocol
udp, or the numerical value of the protocol – icmp (58), tcp (6),
udp (17).
The IPv6 value is used to match any protocol.
source_prefix/length Specifies the IPv6 address and the length of the network prefix (0-
Source address and length
128) (number of high bits of address) of the packet source.
destination_prefix/length Destination address and Specifies the IPv6 address and the length of the network prefix (0-
length 128) (number of high bits of address) of the packet destination.
dscp Defines the value of diffserv's DSCP field. Possible message codes
DSCP field in L3 header
of dscp field: (0 – 63).
precedence IP priority Defines the IP traffic priority: (0-7).
time_name Profile name of Defines the configuration of time intervals.
configuration time-range
icmp_type It is used to filter ICMP packets. Possible types and numerical
values of the icmp_type field messages: destination-unreachable
(1), packet-too-big (2), time-exceeded (3), parameter-problem
ICMP message type (4), echo-request (128), echo-reply (129), mld-query (130), mld-
report (131), mldv2-report (143), mld-done (132), router-
solicitation (133), router-advertisement (134), nd-ns (135), nd-na
(136).
icmp_code ICMP message code It is used to filter ICMP packets. Possible field values (0 – 255).
destination_port Destination UDP/TCP port Possible TCP port field values: bgp (179), chargen (19), daytime
source_port (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp
(21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin
(543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110),
smtp (25), sunrpc (1110, syslog (514), tacacs-ds (49), talk (517),
telnet (23), time (37), uucp (117), whois (43), www (80);
For UDP port: biff (512), bootpc (68), bootps (67), discard (9), dnsix
Source UDP/TCP port
(90), domain (53), echo (7), mobile-ip (434), nameserver (42),
netbios-dgm (138), netbios-ns (137), on500­isakmp (4500), ntp
(123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog
(514), tacacs-ds (49), talk (517), tftp (69), time (37), who (513),
xdmcp (177).
Either a numeric value (0 – 65535).
list_of_flags If the flag must be set for the filtering condition, a '+' sign is placed
TCP flags in front of it, if not, a '-' sign is placed. Possible flags: +urg, +ack,
+psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn и -fin.
disable-port Disables the port from which the package was received that meets
Port disabling
the conditions of any deny command with the field described in it.
log-input Enables sending information messages to the system log when a
Sending messages
package that matches a record is received.
ace-priority Rule index in the table, the smaller is the index, the higher is the
Rule index
priority rule: (1..2147483647).
ETS-1-10G-A 5. Device management. Command line interface 259

The parameter 'any' is used to select the entire parameter range except for dscp and IP-
precedence.
Once at least one entry has been added to the ACL list, the last entry added to the list is the
entry
permit-icmp any any nd-ns any
permit-icmp any any nd-na any
deny ipv6 any any
The first two allow searching for neighboring IPv6 devices using ICMPv6, and the last two
allow ignoring all packets that do not meet the ACL conditions.
Table 211 – Commands used to configure the ACLs based on IPv6 addressing

Command Action
permit protocol {any | source_prefix/length} {any | Adds an allowing filtering record for the protocol. Packets that
destination_prefix/length} [dscp dscp | precedence meet the entry conditions will be processed by the switch.
precedence] [time-range time_name] [ace-priority index]
no permit protocol {any | source_prefix/length} {any | Removes a previously created record.
destination_prefix/length} [dscp dscp | precedence
precedence] [time-range time_name]
permit icmp {any | source_prefix/length} {any | Adds an allowing filtering record for the ICMP. Packets that
destination_prefix/length} {any | icmp_type} {any | meet the entry conditions will be processed by the switch.
icmp_code} [dscp dscp | precedence precedence]
[time­range time_name] [ace-priority index]
no permit icmp {any | source_prefix/length} {any | Removes a previously created record.
destination_prefix/length} {any | icmp_type} {any |
icmp_code} [dscp dscp | precedence precedence]
[time­range time_name]
permit tcp {any | source_prefix/length} {any | Adds an allowing filtering record for the TCP. Packets that meet
source_port} {any | destination_prefix/length} {any | the entry conditions will be processed by the switch.
destination_port} [dscp dscp | precedence precedence]
[time­range time_name] [match­all list_of_flags]
[ace­priority index]
no permit tcp {any | source_prefix/length} {any | Removes a previously created record.
source_port} {any | destination_prefix/length} {any |
destination_port} [dscp dscp | precedence precedence]
[time­range time_name] [match­all list_of_flags]
permit udp {any | source_prefix/length} {any | Adds an allowing filtering record for the UDP. Packets that meet
source_port} {any | destination_prefix/length} {any | the entry conditions will be processed by the switch.
destination_port} [dscp dscp | precedence precedence]
[time­range time_name] [ace-priority index]
no permit udp {any | source_prefix/length} {any | Removes a previously created record.
source_port} {any | destination_prefix/length} {any |
destination_port} [dscp dscp | precedence precedence]
[time­range time_name]
ETS-1-10G-A 5. Device management. Command line interface 260

deny protocol {any | source_prefix/length} {any | Adds a deny filtering record for the protocol. Packets that meet
destination_prefix/length} [dscp dscp | precedence the entry conditions will be blocked by the switch. If the disable-
precedence] [time­range time_name] [disable­port | port keyword is used, the physical interface that receives the
log­input] [ace-priority index] package will be disabled. When using the log-input keyword, a
message will be sent to the system log.
no deny protocol {any | source_prefix/length} {any | Removes a previously created record.
destination_prefix/length} [dscp dscp | precedence
precedence] [time­range time_name] [disable­port |
log­input]
deny icmp {any | source_prefix/length} {any | Adds a deny filtering record for the ICMP. Packets that meet the
destination_prefix/length} {any | icmp_type} {any | entry conditions will be blocked by the switch. If the disable-
icmp_code} [dscp dscp | precedence precedence] port keyword is used, the physical interface that receives the
[time­range time_name] [disable­port | log­input] package will be disabled. When using the log-input keyword, a
[ace­priority index] message will be sent to the system log.
no deny icmp {any | source_prefix/length} {any | Removes a previously created record.
destination_prefix/length} {any | icmp_type} {any |
icmp_code} [dscp dscp | precedence precedence]
[time­range time_name] [disable­port | log­input]
deny tcp {any | source_prefix/length} {any | source_port} Adds a deny filtering record for the TCP. Packets that meet the
{any | destination_prefix/length} {any | destination_port} entry conditions will be blocked by the switch. If the disable-
[dscp dscp | precedence precedence] [match­all port keyword is used, the physical interface that receives the
list_of_flags] [time­range time_name] [disable­port | package will be disabled. When using the log-input keyword, a
log­input] [ace-priority index] message will be sent to the system log.
no deny tcp {any | source_prefix/length} {any | Removes a previously created record.
source_port} {any | destination_prefix/length} {any |
destination_port} [dscp dscp | precedence precedence]
[match­all list_of_flags] [time­range time_name]
[disable­port | log­input]
deny udp {any | source_prefix/length} {any | Adds a deny filtering record for the UDP. Packets that meet the
source_port} {any | destination_prefix/length} {any | entry conditions will be blocked by the switch. If the disable-
destination_port} [dscp dscp | precedence precedence] port keyword is used, the physical interface that receives the
[match­all list_of_flags] [time­range time_name] package will be disabled. When using the log-input keyword, a
[disable­port | log­input] [ace-priority index] message will be sent to the system log.
no deny udp {any | source_prefix/length} {any | Removes a previously created record.
source_port} {any | destination_prefix/length} {any |
destination_port} [dscp dscp | precedence precedence]
[match­all list_of_flags] [time­range time_name]
[disable­port | log­input]
ETS-1-10G-A 5. Device management. Command line interface 261

Creates a list of user templates with the username name. The

offset-list offset_list_name {offset_base offset mask
name can be from 1 to 32 characters. One command can contain
value} …
up to thirteen templates depending on the selected access list
configuration mode (set system mode command), including the
following parameters:
- offset_base – base offset. Possible values:
l3 – start of the offset from the beginning of the IPv6
header;
l4 – start of the offset from the end of the IPv6 header.
- offset – data byte offset within a package. The base offset is
taken as the beginning of the countdown;
- mask – mask. Only those byte bits for which '1' is set in the
corresponding mask bits take part in the packet analysis;
- value – required value.
Deletes the previously created list.
no offset-list offset_list_name

Configuring MAC-based ACL

This section contains the values and descriptions of the main parameters used in the ACL list
configuration commands based on MAC addressing.
Creating and entering the mode of editing ACL lists based on MAC addressing is done using the
command: mac access-list extended access-list. For example, to create an ACL list called
MESmac, the following commands must be run:

console#
console# configure
console(config)# mac access-list extended MESmac
console(config-mac-al)#

Table 212 – Basic parameters used in commands

Parameter Value Action

permit Allow action Creates an allowable filter rule in the ACL list.
deny Deny action Creates a deny filter rule in the ACL list.
source Source address Specifies the MAC address of the packet source.
source_wildcard The mask determines the bits of the MAC addresses that should
be ignored. Units should be written to the values of the ignored
The bitmap applied to the bits. For example, using a mask, you can define a MAC address
source MAC address of a range filtering rule. To add all MAC addresses beginning with
packet. 00:00:02:AA.xx.xx to the filtering rule, you need to specify the
mask value 0.0.0.0.FF.FF, i.e. according to this mask, the last 32 bits
of MAC addresses will not be important for analysis.
ETS-1-10G-A 5. Device management. Command line interface 262

destination Destination address Specifies the MAC address of the packet destination.
destination_wildcard The bitmap applied to the The mask determines the bits of the MAC addresses that should
destination MAC address of be ignored. Units should be written to the values of the ignored
a packet. bits. The mask is used similarly to the source_wildcard mask.
vlan_id vlan_id: (0..4095) A VLAN subnet of filtered packets.
cos cos: (0..7) Class of Service (CoS) of filtered packages.
cos_wildcard The mask determines the bits of the CoS that should be ignored.
Units should be written to the values of the ignored bits. For
Bitmask applicable to the
example, to use CoS 6 and 7 in a filter rule, you need to specify the
Class of Sservice (CoS) of
value of 6 or 7 in the CoS field, and the value of 1 in the mask field
the packets being filtered
(7 in binary representation - 111, 1 - 001, it turns out that the last
bit will be ignored, ie CoS can be either 110 (6) or 111 (7)).
eth_type eth_type: (0..0xFFFF) Ethernet type of packet filtered in hexadecimal record.
disable-port Disables the port from which a package meeting the deny
-
command conditions was received.
log-input Enables sending information messages to the system log when a
Sending messages
package that matches a record is received.
time_name Profile name of Defines the configuration of time intervals.
configuration time-range
offset_list_name Sets the list of user templates to be used to recognize packages. A
Byte offset from key point
template list can be defined for each ACL list.
ace-priority Rule index in the table, the smaller is the index, the higher is the
Rule index
priority rule: 1-2147483647.

The parameter 'any' is used to select the entire parameter range except for dscp and IP-
precedence.

Once at least one entry has been added to the ACL list, the last deny any any entry is added
by default, which means ignoring all packets that do not meet the ACL conditions.

Table 213 – Commands used to configure the ACLs based on MAC addressing

Command Action
permit {any | source source-wildcard} {any |
Adds an allowing filtering record. Packets that meet the
destination destination_wildcard} [vlan vlan_id] entry conditions will be processed by the switch.
[cos cos cos_wildcard] [eth_type] [time-range
time_name] [ace­priority index] [offset-
list offset_list_name]

Removes a previously created record.

no permit {any | source source-wildcard} {any |
destination destination_wildcard} [vlan vlan_id]
[cos cos cos_wildcard] [eth_type] [time-range
time_name] [offset-list offset_list_name]
ETS-1-10G-A 5. Device management. Command line interface 263

deny {any | source source-wildcard} {any |

Adds a deny filtering record. Packets that meet the entry
destination destination_wildcard} [vlan vlan_id] conditions will be blocked by the switch. If the disable-
[cos cos cos_wildcard] [eth_type] [time-range port keyword is used, the physical interface that receives
time_name] [disable-port | log­input] the package will be disabled.
[ace­priorityindex] [offset-list When using the log-input keyword, a message will be sent to
offset_list_name] the system log.

Removes a previously created record.

no deny {any | source source-wildcard} {any |
destination destination_wildcard} [vlan vlan_id]
[cos cos cos_wildcard] [eth_type] [time-range
time_name] [disable-port | log­input]
[offset-list offset_list_name]

Creates a list of user templates with the username name. The

offset-list offset_list_name {offset_base offset mask value}
name can be from 1 to 32 characters. One command can
…
contain up to thirteen templates depending on the selected
access list configuration mode (set system mode command),
including the following parameters:
- offset_base – base offset. Possible values:
l2 – start of the offset from EtherType;
outer-tag – start of the offset from STAG;
inner-tag – start of the offset from CTAG;
src-mac – start of the offset from the source MAC address;
dst-mac – start of the offset from the destination MAC
address.
- offset – data byte offset within a package. The base offset is
taken as the beginning of the countdown;
- mask – mask. Only those byte bits for which '1' is set in the
corresponding mask bits take part in the packet analysis;
- value – required value.
Deletes the previously created list.
no offset-list offset_list_name

5.28 Configuration of protection against DoS attacks

This command class allows to block some common classes of DoS attacks.

Global mode configuration commands

The command line in the global configuration mode has the form:

console (config)#
ETS-1-10G-A 5. Device management. Command line interface 264

Table 214 – Commands to configure protection against DoS attacks

Command Value/Default value Action

security-suite deny martian- Prohibits passing through frames with invalid ('Martian') source IP
addresses [reserved] {add | ip_address: ip address addresses (loopback, broadcast, multicast).
remove} ip_address
security-suite deny syn-fin - Rejects tcp packets with both SYN and FIN flags installed.
security-suite dos protect Prohibits/allows the passage of certain types of traffic
{add | remove} {stacheldraht | characteristic of malicious programs:
invasor­trojan | - stacheldraht – rejects TCP packets with source port 16660;
back­orifice­trojan} ­ - invasor-trojan – rejects TCP packets with destination port 2140
and source port 1024;
- back-orifice-trojan – rejects UDP packets with destination port
31337 and source port 1024.
security-suite enable Enables security-suite command class.
-/disabled
no security-suite enable Disables security-suite command class.

Ethernet, port group interface configuration mode commands

The command line in the Ethernet, port group configuration mode looks like:
console (config-if)#

Table 215 – Configuration command for interface protection against DoS attacks

Command Value/Default value Action

Creates a rule that prohibits traffic that meets the criteria.
security-suite deny
- fragmented – fragmented packets
{fragmented | icmp | syn}
ip_address: IP address; - icmp – ICMP traffic
{add | remove} {any |
mask: mask in the - syn – syn packets
ip_address [mask]}
format of IP address or
prefix Removes the deny rule.
no security-suite deny
{fragmented | icmp | syn}

rate: (199..2000) Sets the threshold of syn-requests for a certain IP

security-suite dos syn­attack
packets per second; address/network, if it is exceeded, the extra frames will be
rate {any | ip_address [mask]}
ip_address: – IP discarded.
address; Restore the default value.
no security-suite dos mask: mask in the
syn­attack {any | ip_address format of IP address or
[mask]} prefix
ETS-1-10G-A 5. Device management. Command line interface 265

5.29 Quality of Service – QoS

By default, all switch ports use the FIFO method of organizing the packet queue: First In – First Out.
During intensive traffic transfer using this method, problems can occur because the device ignores all
packets that have not entered the FIFO queue buffer and therefore are lost irretrievably. The method that
organizes queues by traffic priority solves this problem. QoS (Quality of service) mechanism implemented
in switches allows organizing eight queues of packet priority depending on the type of transmitted data.

QoS configuration
Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 216 – Global mode configuration commands

Command Value/Default value Action

Enables the switch to use QoS.
qos [basic |
advanced - basic – basic QoS mode;
[ports­trusted | - advanced – advanced QoS Configuration mode, which includes a
ports­not­trusted]] complete list of QoS configuration commands;
- ports-trusted – in this submode, the packets are sent to the
-/basic
output queue based on the fields in those packets;
- ports-not-trusted – in this submode, all packets are routed to the
zero default output queue; to send them to other queues you need
to assign a traffic classification strategy (policy-map) to the input
interface.
Set the port trust method when running in advanced QoS
qos advanced-mode
trust {cos | dscp | configuration mode and in the ports-trusted submode.
cos-dscp} - cos – port trusts 802.1p User priority value;
- dscp – port trusts DSCP value in IPv4/IPv6 packets;
-/disabled - cos-dscp – The port trusts both levels, but DSCP has priority over
802.1p.
no qos advanced-mode Sets the default method.
trust
ETS-1-10G-A 5. Device management. Command line interface 266

class-map 1. Creates a list of traffic classification criteria.

class_map_name [match- 2. Enters into the mode of editing the list of traffic
all | match-any] classification criteria.
- match-all – all criteria on this list must be met;
- match-any – one, any criterion for this list must be met.
class_map_name: (1..32) The list of criteria can have one or two rules. If there are
characters; two rules, and both of them point to different ACL types
By default the match-all (IP, MAC), then the classification will be done by the first correct
option is used rule in the list.

Only valid for qos advanced mode

no class-map Removes the list of traffic classification criteria.

class_map_name

policy-map 1. Creates a traffic classification strategy.

policy_map_name 2. Enters into the mode of editing the strategy of traffic
classification.
Only one traffic classification strategy is supported in one
direction.
policy_map_name: (1..32 By default, policy-map sets DSCP = 0 for IP packets and
characters) CoS = 0 for tagged packets.

Only valid for qos advanced mode.

no policy-map Removes the traffic classification rule.

policy_map_name
ETS-1-10G-A 5. Device management. Command line interface 267

qos aggregate-policer
Defines a configuration template that allows to limit the
aggregate_policer_name channel bandwidth while at the same time guaranteeing a
committed_rate_kbps certain data rate.
excess_burst_byte When operating with bandwidth, the algorithm of the
[exceed­action {drop marked 'basket' is used. The task of the algorithm is to make
| policed-dscp- a decision: to transmit the packet or reject it. The
transmit}]
parameters of the algorithm are the rate of receipt (CIR) of
markers in the 'basket' and volume (CBS) of the 'basket'.
- committed-rate-kbps – the average traffic speed. This
speed is guaranteed when transmitting information;
aggregate_policer_name: - committed-burst-byte – the size of the restraining
(1..32) characters; threshold in bytes;
committed_rate_kbps: - drop – the package will be rejected when the 'basket' is
(3..57982058) kbps; overflowing;
excess_burst_byte: - policed-dscp-transmit – if the 'basket' is overflowing, the DSCP
(3000..19173960) bytes value will be overridden.
You cannot delete a strategy template if it is used in a
strategy map; you must remove the strategy template
assignment before deleting it: no police aggregate aggregate-
policer-name.

Only valid for qos advanced mode.

no qos aggregate-
Removes the channel speed control setting template.
policer
aggregate_policer_name

wrr-queue cos-map
queue_id: (1..8); Defines CoS values for outbound traffic queues.
cos1…cos8: (0..7);
queue_id cos1…cos8
Default CoS values for
no wrr-queue cos-map queues: Sets the default value.
[queue_id] CoS = 1 – queue 1
CoS = 2 – queue 2
CoS = 0 – queue 3
CoS = 3 – queue 4
CoS = 4 – queue 5
CoS = 5 – queue 6
CoS = 6 – queue 7
CoS = 7 – queue 8
wrr-queue bandwidth weight: (0..255)/1 Assigns weight to outgoing queues used by the WRR
weight1..weight8 By default, the weight of (Weighted Round Robin) mechanism.
no wrr-queue bandwidth each queue is 1 Sets the default value.
ETS-1-10G-A 5. Device management. Command line interface 268

priority-queue out Sets the amount of priority queues.

num­of­queues For priority queue, the weight of WRR will be ignored.
number_of_queues If a value other than '0' is set to N, the higher N queues
number_of_queues:
will be prioritized (will not participate in WRR).
(0..8)
Example:
By default, all queues are
0: all queues are equal;
processed using the
1: seven junior queues participate in WRR, 8th does not;
'strict priority' algorithm.
2: six junior queues participate in WRR, 7, 8 do not participate.
no priority-queue out Sets the default value.
num­of­queues
qos wrr-queue wrtd
Enables WRTD (Weighted Random Tail Drop) weighting
mechanism to remove packets from queues.
By default, WRTD is
disabled The changes will take effect after rebooting the device.

no qos wrr-queue wrtd

Disables WRTD.

qos map enable {cos-dscp |

Use the specified remarking table for the switch's trusted ports.
dscp-cos}
-
no qos map enable
Do not use a remarking table.
{cos­dscp | dscp-cos}
qos map dscp-mutation
Fills the DSCP remarking table. For incoming packets with
in_dscp to out_dscp
specified values, DSCP sets new DSCP values.
in_dscp: (0..63),
- in-dscp – defines up to 8 DSCP values, values are separated by a
out_dscp: (0..63)
space character.
By default the change
map is empty, i.e. the - out-dscp – defines up to 8 new DSCP values, values are
DSCP values for all separated by a space character.
incoming packets remain
Only valid for qos basic mode.
unchanged
no qos map dscp-mutation
Sets the default value.
[in_dscp]
qos map policed-dscp
Fills the DSCP remarking table. For incoming packets with
dscp_list to dscp_mark_down
specified values, DSCP sets new DSCP value.
dscp_list: (0..63)
dscp_mark_down: (0..63) - dscp_list – defines up to 8 DSCP values, values are separated by
By default the remarking a space character.
table is empty, i.e. the
DSCP values for all - dscp_mark_down – defines new DSCP value.
incoming packets remain Only valid for qos advanced mode.
unchanged
no qos map policed-dscp
Sets the default value.
[dscp_list]
ETS-1-10G-A 5. Device management. Command line interface 269

qos map dscp-queue dscp_list dscp_list: (0..63)

Sets the match between the DSCP values of incoming packets and
to queue_id queue_id: (1..8)
the queues.
Default:
DSCP: (0-7), queue 1 - dscp_list – defines up to 8 DSCP values, values are separated by
DSCP: (8-15), queue 2 a space character.
DSCP: (16-23), queue 3
no qos map dscp-queue DSCP: (24-31), queue 4 Sets the default values
[dscp_list] DSCP: (32-39), queue 5
DSCP: (40-47), queue 6
DSCP: (48-55), queue 7
DSCP: (56-63), queue 8
qos trust {cos | dscp |
Sets the switch trust mode in basic QoS mode (CoS or DSCP).
cos­dscp}
- cos – sets the classification of incoming packets by CoS values.
For non-tagged packets, the default CoS value is used;
- dscp – sets the classification of incoming packets by DSCP values.

-/cos - cos-dscp – sets the classification of incoming packets by DSCP

values for IP packets and by CoS values for non-IP packets.

Only valid for qos basic mode.

no qos trust
Sets the default value.

Allows to apply the dscp change table to the dscp-server ports

qos dscp-mutation
population. The use of the change table allows to overwrite dscp
values in IP packets with new values.
The DSCP change table can only be applied to incoming
- traffic on trusted ports.

Only valid for qos basic mode.

no qos dscp-mutation Cancels the use of dscp change map.

qos map dscp- Fills the DSCP remarking table. For incoming packets with
mutation in_dscp to specified values, DSCP sets new DSCP values.
out_dscp in_dscp: (0..63);
out_dscp: (0..63) - in-dscp – defines up to 8 DSCP values, values are separated by a
By default the change space character.
map is empty, i.e. the
- out-dscp – defines up to 8 new DSCP values, values are
DSCP values for all
separated by a space character.
incoming packets remain
unchanged
Only valid for qos basic mode.
ETS-1-10G-A 5. Device management. Command line interface 270

no qos map dscp- Sets the default value.

-
mutation [in_dscp]

rate-limit vlan vlan_id rate Sets the speed limit for incoming traffic for a given VLAN.
vlan_id: (1..4094);
burst - vlan_id – VLAN number:
rate: (3..57982058) kbps; - rate – average traffic rate (CIR);
burst: (3000..19173960) - burst – the size of the limiting threshold (speed limit) in bytes.
bytes/128 kB
no rate-limit vlan vlan_id Removes the incoming traffic rate limiting.

Edit mode commands for the traffic classification criteria list

The type of request from the command line of the mode of editing the list of traffic classification
criteria:
console# configure
console(config)# class-map class-map-name [match-all | match-any]
console(config-cmap)#

Table 217 – Edit mode commands for the traffic classification criteria list

Command Value/Default value Action

match access-group Adds a traffic classification criterion. Defines rules for
acl_name filtering traffic by ACL list for classification.
Only valid for qos advanced mode.
acl_name: (1..32
characters)
no match access-group Removes the traffic classification criterion.
acl_name

Edit mode commands for the traffic classification strategy

The type of request from the command line of the mode of editing the strategy of traffic
classification:

console# configure
console(config)# policy-map policy-map-name
console(config-pmap)#
ETS-1-10G-A 5. Device management. Command line interface 271

Table 218 – Edit mode commands for the traffic classification strategy

Command Value/Default value Action

Defines the traffic classification rule and enters the configuration
class class_map_name
mode of the classification rule – policy-map class.
[access­group acl_name]
- acl_name – defines rules for filtering traffic by ACL list for
classification. When creating a new classification rule, the
class_map_name: optional parameter access-group is mandatory.
(1..32) characters; To use the policy-map strategy settings for the interface,
acl_name: (1..32 use the service-policy command in the interface
characters) configuration mode.

Only valid for qos advanced mode.

no class class_map_name
Removes the class-map traffic classification rule from the
strategy.

Commands of the classification rule configuration mode

Command line prompt in the classification rule configuration mode is as follows:

console# configure
console(config)# policy-map policy-map-name
console(config-pmap)# class class-map-name [access-group acl-name]
console(config-pmap-c)#

Table 219 – Commands of the classification rule configuration mode

Command Value/Default value Action

Defines the trust mode for a certain type of traffic according to
trust
By default, the trust mode the global trust mode.
is not set Sets the default value.
no trust

Sets the new values for the IP packet.

set {dscp new_dscp |
The set command is mutually exclusive with the trust
queue queue_id | cos
command for the same police-map strategy.
new_cos | vlan vlan_id}
new_dscp: (0..63); Policy-map strategies that use set, trust or ACL-categorized
queue_id: (1..8); commands are assigned to outgoing interfaces only.
new_cos: (0..7);
vlan_id: (1..4094) Only valid for qos advanced mode.

Removes the new values for the IP packet.

no set
ETS-1-10G-A 5. Device management. Command line interface 272

Forwards packets that match a traffic classification rule to the

redirect { tengigabitethernet
specified port.
te_port | port-channel group} te_port: (1..8/0/1..32);
group: (1..32)
Sets the default value.
no redirect

Allows to limit the channel bandwidth while at the same time

police
guaranteeing a certain data rate.
committed_rate_kbps
When operating with bandwidth, the algorithm of the marked
committed_burst_byte
'basket' is used. The task of the algorithm is to make a decision:
[exceed-action {drop |
policed-dscp- to transmit the packet or reject it. The parameters of the
transmit}] algorithm are the rate of receipt (CIR) of markers in the 'basket'
and volume (CBS) of the 'basket'.
- committed_rate_kbps – average traffic speed. This speed is
guaranteed when transmitting information;
committed_rate_kbps: - committed_burst_byte – size of the limiting threshold in bytes;
(3..12582912) kbps; - drop – the package will be rejected when the 'basket' is
committed_burst_byte: overflowing;
(3000..19173960) bytes; - policed-dscp-transmit – if the 'basket' is overflowing, the
aggregate_policer_name: DSCP value will be overridden.
(1..32 characters)
Only valid for qos advanced mode.

police aggregate Assigns a traffic classification rule to a configuration template

aggregate_policer_name that allows you to limit the channel bandwidth and at the same
time guarantee a certain data rate.
Only valid for qos advanced mode.

no police Removes the channel rate control settings template from the
traffic classification rule.

Ethernet, port group interface configuration mode commands

Command line prompt in the Ethernet or port group interface configuration mode is as follows:

console(config-if)#

Table 220 – Ethernet, VLAN, port group interface configuration mode commands

Command Value/Default value Action

service-policy {input | output} Assigns a traffic classification strategy to the interface.
policy_map_name [default-
action {deny-any | permit- policy_map_name:
any}] (1..32 characters)
no service-policy {input | Removes the traffic classification strategy from the interface.
output}
ETS-1-10G-A 5. Device management. Command line interface 273

traffic-shape committed_rate Sets the speed limit for outgoing traffic through the interface.
committed_rate:
[committed_burst] - committed_rate – average traffic speed, kbps;
(64..1000000) kbps;
- committed_burst – the size of the limiting threshold (speed limit)
committed_burst:
in bytes.
(4096..16762902) bytes
no traffic-shape Removes the speed limit for outgoing traffic through the interface.
traffic-shape queue queue_id Sets the traffic speed limit for the outbound queue interface.
queue_id: (0..8);
committed_rate - committed_rate – average traffic speed, kbps;
committed_rate:
[committed_burst] - committed_burst – the size of the limiting threshold (speed limit)
(36..1000000) kbps;
in bytes.
committed_burst:
no traffic-shape queue Removes the traffic speed limit for the outbound queue interface.
(4096..16769020) bytes
queue_id
qos trust [cos | dscp | Enables the basic qos mechanism for the interface.
cos­dscp] - cos – port trusts 802.1p User priority value;
- dscp – port trusts DSCP value in IPv4/IPv6 packets;
/enabled
- cos-dscp – The port trusts both levels, but DSCP has priority over
802.1p.
no qos trust Disables the basic qos mechanism for the interface.
rate-limit rate [burst burst] rate: (64..10000000) Sets the incoming traffic rate limiting.
no rate-limit kbps; Removes the incoming traffic rate limiting.
burst:
(3000..19173960)
bytes/128 kB
qos cos default_cos Sets the default CoS value for the port (CoS applied to all non-
default_cos: (0..7)/0 tagged traffic passing through the interface).
no qos cos Sets the default value.

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 221 – EXEC mode commands

Command Value/Default value Action

Shows the QOS mode configured on the device. In basic
show qos -
mode shows 'trust mode'.
Shows lists of traffic classification criteria.
show class-map class_map_name:
Only valid for qos advanced mode.
[class_map_name] (1..32) symbols

show policy-map policy_map_name:

Shows traffic classification rules.
Only valid for qos advanced mode.
[policy_map_name] (1..32) symbols
ETS-1-10G-A 5. Device management. Command line interface 274

show qos aggregate­policer Shows average speed settings and bandwidth limits
[aggregate_policer_name] aggregate_policer_name:
(1..32) symbols
for traffic classification rules.
Only valid for qos advanced mode.
show qos interface [buffers | Shows QoS parameters for the interface.
queuing | policers | shapers] - vlan_id – VLAN number;
[tengigabitethernet te_port | - te_port – Ethernet XG1-XG12 interfaces number;
port-channel group | vlan - group – port group number;
te_port: (1..8/0/1..32);
vlan_id] - buffers – buffer settings for interface queues;
group: (1..32);
- queueing – queue processing algorithm (WRR or EF), weight for
vlan_id: (1..4094)
WRR queues, service classes for queues and priority for EF;
- policers – configured traffic classification strategies for the
interface;
- shapers – speed limit for outgoing traffic.
show qos map [dscp­queue | Shows information about replacing fields in packets used by QOS.
dscp-dp | policed-dscp | - dscp-queue – DSCP and queue matching table;
dscp­mutation] - - dscp-dp – DSCP and Reset Priority (DP) mark matching table;
- policed-dscp – DSCP remarking table;
- dscp-mutation – DSCP-to-DSCP changes table.

Command execution example

 Enable QoS advanced mode. Distribute traffic by queue, packets with DSCP 12 first, packets with
DSCP 16 second. 8th queue is a priority. Create a strategy to classify traffic by list of ACL, allowing
the transfer of TCP-packets with DSCP 12 and 16 and limiting the speed – the average speed is
1000 kbps, the limit threshold is 200000 bytes. Use this strategy on Ethernet interfaces 14 and
16.

console#
console# configure
console(config)# ip access-list tcp_ena
console(config-ip-al)# permit tcp any any any any dscp 12
console(config-ip-al)# permit tcp any any any any dscp 16
console(config-ip-al)# exit
console(config)# qos advanced
console(config)# qos map dscp-queue 12 to 1
console(config)# qos map dscp-queue 16 to 2
console(config)# priority-queue out num-of-queues 1
console(config)# policy-map traffic
console(config-pmap)# class class1 access-group tcp_ena
console(config-pmap-c)# police 1000 200000 exceed-action drop
console(config-pmap-c)# exit
console(config-pmap)# exit
console(config)# interface tengigabitethernet 1/0/14
console(config-if)# service-policy input traffic
console(config-if)# exit
console(config)# interface tengigabitethernet 1/0/16
ETS-1-10G-A 5. Device management. Command line interface 275

console(config-if)# service-policy input traffic

console(config-if)# exit
console(config)#

QoS statistics
Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#
Table 222 – Global mode configuration commands.

Command Value/Default value Action

qos statistics Enables QoS statistics on bandwidth limitation.
aggregate­policer
aggregate_policer_name aggregate_policer_name:
(1..32) characters;
By default, QoS statistics Disables QoS statistics on bandwidth limitation.
no qos statistics
is disabled
aggregate­policer
aggregate_policer_name

EXEC mode commands

Command line prompt in the EXEC mode is as follows:
console#

Table 223 – EXEC mode commands.

Command Value/Defaul value Action

clear qos statistics - Clears the QoS statistics.

show qos statistics - Shows QoS statistics.

ETS-1-10G-A 5. Device management. Command line interface 276

5.30 Routing protocols configuration

Static route configuration

Static routing is a type of routing in which routes are defined explicitly during the router
configuration. All routing in this case occurs without any routing protocols.

Global mode configuration commands

Command line prompt in the global configuration mode:

console(config)#

Table 224 – Global mode configuration commands

Command Value/Defaul value Action

ip route prefix {mask |
Creates a static routing rule.
prefix_length} {gateway - prefix – destination network (for example 172.7.0.0);
[metric distance] | - mask – network mask (in decimal format);
reject­route} - prefix_length – network mask prefix (number of units per
mask);
prefix_length: (0..32); - gateway – gateway to the destination network;
distance (1..255)/1 - distance – route weight;
- reject-route – prohibits routing to the destination network
through all gateways.
ip route prefix {mask | Removes the rule from the static routing table.
prefix_length} {gateway |
reject­route}

EXEC mode commands

Command line prompt in the EXEC mode is as follows:

console#

Table 225 – EXEC mode commands

ETS-1-10G-A 5. Device management. Command line interface 277

Command Value/Defaul value Action

show ip route Shows the routing table that meets the specified criteria.
[connected | static | – connected – connected route, i.e. a route taken from a
address ip_address [mask - directly connected and functioning interface;
| prefix_length] – static – a static route listed in the routing table.
[longer­prefixes]]

Example of command execution

 Show routing table:

console# show ip route

Maximum Parallel Paths: 2 (4 after reset)
Codes: C - connected, S - static
C 10.0.1.0/24 is directly connected, Vlan 1
S 10.9.1.0/24 [5/2] via 10.0.1.2, 17:19:18, Vlan 12
S 10.9.1.0/24 [5/3] via 10.0.2.2, Backup Not Active
S 172.1.1.1/32 [5/3] via 10.0.3.1, 19:51:18, Vlan 12

Table 226 – Description of command execution results

Field Description
Shows the origin of the route:
C C – Сonnected (route taken from directly connected and functioning interface),
S – Static (static route listed in the routing table).
10.9.1.0/24 Network address.
The first value in brackets is the administrative distance (the more trust the router has, the
[5/2]
less trust the source has), the second number is the route metric.
via 10.0.1.2 Specifies the IP address of the next router through which the route to the network passes.
00:39:08 Defines the time when the route was last updated (hours, minutes, seconds).
Vlan 1 Defines the interface through which the route to the network passes.

RIP configuration
RIP ( Routing Information Protocol) — internal protocol that allows routers to dynamically update
routing information from neighboring routers. This is a very simple protocol based on the application of a
remote routing vector. As a remote vector protocol, RIP periodically sends updates between neighbors,
thus building the network topology. Each update transmits information about the distance to all networks
to a nearby router. The switch supports RIP version 2.
ETS-1-10G-A 5. Device management. Command line interface 278

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#

Table 227 – Global mode configuration commands

Command Value/Default value Action

router rip Enters the RIP configuration mode.
-
no router rip Deletion of the global RIP configuration.

RIP configuration mode commands

Type of command line query:

console(config-rip)#
ETS-1-10G-A 5. Device management. Command line interface 279

Table 228 – RIP configuration mode commands

Command Value/Default value Action

Sets the value of metric from which routes received by other
default-metric
[metric] routing protocols will be advertised. Without this option, it sets
metric: (1..15)/1 the default value.
no default-metric Sets the default value.

Sets the IP address of the interface that will participate in the

network A.B.C.D
A.B.C.D: Interface IP routing process.
address Removes the IP address of the interface that will participate in
no network A.B.C.D
the routing process.
Enables routes to be advertised via RIP.
redistribute {static
| connected } [metric - without parameters – default-metric will be used
transparent] when advertising routes;
- metric transparent – metrics from the
- routing table will be used.
no redistribute Disables static routes to be advertised via RIP.
{static | connected} - metric transparent – prohibits using
[metric transparent] the metrics from the routing table.
metric: (1..15, Enable OSPF routes to be advertised via RIP.
redistribute ospf
[metric metric | transparent)/1; - type – advertise only the specified types of OSPF routes;
match type | match: (internal, - route-map_name – advertise the routes
route­map external­1, external-2); after filtering them through the
route_map_name] route_map_name: specified route-map;
(1..32) symbols
shutdown Disables the RIP routing process.
/enabled
no shutdown Enables the RIP routing process.

passive-interface Disable routing updates.

/enabled
no passive-interface Enable routing updates.

Generate default route

default-information
originate
-/no route is generated
Restore the default value.
no default-
information originate

IP interface configuration mode commands

Type of command line query:

ETS-1-10G-A 5. Device management. Command line interface 280

console(config-ip)#
Table 229 – IP interface configuration mode commands

Command Value/Defaul value Action

Disables RIP routing on this interface.
ip rip shutdown
/enabled
Enables RIP routing on this interface.
no ip rip shutdown

ip rip passive- Disables sending updates on the interface.

interface
By default, sending
updates is enabled Sets the default value.
no ip rip passive-
interface

ip rip offset offset Adds an offset to the metric.

offset: (1..15)/1
no ip rip offset Sets the default value.

ip rip default- Sets the metric for the default route broadcast via RIP.
information originate
metric metric: (1..15)/1;
By default, the function Sets the default value.
no ip rip is disabled
default­information
originate

ip rip authentication Enables authentication in RIP and defines its type:

mode {text | md5} - text – clear text authentication;
By default, the
authentication is - md5 – MD5 authentication.
no ip rip disabled Sets the default value.
authentication mode

ip rip authentication Defines a set of keys that can be used for authentication.
key­chain key_chain
key_chain: (1..32
no ip rip characters) Sets the default value.
authentication
key­chain

ip rip Defines the key for clear text authentication.

authentication-key
clear_text clear_text: (1..16)
characters
no ip rip Sets the default value.
authentication­key
ETS-1-10G-A 5. Device management. Command line interface 281

ip rip distribute- Sets a standard IP ACL to filter advertised routes.

list access acl_name
acl_name: (1..32
characters) Sets the default value.
no ip rip distribute-
list

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 230 – Privileged EXEC mode commands

Command Value/Default value Action

show ip rip [database View RIP routing information:
| statistics | peers] - database – information about RIP settings;
-
- statistics – statistical data;
- peers – network member information.

Example use of commands

Enable RIP for the 172.16.23.0 subnet (switch IP address 172.16.23.1) and MD5 authentication
using the mykeys set of keys:
сonsole#
сonsole# configure
сonsole(config)# router rip
сonsole(config-rip)# network 172.16.23.1
сonsole(config-rip)# interface ip 172.16.23.1
сonsole(config-if)# ip rip authentication mode md5
сonsole(config-if)# ip rip authentication key-chain mykeys

OSPF and OSPFv3 configuration

OSPF (Open Shortest Path First) is a dynamic routing protocol, based on link-state technology and
using shortest path first Dijkstra algorithm. OSPF is an internal gateway protocol (IGP). OSPF protocol
distributes information on available routes between routers in a single autonomous system.
The device supports simultaneous operation of several independent instances of OSPF processes.
OSPF instance parameters are set by specifying the instance identifier (process_id).
ETS-1-10G-A 5. Device management. Command line interface 282

Global mode configuration commands

Command line prompt in the mode of global configuration is as follows:

console(config)#

Table 231 – Global mode configuration commands

Command Value/Default value Action

router ospf Enables OSPF routing.
[process_id] Defines the process identifier.
process_id:
(1..65535)/1 Disables OSPF routing.
no router ospf
[process_id]

ipv6 router ospf Enables OSPFv3 routing.

[process_id] Defines the process identifier.
process_id:
(1..65535)/1 Disables OSPFv3 routing.
no ipv6 router ospf
[process_id]

ipv6 distance ospf Sets the administrative distance for OSPF, OSPFv3 routes.
{inter­as | intra-as} - inter-as – for autonomous external systems
distance - intra-as – into the autonomous system
distance: (1..255)
no ipv6 distance ospf Returns the default values.
{inter­as | intra-as}

OSPF process mode commands

Command line prompt in the OSPF process configuration mode is as follows:

console(router_ospf_process)#
console(ipv6 router_ospf_process)#

Table 232 – OSPF process configuration mode commands

Command Value/Default value Action

ETS-1-10G-A 5. Device management. Command line interface 283

redistribute connected [metric Allows connected routes to be advertised:

metric] [route-map name] - metric – the metric value for the imported routes;
[subnets]
- name – the name of the import policy that
metric: (1..65535); allows to filter and make changes to the routes you
are importing;
name: (1..255)
characters - subnets – allows to import subnets.

no redistribute connected Prohibits the specified function.

[metric metric] [route-map
name] [subnets]

redistribute static [metric Import of static routes into OSPF.

metric] [route-map name] - metric – sets the metric value for the imported
[subnets] routes;
- name – applies the import policy that allows to
metric: (1..65535); filter and make changes to the routes you are
name: (1..255) importing;
characters - subnets – allows to import subnets.

no redistribute static [metric Prohibits the specified function.

metric ] [route-map name]
[subnets]

redistribute ospf id Importing routes from the OSPF process to the

[nssa­only] [metric metric] OSPF process:
[metric-type {type-1 | type- - nssa-only – sets nssa-only for all imported
2}] [route-map name] [match routes;
{internal | external-1 | - metric-type type-1 – imports marked as OSPF
external-2}] [subnets]
external 1;
- metric-type type-2 imports marked as
OSPF external 2;
id: (1..65535);
- match internal – imports routes within the
metric: (1..65535); area;
name: (0..32)
- match external-1 – imports OSPF external 1
characters. type routes;
- match external-2 – imports OSPF external 2
type routes;
- subnets – allows to import subnets;
- name – applies the specified import policy that
allows to filter and make changes to the routes
you are importing;
- metric – sets the metric value for the imported
routes.
ETS-1-10G-A 5. Device management. Command line interface 284

no redistribute ospf [id] Prohibits the specified function.

[nssa­only] [metric metric]
[metric-type {type-1 | type-
2}] [route-map name] [match
{internal | external-1 |
external-2}] [subnets]

redistribute rip [metric Import routes from RIP to OSPF.

metric] [route-map name] - metric – the metric value for the imported routes;
[subnets]
- name – the name of the import policy that
metric: (1..65535); allows to filter and make changes to the routes you
are importing;
name: (1..255)
characters - subnets – allows to import subnets.
no redistribute rip [metric Prohibits the specified function.
metric] [route-map name]
[subnets]

router-id A.B.C.D Sets the router ID that uniquely identifies the

A.B.C.D: router id in the router within a single autonomous system.
format of ipv4 address Sets the default value.
no router-id A.B.C.D

network ip_addr area A.B.C.D Enable (disable) OSPF instance on IP interface

[shutdown] (for IPv4).
ip_addr: A.B.C.D
Removes interface IP address.
no network ip addr

default-metric metric Sets the OSPF route metric.

metric: (1..65535)
no default-metric Disabling function.

area A.B.C.D stub [no­summary] Sets the stub type for the specified zone. Zone
is a set of networks and routers with the same
identifier.
A.B.C.D: router ID in
- no-summary – do not send
the format of IPv4
information on aggregated
address
external routes.
no area A.B.C.D stub Sets the default value.
ETS-1-10G-A 5. Device management. Command line interface 285

area A.B.C.D nssa [no­summary] Sets the NSSA type for the specified zone.
[translator­stability­interval - no-summary – do not accept information on
interval] [translator-role aggregated external routes within the NSSA area;
{always | candidate}] - interval – specifies the time
interval (per second) during
which the translator will perform
A.B.C.D: router ID in its functions after it discovers
the format of IPv4 that the translator is another
address; edge router.
- translator-role – determines how the
interval: positive
integer; router will operate in the Translator mode
(Type-7 LSA to Type-5 LSA):
- always – in forced permanent mode;
- candidate – in the translator selection
mode.
no area A.B.C.D nssa Sets the default value.

area A.B.C.D virtual-link Create a virtual connection between the

A.B.C.D [hello-interval secs] primary and other remote areas that have areas
[retransmit-interval secs] between them.
[transmit-delay secs] - hello-interval – specify the hello interval;
[dead­interval secs] [null | - retransmit-interval – specify the retransmit
message-digest] [key-chain
word] interval;
A.B.C.D: router ID in - transmit-delay – specify the delay time;
the format of IPv4 - dead-interval – specify the dead interval;
address; - null – without authentication;
secs: (1..65535) - message-digest – authentication with
seconds; encryption;
word: (1..256) - word – password for authentication.
no area A.B.C.D virtual-link
characters Removes the virtual connection.
A.B.C.D [hello-interval secs]
[retransmit-interval secs]
[transmit-delay secs]
[dead­interval secs] [null |
message-digest] [key-chain
word]

Sets the value of the total route used for the

area A.B.C.D default-cost cost A.B.C.D: router ID in
the format of IPv4 stub and NSSA zones (for IPv4).
no area A.B.C.D default-cost address; Sets the default value.
cost: positive integer
ETS-1-10G-A 5. Device management. Command line interface 286

area A.B.C.D authentication Enables authentication for all interfaces in the

A.B.C.D: router ID in zone (for IPv4):
[message-digest]
the format of IPv4 - message-digest – with MD5 encryption.
address;
no area A.B.C.D authentication Disables the authentication.
[message­digest] -/disabled

area A.B.C.D range Creates a summary route at the zone boundary

A.B.C.D: router ID in (for IPv4).
network_address mask
the format of IPv4
[advertise | not-advertise] - advertise – advertise the created route;
address;
- not-advertise – do not advertise the created
network_address: route.
A.B.C.D;
no area A.B.C.D range Delete the summary route.
network_address mask mask: E.F.G.H

Sets a filter for routes advertised to the

area A.B.C.D filter-list A.B.C.D: router ID in
prefix prefix_list in the format of IPv4 specified zone from other zones (for IPv4).
address;
no area A.B.C.D filter-list Removes the filter for routes advertised to the
prefix prefix_list in prefix_list: (1..32) specified zone from other zones (for IPv4).
symbols

Sets a filter for routes advertised from the

area A.B.C.D filter-list A.B.C.D: router ID in
prefix prefix_list out the format of IPv4 specified zone to other zones (for IPv4).
address;
no area A.B.C.D filter-list Removes the filter for routes advertised from
prefix prefix_list out prefix_list: (1..32) the specified zone to other zones (for IPv4).
symbols

Disables the OSPF process for the zone.

area A.B.C.D shutdown A.B.C.D: router ID in
the format of IPv4
no area A.B.C.D shutdown address; Enables the OSPF process for the zone.

/enabled

shutdown Disables the OSPF process.

/enabled
no shutdown Enables the OSPF process.

IP interface configuration mode commands

Type of command line query:

console(config-ip)#

Table 233 – IP interface configuration mode commands

ETS-1-10G-A 5. Device management. Command line interface 287

Command Value/Default value Action

ip ospf shutdown Disables the routing via OSFP on the interface.
/enabled
no ip ospf shutdown Enables the routing via OSFP on the interface.
ip ospf authentication Enables authentication in OSPF and defines its type:
[key­chain key_chain | null | key_chain: (1..32) - key_chain – the name of the key set created by the key chain
message-digest] characters; command;
By default, the - null – do not use authentication;
authentication is - message-digest – MD5 authentication.
no ip ospf authentication disabled Sets the default value.
[key­chain]
ip ospf authentication-key key Assigns a password to authenticate neighbors accessible
through the current interface. The password so specified will be
key: (1..8) characters embedded in the header of each OSPF packet that leaves the
network as an authentication key.
no ip ospf authentication­key Removes the password.
ip ospf cost cost Sets the metric of the channel state, which is a conventional
cost: (1..65535)/10 indicator of the 'cost' of sending data through the channel.
no ip ospf cost Sets the default value.
ip ospf dead-interval {interval | Sets the time interval in seconds after which the neighbor is
minimal} interval: (1..65535) considered to be idle. This interval should be a multiple of the
seconds; ‘hello interval’ value. As a rule, dead-interval is equal to 4
minimal – 1 sec intervals of sending hello-packets.
no ip ospf dead-interval Sets the default value.
ip ospf hello-interval interval Sets the time interval in seconds after which the router sends
interval: (1..65535)/10
the next hello packet from the interface.
seconds
no ip ospf hello-interval Sets the default value.
ip ospf mtu-ignore Disabling MTU check.
-/enabled
no ip ospf mtu-ignore Sets the default value.
ip ospf passive-interface Disables the IP interface to exchange protocol messages with
neighbors via the specified physical interface.
-/disabled
no ip ospf passive-interface Enables the IP interface to exchange protocol messages with
neighbors.
ip ospf priority priority Sets the router priority that is used for DR and BDR selection.
priority: (0..255)/1
no ip ospf priority Sets the default value.

Ethernet, VLAN interface configuration mode commands:

Type of command line query:

console(config-if)#

Table 234 – Ethernet, VLAN interface configuration mode commands

ETS-1-10G-A 5. Device management. Command line interface 288

Command Value/Default value Action

ipv6 ospf shutdown Disables the routing via OSFPv3 on the interface.
/enabled
no ipv6 ospf shutdown Enables the routing via OSFPv3 on the interface.
ipv6 ospf process area area process: (1..65536); Enable (disable) the OSPF process for a specific zone.
[shutdown] area: router ID in the
format of IPv4 address
ipv6 ospf cost cost Sets the metric of the channel state, which is a conventional
cost: (1..65535)/10 indicator of the 'cost' of sending data through the channel.
no ipv6 ospf cost Sets the default value.
ipv6 ospf dead-interval interval Sets the time interval in seconds after which the neighbor is
considered to be idle. This interval should be a multiple of the
interval: (1..65535)
‘hello interval’ value. As a rule, dead-interval is equal to 4 intervals
seconds
of sending hello-packets.
no ipv6 ospf dead-interval Sets the default value.
ipv6 ospf hello-interval interval Sets the time interval in seconds after which the router sends the
interval: (1..65535)/10
next hello packet from the interface.
seconds
no ipv6 ospf hello-interval Sets the default value.
ipv6 ospf mtu-ignore Disabling MTU check.
-/disabled
no ipv6 ospf mtu-ignore Sets the default value.
ipv6 ospf neighbor Defines the IPv6 address of the neighbor.
{ipv6_address}
-
ipv6 ospf neighbor Deletes the IPv6 address of the neighbor.
{ipv6_address}
ipv6 ospf priority priority Sets the router priority that is used for DR and BDR selection.
priority: (0..255)/1
no ipv6 ospf priority Sets the default value.
ipv6 ospf retransmit-interval Sets the time interval in seconds after which the router will re-
interval send a packet to which it has not received receiption confirmation
interval: (1..65535)/5 (for example, Database Description packet or Link State Request
seconds packets).
no ipv6 ospf Sets the default value.
retransmit­interval
ipv6 ospf transmit-delay delay Sets the approximate time in seconds required to transmit the
delay: (1..65535)/1
channel state packet.
seconds
no ip ospf transmit-delay Sets the default value.

Privileged EXEC mode commands

Command line prompt in the Privileged EXEC mode is as follows:

console#

Table 235 – Privileged EXEC mode commands

ETS-1-10G-A 5. Device management. Command line interface 289

Command Value/Default value Action

show {ip | ipv6} ospf process_id: Displays OSPF configurations.
[process_id] (1..65536)

show {ip | ipv6} ospf process_id: Displays OSPF neighbor information.

[process_id] neighbor (1..65536)

show ip ospf
process_id: Displays information about the OSPF neighbor with the
[process_id] neighbor
(1..65536); specified address.
A.B.C.D: The IP
A.B.C.D address of the
neighbor
show {ip | ipv6} ospf Displays configurations for all OSPF interfaces.
process_id:
[process_id]
(1..65536)
interface

show {ip | ipv6} ospf Displays configuration for a specific OSPF interfaces.
process_id:
[process_id]
(1..65535);
interface [ip_int |
brief]

show {ip | ipv6} ospf process_id: Displays the status of the OSPF protocol database.
[process_id] database (1..65535)

show {ip | ipv6} ospf Displays the parameters and current status of virtual links.
process_id:
virtual­links
(1..65535)
[process_id]

Virtual Router Redundancy Protocol (VRRP) configuration

VRRP is designed for backup of routers acting as default gateways. This is achieved by joining IP
interfaces of the group of routers into one virtual interface which will be used as the default gateway for
the computers of the network. On the channel level, redundant interfaces have a MAC address of
00:00:5E:00:01:XX, where XX is the VRRP group number (VRID).
Only one of the physical routers can perform traffic routing on the virtual IP-interface (VRRP
master), the rest of the routers in the group are designed for redundancy (VRRP backup). The VRRP master
is selected according to RFC 5798. If the current master becomes unavailable, the selection of the master
is repeated. The highest priority is given to the router with its own IP address that matches the virtual
one. When available, it always becomes a VRRP master. The maximum number of VRRP processes is 50.

Ethernet, VLAN or port group interface configuration mode commands

Command line prompt in the Ethernet, VLAN, port group interface configuration mode is as follows:
ETS-1-10G-A 5. Device management. Command line interface 290

console(config-if)#

Table 236 – Ethernet, VLAN or port group interface configuration mode commands

Command Value/Default value Action

Adding a description of the purpose or use for a VRRP router with a
vrrp vrid description text vrid: (1..255); vrid identifier.
text: (1..160
Deleting the description of the VRRP router.
no vrrp vrid description characters).

vrrp vrid ip ip_address Specify the IP address of the VRRP router

no vrrp vrid ip [ip_address] Delete the IP address of the VRRP router. If an IP address is not
vrid: (1..255) specified as a parameter, all IP addresses of the virtual router will
be deleted, and therefore the vrid virtual router on this device will
be deleted.
Enabling the mode, in which the higher priority Backup router
vrrp vrid preempt
would try to take the Master role from the current lower priority
Master router.
vrid: (1..255); The router that owns the IP address of the router will take
By default is enabled over the master role regardless of the settings of this
command.
Sets the default value:
no vrrp vrid preempt
vrid: (1..255); Assigning the priority to the VRRP router.
vrrp vrid priority priority
priority: (1..254);
Sets the default value:
no vrrp vrid priority Default: 255 for owner
of IP address, 100 for
others
Disabling VRRP protocol on this interface.
vrrp vrid shutdown
vrid: (1..255);
Default: disabled Enabling VRRP protocol on this interface.
no vrrp vrid shutdown

Define the actual VRRP address to be used as the sender IP

vrrp vrid source-ip ip_address
vrid: (1..255); address for VRRP messages.
Default: 0.0.0.0 Sets the default value:
no vrrp vrid source-ip

Set the number of trackings for the specified VRRP group.

vrrp vrid track track_number
[decrement - decrement_priority – decreasing the priority of the router
decrement_priority] vrid: (1..255); when the object of observation becomes unavailable
track_number: (1..64);
decrement: (1..253)

Cancel the set number of trackings for the specified VRRP

no vrrp vrid track
group.
ETS-1-10G-A 5. Device management. Command line interface 291

Determining the interval between master router

vrrp vrid timers advertise
{seconds | msec milliseconds} advertisement. If the interval is set in milliseconds, it is
seconds: (1..40); rounded down to the nearest second for VRRP Version 2 and
milliseconds: to the nearest hundredth of a second (10 milliseconds) for
(50..40950); VRRP Version 3.
Default: 1 sec Sets the default value:
no vrrp vrid timers advertise
[msec]
Define the supported version of the VRRP protocol.
vrrp vrid version {2 | 3 | 2&3}
- 2 – VRRPv2 is supported as defined in RFC3768. VRRPv3 messages
received are discarded by the router. Only VRRPv2 advertisements
are sent.
- 3 – VRRPv3 is supported as defined in RFC5798, without
compatibility with VRRPv2 (8.4, RFC5798). VRRPv2 messages
received are discarded by the router. Only VRRPv2 advertisements
are sent.
-/3
- 2&3 – VRRPv3 is supported as defined in RFC5798, with
compatibility with VRRPv2 VRRPv2 messages received are
processed by the router. VRRPv2 and VRRPv3 advertisements are
sent.
Supported only in VRRPv3. Modes 2 and 2&3 will be supported in
future versions of the frimware.
Sets the default value:
no vrrp vrid version

Privileged EXEC mode commands

All commands are available for privileged user.

Command line prompt in the Privileged EXEC mode is as follows:

console#
Table 237 – Privileged EXEC mode commands

Command Value/Default value Action

show vrrp [all | View brief or detailed information for all or one VRRP
brief | counters virtual router configured.
interface { te_port: (1..8/0/1..32); - all — view information about all virtual routers,
tengigabitethernet group: (1..32); including those disabled;
te_port | port-channel vlan_id: (1..4094)
group | vlan vlan_id}] - brief — view a summary of all virtual routers;
- counters - displays counters for VRRP.
ETS-1-10G-A 5. Device management. Command line interface 292

Command execution example

 Configure the IP address 10.10.10.1 on VLAN 10, use this address as the virtual router address.
Enable VRRP protocol on VLAN interface.

console(config-vlan)# interface vlan 10

console(config-if)# ip address 10.10.10.1 /24
console(config-if)# vrrp 1 ip 10.10.10.1
console(config-if)# no vrrp 1 shutdown

 View VRRP configuration:

console# show vrrp

Interface: vlan 10
Virtual Router 1
Virtual Router name
Supported version VRRPv3
State is Initializing
Virtual IP addresses are 10.10.10.1(down)
Source IP address is 0.0.0.0(default)
Virtual MAC address is 00:00:5e:00:01:01
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 255
ETS-1-10G-A 6. Service Menu, Change of Firmware 293

6 Service Menu, Change of Firmware

6.1 Startup menu

The Startup menu is used to perform special procedures, such as restoring to factory settings and
recovering a password.

To enter the Startup menu, you must interrupt the download by pressing the <Esc> or <Enter> key
within the first two seconds after the autoBOOT message appears (after the POST procedure is
completed).

Startup Menu
[1] Restore Factory Defaults
[2] Password Recovery Procedure
[3] Back
Enter your choice or press 'ESC' to exit:

To exit the menu and load the device press <5>, or <Esc>.

If no menu item is selected within 15 seconds (default), the device will continue booting. You
can increase the waiting time by using console commands.

Table 238 – Startup menu description

№ Name Description

Restore Factory Defaults This procedure is used to delete the device configuration. Restores the default
<1> Restore factory defaults configuration.

This procedure is used to recover the lost password, it allows you to connect to the
device without password.
To restore the password, press the <2> key, the password will be ignored when
Password Recovery Procedure connecting to the device later.
<2> Password recovery Current password will be ignored!
Press the [enter] key to return to the Startup menu.
==== Press Enter To Continue ====
Back To exit the menu and load the device press <Enter>, or <Esc>.
<3> Exit from the menu
ETS-1-10G-A 6. Service Menu, Change of Firmware 294

6.2 Firmware update from TFTP server

The TFTP server must be started and set up on the computer from which the firmware will
be downloaded. The server must have permission to read the bootloader and/or system
firmware files. The computer with the TFTP server running must be available for the switch
(you can control it by executing the ping A.B.C.D command on the switch, where A.B.C.D
is the IP address of the computer).

Firmware can only be updated by a privileged user.

Firmware update
The device is loaded from a file of system software, which is stored in flash memory. When updating
a new system software file is stored in a dedicated memory area. When booting, the device launches the
active system software file.

If no device number is specified, this command applies to the master.

To view the current version of system firmware running on your device, enter the show version
command:

console# show version

Active-image: flash://system/images/image1.ros
Version: 5.5.4
Commit: 25503143
MD5 Digest: 6f3757fab5b6ae3d20418e4d20a68c4c
Date: 03-Jun-2016
Time: 19:54:26
Inactive-image: flash://system/images/_image1.ros
Version: 5.5.4
Commit: 16738956
MD5 Digest: d907f3b075e88e6a512cf730e2ad22f7
Date: 10-Jun-2016
Time: 11:05:50

Firmware update procedure:

ETS-1-10G-A 6. Service Menu, Change of Firmware 295

Copy the new firmware file to the device in the dedicated

memory area. Command format:

boot system tftp://tftp_ip_address/[directory/]filename

Example of command execution:

console# boot system tftp://10.10.10.1/image1.ros

26-Feb-2016 11:07:54 %COPY-I-FILECPY: Files Copy - source URL

tftp://10.10.10.1/image.ros destination URL flash://
system/images/mes5324-401.ros
26-Feb-2016 11:08:53 %COPY-N-TRAP: The copy operation was completed successfully

Copy: 20644469 bytes copied in 00:00:59 [hh:mm:ss]

The new firmware version will become active after the switch is rebooted.

To view data on software versions and their activity, enter the show bootvar command:

console#show bootvar

Active-image: flash://system/images/image1.ros
Version: 5.5.4
MD5 Digest: 0534f43d80df854179f5b2b9007ca886
Date: 01-Mar-2016
Time: 17:17:31
Inactive-image: flash://system/images/_image1.ros
Version: 5.5.4
MD5 Digest: b66fd2211e4ff7790308bafa45d92572
Date: 26-Feb-2016
Time: 11:08:56

console# reload

This command will reset the whole system and disconnect your current
session. Do you want to continue (y/n) [n]?

Confirm reboot by entering 'y'.

A Examples of Application and Device
Configuration

Multiple Spanning Tree Protocol (MSTP) configuration

The MSTP allows you to build many interconnecting trees for individual VLAN groups on the LAN
switches, which allows you to load balance. For simplicity, consider the case of three switches combined
in a ring topology.

Vlan 10, 20, 30 should be combined in the first instance of MSTP, vlan 40, 50, 60 should be
combined in the second instance. It is necessary that VLAN traffic 10, 20, 30 between the first and
second switches is transmitted directly and VLAN traffic 40, 50, 60 is transmitted in transit through
switch 3. Switch 2 is to be assigned to the root of the Internal Spanning Tree (IST) in which service
information is transmitted. Switches are combined in a ring using te1 and te2 ports. Below is a diagram
depicting a logical network topology.

Figure A.1 – Configuring the protocol for the multiple spanning trees
ETS-1-10G-A A. Examples of Application and Device Configuration 297

When one of the switches fails or a channel breaks, many MSTP trees are rebuilt to minimize the
impact of a failure. Below is the switch configuration process. For faster setup, a common configuration
template is created, which is uploaded to the TFTP server and subsequently used to configure all
switches.

1. Template creation and configuration of the first switch

console# configure
console(config)# vlan database
console(config-vlan)# vlan 10,20,30,40,50,60
console(config-vlan)# exit
console(config)# interface vlan 1
console(config-if)# ip address 192.168.16.1 /24
console(config-if)# exit
console(config)# spanning-tree mode mst
console(config)# interface range TengigabitEthernet 1/0/1-2
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 10,20,30,40,50,60
console(config-if)# exit
console(config)# spanning-tree mst configuration
console(config-mst)# name sandbox
console(config-mst)# instance 1 vlan 10,20,30
console(config-mst)# instance 2 vlan 40,50,60
console(config-mst)# exit
console(config)# do write
console(config)# spanning-tree mst 1 priority 0
console(config)# exit
console#copy running-config tftp://10.10.10.1/mstp.conf

Multicast-TV VLAN configuration

The 'MulticastTV VLAN' feature allows you to use a single VLAN on the carrier's network to transmit
multicast traffic and deliver that traffic to users even if they are not members of that VLAN. With the
'Multicast TV VLAN' function, the load on the operator's network can be reduced by not duplicating
multicast data, for example when providing an IPTV service.

The application scheme of the function assumes that the user ports work in 'access' or 'customer'
mode and belong to any VLAN except the multicast-tv VLAN. Users can only receive multicast traffic from
a multicast-tv VLAN and cannot transmit data on that VLAN. In addition, the switch must be configured
with a source port for multicast traffic, which must be a member of the multicast-tv VLAN.

Example setting for port in the access operation mode

1. Enable multicast data filtering:

ETS-1-10G-A A. Examples of Application and Device Configuration 298

console(config)# bridge multicast filtering

2. Configure VLAN users (VID 100-124), multicast-tv VLAN (VID 1000), VLAN management (VID
1200):

console(config)# vlan database

console(config-vlan)# vlan 100-124,1000,1200
console(config-vlan)# exit

3. Configure user ports:

console(config)# interface range te1/0/10-24

console(config-if)# switchport mode access
console(config-if)# switchport access vlan 100
console(config-if)# switchport access multicast-tv vlan 1000
console(config-if)# bridge multicast unregistered filtering
console(config-if)# exit

4. Configure the uplink port by allowing multicast, user and management traffic:

console(config)# interface te1/0/1

console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 100-124,1000,1200
console(config-if)# exit

5. Configure IGMP snooping globally and on interfaces:

console(config)# ip igmp snooping

console(config)# ip igmp snooping vlan 1000
console(config)# ip igmp snooping vlan 1000 querier
console(config)# ip igmp snooping vlan 100
console(config)# ip igmp snooping vlan 101
console(config)# ip igmp snooping vlan 102
console(config)# ip igmp snooping vlan 103
…
console(config)# ip igmp snooping vlan 124
ETS-1-10G-A A. Examples of Application and Device Configuration 299

6. Configure the management interface:

console(config)# interface vlan 1200

console(config-if)# ip address 192.168.33.100 255.255.255.0
console(config-if)# exit

Selective-qinq configuration

Adding SVLAN

The switch configuration example shown here shows how to add a SVLAN 20 tag to all incoming
traffic except VLAN 27.

console# show running-config

vlan database
vlan 20,27
exit
!
interface tengigabitethernet1/0/5
switchport mode general
switchport general allowed vlan add 27 tagged
switchport general allowed vlan add 20 untagged
switchport general ingress-filtering disable
selective-qinq list ingress permit ingress_vlan 27
selective-qinq list ingress add_vlan 20
exit
!
!
end

CVLAN spoofing

VLAN spoofing tasks are quite common in data networks (e.g., there is a typical configuration for
access layer switches, but user traffic, VOIP and management traffic need to be transmitted in different
VLANs in different directions). In this case, it would be convenient to use the CVLAN substitution
function to replace typical VLANs with VLANs for the required direction. Below is the configuration of
the switch where VLAN 100, 101 and 102 are replaced by 200, 201 and 202. Reverse substitution should
be done on the same interface:

console# show running-config

vlan database
vlan 100-102,200-202
exit
ETS-1-10G-A A. Examples of Application and Device Configuration 300

!
interface tengigabitethernet 1/0/1
switchport mode trunk
switchport trunk allowed vlan add 200-202
selective-qinq list egress override_vlan 100 ingress_vlan 200
selective-qinq list egress override_vlan 101 ingress_vlan 201
selective-qinq list egress override_vlan 102 ingress_vlan 202
selective-qinq list ingress override_vlan 200 ingress_vlan 100
selective-qinq list ingress override_vlan 201 ingress_vlan 101
selective-qinq list ingress override_vlan 202 ingress_vlan 102
exit!end
ETS-1-10G-A B. Console Cable 301

B Console Cable

Figure B.1 – Connecting the console cable

ETS-1-10G-A C. Supported Ethertype Values 302

C Supported Ethertype Values

Table B.1 – Supported EtherType values

0x22DF 0x8145 0x889e 0x88cb 0x88e0 0x88f4 0x8808 0x881d 0x8832 0x8847

0x22E0 0x8146 0x88a8 0x88cc 0x88e1 0x88f5 0x8809 0x881e 0x8833 0x8848

0x22E1 0x8147 0x88ab 0x88cd 0x88e2 0x88f6 0x880a 0x881f 0x8834 0x8849

0x22E2 0x8203 0x88ad 0x88ce 0x88e3 0x88f7 0x880b 0x8820 0x8835 0x884A

0x22E3 0x8204 0x88af 0x88cf 0x88e4 0x88f8 0x880c 0x8822 0x8836 0x884B

0x22E6 0x8205 0x88b4 0x88d0 0x88e5 0x88f9 0x880d 0x8824 0x8837 0x884C

0x22E8 0x86DD 0x88b5 0x88d1 0x88e6 0x88fa 0x880f 0x8825 0x8838 0x884D

0x22EC 0x86DF 0x88b6 0x88d2 0x88e7 0x88fb 0x8810 0x8826 0x8839 0x884E

0x22ED 0x885b 0x88b7 0x88d3 0x88e8 0x88fc 0x8811 0x8827 0x883A 0x884F

0x22EE 0x885c 0x88b8 0x88d4 0x88e9 0x88fd 0x8812 0x8828 0x883B 0x8850

0x22EF 0x8869 0x88b9 0x88d5 0x88ea 0x88fe 0x8813 0x8829 0x883C 0x8851

0x22F0 0x886b 0x88ba 0x88d6 0x88eb 0x88ff 0x8814 0x882A 0x883D 0x8852

0x22F1 0x8881 0x88bf 0x88d7 0x88ec 0x8800 0x8815 0x882B 0x883E 0x9999

0x22F2 0x888b 0x88c4 0x88d8 0x88ed 0x8801 0x8816 0x882C 0x883F 0x9c40

0x22F3 0x888d 0x88c6 0x88d9 0x88ee 0x8803 0x8817 0x882D 0x8840

0x22F4 0x888e 0x88c7 0x88db 0x88ef 0x8804 0x8819 0x882E 0x8841

0x0800 0x8895 0x88c8 0x88dc 0x88f0 0x8805 0x881a 0x882F 0x8842

0x8086 0x8896 0x88c9 0x88dd 0x88f1 0x8806 0x881b 0x8830 0x8844

ETS-1-10G-A C. Supported Ethertype Values 303

0x8100 0x889b 0x88ca 0x88de 0x88f2 0x8807 0x881c 0x8831 0x8846

ETS-1-10G-A D. Description of the switch processes 304

D Description of the switch processes

Table D.1 – Description of the switch processes

Process
Process description
name

3SMA Aging for IP-multicast

3SWF Packet transmission between layer 2 and network level

3SWQ Software processing of ACL intercepted packets

AAAT Management and processing of AAA methods

AATT AAA simulator for testing AAA methods

ARPG ARP implementation

B_RS Stack device reboot control

BFD BFD protocol implementation

Additional actions in the stack (getting information about the stack, displaying,
BOXM
exchanging messages, changing Unit ID)

Stack state commands processing: Adding Master/Slave, studying topology, updating

BOXS
slave firmware version

BRGS Bridge Security – ARP Inspection, DHCP Snooping, DHCP Relay Agent, IP Source Guard

Bridge Management: STP, FDB operations (add, delete records), mirroring, port/VLAN
BRMN
configuration, GVRP, GARP, LLDP, IGMP Snooping, IP multicast

BSNC Master and slave synchronization machine in the stack

BTPC BOOTP client

ETS-1-10G-A D. Description of the switch processes 305

CDB_ Copying configuration files

CNLD Uploading/downloading configuration

COPY File copy management

CPUT CPU utilization

D_LM Link Manager – link tracking

D_SP Stacking Protocol

DDFG Operating with the file system

DFST Distributed file system (DFS). Used in stack operation

DH6C DHCPv6 client

DHCP DHCP server and Relay Agent

DHCp Ping

Dinstant Manager – obtaining information from remote units (firmware version, uptime,
DMNG
active firmware image installation)

DNSC DNS client

DNSS DNS server

DSND Data Set Delays Report

Dispatcher – processing events from remote units about changes in the status of fans,
DSPT power supplies, temperature sensors, SFP-transceivers. Receiving messages from remote
units about their firmware version, serial number, MD5.

DSYN Stack application

DTSA Stack application

ETS-1-10G-A D. Description of the switch processes 306

ECHO ECHO protocol

EPOE PoE (user interaction)

ESTC Logging of events about traffic exceeding thresholds on CPU (cpu input-rate detailed)

EVAP TRX Training – automatic adjustment of SERDES parameters

EVAU Address Update event processing, lower level, higher transmission

EVFB SFP status polling

EVLC Port state change event processing, lower level, higher transmission

EVRT RX Training

Processing packet receiving events from switch to CPU, lower layer, packet transfer to
EVRX
layer 2

EVTX Processing end of packet sending events from CPU to switch, lower level

exRX Processing lower-level packet output 2

FFTT Managing the routing table and routing packets

FHSF IPv6 First Hop Security (Timer processing)

GOAH GoAhead web server implementation

GRN_ Green Ethernet implementation

HCLT Receive and process lower level device configuration commands

HCPT PoE (interaction with the controller)

HLTX Sending packets from CPU to switch

HOST Main host flow, idle speed

HSCS Stack Config – switch configuration on a remote unit

ETS-1-10G-A D. Description of the switch processes 307

Stack Events – link changed event handling, address update from remote units in the
HSES
master

HSEU Stack event processing

ICMP ICMP implementation

IOTG Input/Output terminal management

IOTM Input/Output terminal management

IOUR Input/Output terminal management

IP6C IPv4 and IPv6 counters

IP6M IPv4 and IPv6 routing

IPAT IP address database management

IPG Processing intercepted fragmented IP packets

IPRD Support task for ARP, RIP, OSPF

IPMT IP multicast routing and IGMP Proxy management

IT60

IT61
Tasks for interrupt handling
IT64

IT99

IV11 Tasks for virtual interrupt handling

L2HU Transmitting packets to layer 3

Processing interface status/configuration events and sending messages to registered

L2PS
services

L2UT Port utilization (show interfaces utilization)

ETS-1-10G-A D. Description of the switch processes 308

LBDR Loopback Detection feature implementation

LBDT Loopback Detection packets sending

LTMR Common task for all timers

MACT FDB termination event processing (MAC addresses aging)

MLDP Marvell Link Layer Reliable Datagram Protocol, stack transport

MNGT Autotests

MRDP Marvell Reliable Datagram Protocol, stack transport

MROR Configuration file backup in non-volatile memory

MSCm A manager for operation with terminal sessions

MSRP Passing events in the stack to user tasks

MSSS Listening of IP sockets

MUXT Tracking changes in stack structure

NACT Virtual Cable Test (VCT)

NBBT N-Base

NINP Operation with combo ports

Setting the limit of packet interception speed on the CPU, maintaining statistics on
NSCT
intercepted packets

NSFP Tracking SFP-related events at the network level

NSTM Storm Control

Periodic signal generation for polling tables MAC, VLAN, ports, multicast, routing,
NTPL
prioritization

NTST Adding and removing units in the stack, resetting unit default state, at the network level
ETS-1-10G-A D. Description of the switch processes 309

NVCT Supporting task for VCT. Runs the test and tracks port state changes.

The task is to track and notify changes to the specific interface parameters required for
OBSR
LLDP, CDP and other protocols.

PLCR Processing stack device port state change events

PLCT Processing port state change events

PNGA Ping implementation

POLI Policy Management

PTPT Precise Time Protocol

RADS RADUIS server

RCDS Remote CLI client

RCLA
Remote CLI server
RCLB

RELY DHCPv6 Relay

ROOT Parental task for all tasks

RPTS Routing protocol

SCLC OOB port status tracking

SCPT Autoupdate and Autoprovisioning

SCRX Getting traffic from OOB port

SEAU Receiving Address Update events, lower level

SELC Receiving port state change events, lower level

SERT Tracking port events to start RX Training procedure

ETS-1-10G-A D. Description of the switch processes 310

SERX Getting packet events from switch to CPU, lower level

SETX Getting packet termination events from CPU to switch, lower level

SFMG sFlow Manager – processing IP address change events, CLI/SNMP requests, timers

SFSM sFlow Sampler

SFTR Sflow protocol

SNAD SNA database

SNAE SNA event processing

SNAS Saving the SNA database on ROM

SNMP SNMP implementation

SNTP SNTP implementation

SOCK Socket management

SQIN Selective QinQ configuration

SS2M Slave To Master – sending messages from slave to master

SSHP SSH server – setup, command handling, timer

SSHU SSH server – protocol

SSLP SSL implementation

SSTC Logging of events about traffic exceeding thresholds on CPU (cpu input-rate detailed)

STMB Processing SNMP stack status queries

STSA CLI session via COM port

STSB CLI session via VLAN

STSC CLI session via VLAN

ETS-1-10G-A D. Description of the switch processes 311

STSD CLI session via VLAN

STSE CLI session via VLAN

SW2M FDB Address Update event processing, port blocking in case of port errors

SYLG Output messages in syslog

TBI_ Table of time intervals for ACL

TCPP TCP implementation

TFTP TFTP implementation

TMNG Management of priorities

TNSL TELNET client

TNSR TELNET server

TRCE Traceroute implementation

TRIG Starting an action in FDB (MAC addresses aging)

TRMT Managing transactional units in the stack

TRNS File Transfer – file copying between stack units (FW)

UDPR UDP Relay

URGN Processing critical events (e.g. reboots)

VRRP VRRP implementation

WBAM Web-based Autentification

WBSO Interaction with web clients, bottom level

WBSR Web server management and timers

WNTT NAT support for WBA

ETS-1-10G-A D. Description of the switch processes 312

XMOD X-modem protocol implementation

International Headquarters North American Headquarters
24 Raoul Wallenberg St., Tel Aviv 6971923, Israel 900 Corporate Drive, Mahwah, NJ 07430, USA
Tel 972-3-6458181 | Fax 972-3-7604732 Tel 201-529-1100 | Toll Free: 800-444-7234 | Fax: 201-529-5777
Email [email protected] Email [email protected]

www.rad.com | radcare-online.rad.com
Publication No. 751-207-06/20