Foundry Networks EdgeIron 4802F and EdgeIron 10GC2F User Guide

Foundry Networks
EdgeIron 4802F and EdgeIron 10GC2F
User Guide
Software Release 1.4.8.2
2100 Gold Street
P.O. Box 649100
San Jose, CA 95164-9100
Tel 408.586.1700
Fax 408.586.1900
March 2003
Copyright © 2003 Foundry Networks, Inc. All rights reserved.
No part of this work may be reproduced in any form or by any means – graphic,
electronic or mechanical, including photocopying, recording, taping or storage in an
information retrieval system – without prior written permission of the copyright owner.
The trademarks, logos and service marks ("Marks") displayed herein are the property of
Foundry or other third parties. You are not permitted to use these Marks without the
prior written consent of Foundry or such appropriate third party.
Foundry Networks, BigIron, FastIron, IronView, JetCore, NetIron, ServerIron,
TurboIron, IronWare, EdgeIron, the Iron family of marks and the Foundry Logo are
trademarks or registered trademarks of Foundry Networks, Inc. in the United States and
other countries.
F-Secure is a trademark of F-Secure Corporation. All other trademarks mentioned in this
document are the property of their respective owners.
ii
March 2003
© 2003 Foundry Networks, Inc.
Table of Contents
Preface......................................................................................................................................................... 1
Introduction .................................................................................................................................................. 1
Summary of Features.................................................................................................................................... 1
Virtual LANs (VLANs) ............................................................................................................................2
Spanning Tree Protocol .............................................................................................................................2
Software Factory Defaults............................................................................................................................ 2
How To Get Help ......................................................................................................................................... 3
Web Access ...............................................................................................................................................3
Email Access .............................................................................................................................................3
Telephone Access ......................................................................................................................................3
Warranty Coverage....................................................................................................................................... 3
Accessing the EdgeIron 4802F and EdgeIron 10GC2F .......................................................................... 5
General ......................................................................................................................................................... 5
Getting Started with the CLI ........................................................................................................................ 5
Logging On to the Web-Based GUI............................................................................................................. 6
Planning the Configuration .......................................................................................................................... 7
Basic CLI Operating Conventions ............................................................................................................... 7
Special Keys................................................................................................................................................. 8
CLI Modes.................................................................................................................................................... 9
View Mode (user-level).............................................................................................................................9
Priv(ileged) Mode......................................................................................................................................9
Configure Mode.........................................................................................................................................9
Messages ...................................................................................................................................................... 9
Getting System Help .................................................................................................................................. 10
Using the List Command .........................................................................................................................10
Command History....................................................................................................................................10
Using Telnet ............................................................................................................................................... 10
Configuring EdgeIron Ethernet Switch IP Parameters............................................................................... 10
General Commands .................................................................................................................................... 11
View Mode................................................................................................................................................. 11
Privileged Mode ......................................................................................................................................... 12
Configure Mode ......................................................................................................................................... 14
Accessing Configure Mode .....................................................................................................................14
Configuration Command Types ..............................................................................................................15
Configure Mode Nodes ...........................................................................................................................17
Secure Shell (SSH).................................................................................................................................... 19
Supported SSH Clients............................................................................................................................... 19
Supported SSH Standards .......................................................................................................................... 19
Security Considerations ............................................................................................................................. 20
Commands for Managing the SSH Server ................................................................................................. 20
Physical Port Configuration.................................................................................................................... 23
Display Physical Interfaces Configuration................................................................................................. 23
Port Configuration Settings .....................................................................................................................24
Port Security Settings ............................................................................................................................. 25
Link Aggregation Group (Trunk)........................................................................................................... 29
Overview .................................................................................................................................................... 29
LAG Configuration .................................................................................................................................... 29
LAG Configuration Example ................................................................................................................. 30
SNMP-Server Configuration................................................................................................................... 33
SNMP-Server Settings ............................................................................................................................... 33
Display SNMP-Server Settings .................................................................................................................. 34
The MAC Address Table (FDB) ............................................................................................................. 35
MAC-Table Entry Types............................................................................................................................ 35
How Entries Are Added to the FDB .......................................................................................................... 36
Adding FDB Table Entries with the CLI................................................................................................ 36
Deleting Entries ...................................................................................................................................... 36
Displaying FDB Table Entries ............................................................................................................... 37
Setting the MAC Address Aging Time .................................................................................................. 38
Spanning Tree Protocol (STP) ................................................................................................................ 39
Overview of the Spanning Tree Protocol ................................................................................................... 39
Configuring STP in Protocol Configuration Mode .................................................................................... 39
Configuring STP in Interface Configuration Mode ................................................................................... 41
Displaying STP Settings............................................................................................................................. 42
Command in the Protocol Configuration Mode or Interface Configuration Mode................................ 42
Commands in the View Mode ................................................................................................................ 43
Rapid Spanning Tree Protocol (RSTP).................................................................................................. 45
Overview .................................................................................................................................................... 45
Selection of the Root Bridge and Root Port ........................................................................................... 46
Selection of the Designated Bridge and Designated Port....................................................................... 47
Alternate and Backup Ports .................................................................................................................... 47
Point-To-Point Links .............................................................................................................................. 47
Changing Port States............................................................................................................................... 48
Configuring RSTP...................................................................................................................................... 49
Configuring Global RSTP Parameters.................................................................................................... 49
Configuring Interface RSTP Parameters ................................................................................................ 50
Displaying RSTP Settings .......................................................................................................................... 55
Commands in the Protocol Configuration Mode.................................................................................... 55
Commands in the View Mode ................................................................................................................ 56
Generic VLAN Registration Protocol .................................................................................................... 58
Displaying GVRP Settings......................................................................................................................... 58
Change GVRP Settings .............................................................................................................................. 58
Generic Multicast Registration Protocol ............................................................................................... 60
Displaying GMRP Settings ........................................................................................................................ 60
Change GMRP Settings.............................................................................................................................. 60
Virtual LANs (VLANs) ............................................................................................................................ 62
Overview of Virtual LANs......................................................................................................................... 62
Benefits....................................................................................................................................................62
Types of VLANs .....................................................................................................................................62
Port-Based VLANs..................................................................................................................................62
Default VLAN Concept...........................................................................................................................63
Uses of Tagged VLANs...........................................................................................................................63
Assigning a VLAN Tag.............................................................................................................................. 64
Configuring VLANs................................................................................................................................... 64
Displaying VLAN Information .................................................................................................................. 65
Accessing VLAN Configuration Mode...................................................................................................... 65
VLAN Commands...................................................................................................................................... 65
Overview..................................................................................................................................................65
Assigning the Default VLAN to Ports.....................................................................................................69
Configuring Dual-Mode VLAN Ports........................................................................................................ 70
Securing Management Access Based On VLAN ID.................................................................................. 71
Denying Management Access from a VLAN..........................................................................................71
Displaying VLAN Management Access Information .............................................................................72
Multicast VLAN Registration (MVR) .................................................................................................... 74
MVR Global Configuration Commands .................................................................................................... 75
Examples..................................................................................................................................................76
MVR Interface Configuration Commands ................................................................................................. 77
Examples..................................................................................................................................................78
MVR Show Commands.............................................................................................................................. 79
Transparent LAN Services (TLS)........................................................................................................... 82
TLS Configuration Commands .................................................................................................................. 82
Interface-Level TLS Commands .............................................................................................................82
Global TLS Commands ...........................................................................................................................84
Configuration Examples............................................................................................................................. 84
Configuring Interface-Level TLS ............................................................................................................84
Configuring Global TLS..........................................................................................................................86
Quality Of Service .................................................................................................................................... 88
Overview .................................................................................................................................................... 88
Conventions Used ...................................................................................................................................... 88
Queue Management.................................................................................................................................... 88
Configuring Strict Priority Scheduling....................................................................................................88
Configuring WRR Scheduling.................................................................................................................89
Verifying Queue Configuration...............................................................................................................89
Assigning QoS Rules to Traffic ................................................................................................................. 89
Auto Mapping of 802.1p Priorities to Transmit Queues .........................................................................89
Manual Mapping of 802.1p Priorities to Transmit Queues.....................................................................90
Manipulating 802.1p Priorities on Ingress ..............................................................................................90
Auto Remarking of 802.1p Priorities on Egress......................................................................................90
Remarking of 802.1p Priorities on Egress...............................................................................................90
Verifying 802.1p Priority Configuration .................................................................................................90
Manual QoS Assignment per Destination MAC Address (per VLAN) ..................................................91
Type-of-Service (ToS) Mapping ................................................................................................................ 91
Software Upgrade and Boot Options ..................................................................................................... 92
Displaying Configurations ......................................................................................................................... 92
Downloading a New Image and Java Application ..................................................................................... 92
Write Commands........................................................................................................................................ 93
Rebooting the Switch ................................................................................................................................. 93
Returning to Factory Defaults ................................................................................................................ 94
CLI for Configuration Scripts ................................................................................................................ 96
Command Summary ................................................................................................................................... 97
Status Monitoring and Statistics........................................................................................................... 100
System Information .................................................................................................................................. 100
Passwords ................................................................................................................................................. 100
Configure Application View Mode Password...................................................................................... 100
Configure Application Enable Mode Password ................................................................................... 101
Configure Boot Loader Password......................................................................................................... 101
Line VTY ................................................................................................................................................. 101
Accessing Line VTY Mode.................................................................................................................. 101
Line VTY Commands........................................................................................................................... 102
Banner................................................................................................................................................... 102
System Time and Date ............................................................................................................................. 103
Display the Current System Time......................................................................................................... 103
Configure System Time and Date......................................................................................................... 103
Remote System Time Synchronization................................................................................................. 103
Memory Statistics Information................................................................................................................. 104
Logging..................................................................................................................................................... 104
Remote Logging ....................................................................................................................................... 105
Debug Information ................................................................................................................................... 106
Debug Commands................................................................................................................................. 106
RMON ...................................................................................................................................................... 106
RMON Statistics................................................................................................................................... 106
RMON Alarms...................................................................................................................................... 107
Defining the Trap Destination .............................................................................................................. 107
Defining Event Descriptions ................................................................................................................ 108
Defining Alarm Conditions .................................................................................................................. 109
View RMON Definitions in Configuration List................................................................................... 110
Port Monitor ............................................................................................................................................. 110
Configuration Rules.............................................................................................................................. 110
Display Port Monitor Configuration..................................................................................................... 111
Configure Port Monitor ........................................................................................................................ 111
Temperature Commands .......................................................................................................................... 111
Temperature Control............................................................................................................................. 111
RADIUS................................................................................................................................................... 114
RADIUS Background............................................................................................................................... 114
RADIUS Operation .................................................................................................................................. 114
Features................................................................................................................................................. 114
User Configuration ............................................................................................................................... 115
Creating the Local Database .................................................................................................................... 115
Configuring Login Authentication Using RADIUS................................................................................. 115
RADIUS Configuration Example......................................................................................................... 116
Install a RADIUS server on Server 1 ....................................................................................................... 116
Configure the RADIUS server ................................................................................................................. 116
Edit RADIUS Server's Clients File and add the switch IP address with a distinctive key: ..................... 116
Resilient Links ........................................................................................................................................ 120
Resilient Link CLI Commands................................................................................................................. 120
NTP Client Description.......................................................................................................................... 124
Why Use the NTP Protocol? .................................................................................................................... 124
Configuring for NTP ................................................................................................................................ 124
Example 1 – Setting the NTP Client (authentication disabled).............................................................125
Example 2 – Setting the NTP Client (authentication enabled) .............................................................126
IGMP Snooping ...................................................................................................................................... 128
Understanding IGMP Snooping ............................................................................................................... 128
General...................................................................................................................................................128
Joining a Multicast Group .....................................................................................................................128
Leaving a Multicast Group ....................................................................................................................128
Immediate-Leave Processing.................................................................................................................129
Configuring IGMP Snooping ................................................................................................................... 129
Enabling or Disabling IGMP Snooping.................................................................................................129
Configuring a Multicast Router Port .....................................................................................................130
Configuring a Host Statically to Join a Group ......................................................................................130
Enabling IGMP Immediate-Leave Processing.......................................................................................131
Enabling Forwarding for All Multicast Traffic On Specific Ports........................................................131
Prohibiting Forwarding for All Multicast Traffic On Specific Ports ....................................................131
Configuring Query Packet Intervals ......................................................................................................132
Configuring the Query Generator..........................................................................................................133
Displaying IGMP Snooping Information ................................................................................................. 134
Viewing Snooping Configuration..........................................................................................................134
Viewing Multicast Router Interfaces.....................................................................................................135
Viewing MAC Address Multicast Entries.............................................................................................136
Setting IGMP Snooping Timers and Variables........................................................................................ 137
List of Timers and Default Values ........................................................................................................137
IGMP Statistics Counters ......................................................................................................................... 138
Multiple VLANs ...................................................................................................................................... 139
Dynamic Host Configuration Protocol (DHCP).................................................................................. 140
Overview .................................................................................................................................................. 141
When Should Clients Use DHCP............................................................................................................. 141
Configuring DHCP Client ........................................................................................................................ 142
Displaying the DHCP Client Configuration............................................................................................. 142
Configuration Example ............................................................................................................................ 143
Appendix A ............................................................................................................................................. 144
Boot Loader Commands........................................................................................................................ 144
Commands Summary ............................................................................................................................... 144
Downloading and Manual Starting of the Switch .................................................................................... 146
Configuration of the Switch from the Loader .......................................................................................... 147
Memory Management .............................................................................................................................. 148
Appendix B.............................................................................................................................................. 150
Telnet Service.......................................................................................................................................... 150
The Telnet Client...................................................................................................................................... 150
Telnet Special Commands........................................................................................................................ 150
Moving Between Telnet Sessions......................................................................................................... 150
The session Command.......................................................................................................................... 150
Appendix C ............................................................................................................................................. 152
Syslog Messages in NVRAM ................................................................................................................. 152
Configuring the Trap Level for Stored System Messages ....................................................................... 152
Configuring the Message Format ............................................................................................................. 152
Clearing the System Message History...................................................................................................... 153
Displaying The System Message History ................................................................................................ 153
NVRAM Trap Logging Commands ......................................................................................................... 153
Appendix D ............................................................................................................................................. 156
Configuration History in NVRAM ....................................................................................................... 156
History Log Format and Generation ........................................................................................................ 156
Configuring History Settings.................................................................................................................... 156
Displaying the Configuration History ...................................................................................................... 157
Preface
The preface provides an overview of this guide, describes guide conventions, and
lists other publications that may be useful.
Introduction
This guide provides the required information to configure the EdgeIron 4802F Layer
2 Switch or the EdgeIron 10GC2F Layer 2 Switch.
The guide is intended for network administrators who are responsible for installing
and setting up network equipment. It assumes a basic working knowledge of the
following:
· Local area networks (LANs)
· Ethernet concepts
· Ethernet switching and bridging concepts
· Routing concepts
· Internet Protocol (IP) concepts
· IP Multicast concepts
Summary of Features
· Virtual local area networks (VLANs) including support for IEEE
  802.1Q and IEEE 802.1p
· VLAN aggregation
· Transparent LAN Services (TLS)
· Spanning Tree Protocol (STP) (IEEE 802.1D) for all ports or
  individual VLANs
· Rapid STP (RSTP) (IEEE 802.1w)
· Quality of Service (QoS)
· IGMP snooping to control IP multicast traffic
· Console Command-line Interface (CLI) connection
· Secure Shell (SSH)
· Telnet CLI connection
· Java Web-based management interface
· Simple Network Management Protocol (SNMP) support
· Remote Monitoring (RMON)
· Traffic mirroring for all ports
· Back pressure and flow control support
· 802.3x flow control for full-duplex links
· Line Trunking for broadening bandwidth between switches and
  reduction of bottlenecks
· Console timeout value
· Remote Logging
· Remote time synchronization protocol (RFC 867, RFC 868)
· Dynamic Host Configuration Protocol (DHCP)
Virtual LANs (VLANs)
The EdgeIron has a VLAN feature that enables you to construct your broadcast
domains without being restricted by physical connections. A VLAN is a group of
location and topology independent devices that communicate as if they were on the
same physical local area network (LAN).
Implementing VLANs on your network has the following three advantages:
· They help to control broadcast traffic. If a device in VLAN Marketing
  transmits a broadcast frame, only VLAN Marketing devices receive the
  frame.
· They provide extra security. Devices in VLAN Marketing can only
  communicate with devices in the same VLAN.
· They ease the change and movement of devices on networks.
For more information on VLANs, refer to page 62.
Spanning Tree Protocol
The EdgeIron Ethernet Switch supports the IEEE 802.1D Spanning Tree
Protocol (STP), which is a bridge-based mechanism for providing fault
tolerance on networks. STP enables you to implement parallel paths for
network traffic, and ensure the following:
· Redundant paths are disabled when the main paths are operational.
· Redundant paths are enabled if the main traffic paths fail.
You can run a single spanning tree on all ports or run separate spanning trees on
individual VLANs. For more information on STP, see page 39.
The EdgeIron Ethernet Switch also supports Rapid STP for faster convergence
following topology changes. See page 45.
Software Factory Defaults
The following are the unit's factory-shipped default settings.
· Serial or Telnet user account admin with password: foundry
· Web Network Management: Enabled
· Telnet: Enabled
· SNMP: Enabled
· SNMP Read community string: public
· SNMP Write community string: private
· RMON: Enabled
· 802.1P Priority Recognition: Enabled
· 802.1Q Tagging: All packets are untagged on the default VLAN
· Spanning Tree Protocol: Disabled
· Rapid Spanning Tree Protocol: Disabled
· SSH: Disabled
· MVR: Disabled
· TLS: Disabled
· GVRP: Disabled
· GMRP: Disabled
· Port mirroring: Disabled
· DHCP: Disabled
How To Get Help
Foundry Networks technical support will ensure that the fast and easy access that you
have come to expect from your Foundry Networks products will be maintained.
Web Access
http://www.foundrynetworks.com
Email Access
Technical requests can also be sent to the following email address:
support@foundrynet.com
Telephone Access
1.877.TURBOCALL (887.2622) – United States
1.408.586.1881 – Outside the United States
Warranty Coverage
Contact Foundry Networks using any of the methods listed above for information
about the standard and extended warranties.
Accessing the EdgeIron 4802F and
EdgeIron 10GC2F
General
The configuration program uses a CLI (Command Line Interface) which enables you
to start using the EdgeIron 4802F and EdgeIron 10GC2F quickly and without
extensive background knowledge. It does this by prompting you for the information
required to perform basic configuration procedures.
Using the CLI, you will be able to do the following:
· Establish host names and interfaces
· Enable transparent Ethernet bridging
· Configure Layer 2 switch protocols (GVRP, GMRP, Spanning Tree)
· Configure VLANs
System parameters are stored in a non-volatile memory. They have to be set up only
once during initial setup.
From this point on, the EdgeIron 4802F and EdgeIron 10GC2F will be referred to as
the EdgeIron Ethernet Switch.
Getting Started with the CLI
Configuration of the EdgeIron Ethernet Switch is done by connecting a VT-100 (or
compatible terminal) to the front panel console port of the unit.
The CLI operates automatically when you power on the switch. Before you start
using the CLI command facility, you must do the following:
Step 1. Attach an RS-232 ASCII terminal to the Console port located on the unit's front panel.
Step 2. Configure the terminal to operate at:
· 9600 bps
· 8 data bits
· 1 stop bit
· No parity
· No flow control
· 25 lines and 80 columns window size
Establish a session with the unit and power on the unit. After a few seconds, a
display such as the following appears on the terminal screen:
Note: This example shows the display for the EdgeIron 4802F. The switch model
can be EdgeIron 4802F or EdgeIron 10GC2F. The software version may differ
from the one shown in this example.
Boot Loader
Switch model   : EdgeIron 4802F
Loader version : 3.2.1 created Jul 29 2001 - 14:42:13
MAC Address    : 00:A0:12:09:00:00
Press any key to stop auto-boot...
3 2 1 0
auto-booting...
Starting switch application, please wait...
////////////////////////////////////////////////////////////////////
//
//            F o u n d r y   N e t w o r k s
//
//   Switch model : EdgeIron 4802F
//   SW version   : 01.0.00 created Aug 8 2001 - 14:04:16
//
////////////////////////////////////////////////////////////////////
User Access Verification
Password:
Step 3. Press the keyboard Return key. You are prompted to enter your password.
Step 4. Enter your password, which is foundry by default. The Device-Name> prompt is
displayed, allowing you to begin the configuration process.
Logging On to the Web-Based GUI
To manage the device through the Web-based GUI:
Step 1. Enter the IP address that you assigned the device into the Location or Address field
of your Web browser.
Step 2. Enter the device’s password as the Username in the login dialog that is displayed.
The default is “foundry”. There is no password.
Step 3. When the following dialog is displayed, select options under Display Configurations
or Manage Switch to begin configuring and managing the device.
Note: This example shows the opening management dialog for the EdgeIron 4802F.
Planning the Configuration
Before starting the configuration process, determine the following:
· The protocols you plan to use and their specific parameters
· The types of interfaces installed, Ethernet, Serial or Token Ring
· Whether or not you plan to use bridging
Basic CLI Operating Conventions
Entering commands at the CLI prompt and then pressing the Return key initiates CLI
commands. Based on user input, the CLI returns various data in response.
You type all commands on one line and then press Enter. The CLI response is
displayed on your screen.
You can abbreviate commands to make them unique. For example, enter the letters
sho for the show command.
Certain commands display multiple screens with this prompt at the bottom of the
screen:
--More--
Press any key to continue.
Special Keys
The following special keys are relevant when entering data at the CLI prompt.
Table 1. CLI Entry Keys
Key                 Action
Backspace           Erase characters
Ctrl-U              Delete line
Ctrl-W              Erase the last word
Exit                Escape current mode and go to previous mode
Up/Down arrow keys  Scroll through previously entered commands
Ctrl-F              Move forward one character
Ctrl-B              Move backward one character
Esc and then B      Move forward one word
Esc and then F      Move forward one word
Ctrl-A              Move to the beginning of the line
Ctrl-E              Move to the end of the line
Ctrl-H              Delete the character before point
Ctrl-D              Delete the character after point
Esc and then D      Forward kill word
Ctrl-K              Kill to the end of the line
Ctrl-C              Interrupt current input and move to the next line
Ctrl-N              Move down to next line in the history buffer
Ctrl-P              Move up to previous line in the history buffer
Tab                 Use command line completion by pressing the Tab key.
You can use command line help by typing help at the beginning of the line. Typing ?
at any point in the line will show possible completions.
CLI Modes
There are several CLI modes and associated prompt levels. The prompt is the string
that appears after the host name (Device_Name by default). The following are the
main CLI modes:
View Mode (user-level)
· The View mode allows viewing capabilities only. Its prompt is an angle
  bracket (>):
  Device-Name>
· View mode is password protected. The password is foundry by default.
  You can change this password by using the password command in
  Configure mode.
Priv(ileged) Mode
· The Privileged mode allows advanced viewing unit capabilities and
  limited configuration capabilities. Its prompt is a pound symbol (#):
  Device-Name#
· By default, Privileged mode is not password protected. However, you can
  configure password protection by using the password command from the
  Configure prompt.
· To access Privileged mode from View mode, use the enable command.
Configure Mode
· The Configure mode allows full configuration capabilities. Its prompt is
  displayed as follows:
  Device-Name(config)#
· Additional information can be displayed inside the round brackets,
  before the # sign, to indicate the present configuration mode node.
  For example:
  Device-Name(cfg protocol)# indicates that you are in the configure
  protocol node.
· To access Configure mode from Privileged mode, use the configure
  terminal command.
Messages
There are several messages that can be displayed in response to incorrect entries
(e.g., wrong syntax, or incomplete commands). The following are some of these
messages:
% Unknown command
Displayed when you enter a string that is not a command.
% Command incomplete
You entered a valid command but did not enter all required parameters. Press the Tab
key to display the possible options.
Other messages include:
% Ambiguous command.
% Port 9 invalid, valid val: 1..8
Getting System Help
For system help, enter ? or the letter “l” (for list) to display a list of commands that
are available at either the User level or the Privileged level CLI prompt.
To get more information about certain commands, type ? after the command. For
more information, see the lists of commands that are displayed after entering ?
Using the List Command
The list command displays a complete list of the commands relevant to the prompt
displayed. If the list is larger than can be displayed on your screen, the following is
displayed.
--More--
Press the Space Bar or the Enter key to scroll the list of commands. Type q to
terminate the scrolling.
Command History
A memory buffer in the switch retains the last 20 commands you entered.
Using Telnet
Any workstation with a Telnet facility should be able to communicate with
the switch over a TCP/IP network. Up to five active Telnet sessions can
access the switch concurrently. The Telnet session will be disconnected after
a specified time of inactivity.
Before you can start a Telnet session, you must set up the IP parameters
described in Configuring EdgeIron Ethernet Switch IP Parameters on page
10. Telnet is enabled by default.
To open the Telnet session, you must specify the IP address of the device that
you want to manage. Check the user manual supplied with the Telnet facility
if you are unsure of how to do this.
Once the connection is established, you will be prompted to log in. VT100
emulation and VT100 keys must be used.
Configuring EdgeIron Ethernet Switch IP Parameters
To manage the switch by way of a Telnet connection or by using an SNMP Network
Manager, you must first configure the IP parameters of the EdgeIron Ethernet
Switch and the default gateway.
Select Configure mode by typing configure terminal from the Privileged mode
prompt.
Set the switch IP address as follows:
Device-Name(config)#ip address 100.1.2.3/16
The IP address of the EdgeIron Ethernet switch is 100.1.2.3 in network 100.1.0.0
Set the switch default gateway IP address as follows:
Device-Name(config)#ip route 0.0.0.0/16 100.1.1.1
The default gateway IP address is 100.1.1.1 in network 100.1.0.0
General Commands
The following table shows the commands you can use at all times, regardless of the
type of prompt displayed.
Table 2. General Commands
exit             Escape current mode and go to previous mode
help             Display help information
list             Print command list
no               Negate a command or set its defaults
quit             Escape current mode and go to previous mode
show             Show running system information
terminal length  Terminal configuration setup (Only in View and Privileged mode)
who              List the user that is on the terminal session (Only in View and
                 Privileged mode)
View Mode
The View mode allows viewing capabilities only. Its prompt is an angle bracket (>):
Device-Name>
View mode is password protected. The password is foundry by default. You can
change this password by using the password command in Configure mode.
View Mode Commands
The following commands are available at the View mode prompt (Device-Name>).
enable
Type this command to access the Privileged mode. After entering this command, the
cursor changes to the Privileged mode cursor (pound symbol).
terminal length <0-512>
Sets the number of lines that can be displayed after entering a command on the CLI.
For example:
Device-Name>terminal length 15
Sets a maximum of 15 lines that can be displayed in response to a CLI command.
After 15 lines have been displayed, the following string is displayed if there is more
data.
--More--
Press the Space Bar or the Enter key to continue.
show ip
This command displays the IP address of the EdgeIron Ethernet switch and its
subnet mask.
For example:
Device-Name>show ip
IP-ADDR : 212.29.220.136 NET-MASK : 255.255.255.192
show spanning-tree
This command displays the current STP configuration.
show rapid-spanning-tree
This command displays the current Rapid STP (RSTP) configuration.
Privileged Mode
The Privileged mode allows limited configuration and advanced view capabilities. Its
prompt is a pound sign (#):
Device-Name#
By default, Privileged mode is not password protected. However, you can configure
password protection using the enable password command from the Configure
prompt.
Table 3. Command Summary
clear               Clear a specified entry or entries from one of the tables
configure           Configuration from VTY interface
configure terminal  Terminal configuration setup
copy                File transfer to the target base
disable             Turn off privileged mode command
reload              Halt and perform a cold restart
service             Set up miscellaneous service
show                Show running system information
ping                Pings the EdgeIron Ethernet switch
traceroute          Trace routing path
configure terminal
Type the configure terminal command to access the Configure mode, for
configuration of VLANs and the interfaces.
The following prompt indicates you are in the Configure mode.
Device-Name(config)#
terminal length <0-512>
Specifies the number of lines the CLI displays, in response to a command, before
displaying the --More-- string.
terminal monitor
Displays logging information to the terminal.
traceroute <ip-addr> [<ttl>] [<timeout>]
Displays the routing path from the EdgeIron Ethernet switch to the targeted IP
address. This command can help determine how routing is done in the network. The
execution of the command can be stopped by pressing the ESC key.
<ttl> – This parameter defines the numbers of routers that allow the traceroute
command to pass when it looks for the specified IP address.
<timeout> – Defines the amount of time (in seconds) that an answer to a traceroute
request can be received (default is 2 seconds).
ping
Pings the unit.
ping <ip-addr> [<attempts>] [<delay>] [<length>]
For example, enter:
Device-Name# ping 212.29.220.136 5 30 20 80
This command sends 5 pings of 80 bytes with a 30 sec wait for reply and a 20 sec
delay between pings.
Sending 5, 80-byte ICMP Echos to 212.29.220.136, timeout is 1
seconds: !!!
The ! symbols are displayed at the end of each successful packet. The CLI prompt is
displayed on your screen when the entire ping sequence has been completed. You
may stop command execution by pressing the ESC key.
Configure Mode
The Configure mode allows full configuration capabilities. Its prompt is as follows:
Device-Name(config)#
Additional information can be displayed inside the round brackets, before the #
symbol, to indicate the present configuration mode node.
For example:
Device-Name(cfg protocol)#
This indicates that you are in the Configure protocol node.
Accessing Configure Mode
To access the Configure mode:
Step 1. Type the enable command at the User level prompt:
Device-Name>enable
The system displays the privileged-level prompt:
Device-Name#
Step 2. To access configuration mode, type the configure terminal command at the
Privileged level prompt. The following prompt is displayed, indicating that you have
entered the Configuration mode.
Device-Name(config)#
Configuration Command Types
Configuration commands are categorized by these functions:
· Global configuration commands – Define system-wide parameters.
· Interface subcommands – Define the characteristics of an interface (for
  example, a Serial or Ethernet interface). These commands must be
  preceded by an interface command.
· Line subcommands – Define the characteristics of a serial line. These
  commands must be preceded by a line command.
Observe the following guidelines when you execute configuration commands:
· You can enter configuration subcommands in uppercase letters,
  lowercase letters, or both. You also can shorten all commands
  and other keywords to the fewest number of characters that
  uniquely identify the word.
· To add a comment, begin the line with an exclamation point (!).
  Comments do not affect command processing.
Table 4. Configure Mode Command Summary
banner               Set banner
debug                Debugging functions
enable               Modify enable password parameters
hostname             Set system's network name
interface            Select an interface to configure
ip                   Show IP address
line                 Configure VTY
log                  Show log output device
mac-address-table    Configure the MAC address table
mvr                  Configure Multicast VLAN Registration (MVR)
no                   Negate a command or set its defaults
password             Assign a password for accessing Privileged mode.
protocol             Protocol definitions
qos                  Configure QoS
rapid-spanning-tree  Rapid STP (RSTP) configuration
service              Set up miscellaneous service
show                 Show running system information
shutdown             Disable network (Only in interface configuration mode)
spanning-tree        STP configuration
ssh                  SSH configuration
tls                  TLS configuration
vlan                 VLAN configuration
Configure Mode Nodes
Configure mode has several nodes which are each used to configure various entities
in the EdgeIron Ethernet switch. Each node has its own unique prompt and list of
commands. The following are the Configure modes.
Table 5. Configure Modes Summary
Node       Description                                         Prompt
Line       Configure VTY node, to allow accessing the          Device-Name(config-VTY)#
           EdgeIron Ethernet switch via Telnet
Interface  For configuration of EdgeIron Ethernet switch       Device-Name(config-if 1/1/1)#
           interface ports
VLAN       For configuration of Virtual LANs (VLANs)           Device-Name(config vlan)#
Protocol   For configuration of protocols                      Device-Name(cfg protocol)#
Secure Shell (SSH)
Secure Shell (SSH) is the standard authentication protocol used for protecting data
from malicious intruders through the Internet, prevention of password theft, and so
on. SSH Version 2 supports multiple public key algorithms, including DSA (Digital
Signature Algorithm).
The SSH server, using SSH Version 2, provides you with a more secure connection
to your EdgeIron Ethernet Switch. The SSH server supplies user authentication
service by a password authentication method. The SSH server does not support
SFTP, tunneling or any other method except for a remote secured login connection.
The SSH server supports only one channel per connection.
Supported SSH Clients
You can use the SSH server with SSH clients such as:
· The SSH client of SSH Communications Security Corp.
· The OpenSSH secure shell client.
· The PuTTY terminal program.
· The F-Secure SSH client
· Any other client that supports SSH (version 2)
Supported SSH Standards
· draft-ietf-secsh-architecture-07
· draft-ietf-secsh-transport-09
· draft-ietf-secsh-connect-09
· draft-ietf-secsh-userauth-09
· FIPS 186 (Digital Signature Standard)
· FIPS 180-1 (Secure Hash Algorithm)
· RFC 1851 3DES-CBC and BLOWFISH-CBC cipher
· RFC 2792 DSA Key and Signature Encoding for the KeyNote Trust
  Management System
· HMAC-SHA1 MAC algorithm
Security Considerations
When you log into the SSH server for the first time, the SSH client usually issues a
security alert message such as:
Regard this as a warning that the security and secrecy of the data on your computer
may be jeopardized. If in a later login the same message appears (even though you
have confirmed your trust on the initial connection), then either you are exposed to a
malicious intrusion, or the server administrator has reconfigured the keys.
The keys are configured using the ssh generate-key dsa command described in the
following section. When using an SSH client to log into an EdgeIron
Ethernet Switch, avoid using a Telnet client from that device to another host. This
precaution is required to prevent making the secure connection vulnerable to anyone
who may spy on both network connections.
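What the client's warning is actually comparing, as an added example (this is not Foundry code and not something the switch's CLI runs): the public key blob the server presents is pinned on first login, and the SHA-256 fingerprint of that blob is the value you confirm out of band after running ssh generate-key dsa, so that a later "changed key" warning can be traced to a deliberate re-key rather than dismissed. The DSA parameters, host name and known_hosts entry below are constructed toy values, not a real device key.

```python
"""Host-key pinning check in the style of an SSH client's known_hosts file.

Added example, not Foundry code. It encodes an ssh-dss public key blob in
the SSH wire format, computes the OpenSSH-style SHA-256 fingerprint, and
classifies a connection as first contact, pinned-key match, or changed key.
The DSA parameters below are constructed toy values (not a valid DSA key).
"""
import base64
import hashlib
import struct

TOY_DSA_PARAMS = (23, 11, 4, 8)  # constructed (p, q, g, y); not a real key


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative SSH mpint: leading zero byte if the top bit is set."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def make_dss_blob(p: int, q: int, g: int, y: int) -> bytes:
    """Build an ssh-dss public key blob (layout: type string, then p, q, g, y)."""
    return ssh_string(b"ssh-dss") + b"".join(ssh_mpint(v) for v in (p, q, g, y))


def key_type(blob: bytes) -> str:
    """Return the key-type string that leads every SSH public key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def known_hosts_line(host: str, blob: bytes) -> str:
    """Render a plain (non-hashed) known_hosts entry for the host."""
    return f"{host} {key_type(blob)} {base64.b64encode(blob).decode('ascii')}"


def parse_known_hosts(text: str) -> dict:
    """Map host -> stored key blob from known_hosts-style text (plain host names)."""
    stored = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, ktype, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        if key_type(blob) != ktype:
            raise ValueError(f"key type mismatch in known_hosts entry for {host}")
        stored[host] = blob
    return stored


def check_host_key(stored: dict, host: str, presented: bytes) -> str:
    """Classify a connection attempt the way an SSH client does.

    'new'     -> first contact: confirm the fingerprint out of band, then pin it
    'match'   -> the pinned key was presented again
    'CHANGED' -> a different key for a pinned host: stop and find out why
    """
    if host not in stored:
        return "new"
    return "match" if stored[host] == presented else "CHANGED"


if __name__ == "__main__":
    blob = make_dss_blob(*TOY_DSA_PARAMS)
    print(known_hosts_line("edgeiron-switch", blob))  # constructed host name
    print("fingerprint to confirm out of band:", fingerprint_sha256(blob))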
Commands for Managing the SSH Server
The SSH commands are summarized in the following table. All commands for
managing the SSH server are available in the switch’s global Configuration mode.
Table 6. SSH Commands
ssh generate-key dsa  Generates the starting public parameters for the DSS
                      algorithm that is used in the key-exchange phase of the
                      login.
ssh start             Initializes and starts the SSH server.
ssh stop              Stops the SSH server.
Note: Before you can use SSH, you must enable some kind of a user database on the
device. You can use the local database and locally create usernames and passwords,
or use the RADIUS client application.
ssh generate-key dsa
The generate-key dsa command generates the starting public parameters for the DSS
algorithm that is used in the key-exchange phase of the login. Remember that you
must enter this command before starting your SSH server for the first time.
Save the current configuration to avoid losing the parameters on reboot.
To change the parameters, use the same command. If the SSH server is already
running when you run the command, you must restart it with the ssh stop and
ssh start commands so the changes take effect.
For example:
Device-Name(config)# ssh generate-key dsa
ssh start
The ssh start command initializes and starts the SSH server. You can log safely into
the device only after running the ssh start command.
For example:
Device-Name(config)# ssh start
ssh stop
The ssh stop command stops the SSH server. Keep in mind that by stopping the
server, you close all current SSH connections to the device.
For example:
Device-Name(config)# ssh stop
Physical Port Configuration
Display Physical Interfaces Configuration
show interface
Type show interface to display a list of the physical interfaces and the settings of all
interfaces in table format. For example:
Device-Name>show interface
===========================================================================
|Port |Name    |Type    |State   |Link|DuplSpeed |Flow   |Backpres|Default vlan
--+-----+--------+--------+--------+----+----------+-------+--------+------------
1/1/1          eth      enable   down unknown    disable disable  0003
1/1/2          eth      enable   down unknown    disable disable  0001
1/1/3          eth      enable   down unknown    disable disable  0001
1/1/4          eth      enable   down unknown    disable disable  0001
1/1/5          eth      enable   down unknown    disable disable  0001
1/1/6          eth      enable   down unknown    disable disable  0001
1/1/7          eth      enable   down unknown    disable disable  0001
1/1/8          eth      enable   down unknown    disable disable  0001
You can type in the name of a specific interface after entering the show interface
command. You will be able to view details regarding that specific interface only. For
example:
Device-Name>show interface 1/1/1
Name                =
Type                = 100BaseTX
EnableState         = enable
Link                = down
Duplex speed mode   = autonegotiate
Duplex speed status = unknown
Flow control state  = disable
Backpressure state  = disable
Default VLAN        = 1
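The same per-port output, parsed, as an added example that is not part of the guide or of Foundry's software: it reads the key = value lines shown above into a dictionary and lists ports that are administratively enabled but have no link, the usual candidates for the disable command in the interface node so that unused ports are not left live. The sample output for three ports is constructed from the format above; the port name on 1/1/2 and the states of 1/1/2 and 1/1/3 are assumed.

```python
"""Parse EdgeIron 'show interface <port>' output and find enabled-but-unused ports.

Added example, not Foundry code. The sample text is constructed in the
format the guide shows for 'show interface 1/1/1'; nothing here was
captured from a device.
"""
import re

# Constructed sample output keyed by port, in the guide's key = value layout.
SAMPLE_OUTPUT = {
    "1/1/1": """Name                =
Type                = 100BaseTX
EnableState         = enable
Link                = down
Duplex speed mode   = autonegotiate
Duplex speed status = unknown
Flow control state  = disable
Backpressure state  = disable
Default VLAN        = 1
""",
    "1/1/2": """Name                = uplink to core
Type                = 100BaseTX
EnableState         = enable
Link                = up
Duplex speed mode   = autonegotiate
Duplex speed status = full-100
Flow control state  = disable
Backpressure state  = disable
Default VLAN        = 1
""",
    "1/1/3": """Name                =
Type                = 100BaseTX
EnableState         = disable
Link                = down
Duplex speed mode   = autonegotiate
Duplex speed status = unknown
Flow control state  = disable
Backpressure state  = disable
Default VLAN        = 1
""",
}

# One 'key = value' line. The key may contain spaces ("Duplex speed mode")
# and the value may be empty (an unnamed port).
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_show_interface(text: str) -> dict:
    """Turn the key = value block for one port into a dictionary of strings."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group("key")] = match.group("value")
    return fields


def unused_enabled_ports(outputs: dict) -> list:
    """Ports whose output says 'EnableState = enable' yet 'Link = down'."""
    result = []
    for port, text in outputs.items():
        fields = parse_show_interface(text)
        if fields.get("EnableState") == "enable" and fields.get("Link") == "down":
            result.append(port)
    return sorted(result)


def disable_commands(ports: list) -> list:
    """Render the Configure-mode lines (interface <uu>/<ss>/<pp>, then disable
    in the interface node) that would shut the listed ports. Review the list
    before applying it: an 'unused' port may simply be waiting for a cable."""
    lines = []
    for port in ports:
        lines.append(f"interface {port}")
        lines.append("disable")
    return lines


if __name__ == "__main__":
    for line in disable_commands(unused_enabled_ports(SAMPLE_OUTPUT)):
        print(line)
```

The regex keeps the key non-greedy so that the padding between the label and the equals sign is not swallowed into the key, which is what makes "Name =" with an empty value parse cleanly.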
Configuring Physical Interfaces
To program a specific physical interface, type the following from the configuration
mode prompt:
interface <uu>/<ss>/<pp>
For example:
EdgeIron 4802F(config)#interface 1/1/2
EdgeIron 4802F(config-if 1/1/2)#
Table 7. Port Configuration Command Summary
Command          Description
disable          Disable port
enable           Enable port
backpressure     Set port backpressure mode
duplex speed     Set port duplex-speed mode
end              End current mode and change to enable mode
flow-control     Set port flow-control mode
interface        Select a different interface to configure
name             Set port name
port-monitor     Enable port monitoring on a port
reset            Clear port statistics
spanning tree    STP port settings
Port Configuration Settings
enable | disable
Enables or disables the interface.
backpressure enable | disable
Turns the backpressure feature ON/OFF. Backpressure is a technique for ensuring
that a transmitting port does not send too much data to a receiving port at a given
time. When the buffers allocated to a port exceed a certain size, a Jam message is
sent to the transmitting port to stop transmission. Backpressure is available only if
the port transmits or receives in Half Duplex.
[no] name <name-string>
Adds a descriptive name to an interface.
<name-string> – Comment displayed in the configuration file.
For example:
EdgeIron 4802F(config-if 1/1/2)#name 3174 Controller for test lab
duplex-speed <speed>
Specifies the interface speed. The following are permissible values:
autonegotiate    When this option is selected, the port automatically finds the highest speed that can be supported on the link
half-10          Half duplex at 10Mbps
full-10          Full duplex at 10Mbps
half-100         Half duplex at 100Mbps
full-100         Full duplex at 100Mbps
half-1000        Half duplex at 1Gbps
full-1000        Full duplex at 1Gbps
flow-control enable | disable
Turns the flow control feature ON/OFF. Flow control is a technique for ensuring that
a transmitting port does not send too much data to a receiving port at a given time.
When the buffers allocated to a port exceed a certain size, a Pause message is
sent to the transmitting port to stop transmission. Flow control is available only if the
port transmits or receives in Full Duplex.
interface <uu>/<ss>/<pp>
Select another interface to configure.
For example, if interface 1/1/1 is selected in configuration mode and you wish to
configure interface 1/1/2:
Device-Name(config-if 1/1/1)#interface 1/1/2
Device-Name(config-if 1/1/2)#
Port Security Settings
Use the port security interface configuration command to enable port security on a
port and restrict the use of the port to a user-defined group of stations. Use the no
form of this command to return the port to its default value.
If the port security option is activated on a port, only the secured MAC addresses
configured for that port are permitted to connect to it. A station whose MAC
address was not properly configured in the MAC address table will produce an
address violation event. See the section on how to add secured MAC addresses to
the MAC Address Table on page 36.
port security [action shutdown | trap] [max-mac-count <addresses>]
no port security
Table 8. Syntax Description
action shutdown | trap       (Optional) Action to take when an address violation occurs on this port.
                             shutdown - Disable the port when a security violation occurs
                             trap - Generate an SNMP trap when a security violation occurs
max-mac-count <addresses>    (Optional) The maximum number of secure addresses that this port can support. The range is from 1 to 132.
Defaults
Port security is disabled.
When enabled, the default action is to generate an SNMP trap.
Usage Guidelines
If you specify trap, use the SNMP-server trap commands to configure the SNMP trap
host to receive traps.
Examples
The following example shows how to enable port security and the action port 1/1/3
takes in case of an address violation (shutdown).
Device-Name(config-if 1/1/3)# port security action shutdown
You can verify the previous commands by entering the show port security or show
running-config command in EXEC mode.
Table 9. Related Commands
Command               Description
show port security    Displays the port security settings defined for the port.
show running-config   Displays the EdgeIron Ethernet switch running configuration
The following example shows how to set the maximum number of addresses. The
system can learn up to three MAC addresses and send SNMP traps in the event of
overlearning.
Step 1. Configure the SNMP trap host to receive traps.
Device-Name(config)#snmp-server trap-community public
Device-Name(config)#snmp-server trap-dest Igor 10.2.0.2 public
Step 2. Configure the port to learn 3 MAC addresses.
Device-Name(config-if 1/2/1)#port security max-mac-count 3
Step 3. Define 3 MAC addresses to be learned.
Device-Name(config)#mac-address-table secure 00:00:00:00:01:09 interface 1/2/1 vlan 2
Device-Name(config)#mac-address-table secure 00:02:55:58:0d:8c interface 1/2/1 vlan 2
Device-Name(config)#mac-address-table secure 00:02:55:98:52:f4 interface 1/2/1 vlan 2
Step 4. Display the MAC addresses table.
Device-Name#show mac
+==============+======================+===============+===========+==========+
|     VID      | Mac                  | PORT          | STATUS    | PRIORITY |
+--------------+----------------------+---------------+-----------+----------+
|     0001     | 00:00:00:00:01:09    | 1/2/1         | dynamic   | 0        |
|     0001     | 00:04:80:39:5f:00    | 1/1/47        | dynamic   | 0        |
|     0001     | 00:a0:12:0a:01:b7    | 0/0/0         | self      | 0        |
|     0001     | 00:e0:52:00:00:18    | 1/1/47        | dynamic   | 0        |
|     0001     | 00:e0:52:13:46:5f    | 1/1/47        | dynamic   | 0        |
|     0100     | 00:a0:12:0a:01:b7    | 0/0/0         | self      | 0        |
|     4094     | 00:a0:12:0a:01:b7    | 0/0/0         | self      | 0        |
Static entries = 0
Dynamic entries = 4
Self entries = 3
Secure entries = 0
Filtered entries = 0
Total entries = 7
Step 5. Check port security definitions.
Device-Name#show port security
|*==========================================================*|
|port num    |action      |max-mac-count   |current mac-count|
|------------+------------+----------------+-----------------|
|1/2/1       |trap        |3               |1                |
show port security <uu>/<ss>/<pp>
Displays the security status of the specified port. A secured port is one to which only
secured MAC addresses can be attached.
To add secured MAC addresses to a port, use the mac-address-table secure command
in Configure mode (see The MAC Address Table (FDB)). For example:
Device-Name#show port security 1/1/1
The port is not secured
Link Aggregation Group (Trunk)
Overview
The Link Aggregation Group (Trunk) feature is used to create Fast Ethernet and
Gigabit Ethernet port groups.
These LAGs act as single logical ports for high-bandwidth connections between
switches or between switches and servers.
4802F:
· Up to seven port groups can be created on a switch.
· Up to eight ports can belong to a port group.
· A Fast Ethernet group can only be created from the ports of the same port octet.
· A Gigabit Ethernet group contains ports from the same unit.
10GC2F:
· Up to 12 port groups can be created on a switch.
· Up to 12 ports can belong to a port group. You can combine Copper and Fiber ports in the same group.
The lowest port in the group is the master. It is used as the group communication port
for broadcasts, spanning tree and routing. If the lowest port link goes down, the next
lowest port in the trunk becomes the master. Any port can be the master for a group.
LAG Configuration
Use the trunk interface configuration command to assign a port to a Fast Ethernet or
Gigabit Ethernet port group.
trunk feth | giga <trunk-number>
The feth parameter is used to add a Fast Ethernet port to the trunk.
A Fast Ethernet trunk can be composed from ports of the same port octet.
The giga parameter is used to add a Gigabit Ethernet port to the trunk.
A Gigabit Ethernet trunk is created from ports of the same unit.
<trunk-number> – number of the trunk to which the port belongs.
The number range is:
4802F: 1 – 6 for the Fast Ethernet ports, 7 for the Gigabit ports.
10GC2F: 1 – 12 for all ports.
Use the no form of this command to remove a port from the trunk.
no trunk
Use the show trunk command in Privileged mode to view the current trunk
configuration.
LAG Configuration Example
Step 1. Define Fast Ethernet trunk on all ports 1/1 – 1/8:
Device-Name#configure terminal
Device-Name(config)#interface 1/1/1
Device-Name(config-if 1/1/1)#trunk feth
Device-Name(config-if 1/1/1)#interface 1/1/2
Device-Name(config-if 1/1/2)#trunk feth
Device-Name(config-if 1/1/2)#interface 1/1/3
Device-Name(config-if 1/1/3)#trunk feth
Device-Name(config-if 1/1/3)#interface 1/1/4
Device-Name(config-if 1/1/4)#trunk feth
Device-Name(config-if 1/1/4)#interface 1/1/5
Device-Name(config-if 1/1/5)#trunk feth
Device-Name(config-if 1/1/5)#interface 1/1/6
Device-Name(config-if 1/1/6)#trunk feth
Device-Name(config-if 1/1/6)#interface 1/1/7
Device-Name(config-if 1/1/7)#trunk feth
Device-Name(config-if 1/1/7)#interface 1/1/8
Device-Name(config-if 1/1/8)#trunk feth
Device-Name(config-if 1/1/8)#
Device-Name(config)#
Device-Name#show trunk
=========================================================
Trunk  | Ports
-------+------------------------------------------------
1      | 1/1/1-1/1/8
Step 2. Remove ports 1/1/7 and 1/1/8 from the trunk:
Device-Name#configure terminal
Device-Name(config)#interface 1/1/7
Device-Name(config-if 1/1/7)#no trunk
Device-Name(config-if 1/1/7)#interface 1/1/8
Device-Name(config-if 1/1/8)#no trunk
Device-Name(config-if 1/1/8)#
Device-Name(config)#
Device-Name#show trunk
=============================================================
Trunk  | Ports
-------+----------------------------------------------------
1      | 1/1/1-1/1/6
Step 3. Create Gigabit trunk on ports 1/2/1 and 1/3/1:
Device-Name#configure terminal
Device-Name(config)#interface 1/2/1
Device-Name(config-if 1/2/1)#trunk giga 7
Device-Name(config-if 1/2/1)#interface 1/3/1
Device-Name(config-if 1/3/1)#trunk giga 7
Device-Name(config-if 1/3/1)#
Device-Name(config)#
Device-Name#show trunk
=========================================================
Trunk  | Ports
-------+------------------------------------------------
1      | 1/1/1-1/1/6
7      | 1/2/1,1/3/1
Step 4. View the trunks in the running configuration:
Device-Name #show running-config
...
!
! Port configuration:
!
interface 1/1/1
trunk feth 1
!
interface 1/1/2
trunk feth 1
!
interface 1/1/3
trunk feth 1
!
interface 1/1/4
trunk feth 1
!
interface 1/1/5
trunk feth 1
!
interface 1/1/6
trunk feth 1
!
interface 1/2/1
trunk giga 7
!
interface 1/3/1
trunk giga 7
SNMP-Server Configuration
SNMP-Server Settings
The EdgeIron Ethernet Switch is fully manageable via SNMP or the Web. Web
management is made possible by utilizing embedded Java-based management
technology.
The following commands are used to enable management of the unit by SNMP
managers and to set the management parameters:
snmp-server contact <contact-name>
This command specifies a contact name for the server. It can be used as a security
feature.
snmp-server location <location>
This command specifies a location name for the server. It can be used as a security
feature.
[no] snmp-server security
This command enables the SNMPV1 security feature.
[no] snmp-server community <string> ro | rw
This command is used to add SNMP community strings. The community strings are
an SNMP security feature.
For example:
Device-Name(config)#snmp-server community private2 ro
Adding community private2 with access ro
ro refers to Read-Only and rw refers to Read-Write. By default, the SNMP
community strings are “public” for ro and “private” for rw.
snmp-server trap-dest <host-name> <host-ip> <community-string>
Sets the destination for SNMP traps. The host name specified in the command is the
destination for SNMP traps.
snmp-server trap-community <community-string>
Sets the SNMP community string between the EdgeIron Ethernet switch and the
trap destination host.
snmp-server system name <system-name>
Sets the SNMP system name.
snmp-server user
Sets the SNMP authorized user name.
Display SNMP-Server Settings
show snmp-server
Displays information regarding the SNMP settings of the unit.
For example:
Device-Name#show snmp-server
snmp-server security disable
snmp-server community public ro
snmp-server community private rw
snmp-server trap-community public cold-start link-down link-up
auth bridge rmon
private
There are two SNMP community settings, the ro (read-only) and the rw (read-write)
settings.
The MAC Address Table (FDB)
The MAC Address table contains the information that is in the forwarding database.
The switch uses the forwarding database to forward packets to the appropriate bridge
in the bridge group.
The database has both static entries, which are created by the user, and dynamic
entries or learned entries, which are added and removed by the learning process.
Static entries cannot be overwritten by the learning process, and are removed from
the table only when you explicitly delete them.
MAC-Table Entry Types
There are four types of entries in the FDB:
· Dynamic entries - Initially, all entries in the database are dynamic. Entries in the database are removed (aged-out) if, after a period of time (aging time), the device has not transmitted. This prevents the database from becoming full with obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the database. Dynamic entries are deleted from the database if the switch is reset or a power Off/On cycle occurs. More information about setting the aging time is provided further on in this section.
An aging time parameter determines how long a dynamic station remains in the table.
· Static entries - Permanent entries are retained in the database if the switch is reset or a power off/on cycle occurs. The system administrator must make entries permanent. A permanent entry can either be a unicast or multicast MAC address. All entries entered by way of the command-line interface are stored as permanent.
· Secure entries - A secure entry is configured to a secured port to allow only secured MAC addresses to be learned by this port.
· Self entries - Self entries are the MAC addresses learned by the switch.
How Entries Are Added to the FDB
Entries can be added to the FDB in the following two ways:
· The switch can learn entries. The system updates its FDB with the source MAC address from a packet, the VLAN, and the port identifier on which the source packet is received.
· You can enter and update entries using a MIB browser, an SNMP Network Manager, or the command-line interface (CLI).
Adding FDB Table Entries with the CLI
To add a station to the MAC address table, use the following command:
mac-address-table static | dynamic | secure | self <mac-addr> interface <uu>/<ss>/<pp> vlan <vlan-id>
For example:
Device-Name(config)#mac-address-table static 00:0a:01:02:03:04 interface 1/1/1 vlan 2
Deleting Entries
The following are the CLI commands that you can use to delete entries from the FDB
table.
clear mac-address-table
Clears the entire MAC address table.
clear mac-address-table static | dynamic | secure
Clears a specific type of MAC address table entries. For example, use the following
command to clear dynamic MAC address table entries.
Device-Name# clear mac-address-table dynamic
clear mac-address-table address <mac-addr>
Clears a specific MAC address from the MAC address table.
For example:
Device-Name#clear mac-address-table address 00:01:1a:2c:0d:01
clear mac-address-table address <mac-addr> vlan <0-4095>
Clears a specific MAC address from a VLAN.
clear mac-address-table dynamic address <mac-addr>
Clears a specific dynamic MAC address.
clear mac-address-table dynamic address <mac-addr> vlan <1-4095>
Clears a specific dynamic MAC address from a VLAN.
clear mac-address-table dynamic vlan <2-4095>
Clears all dynamic MAC addresses from a specific VLAN ID.
clear mac-address-table secure address <mac-addr>
Clears a specific secure MAC address.
clear mac-address-table secure address <mac-addr> vlan <2-4095>
Clears a specific secure MAC address of VLAN ID.
clear mac-address-table secure vlan <2-4095>
Clears all secured MAC addresses from explicit VLAN ID.
clear mac-address-table static address <mac-addr>
Clears a specific static MAC address.
clear mac-address-table static address <mac-addr> vlan <2-4095>
Clears a specific static MAC address of VLAN ID.
clear mac-address-table static vlan <2-4095>
Clears all static MAC addresses from explicit VLAN ID.
clear mac-address-table vlan <0-4095>
Clears all MAC addresses of VLAN ID.
Displaying FDB Table Entries
To display the FDB entries stored in the switch, and other data pertaining to the FDB
table, use the following command:
show mac-address-table
To view MAC address entries of a specific type (Static, Dynamic, Self, Secure), type
in one of the following commands:
show mac-address-table static | dynamic | secure | self
show mac-address-table aging-time
Displays the aging time of the MAC address table dynamic entries.
show mac-address-table count
Display a summary of the MAC address table.
Examples:
To display the entire MAC address table and a summary of the entries in it:
Device-Name#show mac-address-table
+==============+======================+===============+===========+==========+
|     VID      | Mac                  | PORT          | STATUS    | PRIORITY |
+--------------+----------------------+---------------+-----------+----------+
|     0001     | 00:00:00:00:01:09    | 1/2/1         | dynamic   | 0        |
|     0001     | 00:04:80:39:5f:00    | 1/1/47        | dynamic   | 0        |
|     0001     | 00:a0:12:0a:01:b7    | 0/0/0         | self      | 0        |
|     0001     | 00:e0:52:00:00:18    | 1/1/47        | dynamic   | 0        |
|     0001     | 00:e0:52:13:46:5f    | 1/1/47        | dynamic   | 0        |
|     0100     | 00:a0:12:0a:01:b7    | 0/0/0         | self      | 0        |
|     4094     | 00:a0:12:0a:01:b7    | 0/0/0         | self      | 0        |
Static entries = 0
Dynamic entries = 4
Self entries = 3
Secure entries = 0
Filtered entries = 0
Total entries = 7
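As an added example (not Foundry code), the following Python script parses show mac-address-table output in the form of the listing above, checks the printed entry counts against the rows it parsed, and audits a secured port against its configured secure addresses, as in the port security example for port 1/2/1 with max-mac-count 3. The sample output is adapted from the listing with one constructed row (00:11:22:33:44:55 on 1/2/1) so that the audit has something to flag; SAMPLE_OUTPUT, SECURED_PORTS and the function names are assumptions of this example.

```python
"""Parse EdgeIron `show mac-address-table` output and audit secured ports.

Added example, not Foundry code. SAMPLE_OUTPUT is adapted from the guide's
`show mac` listing plus one constructed row (00:11:22:33:44:55 on 1/2/1).
SECURED_PORTS mirrors the port security example: port 1/2/1, max-mac-count 3,
three secure addresses added with `mac-address-table secure`.
"""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
+==============+======================+===============+===========+==========+
|     VID      | Mac                  | PORT          | STATUS    | PRIORITY |
+--------------+----------------------+---------------+-----------+----------+
|     0001     | 00:00:00:00:01:09    | 1/2/1         | dynamic   | 0        |
|     0001     | 00:04:80:39:5f:00    | 1/1/47        | dynamic   | 0        |
|     0001     | 00:a0:12:0a:01:b7    | 0/0/0         | self      | 0        |
|     0001     | 00:e0:52:00:00:18    | 1/1/47        | dynamic   | 0        |
|     0001     | 00:e0:52:13:46:5f    | 1/1/47        | dynamic   | 0        |
|     0001     | 00:11:22:33:44:55    | 1/2/1         | dynamic   | 0        |
|     0100     | 00:a0:12:0a:01:b7    | 0/0/0         | self      | 0        |
|     4094     | 00:a0:12:0a:01:b7    | 0/0/0         | self      | 0        |
Static entries = 0
Dynamic entries = 5
Self entries = 3
Secure entries = 0
Filtered entries = 0
Total entries = 8
"""

# Secure addresses configured per port (constructed to match the guide's example).
SECURED_PORTS = {
    "1/2/1": {
        "max_mac_count": 3,
        "macs": {"00:00:00:00:01:09", "00:02:55:58:0d:8c", "00:02:55:98:52:f4"},
    },
}

# One table row: | VID | MAC | PORT | STATUS | PRIORITY |
ROW_RE = re.compile(
    r"^\|\s*(?P<vid>\d{4})\s*\|\s*(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*\|"
    r"\s*(?P<port>\d+/\d+/\d+)\s*\|\s*(?P<status>\w+)\s*\|\s*(?P<prio>\d+)\s*\|$",
    re.IGNORECASE,
)
# Trailing summary lines such as "Dynamic entries = 5"
SUMMARY_RE = re.compile(r"^(?P<kind>\w+) entries = (?P<n>\d+)$")


def parse_mac_table(text):
    """Return (rows, summary): one dict per FDB entry, and the counts the
    switch printed keyed by entry kind ('Static', 'Dynamic', ..., 'Total')."""
    rows, summary = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW_RE.match(line)
        if row:
            entry = row.groupdict()
            entry["vid"] = int(entry["vid"])
            entry["prio"] = int(entry["prio"])
            entry["mac"] = entry["mac"].lower()
            rows.append(entry)
            continue
        total = SUMMARY_RE.match(line)
        if total:
            summary[total["kind"]] = int(total["n"])
    return rows, summary


def summary_mismatches(rows, summary):
    """Compare counts derived from the rows with the printed summary.
    Returns {kind: (counted, printed)} for every kind that disagrees."""
    counted = Counter(r["status"].capitalize() for r in rows)
    counted["Total"] = len(rows)
    return {kind: (counted.get(kind, 0), printed)
            for kind, printed in summary.items()
            if counted.get(kind, 0) != printed}


def audit_secured_ports(rows, secured=SECURED_PORTS):
    """Report what would raise an address violation on a secured port: a MAC
    seen on the port that is not in its secure list, or more MACs than the
    port's max-mac-count allows."""
    findings = []
    for port, cfg in secured.items():
        seen = {r["mac"] for r in rows if r["port"] == port}
        for mac in sorted(seen - cfg["macs"]):
            findings.append((port, "unexpected-mac", mac))
        if len(seen) > cfg["max_mac_count"]:
            findings.append((port, "over-limit", f"{len(seen)}>{cfg['max_mac_count']}"))
    return findings


if __name__ == "__main__":
    table_rows, table_summary = parse_mac_table(SAMPLE_OUTPUT)
    print("summary mismatches:", summary_mismatches(table_rows, table_summary))
    for finding in audit_secured_ports(table_rows):
        print("finding:", finding)
```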
Setting the MAC Address Aging Time
mac-address-table aging-time <secs>
<secs> – The aging time in seconds. You can specify from 10-816 seconds. The
default is 300 seconds.
The aging time specifies how many seconds the address of a learned network device
remains on the list of stations connected to the unit. The address is removed from the
list of stations if no frame is received from that station during the aging time interval.
For example:
To set the MAC Address aging time to 30 seconds:
Device-Name(config)#mac-address-table aging 30
Spanning Tree Protocol (STP)
STP is a part of the 802.1D bridge specification defined by the IEEE Computer
Society.
Overview of the Spanning Tree Protocol
STP is a bridge-based mechanism for providing fault tolerance on networks.
STP allows you to implement parallel paths for network traffic, and ensure
that:
· Redundant paths are disabled when the main paths are operational
· Redundant paths are enabled if the main path fails
Spanning Tree is disabled by default.
You can enable and configure STP globally (a single spanning tree runs on all
ports) or on an individual VLAN basis (Per-VLAN STP).
Note: When Per-VLAN STP is enabled, the BPDUs on untagged ports go out
untagged. You must enable tagging on a port for correct operation of Per-VLAN
STP.
Note: Standard STP (all ports), Per-VLAN STP, and Rapid STP (RSTP) are all
supported on Foundry EdgeIron Ethernet Switch. However, you can run only one of
these STP types at a time. If you change from one STP type to another, the new STP
type begins with the system defaults. The different STP types do not inherit
parameter settings from one another.
Configuring STP in Protocol Configuration Mode
To configure STP, access the Protocol Configuration mode from the Configuration
level. The following prompt indicates that you are in the Protocol Configuration
mode:
Device-Name(cfg protocol)#
spanning-tree [vlan <vlan-id>] [enable | disable]
Enable or disable STP.
If you specify a VLAN ID, STP is enabled or disabled only on the ports in that
VLAN. If you do not specify a VLAN ID, STP is enabled or disabled on all the
switch’s ports.
If you specify enable or disable, the command enables/disables the entire device or a
specific VLAN on the device to support STP and act as a node in the "tree". The
Spanning Tree algorithm dynamically creates a tree through the network used to
efficiently direct packets to their destinations. If the Spanning Tree option is
enabled, the unit acts as a node in the tree. If you do not specify enable or disable,
the current STP configuration is displayed.
Note: For Per-VLAN STP, STP is disabled in newly created VLANs, regardless of
the STP state of other VLANs.
Note: If STP is disabled, the rest of the STP options are not applicable.
For example:
Device-Name(cfg protocol)#spanning-tree enable
This command enables STP globally, on all ports. To enable STP only on the ports
in a specific VLAN, enter a command such as the following:
Device-Name(cfg protocol)#spanning-tree VLAN2 enable
This command enables STP on the ports in a VLAN named “VLAN2”.
spanning-tree [vlan <vlan-id>] priority <0-65535>
Set STP bridge priority.
For example:
Device-Name(cfg protocol)#spanning-tree priority 1200
spanning-tree [vlan <vlan-id>] hello-time <100-1000>
Hello time (100-1000 hundredths of a second), <= MaxAge/2 - 100
This command measures the number of seconds between configuration bridge PDU
transmissions from the ports of this unit. You use it when the unit is the root of the
Spanning Tree, or trying to become so.
spanning-tree [vlan <vlan-id>] forward-delay <400-3000>
Forward delay (400-3000 hundredths of a second), >= MaxAge/2 + 100
This command measures the length of time that the unit stays in each of the Listening
and Learning states that precede the Forwarding State. In addition, when a topology
change is underway and has been detected, this parameter is used to age all dynamic
entries in the Forwarding database.
spanning-tree [vlan <vlan-id>] max-age <600-4000>
Max age (600-4000 hundredths of a second), > 2*(HelloTime+100) and < 2*(FwrdDelay-100)
This command measures the number of seconds learned Spanning Tree information
is kept before being discarded.
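As an added example (not Foundry code), this Python function checks a hello-time, forward-delay and max-age set against the relations given for the three commands above, and a second function emits the Protocol Configuration mode commands only when the set passes. The defaults are the ones in the guide's show spanning-tree output (200, 1500 and 2000 hundredths of a second); stp_timer_problems and stp_timer_commands are names assumed here.

```python
"""Check EdgeIron STP timers against the relations the guide gives.

Added example, not Foundry code. All values are hundredths of a second, as
the hello-time, forward-delay and max-age commands take them. The defaults
are those shown by the guide's show spanning-tree output (HelloTime 200,
BridgeForwardDelay 1500, MaxAge 2000).
"""

# Accepted range of each command, from the command syntax.
RANGES = {
    "hello-time": (100, 1000),
    "forward-delay": (400, 3000),
    "max-age": (600, 4000),
}


def stp_timer_problems(hello_time=200, forward_delay=1500, max_age=2000):
    """Return the list of violated constraints; empty means the set is valid."""
    values = {"hello-time": hello_time, "forward-delay": forward_delay,
              "max-age": max_age}
    problems = []
    for name, (low, high) in RANGES.items():
        if not low <= values[name] <= high:
            problems.append(f"{name} {values[name]} outside {low}-{high}")
    # hello-time must be <= MaxAge/2 - 100
    limit = max_age / 2 - 100
    if hello_time > limit:
        problems.append(f"hello-time {hello_time} > MaxAge/2-100 ({limit:g})")
    # forward-delay must be >= MaxAge/2 + 100
    limit = max_age / 2 + 100
    if forward_delay < limit:
        problems.append(f"forward-delay {forward_delay} < MaxAge/2+100 ({limit:g})")
    # max-age must lie strictly between 2*(HelloTime+100) and 2*(FwrdDelay-100)
    lower, upper = 2 * (hello_time + 100), 2 * (forward_delay - 100)
    if not max_age > lower:
        problems.append(f"max-age {max_age} not > 2*(HelloTime+100) ({lower})")
    if not max_age < upper:
        problems.append(f"max-age {max_age} not < 2*(FwrdDelay-100) ({upper})")
    return problems


def stp_timer_commands(hello_time, forward_delay, max_age, vlan=None):
    """Protocol Configuration mode commands for a timer set that passes every
    check. Raises ValueError otherwise, so an inconsistent set is never applied."""
    problems = stp_timer_problems(hello_time, forward_delay, max_age)
    if problems:
        raise ValueError("; ".join(problems))
    prefix = "spanning-tree" if vlan is None else f"spanning-tree vlan {vlan}"
    return [f"{prefix} max-age {max_age}",
            f"{prefix} hello-time {hello_time}",
            f"{prefix} forward-delay {forward_delay}"]


if __name__ == "__main__":
    print("defaults:", stp_timer_problems() or "ok")
    print("max-age 600 with hello 200:", stp_timer_problems(200, 1500, 600))
    print("\n".join(stp_timer_commands(100, 1500, 2000, vlan=2)))
```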
spanning-tree [vlan <vlan-id>] interface <uu>/<ss>/<pp> | all
Changes the CLI to the STP configuration mode for an individual interface. At the
interface level, you can configure the STP path-cost and STP priority of the interface.
Before changing the command prompt to the interface level, the command displays
the current STP configuration of the interface.
For example, to display the STP settings for interface 1/1/1/ and change the CLI to
the STP configuration level for the interface, enter the following command:
Device-Name(cfg protocol)#spanning-tree interface 1/1/1
PortPriority     = 128
PortState        = disabled
PortEnable       = disabled
PortPathCost     = N/A
DesignatedRoot   = 00 80 00 A0 12 07 13 51
DesignatedCost   = 0
DesignatedBridge = 00 80 00 A0 12 07 13 51
DesignatedPort   = 00 00
FrwrdTransitions = 0
Device-Name(config-if 1/1/1)#
spanning-tree [vlan <vlan-id>] path-cost <0-65535>
Changes the STP path cost for the interface. You can specify a cost from 0 – 65535.
The default depends on the port speed:
· 10 Mbps – 100
· 100 Mbps – 19
· 1000 Mbps – 4
For example:
Device-Name(config-if 1/1/1)#spanning-tree path-cost 10
spanning-tree [vlan <vlan-id>] priority <0-255>
Changes the STP priority of the interface. You can specify a priority from 0 – 255.
The default is 128.
For example:
Device-Name(config-if 1/1/1)#spanning-tree priority 100
Configuring STP in Interface Configuration Mode
To configure STP for an interface, access the Interface Configuration Mode:
Device-name(config-if UU/SS/PP)
spanning-tree [vlan <vlan-id>] all
Displays the current status of spanning-tree parameters for all the switch’s logical
interfaces. The command is equivalent to the spanning-tree interface all command
in Protocol Configuration mode.
For example:
device-name(config-if 1/1/1)#spanning-tree all
===============================================================================
Port    |Pri|State|PCost |DCost        |Designated bridge |DPrt  |FwrdT|DtctTc
--------+---+-----+------+-------------+------------------+------+-----+-------
01/01/01 128 listn 19     19            32768.00A012000003 128.01 2     Disabled
01/01/37 128 block 19     0             32768.000002030405 128.63 0     Enabled
01/01/39 128 listn 19     0             32768.000002030405 128.62 2     Enabled
spanning-tree path-cost [vlan <vlan-id>] <1-200000000>
Sets the STP port path-cost for the configured interface. The no form of this
command resets the default path-cost value of 10.
For example:
Device-name(config-if 1/1/1)#spanning-tree path-cost 2
spanning-tree priority [vlan <vlan-id>] <0-255>
Sets the STP priority for the configured interface
For example:
device-name(config-if 1/1/1)#spanning-tree priority 0
spanning-tree defaults [vlan <vlan-id>]
Restores the STP parameters to their defaults for the configured interface.
For example:
device-name(config-if 1/1/1)#spanning-tree defaults
NOTE: This command replaces the no spanning-tree command in Interface
Configuration mode.
spanning-tree detect-tc [vlan <vlan-id>]
Enables topology change detection on the configured interface. Use the no form of
the command to disable the topology change detection.
The ability to detect topology changes can be enabled or disabled on a per-port basis
by this command. The intent of this facility is to allow topology change detection to
be disabled on ports where it is known that a single end station is connected, and
where powering that end station on and off would cause the Topology Change
Notification mechanism to be triggered.
By default, the topology change detection is enabled.
For example:
device-name(config-if 1/1/1)#spanning-tree detect-tc
Displaying STP Settings
Command in the Protocol Configuration Mode or
Interface Configuration Mode
When the CLI is in the Protocol Configuration mode or Interface Configuration
mode, you can display STP settings by entering the following commands.
spanning-tree [vlan <vlan-id>]
Displays global STP settings.
When you enter the command in the Protocol Configuration mode, the output is the
same as the output of the show spanning-tree [vlan <vlan-id>] command (see
below).
When you enter the command in the Interface Configuration mode, the output is the
same as the output of the show spanning-tree [vlan <vlan-id>] interface
<uu>/<ss>/<pp> command (see below).
Commands in the View Mode
To display RSTP settings when the CLI is in the View mode, use the following
commands.
show spanning-tree [vlan <vlan-id>]
This command shows the spanning tree topology.
For example:
Device-Name>show spanning-tree
ProtocolSpecification   = ieee8021d
Priority                = 32768
TimeSinceTopologyChange = 50188 (in 100s)
TopChanges              = 1
DesignatedRoot          = 00 80 00 A0 12 07 0F 76
RootCost                = 0
RootPort                = 0
MaxAge                  = 2000 (in 100s)
HelloTime               = 200 (in 100s)
HoldTime                = 100 (in 100s)
BridgeMaxAge            = 2000 (in 100s)
BridgeHelloTime         = 200 (in 100s)
BridgeForwardDelay      = 1500 (in 100s)
==============================================================================
Port |Prio|State|Enabl|PCost|DesgnRoot       |DCost|DesgnBridge     |DPrt|FwrdT
-----+----+-----+-----+-----+----------------+-----+----------------+----+-----
1/1/1 128  disbl disbl N/A   008000A012070F76 0     008000A012070F76 0000 0
1/1/2 128  disbl disbl N/A   008000A012070F76 0     008000A012070F76 0000 0
1/1/3 128  disbl disbl N/A   008000A012070F76 0     008000A012070F76 0000 0
1/1/4 128  disbl disbl N/A   008000A012070F76 0     008000A012070F76 0000 0
1/1/5 128  disbl disbl N/A   008000A012070F76 0     008000A012070F76 0000 0
1/1/6 128  disbl disbl N/A   008000A012070F76 0     008000A012070F76 0000 0
1/1/7 128  disbl disbl N/A   008000A012070F76 0     008000A012070F76 0000 0
1/1/8 128  disbl disbl N/A   008000A012070F76 0     008000A012070F76 0000 0
show spanning-tree [vlan <vlan-id>] interface <uu>/<ss>/<pp>
This command shows the spanning tree topology for the specified port. For example:
Device-Name#show spanning-tree interface 1/1/1
PortPriority     = 128
PortState        = disabled
PortEnable       = disabled
PortPathCost     = N/A
DesignatedRoot   = 00 80 00 A0 12 07 13 51
DesignatedCost   = 0
DesignatedBridge = 00 80 00 A0 12 07 13 51
DesignatedPort   = 00 00
FrwrdTransitions = 0
Rapid Spanning Tree Protocol (RSTP)
Overview
RSTP (Rapid Spanning Tree Protocol) performs the roles of the STP protocol
considerably faster by enabling rapid transitions of ports from Alternate state to Root
state, and from Backup state to Designated state. In certain cases, RSTP enables
rapid transitions of ports to Forwarding states.
RSTP is based on IEEE Std 802.1w and is part of Amendment 2: Rapid
Reconfiguration to IEEE Std 802.1D and IEEE Std 802.1t-2001.
You can globally enable RSTP to run on all ports.
Note: Standard STP (all ports), Per-VLAN STP, and Rapid STP (RSTP) are all
supported on Foundry. However, you can run only one of these STP types at a time.
If you change from one STP type to another, the new STP type begins with the
system defaults. The different STP types do not inherit parameter settings from one
another.
RSTP assigns to each bridge port throughout the Bridged Local Area Network one of
the following roles:
· Root Port – Port connected to the root bridge/switch. State: forwarding and link enabled.
· Designated Port – Port connected to the designated switch, which is the switch closest to the root switch. Frames are forwarded to the root through the designated switch.
· Alternate Port – Port that offers a path to the root bridge/switch alternate to the path provided by the Root Port. The Alternate Port can replace the current root port if link failure or a configuration change such as port priority change occurs. State: discarding and link enabled.
· Backup Port – Backup for the path provided by a Designated Port in the direction of the leaves of the Spanning Tree. A backup port points away from the root. State: discarding and link enabled.
· Disabled Port – Blocked port. State: discarding and link disabled.
Figure 1 shows an example of the RSTP port roles.
[Figure 1 – RSTP Port Roles: diagram of two bridges showing Designated, Alternate, Root, Backup and Disabled ports]
The RSTP port roles are determined automatically by the following parameters:
· a unique Bridge Identifier associated to each bridge
· a Path Cost associated to each bridge port
· a unique Port Identifier associated with each bridge port
Selection of the Root Bridge and Root Port
RSTP automatically selects the bridge that has the best Bridge Identifier as the Root
Bridge. Each bridge has a unique Bridge Identifier that is derived from the Bridge
Address and from a manageable priority component (described in IEEE Std 802.1w-2001, Part 3: Media Access Control (MAC) Bridges, Amendment 2: Rapid
Reconfiguration, Section 9.2.5: Encoding of Bridge Identifiers). The unique Bridge
Identifiers are compared numerically, assigning the highest priority to the lowest
identifier value (the best Bridge Identifier).
A Root Path Cost is associated with every Bridge by summing up the path costs for
each Bridge Port receiving frames on the least cost path from the Root Bridge to that
Bridge. The Root Path Cost of the Root Bridge itself is zero. The Path Cost
associated with all other ports may be manageable.
For each bridge except for the Root Bridge, RSTP automatically assigns the role of
Root Port to the Bridge Port that receives frames on the least cost path from the
Root Bridge. If two or more ports on a bridge have the same least Path Cost sum
from the Root, then RSTP selects the port that has the best Port Identifier as the
Root Port.
The Port Identifier comprises two parts. One part is fixed and unique for each Port
on a Bridge. The other part is a manageable priority component (as described in
IEEE Std 802.1w-2001, Part 3: Media Access Control (MAC) Bridges, Amendment 2:
Rapid Reconfiguration, Section 9.2.7: Encoding of Port Identifiers). The unique Port
Identifiers are compared numerically, assigning the highest priority to the lowest
identifier value (the best Port Identifier).
Selection of the Designated Bridge and Designated Port
RSTP associates a Root Path Cost to every LAN in the Bridged Local Area
Network. This is the Root Path Cost of the lowest cost Bridge with a Bridge Port
connected to that LAN. RSTP selects this Bridge as the Designated Bridge for that
LAN. If two or more Bridges have the same Root Path Cost, then the Bridge with the
best priority (least numerical value) is selected as the Designated Bridge. The Bridge
Port on the Designated Bridge that is connected to the LAN is assigned the role of
Designated Port for that LAN. If the Designated Bridge has two or more ports
connected to the LAN, then the Bridge Port with the best priority Port Identifier
(least numerical value) is selected as the Designated Port.
In a Bridged LAN with a stable physical topology (that is, the information
communicated by the RST Algorithm is consistent throughout the network), each
LAN has one single Designated Port, and each Bridge except for the Root Bridge has
a Root Port connected to a LAN. Any operational Bridge Port that is not assigned a
role of Root Port or Designated Port is either of the following:
· Backup Port (if the Bridge is the Designated Bridge for the attached LAN)
· Alternate Port
Alternate and Backup Ports
An Alternate Port offers a path in the direction of the Root Bridge alternate to that
provided by the Bridge’s Root Port.
A Backup Port acts as a backup for the path provided by a Designated Port in the
direction of the leaves of the Spanning Tree. Backup Ports exist only where a given
Bridge has two or more connections to a given LAN. Therefore, backup ports (and
the Designated Ports that they back up) can exist only where two ports of the same
Bridge are connected together in loopback by a point-to-point link, or where the Bridge
has two or more connections to a shared media LAN segment.
The distinction between the Alternate and Backup Port Roles was introduced in
RSTP in order to describe the possibility of the rapid transition of an Alternate port
to forwarding if the Root Port fails.
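Worked example of the selection rules above (Root Bridge by lowest Bridge Identifier, Root Port by lowest Root Path Cost with Bridge and Port Identifier tie-breaks, one Designated Port per LAN, the remaining ports Backup or Alternate), written in Python for this page. It is editor-provided illustration, not Foundry code, and the three-bridge topology, bridge names and MAC addresses are constructed. Port Path Costs are derived from link speed with the IEEE 802.1w recommended default of 2*10^13 divided by the speed in bit/s, which gives the values in the path-cost table later in this chapter (200,000 for 100 Mb/s, 20,000 for 1 Gb/s). The relaxation loop is a synchronous stand-in for the BPDU exchange; it does not model timers or port state transitions.

```python
"""RSTP port role assignment for a small, connected bridged LAN (editor's example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge Identifier: manageable priority (0-65535) then the bridge MAC; the lower value is the better one."""
    priority: int
    mac: str  # assumption: same-length lower-case hex strings, so string order equals numeric order


@dataclass(frozen=True, order=True)
class PortId:
    """Port Identifier: manageable priority (0-240) then the fixed port number; the lower value is the better one."""
    priority: int
    number: int


@dataclass(eq=False)
class Port:
    bridge: str      # name of the bridge the port belongs to
    pid: PortId
    segment: str     # LAN segment the port attaches to
    path_cost: int


def default_path_cost(link_speed_bps: int) -> int:
    """IEEE 802.1w recommended default Path Cost: 2*10^13 / link speed in bit/s, clamped to 1..200,000,000."""
    return max(1, min(200_000_000, 20_000_000_000_000 // link_speed_bps))


def compute_roles(bridges: dict[str, BridgeId], ports: list[Port]) -> dict[tuple[str, int], str]:
    """Port roles {(bridge name, port number): role} for a connected, stable topology."""
    root = min(bridges, key=bridges.get)          # best (lowest) Bridge Identifier is the Root Bridge
    rpc: dict[str, int | None] = {b: (0 if b == root else None) for b in bridges}
    best_vector: dict[str, tuple | None] = {b: None for b in bridges}
    root_port: dict[str, Port] = {}
    segments: dict[str, list[Port]] = {}
    for p in ports:
        segments.setdefault(p.segment, []).append(p)
    designated: dict[str, Port] = {}

    for _ in range(len(bridges) + 1):             # Bellman-Ford style relaxation; converges within |bridges| rounds
        changed = False
        for seg, seg_ports in segments.items():
            reached = [p for p in seg_ports if rpc[p.bridge] is not None]
            if not reached:
                continue
            # Designated Bridge/Port of this LAN: lowest Root Path Cost, then Bridge Identifier, then Port Identifier
            d = min(reached, key=lambda p: (rpc[p.bridge], bridges[p.bridge], p.pid))
            designated[seg] = d
            for p in seg_ports:
                if p.bridge == root or p.bridge == d.bridge:
                    continue
                # Root path priority vector offered through p: the Designated Bridge's cost plus p's own Path Cost,
                # with Designated Bridge, Designated Port and receiving Port Identifiers as tie-breakers
                vector = (rpc[d.bridge] + p.path_cost, bridges[d.bridge], d.pid, p.pid)
                if best_vector[p.bridge] is None or vector < best_vector[p.bridge]:
                    best_vector[p.bridge] = vector
                    rpc[p.bridge] = vector[0]
                    root_port[p.bridge] = p
                    changed = True
        if not changed:
            break

    roles = {}
    for p in ports:
        if root_port.get(p.bridge) is p:
            role = "Root"
        elif designated[p.segment] is p:
            role = "Designated"
        elif designated[p.segment].bridge == p.bridge:
            role = "Backup"       # this bridge is already designated for the LAN: a second connection to it
        else:
            role = "Alternate"    # another bridge's Designated Port serves the LAN: a spare path toward the Root
        roles[(p.bridge, p.pid.number)] = role
    return roles


def example_topology() -> tuple[dict[str, BridgeId], list[Port]]:
    """Constructed sample: A is root (priority 4096); the B-C link closes a loop; C has two ports on one hub."""
    bridges = {
        "A": BridgeId(4096, "00a0120f184d"),
        "B": BridgeId(32768, "00a0120f1850"),
        "C": BridgeId(32768, "00a0120f1860"),
    }
    gig, fast = default_path_cost(1_000_000_000), default_path_cost(100_000_000)
    ports = [
        Port("A", PortId(128, 1), "s1", gig), Port("B", PortId(128, 1), "s1", gig),
        Port("A", PortId(128, 2), "s2", gig), Port("C", PortId(128, 1), "s2", gig),
        Port("B", PortId(128, 2), "s3", fast), Port("C", PortId(128, 2), "s3", fast),
        Port("C", PortId(128, 3), "s4", fast), Port("C", PortId(128, 4), "s4", fast),
        Port("B", PortId(128, 3), "s5", fast),
    ]
    return bridges, ports


if __name__ == "__main__":
    for key, role in sorted(compute_roles(*example_topology()).items()):
        print(key, role)
```

In the sample, bridge C has two ports on one shared segment, so its second port becomes a Backup Port, and the B-C link closes a loop, so C's port on it becomes an Alternate Port: the two cases the Alternate and Backup Ports section distinguishes.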
Point-To-Point Links
Some of the rapid state transitions that are possible within RSTP depend on whether
the Port concerned can be connected to only one other Bridge (it is served by a
point-to-point LAN segment), or to two or more Bridges (it is served by a shared medium
LAN segment).
Rapid transition of a Designated Port to Forwarding is possible only if the LAN
segment associated with the Port is point-to-point, or if the port is defined to be an
edge Port. Otherwise, the transition of a Designated Port from Discarding to
Learning and from Learning to Forwarding occurs with a delay of Forward Delay.
Changing Port States
The Port States are controlled by a state machine, designed to maximize connectivity
without introducing temporary data loops in the network. The state machine attempts
to transition Root Ports and Designated Ports to the Forwarding Port State, and
Alternate Ports and Backup Ports to the Discarding Port State, as rapidly as possible.
Transitions to the Discarding Port State can be simply effected without the risk of
data loops. Transition of a Port to the Forwarding Port State needs to be consistent
with the Port Roles assigned to other Ports in the region of the network.
A Bridge knows that the transition to the Forwarding Port State can be made if:
· The Port Role has been Root Port or Designated Port long enough for:
  § Spanning Tree information supporting this role assignment to have reached all Bridges in the network,
  AND FOR
  § contradictory information to be received from any Bridge following the change in Spanning Tree information that first caused this Port to be assigned the Root Port or Designated Port role.
OR
· The Port is now a Root Port, and any Ports on the Bridge that:
  § have been Root Port too recently for Spanning Tree information to have definitely reached all Bridges in the network,
  OR
  § have not yet been contradicted where that was necessary,
  are not and will not be put in the Forwarding Port State until that time has elapsed (with the exception of the following).
OR
· The Port is:
  § a Designated Port and attaches to a LAN that has at most one other Bridge attached,
  AND
  § the other Bridge's Port Role assignments are consistent with this Port's Bridge,
  AND
  § both Ports' States are known not to be Forwarding if they attach to LANs that connect to Bridges whose Port Roles are not consistent with that Bridge.
OR
· The Port is a Designated Port attached to a LAN that is known not to be attached to any other Bridge Ports.
Note: The first condition above ("The Port Role has been Root Port or Designated
Port long enough for...") uses the Forward Delay as the basis for establishing that
enough time has elapsed to allow the transition to Forwarding to occur.
Configuring RSTP
You can configure RSTP globally and on an individual interface basis.
Global parameters:
· RSTP state
· RSTP bridge priority
· BPDU transmission interval
· Duration of Listening and Learning states
· Age time for learned RSTP information
Interface parameters:
· Edge port
· Port point-to-point MAC value
· Port path cost
· Port priority
Configuring Global RSTP Parameters
To configure RSTP, access the Protocol Configuration mode from the Configuration
level. The following prompt indicates that you are in the Protocol Configuration
mode:
Device-Name(cfg protocol)#
rapid-spanning-tree
Enable RSTP.
If you specify enable or disable, the command enables/disables the entire device to
support RSTP. If you do not specify enable or disable, the current RSTP
configuration is displayed. RSTP is disabled by default.
When RSTP is disabled, you can still use the other commands to set the RSTP
configuration. These settings are preserved when RSTP is enabled.
For example:
Device-Name(cfg protocol)#rapid-spanning-tree enable
This command enables RSTP globally, on all ports.
rapid-spanning-tree priority <0-65535>
Changes the switch’s RSTP priority. The default value is 32768.
For example:
Device-Name(cfg protocol)#rapid-spanning-tree priority 1200
rapid-spanning-tree hello-time <100-1000>
Sets the time interval between BPDU transmissions from the ports of this unit. Use
this command when the unit is the root of the Rapid Spanning Tree, or trying to
become so. The default value is 200 (2 seconds) and the range is 100 – 1000 (1 – 10
seconds).
Note: You cannot assign hello-time a value greater than MaxAge/2-100.
For example:
Device-Name(cfg protocol)#rapid-spanning-tree hello-time 400
rapid-spanning-tree forward-delay <400-3000>
Sets the amount of time that the switch stays in each of the Listening and Learning
states that precede the Forwarding State. In addition, when a topology change is
underway and has been detected, this parameter is used to age all dynamic entries in
the Forwarding database. The default value is 1500 (15 seconds), and the range is
400 – 3000 (4 – 30 seconds).
Note: You cannot assign forward-delay a value less than MaxAge/2+100.
For example:
Device-Name(cfg protocol)#rapid-spanning-tree forward-delay 800
rapid-spanning-tree max-age <600-4000>
Sets the amount of time that learned Spanning Tree information is kept before being
discarded. The default value is 2000 (20 seconds), and the range is 600 – 4000 (6 –
40 seconds).
Note: You cannot assign MaxAge a value that is less than 2*(hello-time + 100) or
more than 2*(forward-delay – 100).
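The three notes above express one rule: MaxAge must lie between 2*(hello-time + 100) and 2*(forward-delay - 100), so the order in which you change the timers matters. The following Python is added by the editor for this page and is not part of Foundry's software: it parses the key = value lines of the rapid-spanning-tree display into a dictionary and checks the timers against the documented ranges and bounds. The display text is constructed in the format shown later in this chapter, and the function names are the editor's. It also shows that the manual's two example values, hello-time 400 and forward-delay 800, cannot both be applied while max-age is still 2000: forward-delay 800 is below MaxAge/2 + 100 = 1100, so max-age has to be lowered first (to at most 1400).

```python
"""Parse the switch's RSTP display and check the documented timer constraints (editor's example)."""
import re

# Constructed sample in the format of the rapid-spanning-tree display (not captured from a real unit).
SAMPLE_DISPLAY = """\
rapid spanning tree     = enabled
ProtocolSpecification   = ieee8021w
Priority                = 32768
TimeSinceTopologyChange = 0 (in 100s)
MaxAge                  = 2000
HelloTime               = 200
ForwardDelay            = 1500
BridgeMaxAge            = 2000
BridgeHelloTime         = 200
BridgeForwardDelay      = 1500
"""

_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(\S.*?)\s*$")


def parse_display(text: str) -> dict:
    """Map each 'Key = value' line to {key: value}; keys are lower-cased with spaces removed."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group(1).replace(" ", "").lower()] = m.group(2)
    return fields


def check_timers(hello: int, forward_delay: int, max_age: int) -> list:
    """Return the violated constraints (values in 1/100 s units, as on the CLI); an empty list means consistent."""
    problems = []
    if not 100 <= hello <= 1000:
        problems.append(f"hello-time {hello} outside 100-1000")
    if not 400 <= forward_delay <= 3000:
        problems.append(f"forward-delay {forward_delay} outside 400-3000")
    if not 600 <= max_age <= 4000:
        problems.append(f"max-age {max_age} outside 600-4000")
    # MaxAge must lie within 2*(hello-time + 100) .. 2*(forward-delay - 100); the per-command rules
    # hello-time <= MaxAge/2 - 100 and forward-delay >= MaxAge/2 + 100 are the same two bounds.
    if max_age < 2 * (hello + 100):
        problems.append(f"max-age {max_age} < 2*(hello-time+100) = {2 * (hello + 100)}")
    if max_age > 2 * (forward_delay - 100):
        problems.append(f"max-age {max_age} > 2*(forward-delay-100) = {2 * (forward_delay - 100)}")
    return problems


def check_display(text: str, bridge_values: bool = True) -> list:
    """Check either the configured (Bridge*) timers or the operational ones taken from the root."""
    f = parse_display(text)
    prefix = "bridge" if bridge_values else ""
    return check_timers(int(f[prefix + "hellotime"]), int(f[prefix + "forwarddelay"]), int(f[prefix + "maxage"]))


if __name__ == "__main__":
    print(check_display(SAMPLE_DISPLAY))   # defaults: no problems
    print(check_timers(400, 800, 2000))    # the manual's two example values with the default max-age
    print(check_timers(400, 800, 1400))    # same values after lowering max-age first
```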
Configuring Interface RSTP Parameters
rapid-spanning-tree interface <uu>/<ss>/<pp> | all
Changes the CLI to the RSTP configuration mode for an individual interface.
Before changing the command prompt to the interface level, the command displays
the current RSTP configuration of the interface.
For example, to display the RSTP settings for interface 1/1/1 and change the CLI to
the RSTP configuration level for the interface, enter the following command:
Device-Name(cfg protocol)#rapid-spanning-tree interface 1/1/1
PortPriority      = 128
PortState         = disabled
PortEnable        = disabled
PortPathCost      = 10
DesignatedRoot    = 80 00 00 A0 12 0F 18 4D
DesignatedCost    = 0
DesignatedBridge  = 80 00 00 A0 12 0F 18 4D
DesignatedPort    = 80 01
FrwrdTransitions  = 0
operEdge          = 0
PointToPointMAC   = 0
MigrationTimer    = 3
Device-Name(config-if 1/1/1)#
rapid-spanning-tree edge-port
Sets the administrative edge-port status of the port.
The edge-port parameter is controlled by the RSTP state machine and the Command
Line Interface (CLI):
Admin EdgePort
The admin EdgePort parameter can be set by the CLI on a per-port basis in order to
indicate that a given Port is permitted to transit directly to the Forwarding Port State
when a Port becomes Designated.
This functionality is provided in order to permit Bridge Ports that are
(administratively) known to be at the edge of the Bridged LAN to transition to
Forwarding without delay.
However, as the presence of a Bridge on a Port that has been marked as an edge Port
could potentially cause a loop in the active topology, it is necessary to qualify the
value of the administrative state variable according to the port's knowledge of
whether or not any BPDUs have been received on the Port.
Operational EdgePort
The Bridge Detection state machine controls the value of the corresponding
operational state variable, operational EdgePort, which is used to
determine whether a port that becomes Designated is permitted to transit directly
to Forwarding. A value of enabled in the show commands indicates that this state
transition is permitted to occur.
If a BPDU is received on the Port, then the value of operational EdgePort is set to
disabled. Following a port initialization, or following a link-up event, operational
EdgePort is set to the value of admin EdgePort.
Hence, if a Port that has been marked as an edge port proves not to be one (due to the
presence of another Bridge), it ceases to behave like an edge port until such
time as it is reinitialized (either by a link up/down event or by reissuing the CLI
command).
NOTES:
1. If a BPDU is received on a port defined as an edge port, it automatically
reverts to edge-port disabled status. After link up/down the port returns to
the admin status.
2. This command replaces the rapid-spanning-tree operEdge {0|1} command,
which is supported only for upgraded versions.
For example:
device-name(config-if 1/1/1)#rapid-spanning-tree edge-port
rapid-spanning-tree link-type [auto|point-to-point|shared]
Sets the administrative link type of the port. The no form of the
command resets the link type to its default value (auto).
The auto parameter indicates that the link type is chosen dynamically according
to the link state (duplex mode).
Entering point-to-point indicates that the configured interface is connected to a single
switch that runs RSTP. On a point-to-point link, rapid transition to the Forwarding state is
allowed in certain cases.
Selecting shared indicates that the interface is not connected to a single switch that is
running RSTP.
There are two statuses of the link type: admin and operational.
Admin Link Type:
· Auto – For the purpose of determining the link type, the port is considered to be connected to a point-to-point LAN segment if either of the following conditions is true:
  a) The port supports autonegotiation, and the autonegotiation function has determined that the LAN segment is to be operated in full duplex mode.
  b) The port has been configured by management means for full duplex operation.
  Otherwise, the MAC is considered to be connected to a LAN segment that is not point-to-point (shared media).
· Point-to-point – The port is considered to be connected to a point-to-point LAN segment, which forces the operational link type to be point-to-point.
· Shared – The port is considered to be connected to a shared media LAN segment, which forces the operational link type to be shared.
Operational Link Type:
If the admin link type is set to auto, the operational link type is determined according
to the procedure described under Admin Link Type (auto): if that procedure determines
that the port is connected to a point-to-point LAN segment, the operational link type
is set to point-to-point; otherwise it is set to shared.
In the absence of a specific way to determine whether the port is connected to a
point-to-point LAN segment or not, the link type shall be shared.
The operational value is reported in the PointToPointMAC field of the interface
display (point-to-point MAC or not a point-to-point MAC).
NOTE: This command replaces the command rapid-spanning-tree point_to_point_mac,
which is supported only for upgraded versions.
For example:
device-name(config-if 1/1/1)#rapid-spanning-tree link-type auto
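The following Python models, for one port, how the operational EdgePort and link-type values described above follow from the administrative settings and from the events the text names: initialization or link-up copies admin EdgePort to operational EdgePort, a received BPDU clears it, auto link type is point-to-point exactly when the link runs full duplex, and a Designated Port may transition rapidly only on a point-to-point link or an edge port. It is an added illustration, not Foundry's state machine; the class, method and scenario names are the editor's, and treating a down port as neither edge nor point-to-point is an assumption. The scenario shows the case worth watching for: a switch plugged into a port marked as an edge port sends a BPDU, and the port loses its rapid-transition privilege until it is reinitialized.

```python
"""Operational edge-port and link-type state of one RSTP port (editor's example)."""
from dataclasses import dataclass


@dataclass
class RstpPortState:
    admin_edge: bool = False            # rapid-spanning-tree edge-port
    admin_link_type: str = "auto"       # rapid-spanning-tree link-type auto|point-to-point|shared
    full_duplex: bool = False           # result of autonegotiation or of manual duplex configuration
    link_up: bool = False
    oper_edge: bool = False             # shown as operEdge in the interface display
    oper_point_to_point: bool = False   # shown as PointToPointMAC in the interface display

    def _update_link_type(self) -> None:
        # auto: point-to-point exactly when the link runs full duplex; the other two
        # admin values force the operational value regardless of duplex
        if self.admin_link_type == "auto":
            self.oper_point_to_point = self.link_up and self.full_duplex
        else:
            self.oper_point_to_point = self.admin_link_type == "point-to-point"

    def initialize(self) -> None:
        """Port initialization or link-up event: operational EdgePort takes the admin value."""
        self.link_up = True
        self.oper_edge = self.admin_edge
        self._update_link_type()

    def link_down(self) -> None:
        # Assumption: a down port is treated as neither edge nor point-to-point until it comes back up.
        self.link_up = False
        self.oper_edge = False
        self._update_link_type()

    def receive_bpdu(self) -> None:
        """Another bridge is present on the port: it stops behaving as an edge port until reinitialized."""
        self.oper_edge = False

    def set_edge_port(self, enabled: bool) -> None:
        """Issuing the CLI command again reinitializes the operational value."""
        self.admin_edge = enabled
        self.oper_edge = enabled and self.link_up

    def set_link_type(self, value: str) -> None:
        if value not in ("auto", "point-to-point", "shared"):
            raise ValueError(f"unknown link type {value!r}")
        self.admin_link_type = value
        self._update_link_type()

    def rapid_transition_allowed(self) -> bool:
        """A Designated Port may go straight to Forwarding only on a point-to-point link or an edge port;
        otherwise it waits Forward Delay in each of Discarding->Learning and Learning->Forwarding."""
        return self.link_up and (self.oper_edge or self.oper_point_to_point)


def rogue_bridge_scenario() -> list:
    """Constructed walkthrough: an edge port on a half-duplex link receives a BPDU from an unexpected switch."""
    port = RstpPortState(admin_edge=True, admin_link_type="auto", full_duplex=False)
    port.initialize()
    steps = [port.rapid_transition_allowed()]      # True: edge port
    port.receive_bpdu()
    steps.append(port.rapid_transition_allowed())  # False: edge status revoked; half duplex means shared
    port.set_link_type("point-to-point")
    steps.append(port.rapid_transition_allowed())  # True: link type forced to point-to-point
    port.link_down()
    port.initialize()
    steps.append(port.oper_edge)                   # True: admin value restored by the link-up event
    return steps


if __name__ == "__main__":
    print(rogue_bridge_scenario())
```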
rapid-spanning-tree path-cost <1-200000000>
Sets the RSTP port path cost for the configured interface. The no form of this
command resets the default path cost as shown in the following table:
Default Path cost values (IEEE 802.1w)
Link Speed   | Recommended Value | Recommended Range      | Range
-------------+-------------------+------------------------+--------------
<= 100 Kb/s  | 200,000,000       | 20,000,000-200,000,000 | 1-200,000,000
1 Mb/s       | 20,000,000        | 2,000,000-20,000,000   | 1-200,000,000
10 Mb/s      | 2,000,000         | 200,000-2,000,000      | 1-200,000,000
100 Mb/s     | 200,000           | 20,000-200,000         | 1-200,000,000
1 Gb/s       | 20,000            | 2,000-200,000          | 1-200,000,000
10 Gb/s      | 2,000             | 200-20,000             | 1-200,000,000
100 Gb/s     | 200               | 20-2,000               | 1-200,000,000
1 Tb/s       | 20                | 2-200                  | 1-200,000,000
10 Tb/s      | 2                 | 1-20                   | 1-200,000,000
rapid-spanning-tree priority <0-240>
Sets the RSTP port priority for the configured interface.
rapid-spanning-tree defaults
Restores the RSTP parameters to their defaults for the configured interface.
For example:
device-name(config-if 1/1/1)#rapid-spanning-tree defaults
NOTE: This command replaces the command no rapid-spanning-tree in the
Interface Configuration mode.
rapid-spanning-tree detect-protocols
A switch running RSTP supports a built-in protocol migration mechanism that
enables RSTP to interoperate with legacy 802.1D STP.
When an RSTP switch receives a legacy 802.1D configuration BPDU (a BPDU with
protocol version 0) on a port, it starts transmitting legacy 802.1D BPDUs (configuration
messages and TCN messages) on that port. When the switch stops receiving legacy
BPDUs, however, it cannot automatically revert to RSTP mode, because it cannot
determine whether the legacy switch has been removed from that link unless the legacy
switch is a designated switch. Any device that sends a version 0 BPDU on the port
triggers this fallback, and the port stays in legacy mode until migration is restarted.
RSTP provides a mechanism that forces the port to restart the protocol migration
process (renegotiate with neighboring switches) by means of:
1. The CLI command rapid-spanning-tree detect-protocols.
2. A link up event.
For example:
device-name(config-if 1/1/1)#rapid-spanning-tree detect-protocols
Displaying RSTP Settings
Commands in the Protocol Configuration Mode
When the CLI is in the Protocol Configuration mode, you can display RSTP settings
by entering the following commands.
rapid-spanning-tree
Displays global RSTP settings.
For example:
Device-Name(cfg protocol)#rapid-spanning-tree
rapid spanning tree     = enabled
ProtocolSpecification   = ieee8021w
Priority                = 32768
TimeSinceTopologyChange = 0 (in 100s)
TopChanges              = 0
DesignatedRoot          = 80 00 00 a0 12 0f 18 4d
RootCost                = 0
RootPort                = 0
MaxAge                  = 2000
HelloTime               = 200
ForwardDelay            = 1500
BridgeMaxAge            = 2000
BridgeHelloTime         = 200
BridgeForwardDelay      = 1500
TxHoldCount             = 3
MigrationTimer          = 3
rapid-spanning-tree interface <uu>/<ss>/<pp> | all
Displays interface-level RSTP settings.
To display settings for all interfaces, enter the following command:
Device-Name(cfg protocol)#rapid-spanning-tree interface all
=============================================================================
Port |Prio|State|Enabl|PCost|DesgnRoot        |DCost|DesgnBridge      |DPrt|FwrdT
-----+----+-----+-----+-----+-----------------+-----+-----------------+----+-----
1/1/1| 128|discr|disbl|   10|800000A0120F184D |    0|800000A0120F184D |8001|    0
1/1/2| 128|discr|disbl|   10|800000A0120F184D |    0|800000A0120F184D |8002|    0
...
To display settings for an individual interface, enter a command such as the
following:
Device-Name(cfg protocol)#rapid-spanning-tree interface 1/1/1
PortPriority      = 128
PortState         = disabled
PortEnable        = disabled
PortPathCost      = 10
DesignatedRoot    = 80 00 00 A0 12 0F 18 4D
DesignatedCost    = 0
DesignatedBridge  = 80 00 00 A0 12 0F 18 4D
DesignatedPort    = 80 01
FrwrdTransitions  = 0
operEdge          = 0
PointToPointMAC   = 0
MigrationTimer    = 3
Commands in the View Mode
To display RSTP settings when the CLI is in the View mode, use the following
commands.
show rapid-spanning-tree
This command shows the RSTP topology.
For example:
Device-Name>show rapid-spanning-tree
rapid spanning tree     = enabled
protocolspecification   = ieee8021w
priority                = 32768
timesincetopologychange = 0 (in 100s)
topchanges              = 0
designatedroot          = 80 00 00 a0 12 0f 18 4d
rootcost                = 0
rootport                = 0
maxage                  = 2000
hellotime               = 200
forwarddelay            = 1500
bridgemaxage            = 2000
bridgehellotime         = 200
bridgeforwarddelay      = 1500
txholdcount             = 3
migrationtimer          = 3
======================================================================
port |prio|state|enabl|pcost|desgnroot        |dcost|desgnbridge      |dprt|fwrdt
-----+----+-----+-----+-----+-----------------+-----+-----------------+----+-----
1/1/1| 128|discr|disbl|   10|800000a0120f184d |    0|800000a0120f184d |8001|    0
1/1/2| 128|discr|disbl|   10|800000a0120f184d |    0|800000a0120f184d |8002|    0
1/1/3| 128|discr|disbl|   10|800000a0120f184d |    0|800000a0120f184d |8003|    0
--more--
show rapid-spanning-tree interface <uu>/<ss>/<pp>
This command shows the RSTP topology for the specified port. For example:
Device-Name>show rapid-spanning-tree interface 1/1/1
PortPriority      = 128
PortState         = discarding
PortEnable        = disabled
PortPathCost      = N/A
DesignatedRoot    = 80 00 00 A0 12 0F 18 4D
DesignatedCost    = 0
DesignatedBridge  = 80 00 00 A0 12 0F 18 4D
DesignatedPort    = 80 01
FrwrdTransitions  = 0
operEdge          = 0
PointToPointMAC   = 0
MigrationTimer    = 3
Generic VLAN Registration Protocol
The Generic VLAN Registration Protocol (GVRP) allows a LAN device to signal to
neighboring devices the VLANs for which it wishes to receive packets. GVRP is
defined as part of the IEEE 802.1Q Virtual LANs standard. The main purpose of the
protocol is to allow switches to automatically discover some of the VLAN information
that would otherwise have to be configured manually in each switch. Network servers
can also run GVRP. These servers are usually configured to join several VLANs, and
then signal the network switches the VLANs they want to join.
Displaying GVRP Settings
show gvrp
Displays the status of GVRP, which can be either enabled or disabled. For example:
Device-Name#show gvrp
GVRP enabled
Change GVRP Settings
To change GVRP settings, you need to be in Protocol Configuration mode.
The following prompt indicates that you are in the protocol configuration mode:
Device-Name(cfg protocol)#
gvrp [enable | disable]
Enables or disables the Generic VLAN Registration Protocol, which lets the switch
learn the VLAN memberships of neighboring devices and configure itself from the
learned information.
For example:
Device-Name(cfg protocol)#gvrp enable
Generic Multicast Registration
Protocol
GMRP is used in multicast communication network applications where one or more
servers, for example video servers, generate multicast traffic. GMRP is configured
on the hosts, and the EdgeIron Ethernet Switch is configured to direct the multicast
traffic only to the ports where it is needed, thereby saving bandwidth.
Displaying GMRP Settings
show gmrp
Displays the status of GMRP, which can be either enabled or disabled.
For example:
Device-Name#show gmrp
GMRP enabled
Change GMRP Settings
To change GMRP settings, you need to be in Protocol Configuration mode.
The following prompt indicates that you are in the Protocol Configuration mode:
Device-Name(cfg protocol)#
gmrp [enable | disable]
Enables or disables GMRP on the switch.
For example:
Device-Name(cfg protocol)#gmrp enable
Virtual LANs (VLANs)
Overview of Virtual LANs
The term VLAN refers to a collection of devices that communicate as if
they were on the same physical LAN. Any set of ports (including all ports on the
switch) can form a VLAN. LAN segments are not restricted by the hardware that
physically connects them; flexible user groups that you create with the command-line
interface define the segments.
Benefits
Implementing VLANs on your networks has the following advantages:
· VLANs help to control traffic. With traditional networks, congestion can be caused by broadcast traffic that is directed to all network devices, regardless of whether they require it. VLANs increase the efficiency of your network because each VLAN can be set up to contain only those devices that must communicate with each other.
· VLANs provide extra security. Devices within a VLAN can communicate directly only with member devices in the same VLAN. If a device in VLAN Marketing must communicate with devices in VLAN Sales, the traffic must cross a routing device, which is where access between the two groups can be controlled. This separation holds only as long as VLAN membership and tagging are configured correctly on every port; see "Securing Management Access Based On VLAN ID" for restricting management access to the switch by VLAN.
· VLANs ease the change and movement of devices. With traditional networks, network administrators spend much of their time dealing with moves and changes. If users move to a different sub-network, the addresses of each end station must be updated manually.
Types of VLANs
VLANs can be created according to the following criteria:
· Physical port
· 802.1Q tag
· MAC address
· A combination of these criteria
Port-Based VLANs
In a port-based VLAN, a VLAN name is given to a group of one or more ports on the
switch. A port can be a member of only one port-based VLAN.
Tagging is a process that inserts a marker (called a tag) into the Ethernet frame. The
tag contains the identification number of a specific VLAN, called the VLAN ID.
The use of 802.1Q tagged packets may lead to the appearance of packets slightly
bigger than the current IEEE 802.3/Ethernet maximum of 1,518 bytes. This may
affect packet error counters in other devices, and may also lead to connectivity
problems if non-802.1Q bridges or routers are placed in the path.
Default VLAN Concept
In Port-based VLAN classification within a switch, the VLAN ID associated with an
untagged or priority-tagged frame (i.e., a frame with no tag header, or a frame with a tag
header that carries the null VLAN ID) is determined, based on the Port of arrival of the frame
into the Switch. This classification mechanism requires the association of a specific VLAN
ID, the Port VLAN Identifier, or PVID, with each of the Switch’s Ports.
The PVID for a given port provides the VID for untagged and priority-tagged frames received
through that port. The PVID for each port shall contain a valid VID value, and shall not
contain the value of the null VLAN ID.
If no PVID value has been explicitly configured for a port, the PVID shall assume the value
of the default PVID=1.
Important Note:
A port can be configured for more than one untagged VLAN, but only ONE of them will be
active. The active port VLAN is the default VLAN that is configured on that port. If a port
is a member of several VLANs, the current active VLAN can be changed with ‘default
vlan’ commands.
Uses of Tagged VLANs
Tagging is most commonly used to create VLANs that span switches; an example of this type
of VLAN is shown in Figure 2.
Figure 2 – VLAN Spanning Two Switches
The switch-to-switch connections are typically called trunks. In a port-based VLAN, each VLAN
requires its own pair of trunk ports; using tags, multiple VLANs can span two switches over
a single trunk. Another benefit of tagged VLANs is the ability to carry multiple VLANs
through one port. This is particularly useful if you have a device (such as a server) that must
belong to multiple VLANs. A single port can be a member of only one port-based VLAN; all
additional VLAN membership for the port must be tagged, and the server must have a Network
Interface Card (NIC) that supports 802.1Q tagging.
Assigning a VLAN Tag
Each VLAN may be assigned an 802.1Q VLAN tag. As ports are added to a VLAN
with an 802.1Q tag defined, you need to decide whether each port will have tagging
assigned for that VLAN.
The default mode of the switch is to have all ports assigned to the VLAN named
default with an 802.1Q VLAN tag (VLAN ID) of 1.
Not all ports in the VLAN must be tagged. As traffic from a port is forwarded out of
the switch, the switch determines (in real time) if each destination port should use
tagged or untagged packet formats for that VLAN. The switch adds and strips tags, as
required, by the port configuration for that VLAN. Packets arriving tagged with a
VLAN ID that is not configured on a port will be discarded.
Note: If you plan to attach the EdgeIron Ethernet Switch to another type of Foundry
device (a Foundry device other than an EdgeIron Ethernet Switch), you must tag the
port that connects to the other device.
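The classification and tagging rules above (PVID for untagged and priority-tagged frames, discard of tags for VLANs not configured on the receiving port, tag insertion or stripping according to the egress port's membership) as an added Python example. This is editor-written illustration, not the switch's implementation; the port objects, MAC addresses and frames are constructed for the example, and the 802.1Q tag layout used is the standard one (TPID 0x8100, then 3 priority bits, 1 drop-eligible bit and a 12-bit VLAN ID). The discard rule is what keeps a host on a single-VLAN port from injecting frames into another VLAN by tagging them itself; a port that is a tagged member of a VLAN accepts that tag from whatever is attached to it.

```python
"""Port-based VLAN classification on raw Ethernet frames (editor's example)."""
from __future__ import annotations
from dataclasses import dataclass, field

TPID_8021Q = b"\x81\x00"
NULL_VID = 0   # a tag carrying VID 0 is priority-tagged and gets the PVID like an untagged frame


@dataclass
class VlanPort:
    pvid: int = 1                                                   # default PVID is 1
    untagged_vlans: set[int] = field(default_factory=lambda: {1})   # VLANs sent without a tag
    tagged_vlans: set[int] = field(default_factory=set)             # VLANs sent with a tag

    def is_member(self, vid: int) -> bool:
        return vid in self.untagged_vlans or vid in self.tagged_vlans


def build_frame(dst: bytes, src: bytes, payload: bytes, vid: int | None = None, pcp: int = 0) -> bytes:
    """Construct a test frame; payload starts with the EtherType. vid=None builds an untagged frame."""
    if vid is None:
        return dst + src + payload
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return dst + src + TPID_8021Q + tci.to_bytes(2, "big") + payload


def parse_frame(frame: bytes) -> tuple[bytes, bytes, int | None, int]:
    """Return (dst, src, TCI or None if untagged, offset at which the EtherType/payload starts)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    if frame[12:14] == TPID_8021Q and len(frame) >= 16:
        return dst, src, int.from_bytes(frame[14:16], "big"), 16
    return dst, src, None, 12


def classify_ingress(port: VlanPort, frame: bytes) -> int | None:
    """VID assigned to a received frame, or None when the frame is discarded."""
    _, _, tci, _ = parse_frame(frame)
    if tci is None or (tci & 0x0FFF) == NULL_VID:
        return port.pvid                             # untagged or priority-tagged: use the PVID
    vid = tci & 0x0FFF
    return vid if port.is_member(vid) else None      # tag for a VLAN not configured on the port: discard


def egress_frame(port: VlanPort, vid: int, frame: bytes) -> bytes | None:
    """The frame as transmitted out of `port` for VLAN `vid`, or None if the port is not a member."""
    if not port.is_member(vid):
        return None
    dst, src, tci, body = parse_frame(frame)
    payload = frame[body:]
    if vid in port.tagged_vlans:
        pcp_dei = (tci & 0xF000) if tci is not None else 0   # keep the priority bits the frame arrived with
        return dst + src + TPID_8021Q + (pcp_dei | vid).to_bytes(2, "big") + payload
    return dst + src + payload                                # untagged member: strip any tag


def forward(ingress: VlanPort, egress: VlanPort, frame: bytes) -> bytes | None:
    """Classify on the ingress port and rewrite for the egress port; None means the frame is dropped."""
    vid = classify_ingress(ingress, frame)
    return None if vid is None else egress_frame(egress, vid, frame)


# Constructed sample ports and frame pieces
ACCESS = VlanPort(pvid=2, untagged_vlans={2})                      # host port: one untagged VLAN
TRUNK = VlanPort(pvid=1, untagged_vlans={1}, tagged_vlans={2, 3})  # switch-to-switch link, VLANs 2 and 3 tagged
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("00a0120f184d")
PAYLOAD = b"\x08\x00" + bytes(46)   # IPv4 EtherType followed by padding

if __name__ == "__main__":
    print(classify_ingress(ACCESS, build_frame(DST, SRC, PAYLOAD, vid=3)))   # None: unknown tag discarded
    print(forward(ACCESS, TRUNK, build_frame(DST, SRC, PAYLOAD)).hex())      # tagged with VID 2 on the trunk
```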
Configuring VLANs
You can configure 802.1Q-compatible virtual LANs (VLANs). A port-based VLAN
is a group of switch ports designated by the switch as belonging to the same
broadcast domain. Compatibility with the 802.1Q standard lets you assign a single
switch port to two or more VLANs, while still allowing for interfacing with older
switches that require a separate port for each VLAN.
An example of a VLAN on one switch is shown in Figure 3.
Figure 3 – VLAN on One Switch
Displaying VLAN Information
Table 10. Commands to display VLAN information
show vlan – Displays information about the VLANs defined in the system; valid at the Privileged (Enable) level
show – Displays information about the VLANs defined in the system; valid at the global VLAN configuration level and the VLAN configuration level for an individual VLAN
show vlan dynamic – Displays information about the Dynamic VLANs created by GVRP; valid at the Privileged (Enable) level
show vlan management – Lists the VLANs that have management access to the device; valid at the Privileged (Enable) level
Example:
Device-Name# show vlan
====================================================================
Name                  | VTag | Tagged ports       | Untagged ports
----------------------+------+--------------------+------------------
Default               | 1    |                    | 1/1/1-1/3/1
Accessing VLAN Configuration Mode
To access VLAN configuration mode:
Type the vlan command from the Configure mode prompt. The following prompt
indicates that you are in the VLAN configuration mode:
Device-Name(config)#vlan
Device-Name(config-vlan)#
VLAN Commands
Overview
In Port-based VLAN classification within a switch, the VLAN ID associated with an
untagged or priority-tagged frame (i.e., a frame with no tag header, or a frame with a
tag header that carries the null VLAN ID) is determined, based on the port of arrival
of the frame into the Switch. This classification mechanism requires the association
of a specific VLAN ID, the Port VLAN Identifier, or PVID, with each of the Switch’s
ports.
The PVID for a given Port provides the VID for untagged and priority-tagged frames
received through that Port. The PVID for each Port shall contain a valid VID value,
and shall not contain the value of the null VLAN ID.
If no PVID value has been explicitly configured for a Port, the PVID shall assume
the value of the default PVID=1.
A port can be configured for more than one untagged VLAN, but only ONE of those
will be active. The active port VLAN is the default VLAN that is configured on that
port. If a port is a member of several VLANs, you can change the current active VLAN
with the default vlan commands.
Table 11. VLAN Commands at global VLAN configuration level
config – Configure VLAN; changes the CLI to the configuration mode for the specified VLAN
config-dynamic – Convert a dynamic VLAN created by GVRP into a static VLAN, so that you can change its configuration
create – Create VLAN; set its name and tag
create range – Create a range of VLANs
delete – Delete VLAN specified by its name
delete-id – Delete VLAN specified by its VLAN ID
delete range – Delete a range of VLANs
management – Deny management access to specific VLANs; see "Securing Management Access Based On VLAN ID"
show – Show VLAN configuration
create <vlan-name> <tag>
Creates a VLAN with the name and tag (i.e., VLAN ID) specified after the create
command. For example:
Device-Name(config-vlan)#create accounting 2
This command creates a VLAN named "accounting" with a tag number of 2.
create range <vlan-name> <range> | all
The VLAN create range command enables the creation of a ‘range’ of VLANs in
the system in one command line.
Device-Name(config-vlan)#create range 2ndfloor 2-50
<vlan-name> – VLAN name. See used names & tags on 'show'/'show dynamic'
all – All VLANs (2-4094)
<range> – VLAN ID range
To create a range of VLANs, you must specify the Start VID and the End VID of the
range.
Example:
To create a VLAN with IDs from 15 to 22:
Device-Name(config-vlan)#create range 15 22
Device-Name(config-vlan)#show
===============================================================
Name                |VTag| Tagged ports         | Untagged ports
--------------------+----+----------------------+---------------
default             |1   |                      |1/1/1-1/3/1
Vlan_15             |15  |                      |
Vlan_16             |16  |                      |
Vlan_17             |17  |                      |
Vlan_18             |18  |                      |
Vlan_19             |19  |                      |
Vlan_20             |20  |                      |
Vlan_21             |21  |                      |
Vlan_22             |22  |                      |
delete <vlan-name>
Deletes a VLAN specified by its name. For example:
Device-Name(config-vlan)#delete accounting
delete-id <vlan-id>
Deletes a VLAN specified by its VLAN ID. For example:
Device-Name(config-vlan)#delete-id 12
delete range <vlan-name> <range> | all
The delete range command, in VLAN Configuration mode, deletes the VLANs in the
specified range.
<vlan-name> – VLAN name. See the names and tags in use with 'show' / 'show dynamic'
all – All VLANs (2-4094)
<range> – VLAN ID range
Here is an example:
Device-Name(config-vlan)#delete range 15 20
Device-Name(config-vlan)#show
=====================================================================
Name             |VTag| Rout If | Tagged ports     | Untagged ports
-----------------+----+---------+------------------+--------------
default          |1   | sw0     |                  |1/1/1-1/1/24
Vlan_21          |21  |         |                  |
Vlan_22          |22  |         |                  |
show
EdgeIron 4802F and EdgeIron 10GC2F User Guide
This command displays the VLANs defined in the switch and the configuration of
each. For example:
Device-Name(config-vlan)#config r&d
Device-Name(config-vlan r&d)#show
====================================================================
Name                |VTag| Tagged ports        | Untagged ports
--------------------+----+---------------------+-------------------
default             |1   |                     |1/1/1-1/3/1
Marketing           |2   |                     |1/1/1-1/1/4
R&d                 |3   |                     |1/1/5-1/1/7
Uplink              |100 |1/1/48               |
config <vlan-name>
Configures the VLAN specified after the config command. After entering this
command, the name of the VLAN is displayed in the prompt to indicate that you are
in Configure VLAN mode.
For example:
Device-Name(config-vlan)#config accounting
Device-Name(config-vlan accounting)#
config-dynamic <vlan-name>
Changes the specified VLAN from a dynamic VLAN created by GVRP, into a static
VLAN that you can configure. The command also changes the CLI to the
configuration level for the VLAN.
Table 12. VLAN Commands at individual VLAN configuration level

  add ports          Add ports to the VLAN
  add ports default  Makes this VLAN the default VLAN for the specified ports
  remove ports       Removes ports from the VLAN
  config             Changes the CLI to the configuration level for another VLAN
  config-dynamic     Converts the VLAN from a dynamic VLAN created by GVRP into a
                     static VLAN, so that you can change its configuration
add ports <port-list> tagged | untagged
Adds the specified port(s) to the VLAN as tagged or untagged members. The
membership type determines how the port handles the 802.1Q VLAN tag on ingress
and egress: a tagged port accepts ingress frames for this VLAN only when they carry
the VLAN tag, and transmits them with the tag; an untagged port transmits frames of
this VLAN without a tag, and untagged ingress frames are classified into the port's
default VLAN (see "Assigning the Default VLAN to Ports").
For example:
Device-Name(config-vlan r&d)#add ports 1/1/8 untagged
You can add a range of ports as follows:
Device-Name(config-vlan r&d)#add ports 1/1/1-1/1/8 untagged
This adds ports 1/1/1 through 1/1/8.
You can add a number of ports as follows:
Device-Name(config-vlan r&d)#add ports 1/1/1,1/2/1,1/3/1 untagged
This adds ports 1/1/1, 1/2/1 and 1/3/1.
Note: Do not use any spaces before or after the comma separating the ports.
remove ports <port-list>
Removes the specified port(s) from the VLAN.
For example:
Device-Name(config-vlan r&d)#remove ports 1/1/8
Assigning the Default VLAN to Ports
create <vlan-name> <vlan-id>
config <vlan-id>
add ports <port-list> tagged | untagged
add ports default <port-list>
Example:
Port 1/1/1 is a member of VLAN_2 (VID=2), VLAN_3 (VID=3) and VLAN_4 (VID=4), and
the configured default VLAN of this port is VLAN_3.
Device-Name(config-vlan)#create vlan_2 2
Device-Name(config-vlan)#config vlan_2
Device-Name(config-vlan vlan_2)#add ports 1/1/1-1/1/3 untagged
Device-Name(config-vlan vlan_2)#exit
Device-Name(config-vlan)#create vlan_3 3
Device-Name(config-vlan)#config vlan_3
Device-Name(config-vlan vlan_3)#add ports 1/1/1-1/1/5 untagged
Device-Name(config-vlan vlan_3)#add ports default 1/1/1
Device-Name(config-vlan vlan_3)#exit
Device-Name(config-vlan)#create vlan_4 4
Device-Name(config-vlan)#config vlan_4
Device-Name(config-vlan vlan_4)#add ports 1/1/1,1/1/5,1/1/7 untagged
Device-Name(config-vlan vlan_4)#exit
In the above configuration the PVID of port 1/1/1 is 3: untagged frames arriving on
1/1/1 are forwarded into VLAN_3, although the port is also an untagged member of
VLAN_2 and VLAN_4.
Configuring Dual-Mode VLAN Ports
You can configure VLAN ports to be tagged, untagged, or both. A dual-mode
VLAN port is one that is both tagged and untagged. Dual-mode VLAN ports are
useful in configurations that require a port to receive and forward both tagged traffic
and untagged traffic.
To configure a dual-mode port, add the port as a tagged port to as many VLANs as
desired. Also add the port to a VLAN as an untagged port and set the default VLAN
for the port to this VLAN. Frames that come into the port with a VLAN tag will be
forwarded into the VLAN identified by the VLAN tag. If the port is not a member of
the identified VLAN, the frame is discarded. Frames that enter the port without a
VLAN tag will be forwarded into the port's default VLAN.
Figure 4 shows an example of a network that requires dual-mode VLAN ports.
[Figure 4 – Dual-Mode VLAN Ports Used for Voice over IP (VoIP): phones with a VoIP
server (voice traffic = VLAN 10, tagged on port 1/1/1; VLAN 10 untagged at the
server), a file server and the phones' data traffic (VLAN 20, untagged), and an
inter-switch link carrying VLANs 10 and 20 tagged.]
The EdgeIron Ethernet Switch on the left receives voice and data traffic on the same
ports. The voice traffic is tagged while the data traffic is untagged. To configure the
VLAN ports on the EdgeIron Ethernet Switch on the left, enter the following
commands:
Device-Name(config)#vlan
Device-Name(config-vlan)#create vlan10 10
Device-Name(config-vlan)#config vlan10
Device-Name(config-vlan vlan10)#add ports 1/1/1 tagged
Device-Name(config-vlan vlan10)#exit
Device-Name(config-vlan)#create vlan20 20
Device-Name(config-vlan)#config vlan20
Device-Name(config-vlan vlan20)#add ports 1/1/1 untagged
Device-Name(config-vlan vlan20)#exit
Device-Name(config-vlan)#exit
Device-Name(config)#interface 1/1/1
Device-Name(config-if 1/1/1)#default vlan 20
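The following Python model is an added example, not code from the Foundry guide. It reproduces the ingress rules stated above (tagged frames go to the VLAN in the tag only if the port is a member, untagged frames go to the port's default VLAN) for the "Assigning the Default VLAN to Ports" example and for the dual-mode VoIP port 1/1/1. The class and method names are this example's own; it assumes a port's PVID is 1 until set with add ports default / default vlan, and adds an assumed uplink port 1/1/48 tagged in both VLANs to show egress.

```python
"""Added example: a model of VLAN membership, PVID and ingress classification (not Foundry code)."""

from dataclasses import dataclass, field

DEFAULT_VLAN = 1  # the switch's built-in 'default' VLAN (tag 1)


@dataclass
class VlanTable:
    # vid -> {port: "tagged" | "untagged"}; VLAN 1 exists from the start
    members: dict = field(default_factory=lambda: {DEFAULT_VLAN: {}})
    pvid: dict = field(default_factory=dict)  # port -> default VLAN; assumed 1 until set

    def create(self, vid: int) -> None:
        if not 1 <= vid <= 4094:
            raise ValueError(f"bad VLAN ID {vid}")
        self.members.setdefault(vid, {})

    def add_ports(self, vid: int, ports, mode: str) -> None:
        """'add ports <list> tagged|untagged' for an existing VLAN."""
        if mode not in ("tagged", "untagged"):
            raise ValueError(mode)
        for port in ports:
            self.members[vid][port] = mode

    def add_ports_default(self, vid: int, ports) -> None:
        """'add ports default <list>' / 'default vlan <vid>': set the PVID.

        Assumption of this model: the port must already be an untagged member,
        since untagged ingress frames are delivered into the PVID without a tag.
        """
        for port in ports:
            if self.members[vid].get(port) != "untagged":
                raise ValueError(f"{port} is not an untagged member of VLAN {vid}")
            self.pvid[port] = vid

    def classify_ingress(self, port: str, tag):
        """VLAN an ingress frame is forwarded into, or None if it is discarded.

        Tagged frame: forwarded into the tagged VLAN only if the port is a member.
        Untagged frame: forwarded into the port's default VLAN (PVID).
        """
        if tag is None:
            return self.pvid.get(port, DEFAULT_VLAN)
        return tag if port in self.members.get(tag, {}) else None

    def egress(self, vid: int, ingress_port: str):
        """(port, carries_tag) pairs a frame flooded in vid leaves on, excluding its ingress port."""
        return sorted((p, m == "tagged") for p, m in self.members[vid].items() if p != ingress_port)


def dual_mode_voip() -> VlanTable:
    """The Figure 4 configuration: port 1/1/1 tagged in VLAN 10, untagged in VLAN 20, PVID 20."""
    t = VlanTable()
    for vid in (10, 20):
        t.create(vid)
    t.add_ports(10, ["1/1/1"], "tagged")
    t.add_ports(20, ["1/1/1"], "untagged")
    t.add_ports_default(20, ["1/1/1"])
    # assumed for the example: an uplink 1/1/48 tagged in both VLANs
    t.add_ports(10, ["1/1/48"], "tagged")
    t.add_ports(20, ["1/1/48"], "tagged")
    return t


def pvid_example() -> VlanTable:
    """The 'Assigning the Default VLAN to Ports' example: 1/1/1 untagged in 2, 3, 4 with PVID 3."""
    t = VlanTable()
    for vid in (2, 3, 4):
        t.create(vid)
    t.add_ports(2, ["1/1/1", "1/1/2", "1/1/3"], "untagged")
    t.add_ports(3, ["1/1/1", "1/1/2", "1/1/3", "1/1/4", "1/1/5"], "untagged")
    t.add_ports_default(3, ["1/1/1"])
    t.add_ports(4, ["1/1/1", "1/1/5", "1/1/7"], "untagged")
    return t
```

The discard path in classify_ingress is the security-relevant one: a host on the data VLAN that tags its own frames with VLAN 10 gets into the voice VLAN only because port 1/1/1 is a tagged member of it, which is exactly what a dual-mode port grants; a tag for any VLAN the port is not a member of is dropped.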
Securing Management Access Based On VLAN ID
The management command, in global VLAN configuration mode, allows management
access to the switch from the specified VLANs. The no form of this command blocks
management access from the specified VLANs.
By default, management of the switch is accessible from all VLANs.
Use the no management command to deny management access from the VLANs that
you specify by a list of VLAN ID numbers (the management command restores it). The
list may include VLANs that have not been created yet and VLANs that were
dynamically learned by GVRP.
Before applying the command, verify that the following conditions are met, or you can
lock yourself out of the switch:
· You must be able to move your network management station to a switch port
  assigned to the same VLAN as the management VLAN.
· Connectivity through the network must exist from the network management station
  to all switches involved in the management VLAN change.
From a VLAN on which management access is disabled, the following are not possible:
· Telnet to the switch
· SSH to the switch
· SNMP management
· Ping to the switch
· TFTP download or upload
Denying Management Access from a VLAN
no management <vlan-list>
The <vlan-list> specifies the VLAN IDs from which management access is prohibited.
Express the list in the form {K|K1-K2}[,{L|L1-L2}[,{M|M1-M2}[,...]]], where commas
separate terms and hyphenated terms represent ranges. For example, the expression
2,4,8-32,64-512 represents VLAN IDs 2, 4, the range from 8 to 32 and the range from
64 to 512.
Example:
In the following example, the switch can be managed only from VLAN 2. VLANs 100,
101 and 102 are created, but the switch cannot be managed from the workstations on
them, only from the management station.
[Figure 5 – Secured Management Access Based on VLAN ID: management station on
VLAN 2; workstations on VLANs 100, 101 and 102.]
Here are the commands to create this configuration.
device-name#configure terminal
device-name(config)#vlan
device-name(config vlan)#no management 1,3-4094
device-name(config vlan)#create manage 2
device-name(config vlan)#config manage
device-name(config-vlan manage)#add ports 1/1/2 untagged
device-name(config-vlan manage)#add ports default 1/1/2
device-name(config-vlan manage)#exit
device-name(config vlan)#create v100 100
device-name(config vlan)#config v100
device-name(config-vlan v100)#add ports 1/1/3 untagged
device-name(config-vlan v100)#add ports default 1/1/3
device-name(config-vlan v100)#add ports 1/3/1 tagged
device-name(config-vlan v100)#exit
device-name(config vlan)#create v101 101
device-name(config vlan)#config v101
device-name(config-vlan v101)#add ports 1/2/1 untagged
device-name(config-vlan v101)#add ports default 1/2/1
device-name(config-vlan v101)#add ports 1/3/1 tagged
device-name(config-vlan v101)#exit
device-name(config vlan)#create v102 102
device-name(config vlan)#config v102
device-name(config-vlan v102)#add ports 1/2/2 untagged
device-name(config-vlan v102)#add ports default 1/2/2
device-name(config-vlan v102)#add ports 1/3/1 tagged
device-name(config-vlan v102)#exit
device-name(config vlan)#config default
device-name(config-vlan default)#remove ports 1/1/2-1/1/3,1/2/1-1/2/2,1/3/1
device-name(config-vlan default)#exit
Displaying VLAN Management Access Information
show vlan management
Example:
The following example shows that by default, management is accessible on all
VLANs. After we apply the no management command to block access on a specific
list of VLANs, the response to the show vlan management command indicates that
management is accessible only on VLANs in the complementary list.
device-name#show vlan management
Management VLANs: 1-4094
device-name(config)#vlan
device-name(config vlan)#no management 1,5-7,21-4093
...
device-name#show vlan management
Management VLANs: 2-4,8-20,4094
device-name#
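As an added worked example (not code from the Foundry guide), the following Python parses the {K|K1-K2}[,...] VLAN-list syntax, computes the complementary list that show vlan management reports after a no management command, and checks whether the VLAN your management station sits on is in the denied list, the lock-out the conditions above warn about. The function names and the "none" placeholder for an empty list are this example's own.

```python
"""Added example: VLAN-list parsing and management-VLAN complement (not Foundry code)."""

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(spec: str) -> set[int]:
    """Parse 'K,K1-K2,...' (commas separate terms, hyphens denote ranges) into a set of IDs.

    Malformed terms and IDs outside 1-4094 raise ValueError rather than being
    silently dropped, so a typo cannot widen or narrow the denied set unnoticed.
    """
    ids: set[int] = set()
    for term in spec.split(","):
        term = term.strip()
        if not term:
            raise ValueError(f"empty term in {spec!r}")
        if "-" in term:
            lo_s, hi_s = term.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"descending range {term!r}")
        else:
            lo = hi = int(term)
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN ID outside 1-4094 in {term!r}")
        ids.update(range(lo, hi + 1))
    return ids


def format_vlan_list(ids) -> str:
    """Collapse a set of IDs back into the 'a-b,c' form that show vlan management prints."""
    ordered = sorted(ids)
    if not ordered:
        return "none"  # placeholder chosen for this example
    terms = []
    start = prev = ordered[0]
    for vid in ordered[1:]:
        if vid == prev + 1:
            prev = vid
            continue
        terms.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = vid
    terms.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(terms)


def management_vlans_after(denied_spec: str) -> str:
    """Management VLANs left after 'no management <denied_spec>' (default: all VLANs)."""
    allowed = set(range(VLAN_MIN, VLAN_MAX + 1)) - parse_vlan_list(denied_spec)
    return format_vlan_list(allowed)


def would_lock_out(denied_spec: str, station_vlan: int) -> bool:
    """True if the VLAN the management station sits on is in the denied list."""
    return station_vlan in parse_vlan_list(denied_spec)


if __name__ == "__main__":
    print(management_vlans_after("1,5-7,21-4093"))    # 2-4,8-20,4094 (as in the guide)
    print(would_lock_out("1,3-4094", station_vlan=1))  # True: a station still on VLAN 1 is cut off
```

Run would_lock_out against the VLAN of the session you are typing from before entering no management; in the Figure 5 configuration the station must already be on port 1/1/2 in VLAN 2, because VLAN 1 is in the denied list.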
Multicast VLAN Registration (MVR)
Multicast VLAN Registration (MVR) is designed to serve two purposes:
· To enable efficient, secure multicast data flow across VLANs and super VLANs in a
  simple configuration.
· To support dynamic joins to multicast groups, in order to enable channel zapping.
This allows you to support multicast services while keeping the user separation
provided by the VLAN and Super-VLAN features: users on different VLANs cannot
exchange any information between them, but multicast services are provided to all of
them.
A maximum of 256 MVR multicast groups can be configured on a switch.
Any multicast data sent to a configured multicast address is sent to all receiver ports
that have registered to receive data on that multicast address, even if the source and
receiver ports are on different VLANs.
The device can force the multicast server to send all the configured multicast frames
to the switch, to allow quick zapping (see dynamic mode below).
Note: To enable MVR, you must first enable IGMP snooping, using the ip igmp
snooping command, described in the "IGMP Snooping" chapter.
Note: The IP address range from 224.0.0.0 to 239.255.255.255 is reserved for
multicast host groups.
An example of an MVR configuration is shown in Figure 6.
Figure 6 – MVR configuration
This configuration allows cross-VLAN multicast frames to be sent from VLAN 2 to users
on other VLANs through registered receiver ports.
MVR Global Configuration Commands
All the following commands are available at the global configuration level.
Table 13. MVR global configuration commands

  mvr            Enables MVR. The no form of this command disables MVR.
  mvr mode       Specifies whether the mode of operation is static or dynamic.
  mvr group      Statically configures an MVR group IP multicast address or a
                 sequence of MVR group IP multicast addresses on the switch.
  mvr querytime  Sets the maximum time to wait for IGMP report memberships on a
                 receiver port.
  mvr vlan       Specifies the VLAN on which MVR multicast data is expected.
mvr
The mvr command enables MVR. The no form of this command disables MVR.
By default, MVR is disabled.
When you disable MVR, the entire MVR configuration is erased.
Device-Name(config)#mvr
mvr mode
The mvr mode command specifies the mode of operation, either static or dynamic.
The default MVR mode is dynamic.
Here is the complete syntax:
mvr mode dynamic [group <group-id> [<count>]] [querytime <value>] [vlan <vlan-id>]
mvr mode static [vlan <vlan-id>]
where:
dynamic – Forces the multicast server to send all configured multicast-group data to
the source port, without waiting for join requests from receiver ports. When a user
on a receiver port sends a join to a multicast group, the user immediately starts
receiving the multicast data. The response to joins and channel zapping is quick, at
the expense of loading the switch with traffic from all the configured multicast
groups all the time. If no multicast group is defined, the default is 224.0.0.1.
Under normal conditions, dynamic mode is preferable.
static – Multicast data is sent only after a request has been sent from a receiver port
to join that multicast group. The response in this mode is slower than the response in
dynamic mode, but the switch is not loaded with traffic from unused multicast
groups.
group <group-id> – The IP multicast address of the MVR group.
<count> – Configures multiple contiguous MVR group addresses. The default count
is 1. The valid range is 1 – 256.
querytime <value> – The response time in seconds. The default is 10 seconds. The
valid range is 1 – 25 seconds.
vlan <vlan-id> – The ID of the VLAN on which MVR multicast data is expected.
The default VLAN ID is 1.
mvr group <group-id> [<count>]
The mvr group command statically configures the MVR group IP multicast address
<group-id> or, with <count>, a sequence of contiguous group addresses starting at
<group-id>. See the parameter descriptions above. An address that aliases with an
already configured group (the same low-order 23 bits, and therefore the same
multicast MAC address) is rejected; see the examples below.
mvr querytime <value>
The optional mvr querytime command sets the maximum time to wait for IGMP
report memberships on a receiver port. This time applies only to receiver ports and
affects leave processing. When an IGMP query is sent to a receiver port, the switch
waits for the default or configured MVR query time for an IGMP group membership
report before removing the port from multicast group membership.
This command overrides the query response time indicated in the IGMP query
packets received from the query router.
Note: The mvr querytime command is relevant only in dynamic mode.
Note: The no form of this command restores the default setting of 10 seconds.
mvr vlan <vlan-id>
The mvr vlan command specifies the ID of the VLAN on which reception of MVR
multicast data is expected (the source-port VLAN ID).
The default multicast VLAN ID for MVR is 1.
Examples
The following example shows how to enable MVR. Before using the mvr command,
make sure that IGMP snooping is enabled:
device-name(config)#ip igmp snooping
device-name(config)#mvr
The following example shows how to disable MVR:
device-name(config)#no mvr
Use the show mvr privileged EXEC command to display the current setting for
maximum multicast groups.
The following example shows how to configure 228.1.23.4 as an IP multicast
address:
device-name(config)#mvr group 228.1.23.4
The following command fails because of address aliasing:
device-name(config)#mvr group 230.1.23.4
Cannot add this IP address - aliases with previously configured
IP address 228.1.23.4.
The following example shows how to configure ten contiguous IP multicast groups
with multicast addresses from 228.1.23.1 to 228.1.23.10:
device-name(config)#mvr group 228.1.23.1 10
The following example shows how to delete the previously configured IP multicast
address:
device-name(config)#no mvr group 228.1.23.1
The following example shows how to delete all previously configured IP multicast
addresses:
device-name(config)#no mvr group
The following example shows how to set the maximum query response time to 15
seconds:
device-name(config)#mvr querytime 15
The following example shows how to reset the maximum query response time to the
default setting 10 seconds:
device-name(config)#no mvr querytime
The following example shows how to set VLAN 2 as the multicast VLAN:
device-name(config)#mvr vlan 2
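The aliasing failure shown above follows from how IPv4 multicast groups map to Ethernet MAC addresses: only the low-order 23 bits of the group address go into the MAC 01:00:5e:xx:xx:xx, so 228.1.23.4 and 230.1.23.4 share one MAC and the switch cannot keep their traffic apart. The following Python is an added example, not Foundry code; it computes that mapping and models the global mvr group table with the aliasing check, the 256-group limit and the <count> range form. Class and function names are this example's own.

```python
"""Added example: why 'mvr group' rejects aliasing addresses (not Foundry code)."""

import ipaddress

MAX_MVR_GROUPS = 256


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast address to its Ethernet MAC (RFC 1112: 01:00:5e + low 23 bits)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0-239.255.255.255")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def expand_group_range(start: str, count: int = 1) -> list:
    """The '<group-id> [<count>]' form: count contiguous addresses starting at start."""
    if not 1 <= count <= MAX_MVR_GROUPS:
        raise ValueError("count must be 1-256")
    first = ipaddress.IPv4Address(start)
    addrs = [str(first + i) for i in range(count)]
    if not ipaddress.IPv4Address(addrs[-1]).is_multicast:
        raise ValueError("range runs past 239.255.255.255")
    return addrs


class MvrGroupTable:
    """Global 'mvr group' state with the switch's aliasing and capacity checks."""

    def __init__(self):
        self.groups = []    # configured IP groups, in order
        self._by_mac = {}   # multicast MAC -> IP group that owns it

    def add(self, start: str, count: int = 1) -> list:
        """Add the addresses; returns them, or raises describing the conflict as the CLI does."""
        new = expand_group_range(start, count)
        if len(self.groups) + len(new) > MAX_MVR_GROUPS:
            raise ValueError(f"exceeds the maximum of {MAX_MVR_GROUPS} MVR groups")
        for ip in new:
            owner = self._by_mac.get(multicast_mac(ip))
            if owner is not None:
                raise ValueError(
                    f"Cannot add this IP address - aliases with previously configured IP address {owner}"
                )
        for ip in new:
            self.groups.append(ip)
            self._by_mac[multicast_mac(ip)] = ip
        return new

    def remove(self, ip: str = None) -> None:
        """'no mvr group [<ip>]': remove one group, or all of them."""
        victims = [ip] if ip else list(self.groups)
        for v in victims:
            self.groups.remove(v)
            del self._by_mac[multicast_mac(v)]
```

Thirty-two IPv4 groups collide on every multicast MAC (224.1.23.4, 224.129.23.4, 225.1.23.4, ... 239.129.23.4), so when planning MVR groups choose addresses that differ in the low 23 bits, or the second configured group will be refused.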
MVR Interface Configuration Commands
All the following commands are available at the interface configuration level.
Table 14. MVR interface configuration commands

  mvr type       Configures the port either as an MVR receiver port or as a source
                 port.
  mvr immediate  Enables or disables the Immediate Leave feature of MVR on a port.
  mvr group      Statically configures the specified MVR group IP multicast address
                 for the specified VLAN ID.
  no mvr         Removes the configured port from the MVR ports list.
mvr type source | receiver
The mvr type command configures the port either as an MVR receiver port or as a
source port.
source – Configures the port as an uplink port that can receive multicast data for the
configured multicast groups. There can be more than one source port in a switch.
See the note below.
receiver – Configures the port as a subscriber port that can receive multicast data.
Note: If MVR type is not specified, this port is a receiver port. If the queries and the
multicast data are received from different ports, configure the port from which the
queries are received as the source port.
mvr immediate
The mvr immediate command enables the Immediate Leave feature of MVR on a
port. The no mvr immediate command disables the feature.
By default, the Immediate Leave feature is enabled on all ports.
mvr group [<group-id>]
The mvr group command, configured on receiver ports, statically configures the
specified MVR group IP multicast address for the specified VLAN ID. This is the IP
address of the multicast group that the port is allowed to join.
The no form of this command, with an IP address specified, removes the configured
port from membership in the specified IP multicast address group. If no IP address is
specified, the no form of this command removes the configured port from
membership in all configured multicast groups.
By default (if this command is not used), the port is not allowed to join any MVR
group. If the command is used without specifying an IP address, the port is allowed to
join all configured groups.
no mvr
The no mvr command removes the configured port from the MVR ports list.
Examples
The following example shows how to configure port 1/1/1 as an MVR receiver port:
device-name(config)#interface 1/1/1
device-name(config-if 1/1/1)#mvr type receiver
The following example shows how to configure Gigabit Ethernet port 1/2/1 as an
MVR source port:
device-name(config)#interface 1/2/1
device-name(config-if 1/2/1)#mvr type source
The following example shows how to remove port 1/2/1 from the MVR ports list:
device-name(config)#interface 1/2/1
device-name(config-if 1/2/1)#no mvr
MVR Show Commands
All the following commands are available at the global configuration level.
Table 15. MVR show commands

  show mvr            Displays configured MVR parameters with regard to the switch.
  show mvr interface  Lists the current MVR configurations and status per MVR port.
  show mvr members    Lists the current MVR configurations and status per MVR group.

show mvr
The show mvr command, in global Configuration mode, displays the following
information, with regard to the switch:
· MVR status (enabled or disabled)
· MVR multicast VLAN ID
· Maximum number of MVR multicast groups
· Current number of MVR multicast groups
· Current MVR query response time (configured or received online from the query
  router)
· Configured MVR mode (Static or Dynamic)
Example:
device-name#show mvr
MVR Status: enable
MVR multicast vlan: 1
MVR Max Multicast Groups: 256
MVR Current multicast groups: 256
MVR Global query response time: 5
MVR Mode: Dynamic
show mvr interface
The show mvr interface command, in global configuration mode, lists the current
MVR configuration of the switch's MVR-configured ports.
Example:
device-name#show mvr interface
===============================================================
Interface     | Type      | Status        | Immediate Leave
--------------+-----------+---------------+-------------------
1/1/1         | Receiver  | Active/up     | Enable
1/1/2         | Receiver  | Inactive/up   | Disable
1/2/1         | Source    | Active/up     | -
show mvr members
The show mvr members command, in global configuration mode, lists the currently
active interfaces per MVR group.
Example:
device-name#show mvr members
=============================================================
MVR Group   | Active Interface List
------------+-----------------------------------------------
224.0.0.3   | 1/1/1, 1/1/2, 1/1/4
224.0.0.4   | none
Transparent LAN Services (TLS)
Transparent LAN Services (TLS) implies Layer 2 connectivity offered by a service
provider to multiple customer sites in a manner that is transparent to the Customer
Edge (CE) devices.
The switch is positioned on the edge of the provider network. It is connected to CE
switches, and interfaces to the provider network.
To provide TLS, Ethernet frames originated by the source CE switch are received at
the Provider Edge (PE) switch, encapsulated, and transported across the provider
network, where the PE switch removes the encapsulation and delivers the unmodified
frame to the destination CE switch.
[Figure: TLS topology. Customer Domain (CE switches) – PE Switch – Service Provider
Domain (Provider Network) – PE Switch – Customer Domain (CE switches).]
To implement TLS, the switch functions like a transparent switch, hiding the
topology of the provider network. This allows all the CE switches to behave as if
attached to a shared LAN.
The logical ports participating in TLS must be manually configured. On the access
side this simply requires identifying each participating link (between PE and CE). On
the network side this also requires adding a VLAN.
TLS Configuration Commands
Interface-Level TLS Commands
Table 16. TLS Commands – Interface Level

  tls uplink       Assigns the TLS uplink and optionally the TLS VLAN to the
                   configured interface.
  tls user         Assigns the TLS user to the configured interface.
  no tls uplink    Removes the specified TLS uplink and the TLS VLAN.
  no tls user      Deletes the TLS user.
  show tls uplink  Displays the configured TLS uplinks.
  show tls user    Displays the configured TLS users.
tls uplink <num> all [vlan-id <vlan-id>]
where:
<num> – is the uplink index, which can be a number from 1 – 32.
all – applies to all traffic.
vlan-id <vlan-id> – specifies a VLAN ID.
The tls uplink command, in interface configuration mode, assigns the TLS uplink
and optionally the TLS VLAN to the configured interface.
The no form of this command removes the specified TLS uplink and the TLS VLAN.
This no tls uplink command also deletes the TLS users with the same TLS number
and the access groups that were attached to the TLS uplink and to its users.
· You can define several TLS uplinks on one interface.
· The TLS uplink is configured at the Provider-network side of the PE switch.
tls user <num>
where:
<num> – is the user index, which can be a number from 1 – 32.
The tls user command, in interface configuration mode, assigns the TLS user to the
configured interface.
The no form of this command deletes the TLS user.
show tls uplink
The show tls uplink command, in Privileged (Enabled) mode, displays the
configured TLS uplinks.
show tls user
The show tls user command, in Privileged (Enabled) mode, displays the configured
TLS users.
Global TLS Commands
Table 17. TLS Commands – Global

  tls slot        Assigns the TLS slot number and determines the VLAN EtherType
                  number.
  no tls slot     Removes the TLS slot.
  show tls slots  Displays the configured TLS slots.

tls slot <slot-num> [ethertype <num>]
where:
<slot-num> – is the TLS slot number.
ethertype <num> – is a hexadecimal VLAN EtherType value. If not specified,
0x9000 is used.
The tls slot command, in global configuration mode, assigns the TLS slot number
and determines the VLAN EtherType number. The no form of this command, in
global configuration mode, removes the TLS slot.
When configuring the global TLS command, you must also create the VLAN that will
participate in the TLS:
· You can specify the VLAN EtherType number or use the default VLAN EtherType
  number for TLS (0x9000).
· The TLS VLAN at the Provider-network side of the PE switch is configured as a
  tagged member.
· The TLS VLAN at the CE side of the PE switch is configured as an untagged member
  (and is made the default VLAN of that port).
Note: It is recommended NOT to define the TLS VLAN on non-TLS interfaces, since
any port that is a member of the TLS VLAN can exchange frames with the customer
sites attached to it.
show tls slots
The show tls slots command, in Privileged (Enabled) mode, displays the configured
TLS slots.
Configuration Examples
Configuring Interface-Level TLS
Here is an example of interface-level TLS.
[Figure: interface-level TLS example. PE Switch 1: interface 1/1/3 to the CE switch
(Customer Domain), interface 1/1/1 to the Provider Network. PE Switch 2: interface
1/1/1 to the Provider Network, interface 1/1/3 to the CE switch (Customer Domain).]
To configure TLS as shown in this example, enter the following commands on the
PE switches.
Device-Name#configure terminal
Device-Name(config)#interface 1/1/1
Device-Name(config-if 1/1/1)#tls uplink 1 all vlan-id 222
Device-Name(config-if 1/1/1)#interface 1/1/3
Device-Name(config-if 1/1/3)#tls user 1
Device-Name(config-if 1/1/3)#end
Device-Name#show tls uplink
interface 1/1/1
tls uplink 1 all vlan-id 222
Device-Name#show tls user
interface 1/1/3
tls user 1
Configuring Global TLS
Here is an example of global TLS.
[Figure: global TLS example. PE Switch 1: interface 1/1/3 to the CE switch, interface
1/1/1 (slot 1) to the Provider Network. PE Switch 2: interface 1/1/1 (slot 1) to the
Provider Network, interface 1/1/3 to the CE switch.]
To configure TLS as shown in this example, enter the following commands on the
PE switches.
Device-Name#configure terminal
Device-Name(config)#tls slot 1
Device-Name(config)#vlan
Device-Name(config vlan)#create tls_vlan 222
Device-Name(config vlan)#config tls_vlan
Device-Name(config-vlan tls_vlan)#add ports 1/1/1 tagged
Device-Name(config-vlan tls_vlan)#add ports 1/1/3 untagged
Device-Name(config-vlan tls_vlan)#add ports default 1/1/3
Device-Name(config-vlan tls_vlan)#exit
Device-Name(config vlan)#config default
Device-Name(config-vlan default)#remove ports 1/1/1,1/1/3
Device-Name(config-vlan default)#end
Device-Name#show tls slots
tls slot 1
Device-Name#show vlan
===============================================
name            |vtag  |tagged ports   |untagged ports
----------------+------+---------------+-------------
default         |1     |               |1/1/2,1/1/4-1/2/1
tls_vlan        |222   |1/1/1          |1/1/3
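The following Python is an added example, not Foundry code, of the encapsulate/decapsulate step the TLS description above relies on: the PE pushes a tag carrying the TLS EtherType (0x9000 by default) and the TLS VLAN (222 in the example) in front of the customer frame on the way into the provider network, and pops it on the way out, leaving the customer frame, including any 802.1Q tag the customer already uses, unmodified. The guide states only the EtherType value; this model assumes the tag has the 802.1Q layout (EtherType, then PCP/DEI/VID) and uses a constructed sample frame. Function names are this example's own.

```python
"""Added example: TLS encapsulation modelled as an 802.1Q-style tag with the TLS EtherType (not Foundry code)."""

import struct

TLS_ETHERTYPE = 0x9000   # default from 'tls slot'
TLS_VID = 222            # the tls_vlan of the example
ETH_HDR = 12             # destination MAC + source MAC


def encapsulate(frame: bytes, vid: int = TLS_VID, ethertype: int = TLS_ETHERTYPE, pcp: int = 0) -> bytes:
    """PE ingress from a CE (tls user) port: push a tag <ethertype, TCI> after the MAC addresses.

    Assumption of this model: the tag has the 802.1Q layout (16-bit EtherType, then
    3-bit PCP, 1-bit DEI, 12-bit VID); the guide only states the EtherType value.
    """
    if len(frame) < ETH_HDR + 2:
        raise ValueError("runt frame")
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("bad VID or PCP")
    tci = (pcp << 13) | vid
    return frame[:ETH_HDR] + struct.pack("!HH", ethertype, tci) + frame[ETH_HDR:]


def decapsulate(frame: bytes, expected_vid: int = TLS_VID, ethertype: int = TLS_ETHERTYPE):
    """PE egress to a CE: pop the tag and return the original frame, or None to discard.

    A frame is discarded if it does not carry the TLS EtherType or if its VID is not
    the TLS VLAN of this slot, so traffic from another customer's VLAN never reaches
    this CE.
    """
    if len(frame) < ETH_HDR + 4 + 2:
        return None
    et, tci = struct.unpack("!HH", frame[ETH_HDR:ETH_HDR + 4])
    if et != ethertype or (tci & 0x0FFF) != expected_vid:
        return None
    return frame[:ETH_HDR] + frame[ETH_HDR + 4:]


def customer_frame() -> bytes:
    """Constructed sample: a CE frame that already carries its own 802.1Q tag (VLAN 7)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    inner_tag = struct.pack("!HH", 0x8100, 7)
    payload = struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19  # IPv4 header stub
    return dst + src + inner_tag + payload


def transport_round_trip(frame: bytes) -> bytes:
    """CE -> PE (push) -> provider network -> PE (pop) -> CE, as the guide describes."""
    wire = encapsulate(frame)
    return decapsulate(wire)
```

Because the customer's own 0x8100 tag rides inside the TLS tag, the provider network forwards on VLAN 222 only and never sees VLAN 7; this is also why the TLS VLAN must not be offered on non-TLS ports, since any member port could pop or inject frames for that customer.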
Quality Of Service
Overview
This section describes how to apply Quality of Service rules. The building blocks for
applying QoS include elements such as the two transmit queues (Low and High,
named txq0 and txq1) with several weights, the ability to manipulate a packet's
header by remarking the 802.1p priority, and more. Throughout this User's Guide,
the term priority level refers to both IEEE 802.1p priorities and internal priority; the
internal priority actually maps the packets to one of the transmit queues, using the
priority-to-transmit queue mapping.
The following are some general rules regarding QoS:
· Without QoS, all traffic gets the same service; i.e., the forwarding behavior of a
  network device is FIFO.
· QoS prioritizes traffic into different service levels and provides preferential
  forwarding treatment to some data traffic at the expense of lower priority traffic.
· QoS does not create bandwidth. It just gives better service to a well-provisioned
  class with respect to another class.
Conventions Used
If the command is issued in Configuration mode [Device-Name(config)# prompt],
then it will configure all the ports for that mode. If the command is issued in physical
interface configuration mode [Device-Name(config-if)# prompt], then it will only
configure the current physical interface.
Note:
The Interface configuration will override any global configurations made.
Queue Management
You can use Strict Priority (SP) or Weighted Round Robin (WRR). The scheduling
algorithm is configured for all ports. All the QoS related commands begin with the
word qos. If the command is issued in Configuration mode [Device-Name(config)#
prompt], then it will configure all the ports for the same scheduling. If the command
is issued in physical interface configuration mode [Device-Name(config-if)# prompt],
then it will only be done for the current physical interface.
Configuring Strict Priority Scheduling
The SP algorithm orders the two queues in a strict priority fashion where txq1 has the
highest priority and txq0 the lowest. The port scheduler will always service the high
priority queue that has packets waiting for transmission. This provides packets
queued in the high priority queue with a minimum delay (never waits for packets in
other queues) and maximum bandwidth (up to the capacity of the link). The risk with
strict priority queuing is that the low priority queue will be starved if the high priority
queue consumes all the bandwidth.
In order to configure SP scheduling, use the following command:
Device-Name(config)#qos scheduling sp
Configuring WRR Scheduling
As the name suggests, under the WRR algorithm the scheduler serves the two queues
in a round-robin fashion. The high priority queue (txq1) is assigned a relative weight
that determines how many packets it may transmit before giving up its turn and
allowing the low priority queue (txq0) to transmit one packet. The weight is therefore
the ratio of the high priority queue to the low priority queue: the number selected
indicates how many packets from the high priority queue are transmitted for each
packet transmitted from the low priority queue. Unlike strict priority, WRR guarantees
the low priority queue a share of the link (1/(weight+1) when both queues are
saturated), so it cannot be starved.
In order to configure WRR scheduling, use the following command:
Device-Name(config)#qos scheduling wrr <txq1-weight>
The weights values to select are:
1 – for low priority queue to high priority ratio of 1:1
2 – for low priority queue to high priority ratio of 1:2
4 – for low priority queue to high priority ratio of 1:4
6 – for low priority queue to high priority ratio of 1:6
8 – for low priority queue to high priority ratio of 1:8
10 – for low priority queue to high priority ratio of 1:10
12 – for low priority queue to high priority ratio of 1:12
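The following Python simulation is an added example, not Foundry code, of the difference between the two schedulers described above. It serves the two queues slot by slot with both of them permanently backlogged (constructed input) and counts what each queue gets: under SP the low queue is starved completely, under WRR with weight 4 it receives one packet in five. The function names and the accepted weight list are taken from the command description; the packet contents are immaterial.

```python
"""Added example: strict priority vs. weighted round robin over txq1/txq0 (not Foundry code)."""

from collections import deque

WRR_WEIGHTS = (1, 2, 4, 6, 8, 10, 12)   # values qos scheduling wrr accepts


def schedule(algorithm: str, txq1: deque, txq0: deque, slots: int, weight: int = 1) -> dict:
    """Serve two queues for `slots` packet-transmission slots; return packets sent per queue.

    'sp'  : txq1 is always served first; txq0 only when txq1 is empty.
    'wrr' : up to `weight` packets from txq1, then one from txq0, round after round.
            An empty queue forfeits its turn, so an idle txq1 gives txq0 the whole link.
    """
    if algorithm not in ("sp", "wrr"):
        raise ValueError(algorithm)
    if algorithm == "wrr" and weight not in WRR_WEIGHTS:
        raise ValueError(f"weight must be one of {WRR_WEIGHTS}")
    sent = {"txq1": 0, "txq0": 0}
    credit = weight  # txq1 packets still allowed in the current WRR round
    for _ in range(slots):
        if not txq1 and not txq0:
            break  # link idle
        if algorithm == "sp":
            q = "txq1" if txq1 else "txq0"
        elif txq1 and credit > 0:
            q, credit = "txq1", credit - 1
        elif txq0:
            q, credit = "txq0", weight      # txq0's turn ends the round
        else:
            q, credit = "txq1", weight      # txq0 empty: txq1 keeps the link
        (txq1 if q == "txq1" else txq0).popleft()
        sent[q] += 1
    return sent


def saturated(n: int) -> deque:
    """Constructed input: a queue holding n packets (payloads do not matter here)."""
    return deque(range(n))


def starvation_demo(slots: int = 50, weight: int = 4) -> dict:
    """Compare both algorithms with both queues permanently backlogged."""
    return {
        "sp": schedule("sp", saturated(slots), saturated(slots), slots),
        "wrr": schedule("wrr", saturated(slots), saturated(slots), slots, weight=weight),
    }


if __name__ == "__main__":
    print(starvation_demo())   # {'sp': {'txq1': 50, 'txq0': 0}, 'wrr': {'txq1': 40, 'txq0': 10}}
```

The SP result is the starvation risk the text warns about: if an attacker, or a misconfigured host, can get its traffic into txq1 (see the ingress priority override below), strict priority lets that traffic monopolise the link, whereas WRR bounds the damage to weight/(weight+1) of the capacity.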
Verifying Queue Configuration
In order to view the queue configuration, use the following command:
Device-Name#show qos scheduling
Assigning QoS Rules to Traffic
Auto Mapping of 802.1p Priorities to Transmit Queues
The 802.1Q/p tagged packets are assigned to a queue based on the priority level (0-7)
in the packet's tag. The assignment is for all ports. The default mapping of 802.1p
priority levels to queues is as follows.

  Priority Level  Transmit Queue
  4,5,6,7         txq1 (High)
  0,1,2,3         txq0 (Low)
Manual Mapping of 802.1p Priorities to Transmit Queues
In order to modify the mapping of 802.1p priority levels to queues, use the following
command:
qos map <0-7> txq0 | txq1
Manipulating 802.1p Priorities on Ingress
At each port, you can choose to override the 802.1p priority of incoming frames by
assigning a new one. Every incoming frame is assigned the new priority level and then
mapped to the appropriate output queue using the 802.1p level-to-queue mapping. If
you choose not to override the incoming frames' 802.1p priority (using the
no-override option), then 802.1p tagged frames are forwarded using their own
priority level. Untagged frames (those with no assigned priority) are assigned the
priority configured by this command in either case. On ports facing untrusted hosts,
use override so that a host cannot place its own traffic in the high priority queue by
tagging it with priority 4-7.
qos priority <0-7> override | no-override
Auto Remarking of 802.1p Priorities on Egress
The default remarking of queues to 802.1p priority levels is as follows:

Transmit Queue    Priority Level
txq1              7
txq0              0
Remarking of 802.1p Priorities on Egress
In order to remark the 802.1p priority of a frame as it leaves the switch, you can
assign an 802.1p priority level to each txq. All frames leaving the switch through this
queue will be marked with that priority.
qos remark <0-7> txq0 | txq1
Verifying 802.1p Priority Configuration
In order to verify the 802.1p priority to queue configuration, use the following
commands:
The following command displays the priority level assigned (for remarking) to
each output queue.
show qos priority-txq-map remark
The following command will display the general priority to output queue map.
show qos priority-txq-map
The following command will display the priority assigned per port.
show qos priority-txq-map <uu>/<ss>/<pp> | all
Manual QoS Assignment per Destination MAC Address
(per VLAN)
All traffic destined to a specific MAC address, on all ports, can be assigned a
priority level (0-7) regardless of its 802.1p priority. The frame is then forwarded
to a transmit queue using the mapping of 802.1p priorities to transmit queues.
qos mac static | secure <mac-addr> vlan <vlan-id> <uu>/<ss>/<pp> priority <0-7>
Type-of-Service (ToS) Mapping
You can map ToS/DSCP values to the EdgeIron Ethernet Switch’s transmit queues,
on an individual interface basis. To do so, use the following command at the
interface configuration level.
qos tos <tos-value> high | low
where:
<tos-value> – is the ToS value, which can be from 1 – 63.
high | low – specifies the device’s transmit queue.
By inspecting the ToS/DSCP field in the IP header, the device assigns ingress traffic
an internal priority level. The frame is then forwarded to a transmit queue using the
mapping of 802.1p to transmit queues.
no qos tos
The no qos tos command disables ToS/DSCP mapping on the interface.
show qos tos
This command, in interface configuration mode, displays the ToS/DSCP mapping
settings.
Software Upgrade and Boot Options
Displaying Configurations
show startup-config
Displays the switch configuration saved to NVRAM.
Device-Name#show startup-config
show running-config
Displays information regarding the configuration of the switch. The data is displayed
in self-explanatory language.
Device-Name#show running-config
Downloading a New Image and Java Application
Copy commands can be used to perform the following operations:
· Download new embedded software versions or Java applets to the Flash memory
  of the switch. The download is performed from a TFTP server.
· Save the start-up configuration on a remote server.
· Load a start-up configuration from a remote server.
· Save the running configuration as the start-up configuration.
copy application <ip-addr> <source-file>
To download a new software version to the switch, enter the copy application
command followed by the IP address of the TFTP server, the path and name of the
file (located on the PC running the CLI console) and the section of the Flash
memory.
For example:
Device-Name#copy application 192.192.54.0 c:/file
This command downloads the file named file located on C:/ to Flash memory
using the TFTP server 192.192.54.0.
copy java <ip-addr> <source-file>
To download a new Java applet to the switch, enter the copy java command followed
by the IP address of the TFTP server, the path and name of the file (located on the PC
running the CLI console).
copy startup-config download-from <ip-addr> <source-file>
Loads a start-up configuration with the specified file name, from a remote server
with the specified IP address.
copy startup-config upload-to <ip-addr> <target-file>
Saves the start-up configuration on the remote server with the specified IP address, to
the specified file name.
copy running-config startup-config
Saves the running-configuration as the startup configuration.
copy running-config download-from <ip-addr> <source-file>
Loads a running configuration with the specified file name from a remote server
with the specified IP address. The commands from the downloaded running-config
are executed, so the result is a merge of the downloaded commands into the
switch's current running configuration.
copy running-config upload-to <ip-addr> <target-file>
Saves the running configuration on the remote server with the specified IP address to
the specified file name.
Write Commands
write terminal
Displays detailed information regarding the current configuration of the unit on the
terminal monitor. The data is displayed in self-explanatory language.
Device-Name#write terminal
write erase
Erases the current configuration of the unit stored on the NVRAM of the switch.
The start-up config file is set to default values. This command is like reload to-defaults but without restarting the switch.
Device-Name#write erase
write memory
Stores the current configuration of the unit on the NVRAM of the switch. This is the
configuration that will be saved and loaded each time the unit is powered on.
Device-Name#write memory
The command is equivalent to the copy running-config startup-config command.
Rebooting the Switch
reload
This command causes a cessation of unit operation and performs a cold restart of the
unit.
reload save
Save running configuration to the NVRAM and restart the switch.
reload no-save
Do not save current running configuration and restart the switch. After you enter this
command, the following message is displayed.
Save current configuration and reboot the Switch ? [y/n] :
Enter y followed by Enter to continue.
Returning to Factory Defaults
reload to-defaults
Set the switch configuration to its factory defaults and restart.
CLI for Configuration Scripts
The CLI contains a collection of configuration script files. A script file is a text file
that includes a sequence of configuration CLI commands.
The script files may be downloaded from the TFTP server, uploaded to the TFTP
server, deleted from the TFTP server, renamed and executed. The contents of the
script file can also be viewed. There also is the capability to store running and startup
configurations of the switch into the file system.
There are capabilities to show a list of files stored in the file system and to clean the
entire file system.
When executing the command reload to-defaults, the contents of the file system
remain unchanged.
When running a script file, the result will be a merging of the current running
configuration of the switch and the new settings, caused by a sequence of
configuration commands in the script file.
The file system may store an unlimited number of configuration script files. The
maximum storage space of the file system is 64Kb. The Maximum size of a file is
16Kb.
Every file has a name up to 32 characters long with no spaces. Every file name is
unique in the file system.
To enter script-file-system node type:
Device_name(config)#script-file-system
Command Summary
copy-from – Copy the switch configuration to a script file
delete – Delete a configuration script file
dir – List the configuration script files
display – Display the contents of a configuration script file
download-from – Download a file by TFTP
end – End the current mode and change to Enable mode
exit – Exit the current mode and return to the previous mode
format – Initially format or clear the file system
help – Description of the interactive help system
list – Print the command list
quit – Disconnect and log out
rename – Rename a configuration script file
run – Execute a configuration script file
show – Show running system information
upload-to – Upload a file by TFTP
dir
Prints the names and lengths of all script files stored in the file system.
For example:
Device-Name(config script-file-system)#dir
====================================================
  No | Name                                  | Size
-----+---------------------------------------+------
   1 | run_cnf1                              |  861
   2 | run_cnf2                              |  861
   3 | test1                                 |  187
====================================================
show script-file-system
The same as the command dir. This is a common command, accessible from any
mode where the command show is accessible.
display <file-name>
Displays contents of requested script file as a text.
For example:
Device-Name(config script-file-system)#display test1
============= START FILE ==============
password a1h8RRzG11d4U
log trap errors
no banner
ip address 10.4.0.10 255.255.0.0
mac-address-table aging-time 30
============= END FILE ==============
run <file-name>
Executes a script file with a requested name as a batch of CLI commands.
For example:
Device-Name(config script-file-system)#run test1
Configuration from file successful
copy-from running-config [<target-file>]
Copies the running configuration into a file. If no file name is entered, a default name
(running-config) is assigned to the created file.
For example:
Device-Name(config script-file-system)#copy-from running-config
Saving script file "running_config" to file system... Done
copy-from startup-config [<target-file>]
Copies the startup configuration into file with optionally requested file name. If no
file name is entered, a default name (startup-config) is given to a created file. To
execute this command, the startup configuration should be stored on the switch.
For example:
Device-Name(config script-file-system)#copy-from startup-config
Saving script file "startup_config" to file system... Done
delete <file-name>
Deletes a file from the file system.
For example:
Device-Name(config script-file-system)#del test1
download-from <ip-addr> <source-file> [<dest-file>]
Copies a file from a TFTP server to the file system on the switch. If an optional
destination name is entered, the file is stored in the file system with this name.
Otherwise, the file is stored with the source name.
For example:
Device-Name(config script-file-system)#download-from 10.4.0.4 test1.txt test1
TFTP receiving configuration ... 185
Saving script to file system...
%% Download complete
format file-system
Initializes the file system. If the file system was initialized previously and any files
have been stored, all the contents of the file system will be removed.
For example:
Device-Name(config script-file-system)#format file-system
All stored files will be removed. Format? [y/n] : y
Script file system formatted successfully
rename <old-name> <new-name>
Renames a script file.
For example:
Device-Name(config script-file-system)#rename test1 test1.scr
File renamed
upload-to <ip-addr> <source-file> [<dest-file>]
Copies a file from the file system on the switch to a TFTP server. If a destination
name is entered, the file is stored on the server with this name. Otherwise, the file is
stored with the source name.
For example:
Device-Name(config script-file-system)#upload-to 10.4.0.4 test1
%Upload complete
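The download-from and upload-to commands, like the copy commands earlier, move files with TFTP. The following is an added Python example, not Foundry code, of the TFTP packet formats (RFC 1350) and of a write request carried out in-process, so the reader can see exactly what such a transfer puts on the wire. TFTP has no authentication and no encryption, and a script file can contain a password line like the one shown by `display test1` above, so the example also picks that line back out of the DATA packets as a passive observer would. The script content is constructed and its password string is made up.

```python
"""TFTP (RFC 1350) packets and a simulated script upload.

Added example, not the EdgeIron's code.  It encodes and decodes the TFTP
packet types and runs a WRQ transfer in-process.  SAMPLE_SCRIPT is
constructed; the password string in it is not a real hash of anything.
"""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512                      # fixed block size in RFC 1350


def encode_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def encode_data(block, payload):
    """DATA: opcode, 16-bit block number, 0..512 bytes of payload."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("payload exceeds TFTP block size")
    return struct.pack("!HH", DATA, block) + payload


def encode_ack(block):
    return struct.pack("!HH", ACK, block)


def decode(packet):
    """Return (opcode, fields) for any TFTP packet."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        filename, mode, _rest = packet[2:].split(b"\0", 2)
        return opcode, {"filename": filename.decode(), "mode": mode.decode()}
    if opcode in (DATA, ACK):
        (block,) = struct.unpack("!H", packet[2:4])
        fields = {"block": block}
        if opcode == DATA:
            fields["data"] = packet[4:]
        return opcode, fields
    if opcode == ERROR:
        (code,) = struct.unpack("!H", packet[2:4])
        return opcode, {"code": code, "message": packet[4:].split(b"\0", 1)[0].decode()}
    raise ValueError(f"unknown TFTP opcode {opcode}")


def simulate_upload(filename, content):
    """Client sends WRQ and DATA blocks, server answers ACKs.  Returns the
    packet sequence and the file as the server reassembles it.  A final block
    shorter than 512 bytes (possibly empty) marks the end of the transfer."""
    wire = [encode_request(WRQ, filename), encode_ack(0)]   # WRQ, server ACK 0
    server_copy = bytearray()
    block, offset = 0, 0
    while True:
        chunk = content[offset:offset + BLOCK_SIZE]
        block += 1
        pkt = encode_data(block, chunk)
        wire.append(pkt)
        op, fields = decode(pkt)                # the server's view of the packet
        if op != DATA or fields["block"] != block:
            raise RuntimeError("out-of-order block")
        server_copy += fields["data"]
        wire.append(encode_ack(block))
        offset += BLOCK_SIZE
        if len(chunk) < BLOCK_SIZE:
            break
    return wire, bytes(server_copy)


def credentials_on_the_wire(wire):
    """Config lines starting with 'password' that anyone capturing the DATA
    packets can read: TFTP carries the file in the clear."""
    payload = b"".join(f["data"] for op, f in map(decode, wire) if op == DATA)
    return [line.decode() for line in payload.splitlines()
            if line.startswith(b"password")]


# Constructed script, in the style of the `display test1` output above.
SAMPLE_SCRIPT = (
    b"password xyZexampleHash0\n"     # made-up string, not a real hash
    b"log trap errors\n"
    b"no banner\n"
    b"ip address 10.4.0.10 255.255.0.0\n"
    b"mac-address-table aging-time 30\n"
)

if __name__ == "__main__":
    packets, received = simulate_upload("test1", SAMPLE_SCRIPT)
    print(f"{len(packets)} packets, file intact: {received == SAMPLE_SCRIPT}")
    print("visible to a sniffer:", credentials_on_the_wire(packets))
```

Because the only thing protecting an upload or download is the network path, run the TFTP server on a management network the switch reaches directly, and delete the uploaded script files from the server once they have been archived somewhere with access control.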
Status Monitoring and Statistics
System Information
show version
Displays inventory information regarding the software and hardware versions of the
EdgeIron Ethernet switch. For example:
Device-Name>show version
Foundry Networks
Switch model    : EdgeIron 4802F
SW version      : 1.1.0 created Nov 26 2001 - 14:59:12
Java version    : 2.1.1 created Wed Nov 14 18:11:24 IST 2001
Monitor version : 1.0.0 created Nov 7 2001 - 15:54:40
Up time         : 3 days, 23 hours, 1 min, 37 sec.
The (*) means that this is the current working version.
RUN TO REGISTER – means that the application in this bank exists and it must be
run to register itself in show version command.
The Up time displays the amount of time that the unit has been switched on.
who
Displays the name of the user currently logged in to the switch.
For example:
Device-Name>who
vty[0] connected.
Passwords
There are three password levels that can be configured on the switch.
·
View mode password
·
Privileged mode password
·
Boot Loader password
All passwords are stored in encrypted form. Saved configurations and script files
contain these password strings (see the display example in the script file system
section), so treat them as sensitive whenever they are copied off the switch. If you
encounter problems in gaining access using the passwords, please contact the factory.
Configure Application View Mode Password
password <string>
This command sets the password to enter the View mode. The password you set
through this command is the one you will be required to enter to log in to View
mode.
Example:
Device-Name(config)#password Switch123
Default:
The View Mode default password is foundry. Change it before the switch is placed
in service.
Configure Application Enable Mode Password
enable password <string>
This command sets a password to enter the Privileged mode. By default, no password
is required to enter the Privileged mode, so set one before the switch is reachable
over the network. The password you set through this command is the one you will
be required to enter in response to the enable command.
Example:
Device-Name(config)#enable password switch123enable
Default:
The Enable mode password is not configured.
Configure Boot Loader Password
password loader <string>
This command sets the password to enter the boot loader. The password you set
through this command is the one you will be required to enter.
Example:
Device-Name(config)#password loader switch123loaderPass.
Line VTY
VTY stands for virtual teletype, the virtual terminal line used by remote sessions.
On this switch it means you can connect to the switch via the Telnet protocol.
Accessing Line VTY Mode
To access Line VTY mode:
Enter the line vty command from the Config mode prompt. The following prompt
indicates that you are in the line VTY mode:
Device-Name(config-vty)#
Line VTY Commands
exec-timeout <minutes> [<seconds>]
Set the VTY connection idle timeout. When only one argument is specified it is
the timeout in minutes; the optional second argument adds seconds. The default
timeout is 10 minutes. A timeout of zero means no timeout, which leaves an
abandoned Telnet session logged in indefinitely.
exec-timeout unlimited
Do not perform timeout at all. This command is the same as exec-timeout 0 0.
Banner
The motd (message-of-the-day) banner is the greeting string printed before the
User Access Verification and password prompt appear.
banner motd default
Set the default motd string.
banner set <motd-string>
Set a user-defined string for the motd.
no banner motd
No motd banner string will be printed.
configure vty node
In this node you can configure VTY parameters (e.g., exec timeout).
hostname <string>
Sets the name of the switch. For example:
default(config)#hostname FastEth_area1
FastEth_area1(config)#
The host name, displayed before the prompt, changes to the specified name. No
spaces are allowed in host name.
service advanced-vty
Enable advanced mode VTY.
In advanced mode the CLI enters Privileged mode directly after the switch (View
mode) password is entered; View mode is skipped, so the View mode password alone
grants privileged access.
The default value of advanced-vty is DISABLED.
no service advanced-vty
Disable advanced mode VTY.
service terminal-length <0-512>
Set the system-wide terminal length (lines per screen). This configuration command
applies to all VTY interfaces.
System Time and Date
This section describes settings of the system time and date. The correct setting of the
system time and date allows the events in logging messages to be correct.
Display the Current System Time
To show the current system time, type the following from Privileged mode:
Device-Name#show date
Current system time TUE APR 10 13:45:04 2001
Configure System Time and Date
To set the system time and date, go to Config mode and enter:
date <hh>:<mm>:<ss> <day> <month> <year>
Example:
The following example sets the system time to 12:30:00 and the date to 1 April 2001:
Device Name(config)#date 12:30:00 1 apr 2001
Remote System Time Synchronization
Remote time synchronization allows the system to keep the correct time and date
accurately.
To use this feature:
§ Choose the remote time synchronization protocol. Supported protocols are the
  Daytime protocol (RFC 867) and the Time protocol (RFC 868).
§ Configure a time host that serves the chosen protocol.
§ Set the device for remote time synchronization.
The server for remote synchronization may be any host running Windows NT/2000
or the UNIX operating system. For configuration of the Daytime or Time server,
please refer to your system documentation. Neither protocol authenticates the
server, so the time host should be reachable only over a trusted network; a
spoofed reply shifts the timestamp on every log entry. To set the device for
remote date and time synchronization, go to Config mode.
time-server <ip-addr> time <refresh> <zone>
The following command sets the device to synchronize its system time with host
192.168.0.1, which serves the Time protocol. Synchronization is performed every 10
seconds, and the system time is shifted by -2 hours.
Device-Name(config)#time-server 192.168.0.1 time 10 -2
Memory Statistics Information
show memory cli
This command shows the memory usage of the CLI.
Device-Name>show memory cli
This is memory of CLI
String vector : 45010
Vector        : 9143
Vector index  : 9143
Vty           : 2
Vty history   : 20
Route table   : 0
Route node    : 1
Command desc  : 22523
---------------------
Buffer        : 2
Buffer data   : 2
Stream        : 0
Logging
These commands are accessible in the Configure node.
log cli-console
Output to CLI Console.
This command enables log output to the CLI console attached to the COM port.
log telnet-console
Output to Telnet Console.
This command enables log output to the Telnet console, if you are connected through
a Telnet client.
no log cli-console
This command stops Output to CLI Console.
no log telnet-console
This command stops Output to Telnet Console.
log telnet-console
Entering no log cli-console followed by log telnet-console makes the CLI log appear
only to Telnet users.
log trap emergencies | alerts | critical | errors | warnings | notifications |
informational | debugging
This command sets the minimum severity of the messages that are logged. The
levels, from most to least severe, are:
· emergencies (only emergency logs are shown)
· alerts
· critical
· errors
· warnings
· notifications
· informational
· debugging (all log messages are shown)
Selecting a level logs messages of that severity together with all more severe ones.
Remote Logging
In addition to maintaining an internal log, the switch supports remote logging by way
of the UNIX syslog host facility. To enable remote logging, do the following:
· Configure the syslog host to accept and log messages.
· Enable remote logging by using the following command in Config mode:
log remote <ip-addr>
Enable output to a remote host.
no log remote <ip-addr>
Disable output to a remote host.
Refer to your syslog application documentation for more information about the
syslog host facility.
Example:
Device-Name(config)# log remote 192.1.22.14
Enable remote logging to HOST 192.1.22.14
Debug Information
show debug [snmp-server]
This command displays the status of the debug actions that are currently activated in
the switch. Debug commands, which are activated in the Privileged mode, can be
used by support personnel to monitor a certain process taking place at the switch.
Debug Commands
These commands can be used by support personnel to monitor a certain process
taking place at the switch.
Table 18. Debug Commands
debug snmp-server oem-trap new-ip portindex <number> macaddress <mac-addr> ipaddress <ip-addr>
Used by Foundry Technical Support.
debug snmp-server trap cold-start | link-down | link-up | authentication
Used by Foundry Technical Support.
RMON
Remote Monitoring (RMON) is a standard monitoring specification that enables
various network monitors and console systems to exchange network-monitoring data.
RMON provides network administrators with more freedom in selecting
network-monitoring probes and consoles with features that meet their particular
networking needs. This section provides a brief overview of the RMON specification, focusing
on RMON groups.
The RMON specification defines a set of statistics and functions that can be
exchanged between RMON-compliant console managers and network probes. As
such, RMON provides network administrators with comprehensive network-fault
diagnosis, planning, and performance-tuning information.
There are two RMON groups that can be used from the CLI:
· Statistics monitoring
· Alarm definitions
RMON Statistics
show rmon statistics
This command displays statistics of all available ports in the switch. For example:
Device-Name#show rmon statistics
interface 1/1/1
Octets          2422964     Jabbers                 0
Collisions            0     Pkts                26266
Broadcast           487     Pkts <=64          270559
Multicast             0     Pkts 65-127        109304
CRCAlignErrors        5     Pkts 128-255        62673
Undersize             1     Pkts 256-511        36316
Oversize              0     Pkts 512-1023        1491
Fragments            36     Pkts 1024-1518       2507
DropEvents            0
interface 1/1/2
Octets             9048     Jabbers                 0
Collisions            0     Pkts                   57
Broadcast             0     Pkts <=64              39
Multicast             0     Pkts 65-127            22
CRCAlignErrors        0     Pkts 128-255           12
Undersize             0     Pkts 256-511           10
Oversize              0     Pkts 512-1023           0
Fragments             0     Pkts 1024-1518          0
DropEvents            0
-- More --
show rmon statistics <uu>/<ss>/<pp>
To view statistics for one port:
Device-Name#show rmon statistics 1/1/3
Octets          2430596     Jabbers                 0
Collisions            0     Pkts                26357
Broadcast           488     Pkts <=64          271222
Multicast             0     Pkts 65-127        110050
CRCAlignErrors        5     Pkts 128-255        63053
Undersize             1     Pkts 256-511        36452
Oversize              0     Pkts 512-1023        1491
Fragments            36     Pkts 1024-1518       2507
DropEvents            0
RMON Alarms
Using CLI commands, you can define specific alarms indicating that some counters
have passed a critical threshold. In this case the switch sends traps that can be
displayed in network management platforms such as HP OpenView (HPOV) or SNMPc.
To define these kinds of events, perform the following steps:
Step 1. Define the trap destination.
Step 2. Define event descriptions.
Step 3. Define alarm conditions.
Step 4. View RMON definitions in the configuration list.
Defining the Trap Destination
Define a trap community string as shown in the following example:
Device-Name(config)#snmp-server trap-community public
where public is the community string. The same trap community string must be
defined at the HPOV or SNMPc manager. The examples use the well-known default
string public; in production choose a community string that cannot be guessed,
since it is the only credential that community-based SNMP traffic carries.
Define the trap destination address as shown in the following example:
Device-Name(config)#snmp-server trap-dest STN1 10.2.0.2 public
where STN1 is the name of the management station with HPOV or SNMPc, and
10.2.0.2 is the IP address of the station. public is the same community string
defined in the previous command.
To view the current trap destination, use the following show command:
Device-Name#show snmp-server
snmp-server security enable
snmp-server community public ro
snmp-server community private rw
snmp-server user STN1 private 10.2.0.2
snmp-server user STN1 public 10.2.0.2
snmp-server trap-community public cold-start link-down link-up auth bridge rmon private
snmp-server trap-dest STN1 10.2.0.2 public
To stop the traps use the following no command:
Device-Name(config)#no snmp-server trap-dest 10.2.0.2 public
Defining Event Descriptions
For example:
Device-Name(config)#rmon event 1 The_tank_is_full snmp-trap public STN1
where:
1 – event index. If it is a new index, the event is created. If the index already exists,
the event is updated.
The_tank_is_full – event text, without spaces
snmp-trap – event notification, which can be one of the following: none | log | snmp-trap | trap-and-log
public – community string as defined previously
STN1 – event owner
To view currently defined events, use the following show command:
Device-Name#show rmon event
Event 1, status active, owned by STN1
Description : The_tank_is_full
Type        : snmp-trap, LastTimeSent: 01:36:29
Community   : public
Enter the following command to view the desired event.
Device-Name#show rmon event 1
To remove an event, use the following no command:
Device-Name(config)#no rmon event
Remove all defined RMON events ? [y/n] : y
Defining Alarm Conditions
Device-Name(config)#rmon alarm 1 counter 2 1/1/3 5 absolute 20000 0 1 0 STN1
where:
1 – alarm index. If it is a new index, the alarm is created. If the index already exists,
the alarm is updated.
2 – counter number, which can be one of the following:
1 – DropEvents
2 – Octets
3 – Pkts
4 – BroadcastPkts
5 – MulticastPkts
6 – CRCAlignErrors
7 – UndersizePkts
8 – OversizePkts
9 – Fragments
10 – Jabbers
11 – Collisions
12 – Pkts64Octets
13 – Pkts65to127Octets
14 – Pkts128to255Octets
15 – Pkts256to511Octets
16 – Pkts512to1023Octets
17 – Pkts1024to1518Octets
1/1/3 – port number in format unit/slot/port
5 – time interval between checks in seconds
absolute – type threshold, which can be absolute or delta
· If absolute is chosen as the threshold's type, the trap will be sent only once,
  when the rising threshold value is met.
· If delta is chosen, the agent will send the trap whenever the delta between the
  last and the current value reaches the rising value. In the case of delta you
  should define two events: one for the case when the rising value is met and one
  for the case when the falling value is met.
20000 – rising threshold value
0 – falling threshold value. For the absolute type, this is not required.
1 – event index for the rising threshold
0 – event index for the falling threshold
In this example the threshold type is absolute, so the falling event is not essential
and that is why the index is zero. If the threshold type is delta, the index should be
the number of the event defined for the falling value.
STN1 – alarm owner
To view the currently defined alarms, use the following show command.
Device-Name#show rmon alarm
Alarm 1, status active, owned by STN1
Counter Octets, interface 1/1/3
Sampling interval (h:m:s) 00:00:05, SampleType absolute
Current value        5986918    Startup : rising
RisingThreshold        20000    RisingEventIndex   1
FallingThreshold           0    FallingEventIndex  0
To view a specific alarm:
Device-Name#show rmon alarm 1
To remove an alarm, use the following no command:
Device-Name(config)#no rmon alarm
Remove all defined RMON alarms ? [y/n] : y
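The rising/falling logic behind the alarm command above, as an added worked example in Python; it is not the switch firmware. It follows the RFC 2819 alarm table semantics the text paraphrases: a rising event fires when the sampled value reaches the rising threshold and is not re-armed until the value drops to the falling threshold, which is why an `absolute` alarm on an ever-growing counter with falling threshold 0 fires once, while `delta` compares successive samples and can alternate between the two events. The counter samples are constructed, and the startup-alarm parameter comes from RFC 2819 rather than from any CLI option shown on this page.

```python
"""RMON alarm evaluation (RFC 2819 alarmTable semantics), added example.

Not Foundry code.  Feeds constructed counter samples through one alarm row
so the absolute/delta and rising/falling behaviour can be observed.
"""


class RmonAlarm:
    """One row of the RMON alarm table, evaluated in software."""

    STARTUPS = ("rising", "falling", "rising-or-falling")   # RFC 2819 alarmStartupAlarm

    def __init__(self, sample_type, rising, falling, rising_event, falling_event,
                 startup="rising"):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if rising < falling:
            raise ValueError("rising threshold must not be below falling threshold")
        if startup not in self.STARTUPS:
            raise ValueError(f"startup must be one of {self.STARTUPS}")
        self.sample_type = sample_type
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.startup = startup
        self.last_raw = None          # previous raw counter, for delta sampling
        self.first = True             # first comparison is governed by `startup`
        self.can_rise = self.can_fall = True   # hysteresis state

    def sample(self, raw):
        """Feed one polled counter value; return the event index fired (0 = none)."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return 0              # a delta needs two samples
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        fired = 0
        if value >= self.rising:
            if self.can_rise and (not self.first or self.startup != "falling"):
                fired = self.rising_event
            # no further rising event until the falling threshold is reached
            self.can_rise, self.can_fall = False, True
        elif value <= self.falling:
            if self.can_fall and (not self.first or self.startup != "rising"):
                fired = self.falling_event
            self.can_rise, self.can_fall = True, False
        self.first = False
        return fired


def run_alarm(alarm, samples):
    """Feed samples in order; return (sample, event index) for each event fired.
    An event index of 0 means 'no event', matching the CLI's use of 0."""
    events = []
    for s in samples:
        e = alarm.sample(s)
        if e:
            events.append((s, e))
    return events


if __name__ == "__main__":
    # The page's alarm: counter 2 (Octets), absolute, rising 20000, no falling event.
    page_alarm = RmonAlarm("absolute", 20000, 0, 1, 0)
    print("absolute:", run_alarm(page_alarm, [5000, 25000, 30000, 40000]))
    # A delta alarm with both events defined, as the text recommends for delta.
    delta_alarm = RmonAlarm("delta", 1000, 100, 1, 2)
    print("delta:   ", run_alarm(delta_alarm, [0, 1500, 3200, 3250, 4800]))
```

The absolute alarm above reports once and then stays silent however high the counter climbs, because Octets never falls back to 0; if you want to be told every polling interval that the condition persists, use delta sampling with a falling threshold the traffic can actually drop below.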
View RMON Definitions in Configuration List
RMON definitions in the running or startup configuration displayed by the show
running or show startup command look like this:
Device-Name#show startup-config
!
! Snmp-server configuration:
!
snmp-server security
snmp-server user STN1 private 10.2.0.2
snmp-server user STN1 public 10.2.0.2
snmp-server trap-dest STN1 10.2.0.2 public
!
! RMON configuration:
rmon event 1 The_tank_is_full snmp-trap public STN1
rmon alarm 1 counter 2 1/1/3 5 absolute 20000 0 1 0 STN1
!
Port Monitor
Use the port monitor interface configuration command to enable Switch Port
Analyzer (SPAN) port monitoring on a port. Use the no form of this command to
return the port to its default value.
Configuration Rules
· Each port can monitor one mirror source port.
· 10/100 ports can monitor Gigabit ports and vice versa.
· There is a limit of eight mirror source ports and eight monitor ports.
· There can be only one mirror source port per "virtual slot". Each virtual slot
  consists of eight 10/100 ports or one Gigabit port. You can have port 1/1/1
  monitor port 1/1/2, but you can't also have 1/1/10 monitor 1/1/3 because 1/1/2
  and 1/1/3 reside in the same block of 8 ports. You can have multiple monitor
  ports in the same block. For example 1/1/1 can monitor 1/1/2 and 1/1/3 can
  monitor 1/1/10.
· Only one monitor port can be configured for a mirror source port. If you try to
  configure another monitor port, the new one takes over and the previous one is
  cancelled.
· Both inbound and outbound traffic is mirrored.
Display Port Monitor Configuration
show port-monitor
Device-Name# show port-monitor
Configure Port Monitor
port monitor <uu>/<ss>/<pp>
no port monitor <uu>/<ss>/<pp>
Table 14. Syntax Description
<uu>/<ss>/<pp> – Unit, slot, and port number for the SPAN to be enabled. The
interface specified is the port to be monitored.
Defaults
Port does not monitor any other ports.
Command Modes
Interface configuration:
Device-Name(config)#interface 1/1/1
Device-Name(config-if 1/1/1)#port-monitor 1/1/8
Device-Name(config-if 1/1/1)#no port-monitor 1/1/8
Device-Name(config-if 1/1/1)#
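A check of a planned port-monitor configuration against the rules listed above, as an added Python example (not Foundry code). It assumes, since the page does not spell it out, that ports are written unit/slot/port, that 10/100 ports are numbered 1 to 48 and fall into virtual slots of eight (1-8, 9-16, and so on), and that any port numbered above 48 is a Gigabit port forming a virtual slot of its own; the port lists fed to it are constructed.

```python
"""Validator for the EdgeIron port-monitor (SPAN) configuration rules.

Added example, not Foundry code.  Port layout assumptions: 10/100 ports are
1..48 in virtual slots of eight; ports above 48 are Gigabit, one per slot.
"""

FAST_PORTS = 48        # assumed number of 10/100 ports per unit/slot
MAX_SESSIONS = 8       # page rule: eight mirror source and eight monitor ports


def virtual_slot(port):
    """Map 'unit/slot/port' to the virtual slot it belongs to."""
    unit, slot, num = (int(x) for x in port.split("/"))
    if num <= FAST_PORTS:
        return (unit, slot, "fe", (num - 1) // 8)   # block of eight 10/100 ports
    return (unit, slot, "ge", num)                  # a Gigabit port is its own slot


def validate_span(config):
    """config: (monitor_port, source_port) pairs in the order they are configured.

    Returns (accepted, errors).  `accepted` maps each mirror source to the
    monitor port that ends up watching it; a later monitor for the same source
    silently takes over, as the text says.  Other violations go to `errors`.
    """
    accepted = {}                      # source port -> monitor port
    errors = []
    for monitor, source in config:
        busy = {m: s for s, m in accepted.items()}
        if monitor in busy and busy[monitor] != source:
            errors.append(f"{monitor} already monitors {busy[monitor]}: "
                          "each port can monitor one mirror source port")
            continue
        clash = [s for s in accepted
                 if s != source and virtual_slot(s) == virtual_slot(source)]
        if clash:
            errors.append(f"{source} shares a virtual slot with mirror source {clash[0]}")
            continue
        if source in accepted:         # new monitor takes over the existing source
            accepted[source] = monitor
            continue
        if len(accepted) >= MAX_SESSIONS:
            errors.append(f"{source}: limit of {MAX_SESSIONS} mirror source ports reached")
            continue
        accepted[source] = monitor
    return accepted, errors


if __name__ == "__main__":
    # The two cases from the rules above: the first is legal, the second is not.
    for plan in ([("1/1/1", "1/1/2"), ("1/1/3", "1/1/10")],
                 [("1/1/1", "1/1/2"), ("1/1/10", "1/1/3")]):
        ok, errs = validate_span(plan)
        print(ok, errs)
```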
Temperature Commands
Temperature Control
To see the current temperature of the CPU area of the unit, use the show
temperature command in Enable mode:
EdgeIron 4802F#show temperature
CPU Temperature = 24C / 75F
EdgeIron 4802F#
October 2003
© 2003 Foundry Networks, Inc.
Page 111
EdgeIron 4802F and EdgeIron 10GC2F User Guide
If the temperature reaches its high level the switch can send an SNMP trap to the trap
destination.
The default temperature high limit is 55C ( 131F ).
To view the temperature high limit use the appropriate command:
EdgeIron 4802F#show temperature high-limit
CPU Temperature high limit = 55C / 131F
EdgeIron 4802F#
The temperature high limit can be changed in Config mode:
temperature high-limit <20-70>
This command sets the CPU temperature high limit in Centigrade.
EdgeIron 4802F(config)#temperature high-limit 30
EdgeIron 4802F(config)#
The SNMP trap for exceeding a temperature limit looks like this:
6/19/101 09:52:22 10.4.1.55
Trap: P3 3,
ent=sysProductsOids.3, comm=public,
reportsHardwareTemperature=32
10.4.1.55
To return the temperature to the default value, use the following command:
EdgeIron 4802F(config)#no temperature high-limit
EdgeIron 4802F(config)#exit
EdgeIron 4802F#show temperature high-limit
CPU Temperature high limit = 55C / 131F
EdgeIron 4802F#
RADIUS
RADIUS Background
Remote Authentication Dial In User Service (RADIUS) is a protocol for carrying authentication,
authorization, and configuration information between a Network Access Server (Foundry Networks
Switch) which desires to authenticate its links, and a shared Authentication Server. The current
EdgeIron 4802F RADIUS client supports login-type authentication only.
RADIUS communication uses UDP with an assigned port number of 1812.
Figure 7 – RADIUS Communication Example: (1) the user sends a Telnet request to
the EdgeIron 4802F; (2) the switch sends an Access Request for the user to the
RADIUS server; (3) the RADIUS server returns an Access Ack to the switch.
Transactions between the switch and a RADIUS server are authenticated through the use of a
shared secret, which is never sent over the network. In addition, any user passwords sent
between the client and the RADIUS server are encrypted, to eliminate the possibility that
someone snooping on an insecure network could determine a user's password. (It is hidden
using a method based on the RSA Message Digest Algorithm, MD5.) This hiding is only as
strong as the shared secret: anyone who learns the secret can recover every password sent
with it, so use a long, random secret and do not share one secret across many devices.
Once the RADIUS server receives a request, it validates the sending client. A request from a
client for which the RADIUS server does not have a shared secret will be silently discarded.
If the client is valid, the RADIUS server consults a database of users to find the user whose
name matches the request. The user entry in the database contains a list of requirements that
must be met to allow access for the user. This always includes verification of the password,
but can also specify the client(s) or port(s) to which the user is allowed access.
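The exchange described above, as an added example that is not part of the original guide and not Foundry or RADIUS-server code: a minimal RFC 2865 client and server in Python showing how the User-Password is hidden with the shared secret, how a request from a client with no configured secret is silently discarded, and how the Response Authenticator lets the switch reject a reply forged by a host that does not know the secret. The function names, the constructed secret 123456, and the addresses and accounts (borrowed from the configuration example later in this chapter) are this example's own assumptions.

```python
# Added example, not the switch's or any RADIUS server's code: the RFC 2865 exchange
# described above, with the User-Password hiding and Response Authenticator check
# that the shared secret provides. All function names are this example's own; the
# secret, addresses and accounts are constructed (they match the example later in
# this chapter).
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block), the first block keyed by the Request Authenticator. Obfuscation keyed by
    the secret, not strong encryption: whoever learns the secret recovers every password."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(body):
    attrs, i = {}, 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(user, password, secret, ident, request_auth=b""):
    """Client (switch) side. The 16-byte Request Authenticator must be unpredictable."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_respond(request, src_ip, clients, users):
    """Server side. clients maps NAS address -> secret (the clients file); a request
    from an address with no secret is silently discarded (None), as described above."""
    secret = clients.get(src_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    if users.get(attrs.get(ATTR_USER_NAME)) == password:
        code, message = ACCESS_ACCEPT, b"user is in"
    else:
        code, message = ACCESS_REJECT, b"Not authorized"
    reply_attrs = attr(ATTR_REPLY_MESSAGE, message)
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def client_verify(response, request, secret):
    """The switch uses a reply only if its identifier matches the outstanding request and
    the Response Authenticator proves the sender knows the secret; a forged Access-Accept
    from a host without the secret fails here."""
    if response is None or len(response) < 20 or response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret, clients = b"123456", {"10.2.200.200": b"123456"}  # page's example key: too short for production
    req = build_access_request(b"user", b"edgeiron", secret, ident=7)
    resp = server_respond(req, "10.2.200.200", clients, {b"user": b"edgeiron"})
    print(resp[0], client_verify(resp, req, secret), parse_attrs(resp[20:])[ATTR_REPLY_MESSAGE])
```

Running the file prints the Access-Accept code, the verification result and the Reply-Message. Because the hiding is keyed only by the shared secret and a 16-byte authenticator, the string configured with radius-server key should be long and random, and the switch-to-server path should not cross untrusted networks.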
RADIUS Operation
Features
When a user attempts to log in and authenticate to an access server using RADIUS, the
following steps occur:
1. The user is prompted for and enters a username and password.
2. The username and the hidden (MD5-obfuscated) password are sent over the network to the
RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
· ACCEPT – The user is authenticated.
· REJECT – The user is not authenticated and is prompted to reenter the username and
password, or access is denied.
The additional data included with the ACCEPT or REJECT packets consists of the
following: reply message and user timeout, session timeout, and idle timeout.
User Configuration
To specify a RADIUS server host and shared secret text string, perform the following
tasks in global Configure mode:
radius-server host <ip-addr> [<portnum>]
Specify the IP address or host name of the remote RADIUS server host and, optionally, the
authentication port number (RADIUS uses UDP port 1812 by default).
radius-server key <string>
Specify the shared secret text string used between the switch and the RADIUS server. This
secret is the only thing that authenticates the server's replies and hides user passwords,
so use a long, random string.
To customize communication between the switch and the RADIUS server, use the following
optional radius-server global configuration commands:
radius-server retransmit <retries>
Specify the number of times the switch transmits each RADIUS request to the server before
giving up (default is three).
radius-server timeout <secs>
Specify the number of seconds the switch waits for a reply to a RADIUS request before
retransmitting the request.
radius-server deadtime <minutes>
Specify the number of minutes for which a RADIUS server that is not responding to
authentication requests is skipped by subsequent RADIUS authentication requests.
Note: The configured RADIUS server is presumed dead if the timeout is reached in three
authentication sessions.
Creating the Local Database
A Local authentication database is used for authentication if the configured RADIUS
server is not responding.
user <username> password <password>
Add a user and password to the local authentication database.
Configuring Login Authentication Using RADIUS
Use the aaa authentication login command with the radius method keyword to specify
RADIUS as the login authentication method.
aaa authentication login default [radius | local]
Set the primary and secondary login method for authentication. The primary/secondary
method can be RADIUS or the local database.
Local authentication is tried only if there is no response from the RADIUS server. A REJECT
from the RADIUS server is final and does not fall back to the local database.
* Note. In the current implementation, the local database is always the second authentication
method.
RADIUS Configuration Example
Figure 8 – RADIUS Configuration Example: Server 1 (the RADIUS server) at 10.2.42.137/16
and the EdgeIron 4802F switch SW1 at 10.2.200.200/16.
Install a RADIUS server on Server 1.
Configure the RADIUS server:
Edit the RADIUS server's clients file and add the switch IP address with a distinctive key
(the shared secret). A key as short as the one below is for illustration only; use a long,
random secret in production. Add the line:
10.2.200.200    123456
Edit the RADIUS server's users file and add two users as follows:
user        Auth-Type = Local, Password = "edgeiron"
            Reply-Message = "user is in"
cheapiron   Auth-Type = Reject
            Reply-Message = "Not authorized"
Configure the Switch
In the switch’s CLI, configure the RADIUS Server host and key as follows:
Device-Name(config)# radius-server host 10.2.42.137
Device-Name(config)# radius-server key 123456
Add a local user with username localUser and password MyPass:
Device-Name(config)# username localUser password MyPass
Note: The local authentication database is used for authentication if the configured RADIUS
server is not responding.
Enable RADIUS login authentication with local fallback using the command:
Device-Name(config)# aaa authentication login default radius local
Add retransmit, timeout and deadtime parameters as follows:
Device-Name(config)# radius-server retransmit 3
Device-Name(config)# radius-server timeout 10
Device-Name(config)# radius-server deadtime 3
Save the configuration and restart the switch.
The results of the above configuration will be as shown in the examples below.
If you try to access the switch using Username “cheapiron”, the result will be REJECT.
Username: cheapiron
Password: Not authorized
Username:
If you try to access the switch using Username “user” and Password “edgeiron”, the result will be
ACCEPT.
Username: user
Password: edgeiron
Device-Name#
October 2003
© 2003 Foundry Networks, Inc.
Page 117
EdgeIron 4802F and EdgeIron 10GC2F User Guide
If you try to access the switch using username “localUser” and password “MyPass” while the
RADIUS server is reachable, the result will be an Authentication Failure from the RADIUS
server: the local database is not consulted when RADIUS answers.
If the RADIUS server is shut down or disconnected from the switch and you try to access the switch
with username “localUser” and password “MyPass”, the result will be ACCEPT. After the three
transmissions of the request have timed out, the switch logs the user in using the local
authentication database.
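The behaviour shown in these results, as an added example rather than code from the guide: a simulation of the login method order set by aaa authentication login default radius local, applying the retransmit, timeout and deadtime rules from the previous page. The class and function names, the simulated clock and the stand-in RADIUS server are this example's own assumptions.

```python
# Added illustration of the login flow configured with
# "aaa authentication login default radius local": RADIUS is consulted first with the
# retransmit/timeout/deadtime rules from the page, and the local database is used only
# when the server gives no answer. Not the switch's own code; the RADIUS transport is a
# stand-in callable and the clock is simulated so the example runs offline.
ACCEPT, REJECT, NO_RESPONSE = "ACCEPT", "REJECT", "NO_RESPONSE"


class SimClock:
    """Simulated seconds counter used in place of wall-clock time."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RadiusClient:
    def __init__(self, send, clock, retransmit=3, timeout=10, deadtime=3):
        self.send = send               # send(user, password, timeout) -> ACCEPT | REJECT | NO_RESPONSE
        self.clock = clock
        self.retransmit = retransmit   # transmissions of each request before giving up (page default 3)
        self.timeout = timeout         # seconds to wait for a reply before retransmitting
        self.deadtime = deadtime * 60  # minutes the server is skipped once presumed dead
        self.dead_until = 0.0
        self.timed_out_sessions = 0

    def authenticate(self, user, password):
        if self.clock() < self.dead_until:
            return NO_RESPONSE         # server presumed dead: skipped without sending anything
        for _ in range(self.retransmit):
            result = self.send(user, password, self.timeout)
            if result != NO_RESPONSE:
                self.timed_out_sessions = 0
                return result
        # Page note: the server is presumed dead once the timeout is reached in three sessions.
        self.timed_out_sessions += 1
        if self.timed_out_sessions >= 3:
            self.dead_until = self.clock() + self.deadtime
            self.timed_out_sessions = 0
        return NO_RESPONSE


class LoginAuthenticator:
    def __init__(self, radius, local_db):
        self.radius = radius
        self.local_db = local_db       # username -> password, as created with "username ... password ..."

    def login(self, user, password):
        """Returns (result, method). A REJECT from RADIUS is final; the local database
        is consulted only when RADIUS gives no response at all."""
        result = self.radius.authenticate(user, password)
        if result != NO_RESPONSE:
            return result, "radius"
        ok = self.local_db.get(user) == password
        return (ACCEPT if ok else REJECT), "local"


def make_server(clock, up, users):
    """Stand-in for the RADIUS server in Figure 8: answers from its users file when up;
    when down, consumes the whole timeout and never answers. Returns (send, sent_log)."""
    sent = []

    def send(user, password, timeout):
        sent.append(user)
        if not up:
            clock.advance(timeout)
            return NO_RESPONSE
        return ACCEPT if users.get(user) == password else REJECT
    return send, sent
```

With the server up, localUser is rejected by RADIUS and never reaches the local database; with the server down, each login costs three transmissions of ten seconds before the local database answers, and after three such sessions the server is skipped entirely for the deadtime.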
Resilient Links
Resilient links protect a network against an individual link or device failure by
providing a secondary backup link that is inactive until it is needed. A resilient link
comprises a resilient link pair that contains a main link and a standby link. If the
main link fails, the standby link immediately takes over the task of the main link.
Under normal network conditions, the main link carries network traffic. If a signal
loss is detected, the device immediately enables the standby link so that it carries the
data. The standby port assumes the profile and carries the network traffic of the main
port.
If the main link has a higher bandwidth than its standby link, or if the main link is
configured as a preferable one, traffic is switched back to the main link as soon as its
connection is recovered. Otherwise, you must manually switch traffic back to the
main link.
Switchover time to the backup link is less than 1 second, so that neither session nor
system timeouts take place.
Resilient links are incompatible with the Spanning Tree Protocol (STP).
Both links of the resilient link must be included in the same VLANs, if there are any.
A Resilient link may not include trunks and its links may not be included in any
trunk.
Resilient Link CLI Commands
In Enable CLI mode:
show resilient-links
Displays list of configured resilient links.
Device-Name#show resilient-links
===========================================
| RLink | Port1 | Port2 | Prefer | Active |
+-------+-------+-------+--------+--------+
|   1   | 1/1/1 | 1/1/2 | Port 1 | Port 2 |
|   2   | 1/1/5 | 1/1/6 |        | Port 1 |
===========================================
In Config CLI mode:
resilient-link <n>
Opens a config–resil-link CLI mode and allows editing settings of a resilient link
<n>. This command is disallowed if Spanning Tree is enabled.
Device-Name(config)#resilient-link 1
Device-Name(config-resil-link 1)#
In config–resil-link CLI mode:
resilient-link <n>
Changes editing focus from current resilient link to a resilient link <n>.
Device-Name(config-resil-link 1)#resilient-link 2
Device-Name(config-resil-link 2)#
no resilient-link <n>
Removes resilient link <n> from list of defined resilient links. The <n> must be the
link you are currently editing. Upon execution of this operation, the CLI returns to
the Config mode.
Device-Name(config-resil-link 1)#no resilient-link 1
Device-Name(config)#
show
Displays list of configured resilient links.
Device-Name(config-resil-link 1)#show
===========================================
| RLink | Port1 | Port2 | Prefer | Active |
+-------+-------+-------+--------+--------+
|   1   | 1/1/1 | 1/1/2 | Port 1 | Port 2 |
|   2   | 1/1/5 | 1/1/6 |        | Port 1 |
===========================================
ports <port1> <port2>
Adds a port pair as a resilient link. This adds a new resilient link to a list of already
defined resilient links. Ports are defined in unit/slot/port notation.
The operation is allowed if the new resilient link hasn’t been configured yet.
Otherwise, if ports of an existing resilient link are to be replaced, first remove the
defined resilient link by entering the no resilient-link command. Then define the
link with a new port.
If one of the added ports belongs to a VLAN, the other port will be included in the same
VLAN with the same tagging. Similarly, if either port of a resilient link is later added
to a VLAN, the other port of the resilient link will be included in that VLAN as well. If
one of the added resilient ports is included in a VLAN as tagged, and the other port is
included in the same VLAN as untagged, the CLI will not complete the operation.
If any of the added ports belongs to a trunk, the CLI will not complete the operation.
Similarly, if you attempt to include any port of a resilient link into a trunk, the CLI
will not complete the operation.
Device-Name(config-resil-link 1)#ports 1/1/1 1/1/2
prefer port <port>
Sets one of the ports of the resilient link as preferred. In case one of the ports in the
resilient link is faster than the other, it is assumed to be a preferred one by default
upon definition of the resilient link, and the preference cannot be changed.
Device-Name(config-resil-link 1)#prefer port 1/1/1
no prefer port
Cancels the preference of either of the ports in the resilient link. In case one of ports
in the resilient link is faster than the other, it is assumed to be a preferred port by
default upon definition of the resilient link, and the preference cannot be cancelled.
Device-Name(config-resil-link 1)#no prefer port
active port <port>
Switches the active port of a resilient link. If the currently active port is a preferred
one, or if the requested port has no available connection, the command has no effect.
Device-Name(config-resil-link 1)#active port 1/1/2
NTP Client Description
The EdgeIron 4802F NTP Client supports all features described in RFC 1059
(Version 1), RFC 1119 (Version 2), and RFC 1305 (Version 3), except for the DES
and RSA authentication mechanisms. Support of these RFCs means that the NTP
Client can synchronize its local clock with NTP servers that implement any of these
documents. The maximum number of remote NTP servers is 5. NTP has
become the standard for Internet time synchronization and, most importantly, there are
more than 100000 free NTP time servers in the world, so using the NTP protocol the
Foundry Networks switch can be time synchronized by the network administrator from
almost anywhere in the world with minimal effort. Because of its mode of operation
(a clock-selection algorithm that discards outlying servers, and MD5 authentication of
server replies) the NTP Client resists spoofed or falsified time sources. Note that this
protection depends on a key being configured: without one, the client accepts time from
any host that answers on a configured server address. In addition, the NTP Client
provides high precision time synchronization.
In brief the NTP Client features are:
· Can synchronize from NTP Servers compatible with RFC 1059 (Version 1),
RFC 1119 (Version 2) or RFC 1305 (Version 3)
· MD5 authentication algorithm
· Up to 5 remote NTP time servers for polling
Why Use the NTP Protocol?
The NTP protocol is the most reliable of all the time synchronization protocols. The
advantages of the NTP protocol are its high redundancy, which is achieved with a
complicated mechanism of processing incoming data; authentication of incoming
data; widespread distribution of free, highly accurate NTP time servers around the
world; and highly accurate time synchronization.
Configuring for NTP
In order to run this type of synchronization it is necessary to set some parameters
before starting the polling of the server(s). Two of the time services described above
use only one server for synchronization; an NTP client can use up to a maximum of five
servers. The system administrator must therefore define the IP addresses of the desired
NTP servers using the following commands.
To add an NTP server, use the following command:
time-server ntp add <ip-addr>
where <ip-addr> is the IP address of an NTP protocol server
To show defined NTP servers, use the following command:
time-server ntp show
To delete an existing NTP server, use the following command:
time-server ntp delete <ip-addr>
Note: If the IP address is omitted, all configured NTP servers are deleted.
The NTP protocol also supports the MD5 authentication mechanism. Before it is used
for the first time, a key must be assigned. The key has two parts: a key ID and a plain-text
key.
The key ID is a number in the range 1 to 65535. The plain-text key is a string of
1 to 20 characters. Once the key has been defined, it is used to authenticate incoming
data from all defined servers until it is deleted; the same key ID and key must be
configured on each server.
Replies from servers that do not authenticate, or that are authenticated with a key other
than the one configured on the client, are discarded.
To define a key, use the following command:
time-server ntp key add <key-id> <string>
where:
<key-id> – A number from 1-65535
<string> – A plain text key
To delete a key, use the following command:
time-server ntp key delete
To show the existing key, use this command:
time-server ntp key show
To start the NTP client, use this command:
time-server ntp start <minutes> <zone>
where:
<minutes> – is the poll interval in minutes, from 10 to 44640
<zone> – optional parameter, a signed number representing the shift of local time
relative to the time on the server
To stop the currently running time-server client, use this command:
no time-server
Example 1 – Setting the NTP Client (authentication
disabled)
Device-Name(config)# time-server ntp add 192.168.0.2
Device-Name(config)# time-server ntp start 10 3
The first line adds an NTP server to the current list.
The second line starts the NTP client.
The example shows NTP client utilization without an authentication mechanism.
Example 2 – Setting the NTP Client (authentication
enabled)
Device-Name(config)# time-server ntp add 192.168.0.2
Device-Name(config)# time-server ntp key add 1 pass
Device-Name(config)# time-server ntp start 10 3
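The MD5 authentication from the previous page and Example 2, as an added example that is neither the switch's nor any NTP server's code: building and checking the NTPv3 authenticator so that a reply with no authenticator, an unknown key ID, or a digest computed with a different key is discarded, together with the originate-timestamp check a client makes against its own request. Function names, key ID 1 with key "pass", and the timestamps are constructed for the example. MD5(key || packet) is the RFC 1305 symmetric-key digest, not an HMAC, and MD5 is no longer considered strong, so the secrecy of the key is all that stands between the client and a spoofed server.

```python
# Added illustration of the MD5 authentication described above, not the switch's own
# code: an NTPv3 reply carries a 4-byte key ID and a 16-byte MD5 digest over the key
# and the 48-byte header (RFC 1305 symmetric-key authentication). The client discards a
# reply with no authenticator, an unknown key ID, or a digest made with another key.
# Key IDs, keys and timestamps below are constructed for the example.
import hashlib
import hmac
import struct

HEADER_LEN = 48
MAC_LEN = 4 + 16  # key ID + MD5 digest


def ntp_header(li_vn_mode, stratum, originate_secs, transmit_secs):
    """48-byte NTPv3 header with second-resolution timestamps (fraction = 0). The
    reference timestamp is left zero; receive is set equal to transmit for brevity."""
    fixed = struct.pack("!BBbbIII", li_vn_mode, stratum, 6, -20, 0, 0, 0)
    stamps = struct.pack("!IIIIIIII", 0, 0, originate_secs, 0, transmit_secs, 0, transmit_secs, 0)
    return fixed + stamps


def authenticate(header, key_id, key):
    """Append the authenticator: key ID followed by MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_mac(packet, keys):
    """Returns (ok, reason). keys maps key ID -> plain-text key, as configured with
    'time-server ntp key add <key-id> <string>'."""
    if len(packet) == HEADER_LEN:
        return False, "no authenticator: discarded because a key is configured"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "unexpected packet length"
    header, key_id = packet[:HEADER_LEN], struct.unpack("!I", packet[48:52])[0]
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, packet[52:]):
        return False, "digest mismatch: server used a different key"
    return True, "ok"


def client_accepts(reply, keys, our_transmit_secs):
    """What the client checks before using a reply: the MAC, and that the reply's
    originate timestamp echoes the transmit timestamp of the request we sent, which
    rejects unsolicited or replayed packets even from a holder of the key."""
    ok, reason = verify_mac(reply, keys)
    if not ok:
        return False, reason
    originate = struct.unpack("!I", reply[24:28])[0]
    if originate != our_transmit_secs:
        return False, "originate timestamp does not match our request"
    return True, "ok"


def poll_exchange(keys, key_id, server_key, request_secs, server_secs):
    """One client poll: build the client request (mode 3), let a stand-in server answer
    (mode 4) with its own key, and return the client's verdict."""
    request = authenticate(ntp_header(0x1B, 0, 0, request_secs), key_id, keys[key_id])
    req_transmit = struct.unpack("!I", request[40:44])[0]
    reply = authenticate(ntp_header(0x1C, 2, req_transmit, server_secs), key_id, server_key)
    return client_accepts(reply, keys, request_secs)
```

poll_exchange with the same key on both sides returns (True, "ok"); a server configured with a different key, or one that omits the authenticator, is rejected with the reason string, which is the behaviour the note above describes for servers that do not authenticate or use an incorrect key.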
For the NTP client to operate properly and stably, configure the IP addresses of a few
actively working NTP time servers.
An updated list of public primary and secondary NTP servers is available on
the www.ntp.org site.
Note: Please read the information on the www.ntp.org site carefully to achieve
efficient results in tuning and running an NTP client. This is important in
order to fully test the NTP client of the switches.
IGMP Snooping
Understanding IGMP Snooping
General
Layer 2 switches can use IGMP snooping to constrain the flooding of multicast
traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is
forwarded only to those interfaces associated with IP multicast devices. As the name
implies, IGMP snooping requires the LAN switch to snoop on the IGMP
transmissions between the host and the multicast router and to keep track of multicast
groups and member ports. When the switch receives an IGMP report from a host for
a particular multicast group, the switch adds the host port number to the forwarding
table entry; when it receives an IGMP Leave Group message from a host, it removes
the host port from the table entry. It also deletes entries periodically if it does not
receive IGMP membership reports from the multicast clients.
The multicast router sends out periodic general queries to all VLANs. All hosts
interested in this multicast traffic send join requests and are added to the forwarding
table entry. The switch forwards only one join request per IP multicast group to the
multicast router. It creates one entry per VLAN in the Layer 2 forwarding table for
each MAC group from which it receives an IGMP join request.
Layer 2 multicast groups learned through IGMP snooping are dynamic. However,
you can statically configure MAC multicast groups by using the ip igmp snooping
vlan static configuration command (see below). If you specify group membership for
a multicast group address statically, your setting supersedes any automatic
manipulation by IGMP snooping. Multicast group membership lists can consist of
both user-defined and IGMP snooping-learned settings.
Joining a Multicast Group
When a host connected to the switch wants to join an IP multicast group, it sends an
unsolicited IGMP join message, specifying the IP multicast group to join.
Alternatively, when the switch receives a general query from the multicast router, it
forwards the query to all ports in the VLAN. Hosts wanting to join the multicast
group respond by sending a join message to the switch. The switch CPU creates a
multicast forwarding-table entry for the group if it is not already present. The CPU
also adds the interface where the join message was received to the forwarding-table
entry. The host associated with that interface receives multicast traffic for that
multicast group.
Leaving a Multicast Group
The multicast router sends periodic multicast general queries and the switch forwards
these queries through all ports in the VLAN. Interested hosts respond to the queries.
If at least one host in the VLAN wishes to receive multicast traffic, the router
continues forwarding the multicast traffic to the VLAN. The switch forwards
multicast group traffic only to those hosts listed in the forwarding table for that
Layer 2 multicast group.
When hosts want to leave a multicast group, they can either silently leave, or they
can send a leave message. When the switch receives a leave message from a host, it
sends out a MAC-based general query to determine if any other devices connected to
that interface are interested in traffic for the specific multicast group. The switch
then updates the forwarding table for that MAC group so that only those hosts
interested in receiving multicast traffic for the group are listed in the forwarding
table. If the switch receives no reports from a VLAN, it removes the group for the
VLAN from its IGMP cache.
Immediate-Leave Processing
IGMP snooping Immediate-Leave processing allows the switch to remove an
interface that sends a leave message from the forwarding table without first sending
out MAC-based general queries to the interface. The VLAN interface is pruned from
the multicast tree for the multicast group specified in the original leave message.
Immediate-Leave processing ensures optimal bandwidth management for all hosts on
a switched network, even when multiple multicast groups are in use simultaneously.
Configuring IGMP Snooping
Enabling or Disabling IGMP Snooping
By default, IGMP snooping is globally disabled on the switch. Enabling or disabling it
globally also enables or disables it on all existing VLAN interfaces. Once enabled
globally, IGMP snooping is enabled on every VLAN by default, but it can be enabled or
disabled on a per-VLAN basis. After you configure a VLAN interface for multicast routing,
no further configuration is needed for the switch to learn external multicast routers
dynamically through IGMP snooping.
Global IGMP snooping overrides VLAN IGMP snooping: if global snooping is disabled, you
cannot enable VLAN snooping; if global snooping is enabled, you can enable or disable
VLAN snooping per VLAN.
ip igmp snooping
Globally enable IGMP snooping on all existing VLAN interfaces.
no ip igmp snooping
Globally disable IGMP snooping on all existing VLAN interfaces.
Both commands are entered in Configure mode.
Example:
Device-Name(config)# ip igmp snooping
This command enables the IGMP Snooping task.
Configuring a Multicast Router Port
To add a multicast router port (add a static connection to a multicast router), use the
ip igmp snooping vlan mrouter configuration command on the switch.
ip igmp snooping vlan <vlan-id> mrouter interface <uu>/<ss>/<pp>
Specify the multicast router VLAN ID (1 to 4094), and specify the interface to the
multicast router.
Example:
Device-Name(config)# ip igmp snooping vlan 200 mrouter interface 1/1/1
Configuring a Host Statically to Join a Group
Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also
statically configure a host on an interface.
ip igmp snooping vlan <vlan-id> static <mac-addr> interface <uu>/<ss>/<pp>
Statically configure a Layer 2 port as a member of a multicast group:
<vlan-id> – is the multicast group VLAN ID.
<mac-addr> – is the group MAC address.
<uu>/<ss>/<pp> – is the member port.
Example:
Device-Name(config)# ip igmp snooping vlan 1 static 01:00:5e:00:01:29 interface 1/1/1
Enabling IGMP Immediate-Leave Processing
When you enable IGMP Immediate-Leave processing, the switch immediately
removes a port when it detects an IGMP version 2 leave message on that port. You
should use the Immediate-Leave feature only when there is a single receiver
present on every port in the VLAN.
ip igmp snooping vlan <vlan-id> immediate-leave
Enable IGMP Immediate-Leave processing on the VLAN interface.
Example:
Device-Name(config)# ip igmp snooping vlan 1 immediate-leave
(*) To disable Immediate-Leave processing, use the no ip igmp snooping vlan
<vlan-id> immediate-leave command.
Enabling Forwarding for All Multicast Traffic On Specific
Ports
The ip igmp snooping for-all command, in global Configuration mode, enables
forwarding of the entire multicast traffic on the specified port list. By default,
forwarding is disabled. To remove the port list, use the “no” form of this command.
ip igmp snooping for-all <uu>/<ss>/<pp>
Enables forwarding of all multicast traffic on the specified port list. To specify a
range, use a hyphen, as shown in the example. Do not use blank spaces.
Example:
Device-Name(config)# ip igmp snooping for-all 1/1/1-1/1/5
This example enables forwarding of all multicast traffic on unit 1, slot 1, ports 1 – 5.
Prohibiting Forwarding for All Multicast Traffic On Specific
Ports
The ip igmp snooping forbidden command, in global Configuration mode, forbids
forwarding of the entire multicast traffic on the specified port list. By default, the
command is disabled. To remove the port list, use the “no” form of this command.
ip igmp snooping forbidden <uu>/<ss>/<pp>
Prohibit forwarding of all multicast traffic on the specified port list. To specify a
range, use a hyphen, as shown in the example. Do not use blank spaces.
Example:
Device-Name(config)# ip igmp snooping forbidden 1/1/1-1/1/5
This example prohibits forwarding of all multicast traffic on unit 1, slot 1, ports 1 – 5.
Configuring Query Packet Intervals
The ip igmp snooping router-timers command, in global Configuration mode,
enables you to configure the query packet intervals sent to the host port when
performing leave snooping. The command sets the Multicast router timer variables
(described in RFC 2236) to synchronize the IGMP snooping.
By default, when the switch receives a leave packet from a host that is a member of a
certain group, the switch performs the following:
1) Sends a group-specific query for that group, with the response time field set to 10
seconds.
2) Waits 120 seconds (the query interval).
3) If no join packet is received, sends a second group-specific query for that group
with the response time field set to 10 seconds.
4) Waits 120 seconds.
5) If no join packet is received, waits 10 more seconds (the response time).
6) If still no join packet is received, sends the leave packet to the multicast router
port.
With the default values this leave latency is 2 x 120 + 10 = 250 seconds, that is,
robustness x query interval + response time.
Note: This is done also when Immediate-Leave is enabled but the host is not the last
member of that group.
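The forwarding-table behaviour described in Understanding IGMP Snooping (reports, leaves, Immediate-Leave) and the leave sequence above, as an added simulation that is not the switch's own code: reports add a port to a (VLAN, group MAC) entry, a leave on an Immediate-Leave VLAN prunes the port at once, and a leave elsewhere starts the group-specific query sequence whose total length is robustness x query interval + response time (250 seconds with the defaults; 135 seconds with query 30, responses 15 and robustness 4, the values used in the router-timers example on this page). Class and method names, the simulated clock and the event log are this example's assumptions; the group address and ports are the ones used in the examples on this page.

```python
# Added simulation of the IGMP snooping forwarding table and leave handling described
# in this chapter (joins, leaves, Immediate-Leave, and the router-timers leave sequence).
# It is an illustration, not the switch's own code; group addresses and ports are the
# ones used in the examples on this page.
DEFAULT_QUERY, DEFAULT_RESPONSES, DEFAULT_ROBUSTNESS = 120, 10, 2


def leave_latency(query=DEFAULT_QUERY, responses=DEFAULT_RESPONSES, robustness=DEFAULT_ROBUSTNESS):
    """Seconds between a leave and the switch forwarding it to the multicast router when no
    report arrives: robustness group-specific queries, one per query interval, plus the
    final response time (page defaults give 2 * 120 + 10 = 250)."""
    if not 0 < responses < query:
        raise ValueError("response time must be greater than zero and less than the query interval")
    return robustness * query + responses


class SnoopingTable:
    def __init__(self, query=DEFAULT_QUERY, responses=DEFAULT_RESPONSES,
                 robustness=DEFAULT_ROBUSTNESS, immediate_leave_vlans=()):
        self.members = {}                 # (vlan, group MAC) -> set of member ports
        self.static = set()               # (vlan, group, port) from "ip igmp snooping vlan ... static"
        self.immediate = set(immediate_leave_vlans)
        self.pending = {}                 # (vlan, group, port) -> time the port is pruned if no report arrives
        self.latency = leave_latency(query, responses, robustness)
        self.now = 0
        self.events = []                  # (time, event, vlan, group): queries to hosts, leaves to the mrouter

    def report(self, vlan, group, port):
        """IGMP report (join) seen on a port: add it and cancel any pending prune."""
        self.members.setdefault((vlan, group), set()).add(port)
        self.pending.pop((vlan, group, port), None)

    def static_join(self, vlan, group, port):
        """User-configured membership; it supersedes anything snooping learns or removes."""
        self.report(vlan, group, port)
        self.static.add((vlan, group, port))

    def leave(self, vlan, group, port):
        if (vlan, group, port) in self.static or port not in self.members.get((vlan, group), ()):
            return                        # static entries stay; leaves from non-member ports are ignored
        if vlan in self.immediate:
            self._prune(vlan, group, port)
            if (vlan, group) in self.members:   # other members remain: still query them, per the page's note
                self.events.append((self.now, "group-specific query", vlan, group))
            return
        self.events.append((self.now, "group-specific query", vlan, group))
        self.pending[(vlan, group, port)] = self.now + self.latency

    def advance(self, seconds):
        """Move the simulated clock and prune ports whose query sequence expired."""
        self.now += seconds
        for key, when in sorted(self.pending.items(), key=lambda kv: kv[1]):
            if when <= self.now:
                del self.pending[key]
                self._prune(*key)

    def _prune(self, vlan, group, port):
        ports = self.members.get((vlan, group))
        if ports is None:
            return
        ports.discard(port)
        if not ports:                     # last member gone: the leave goes to the mrouter port
            del self.members[(vlan, group)]
            self.events.append((self.now, "leave forwarded to mrouter", vlan, group))

    def ports(self, vlan, group):
        return sorted(self.members.get((vlan, group), ()))
```

A report arriving before the sequence expires cancels the pending prune, which is why Immediate-Leave is only safe with a single receiver per port: with several receivers behind one port, the first host's leave would cut off the others before they could answer the group-specific query.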
ip igmp snooping router-timers query <1-65535> | responses <responses-value> | robustness <robustness-value>
Configures the query packet intervals sent to the host port when performing leave
snooping.
query <1-65535> is the time interval, in seconds, between two specific queries. The
default value is 120 seconds. The range is 1 – 65535.
responses <responses-value> is the expected response time, in seconds, for answering a
specific query. The default value is 10 seconds. The range is 1 – 25. This value is
inserted in the response-time field of the specific query packet generated by the switch.
The response time must be greater than zero and less than the query interval.
robustness <robustness-value> is the number of specific query packets sent by the
switch. The default value is 2. The range is 1 – 65535.
Example:
Device-Name(config)#ip igmp snooping router-timers query 30
Query interval is 30 sec
Device-Name(config)#ip igmp snooping router-timers responses 15
Device-Name(config)#ip igmp snooping router-timers robustness 4
In this example, four specific queries will be sent every 30 seconds with the response
time set to 15 seconds. If no join is received after 135 seconds, the leave packet will
be sent to the Multicast router port.
Configuring the Query Generator
The query generator generates queries at a specific rate (the query interval). Up to 10
simultaneous queries can be sent.
To configure the query generator, use the ip igmp snooping send-query command
in the global configuration mode. The query generator can be implemented only
when IGMP Snooping is enabled. To disable the query generator, use the “no” form
of this command.
Note: The response timeout value inserted in the packet is in one-second units.
ip igmp snooping send-query vlan <vlan-id> interface <uu>/<ss>/<pp> [group <ip-addr>] [query-interval <query-interval-value>] [response-time <response-time-value>]
Configures the query generator.
<vlan-id> – is the number of the VLAN.
<uu>/<ss>/<pp> – is the unit, slot, and port. To specify a range, use a hyphen. Do not
use blank spaces.
(Optional) <ip-addr> is the group ID. The query may be group-specific or general. By
default, a general query is sent to the all-hosts address (224.0.0.1).
(Optional) <query-interval-value> is the interval between queries in seconds, in the
range <1-300>. By default the value is 120 seconds.
(Optional) <response-time-value> is the host response time, in one-second units, to set
in the query frame, in the range <1-25>. By default the value is 10 seconds.
Example:
Device-Name(config)# ip igmp snooping send-query vlan 5 interface 1/1/1 query-interval 5 response-time 15
This sends a general query every 5 seconds on VLAN 5, interface 1/1/1, with a response
time of 15 seconds.
Displaying IGMP Snooping Information
You can display IGMP snooping information for dynamically learned and statically
configured multicast router ports and VLAN interfaces. You can also display MAC
address multicast entries for a VLAN configured for IGMP snooping.
Viewing Snooping Configuration
You can display snooping configuration information for the switch or for a specified
VLAN. These commands are executed from the enable mode.
show ip igmp snooping [vlan <vlan-id>]
Display the snooping configuration. (Optional) <vlan-id> – is the number of the VLAN.
Example:
Device-Name# show ip igmp snooping
vlan 1
====
IGMP snooping is globally enabled
IGMP snooping is enabled on this Vlan
IGMP snooping immediate-leave is disabled on this Vlan
vlan 2
====
IGMP snooping is globally enabled
IGMP snooping is enabled on this Vlan
IGMP snooping immediate-leave is disabled on this Vlan
Viewing Multicast Router Interfaces
When you enable IGMP snooping, the switch automatically learns the interface to
which a multicast router is connected. These commands are executed from the enable
mode.
show ip igmp snooping mrouter [vlan <vlan-id>]
Display information on dynamically learned and manually configured multicast router
interfaces.
Example:
Device-Name# show ip igmp snooping mrouter
vlan   | port  | static/dynamic
-------+-------+---------------
0001   | 1/1/2 | static
0001   | 1/1/1 | dynamic
Viewing MAC Address Multicast Entries
show mac-address-table multicast [vlan <vlan-id>] [user | igmp-snooping] [count]
Display multicast MAC address table entries for a VLAN.
(Optional) vlan <vlan-id> – is the multicast group VLAN ID
(Optional) user – displays only the user-configured multicast entries
(Optional) igmp-snooping – displays only entries learned through IGMP snooping
(Optional) count – displays only the total number of entries for the selected criteria,
not the actual entries
These commands are executed from the Privileged mode.
Example:
Device-Name# show mac-address-table multicast vlan 1
vlan   ! MAC address        ! type  ! ports
-------+--------------------+-------+-------------------------
0001   ! 01:00:5E:00:00:00  ! user  ! 1/1/2
0001   ! 01:00:5E:00:00:00  ! igmp  ! 1/1/5
0001   ! 01:00:5E:00:01:29  ! igmp  ! 1/1/2,1/1/4,1/1/5,1/1/8
0001   ! 01:00:5E:11:11:11  ! user  ! 1/1/1,1/1/3
0001   ! 01:00:5E:11:11:11  ! igmp  ! 1/1/2
Device-Name# show mac-address-table multicast count
Multicast MAC Entries : 5
Device-Name # show mac-address-table multicast vlan 1 count
Multicast MAC Entries for vid 1 : 5
Device-Name# show mac-address-table multicast vlan 1 user
vlan   ! MAC address        ! type  ! ports
-------+--------------------+-------+-------------
0001   ! 01:00:5E:00:00:00  ! user  ! 1/1/2
0001   ! 01:00:5E:11:11:11  ! user  ! 1/1/1,1/1/3
Device-Name# show mac-address-table multicast vlan 1 igmp-snooping count
Multicast MAC Entries for vid 1 dynamically configured : 3
Setting IGMP Snooping Timers and Variables
List of Timers and Default Values
The following timers set IGMP snooping sensitivity. Most of them are
configurable. If non-default settings are used, they must be consistent among all
routers on a single link.
The Robustness Variable allows tuning for the expected packet loss on a subnet. If
a subnet is expected to be lossy, the Robustness Variable may be increased. The
Robustness Variable MUST NOT be zero. Default: 2
This is also the number of Group-Specific Queries sent before the multicast router
(and the switch) assumes there are no local members.
The Query Interval is the interval between General Queries sent by the Querier
(sent to the igmp-snooper in this context). Default: 125 seconds.
By varying the Query Interval, an administrator may tune the number of IGMP
messages on the subnet; larger values cause IGMP Queries to be sent less often.
The Query Response Interval is the Max Response Time inserted into the periodic
General Queries. Default: 10 seconds.
By varying the Query Response Interval, an administrator may tune the burstiness of
IGMP messages on the subnet; larger values make the traffic less bursty, as host
responses are spread out over a larger interval. The number of seconds represented
by the Query Response Interval must be less than the Query Interval.
The Last Member Query Interval is the Max Response Time inserted into
Group-Specific Queries sent in response to Leave Group messages, and is also the
amount of time between Group-Specific Query messages. Default: 10 (1 second).
This value may be tuned to modify the "leave latency" of the network. A reduced
value results in reduced time to detect the loss of the last member of a group.
The Group Membership Interval is the amount of time that must pass before a
multicast router decides there are no more members of a group on a network. This
value MUST be ((the Robustness Variable) times (the Query Interval)) plus (one
Query Response Interval). Only the first four timers are configurable; the Group
Membership Interval is derived from the others by this equation.
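The timer rules above (non-zero Robustness Variable, Query Response Interval shorter than the Query Interval, Group Membership Interval derived rather than configured, and identical non-default values on every router sharing a link) are easy to get wrong when tuning several devices by hand. The following is an added example, not Foundry code: a small checker that encodes those rules and computes the derived intervals. The names IgmpTimers, validate, derived_intervals and consistent_across_link are this example's own, and the approximation of leave latency as Robustness Group-Specific Queries spaced one Last Member Query Interval apart is an assumption drawn from the description above.

```python
"""IGMP snooping timer sanity check (added example; not Foundry code).

Encodes the rules stated in the timer list: the Robustness Variable must not
be zero, the Query Response Interval must be shorter than the Query Interval,
and the Group Membership Interval is derived as
(Robustness x Query Interval) + Query Response Interval.  The Last Member
Query Interval is kept in tenths of a second, following the "10 (1 second)"
default.  All names here are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IgmpTimers:
    robustness: int = 2                    # Robustness Variable (default 2)
    query_interval: int = 125              # seconds between General Queries
    query_response_interval: int = 10      # Max Response Time in General Queries, seconds
    last_member_query_interval: int = 10   # tenths of a second (10 = 1 second)


def validate(t: IgmpTimers) -> list:
    """Return the rule violations for one timer set; an empty list means OK."""
    problems = []
    if t.robustness < 1:
        problems.append("Robustness Variable MUST NOT be zero")
    if t.query_response_interval >= t.query_interval:
        problems.append("Query Response Interval must be less than the Query Interval")
    if t.last_member_query_interval < 1:
        problems.append("Last Member Query Interval must be at least one tenth of a second")
    return problems


def derived_intervals(t: IgmpTimers) -> dict:
    """Intervals the switch derives from the configurable ones, in seconds."""
    return {
        # time without Reports before a group is considered to have no members
        "group_membership_interval": t.robustness * t.query_interval + t.query_response_interval,
        # approximate leave latency (assumption): Robustness Group-Specific
        # Queries sent one Last Member Query Interval apart
        "leave_latency": t.robustness * t.last_member_query_interval / 10.0,
    }


def consistent_across_link(timer_sets: list) -> bool:
    """Non-default timers must match on every router/snooper sharing a link."""
    return len(set(timer_sets)) <= 1
```

With the defaults the Group Membership Interval works out to 2 x 125 + 10 = 260 seconds, which is the time a snooped port stays in a group after the last Report if no further Reports arrive.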
To configure from Config mode, use the following command:
Command                               Task
ip igmp-snooping router_timers var    var: one of the following variables:
                                      Robustness
                                      response_interval
                                      query_interval
                                      last_member_query_interval
IGMP Statistics Counters
To display the IGMP Statistics Counters, use the following command. The
command should be executed in enable mode.
Command                                        Task
show ip igmp snooping statistics <parameter>   Displays various IGMP Statistics Counters
Parameters may be:
Parameter                        Function
reports                          Number of report packets received
queries                          Number of query packets received
leaves                           Number of leave packets received
maximum_simultaneously_groups    Maximum number of groups registered at one time
maximum_simultaneously_ports     Maximum number of registered ports (per VLAN / per Group)
                                 at one time
To clear the IGMP Statistics Counters, use the following command. The
command should be executed in configure mode.
Command                                Task
ip igmp snooping clear [<parameter>]   Clears all (no parameter) or certain (see parameter
                                       table above) IGMP Statistics Counters
Multiple VLANs
For multiple VLAN IGMP snooping, the GVRP and GMRP protocols must be
enabled as follows:
1. config terminal
2. protocol
3. gvrp enable (and validate by typing y)
4. gmrp enable
5. write memory
(*) To disable the GVRP and GMRP, repeat steps 1 and 2 and type: gvrp disabled
and gmrp disabled.
Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) provides a framework for passing
configuration information to hosts on a TCP/IP network. DHCP, based on the
Bootstrap Protocol (BOOTP), adds the capability of automatic allocation of reusable
network addresses and additional configuration options. DHCP captures the
behavior of BOOTP relay agents and DHCP participants can interoperate with
BOOTP participants.
DHCP is described in RFC 2131: Dynamic Host Configuration Protocol and in
RFC 2132: DHCP Options and BOOTP Vendor Extensions.
DHCP provides configuration parameters to Internet hosts. DHCP consists of two
components: a protocol for delivering host-specific configuration parameters from a
DHCP server to a host and a mechanism for allocating network addresses to hosts.
DHCP is built on a client-server model, where designated DHCP server hosts
allocate network addresses and deliver configuration parameters to dynamically
configured hosts. Throughout the remainder of this chapter, the term server refers to
a host providing initialization parameters through DHCP, and the term client refers
to a host requesting initialization parameters from a DHCP server.
DHCP supports three mechanisms for IP address allocation:
· Automatic allocation - DHCP assigns a permanent IP address to a client.
· Dynamic allocation - DHCP assigns an IP address to a client for a limited period
  of time (or until the client explicitly relinquishes the address). Dynamic
  allocation allows automatic reuse of an address that is no longer needed by the
  client to which it was assigned. Thus, dynamic allocation is particularly useful
  for assigning an address to a client that will be connected to the network only
  temporarily or for sharing a limited pool of IP addresses among a group of clients
  that do not need permanent IP addresses. Dynamic allocation may also be a good
  choice for assigning an IP address to a new client being permanently connected
  to a network where IP addresses are scarce and it is important to reclaim them
  when old clients are retired.
· Manual allocation - a client's IP address is assigned by the network administrator,
  and DHCP is used simply to convey the assigned address to the client. A
  particular network will use one or more of these mechanisms, depending on the
  policies of the network administrator. Manual allocation allows DHCP to be used
  to eliminate the error-prone process of manually configuring hosts with IP
  addresses in environments where (for whatever reasons) it is desirable to manage
  IP address assignments outside of the DHCP mechanisms.
The figure above shows that parameter negotiation starts with a DHCPDISCOVER
broadcast message from the client seeking a DHCP server. The DHCP Server
responds with a DHCPOFFER unicast message offering configuration parameters
(such as an IP address, a MAC address, a domain name, and a lease for the IP
address) to the client. The client returns a DHCPREQUEST broadcast message
requesting the offered IP address from the DHCP Server. The DHCP Server responds
with a DHCPACK unicast message confirming that the IP address has been allocated
to the client.
Overview
The client may suggest values for the IP address and lease time in the
DHCPDISCOVER message. The client may include the requested IP address option
to suggest that a particular IP address be assigned, and may include the IP address
lease time option to suggest the lease time it would like to have. The requested IP
address option is to be filled in only in a DHCPREQUEST message when the client
is verifying network parameters obtained previously.
If a server receives a DHCPREQUEST message with an invalid requested IP
address, the server should respond to the client with a DHCPNAK message and may
choose to report the problem to the system administrator. The server may include an
error message in the message option.
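The DISCOVER/OFFER/REQUEST/ACK exchange above, together with the DHCPNAK answer to a request for an invalid address, is shown below as an added example; it is not code from the EdgeIron switch or from any DHCP server. Both sides build and parse real RFC 2132 option encodings (option 53 message type, option 50 requested IP address, option 51 lease time, option 255 end); the address pool 192.0.2.0/29, the 3600-second lease, the locally administered MAC addresses and the class and function names are this example's assumptions.

```python
"""DHCP four-message exchange with RFC 2132 options (added example, not switch code).

Models the DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK handshake, plus the
DHCPNAK answer to a DHCPREQUEST for an address the server cannot grant.  The
option encoding (53 message type, 50 requested IP, 51 lease time, 255 end) is
the real wire format; the pool, lease time and names are assumptions.
"""
import ipaddress
import struct
from dataclasses import dataclass

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 message types
MSG_TYPE, REQUESTED_IP, LEASE_TIME, END = 53, 50, 51, 255


def encode_options(msg_type, requested_ip=None, lease_time=None):
    """Build the options field as code/length/value triples ended by 255."""
    opts = bytes([MSG_TYPE, 1, msg_type])
    if requested_ip is not None:
        opts += bytes([REQUESTED_IP, 4]) + ipaddress.IPv4Address(requested_ip).packed
    if lease_time is not None:
        opts += bytes([LEASE_TIME, 4]) + struct.pack("!I", lease_time)
    return opts + bytes([END])


def decode_options(data):
    """Parse code/length/value triples into {code: raw bytes}; stops at 255."""
    opts, i = {}, 0
    while i < len(data) and data[i] != END:
        if data[i] == 0:                    # pad option: one byte, no length
            i += 1
            continue
        length = data[i + 1]
        opts[data[i]] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


@dataclass
class DhcpMessage:
    chaddr: str                 # client hardware (MAC) address
    options: bytes
    yiaddr: str = "0.0.0.0"     # address assigned by the server, if any

    @property
    def msg_type(self):
        return decode_options(self.options)[MSG_TYPE][0]


class DhcpServer:
    def __init__(self, pool, lease_time):
        self.free = [str(a) for a in ipaddress.IPv4Network(pool).hosts()]
        self.lease_time = lease_time
        self.leases = {}        # chaddr -> address currently leased

    def handle(self, msg):
        opts = decode_options(msg.options)
        wanted = str(ipaddress.IPv4Address(opts[REQUESTED_IP])) if REQUESTED_IP in opts else None
        if msg.msg_type == DISCOVER:
            # Honour the client's suggested address only if it is still free.
            addr = wanted if wanted in self.free else self.free[0]
            return DhcpMessage(msg.chaddr, encode_options(OFFER, lease_time=self.lease_time), addr)
        if msg.msg_type == REQUEST:
            if wanted in self.free or self.leases.get(msg.chaddr) == wanted:
                if wanted in self.free:
                    self.free.remove(wanted)
                self.leases[msg.chaddr] = wanted
                return DhcpMessage(msg.chaddr, encode_options(ACK, lease_time=self.lease_time), wanted)
            # Requested address is not one this server can grant: reject it.
            return DhcpMessage(msg.chaddr, encode_options(NAK))
        raise ValueError("unexpected client message type %d" % msg.msg_type)


def dhcp_client(server, mac, suggested_ip=None):
    """Full negotiation for one client; returns (outcome, address, lease seconds)."""
    offer = server.handle(DhcpMessage(mac, encode_options(DISCOVER, suggested_ip)))   # broadcast
    if offer.msg_type != OFFER:
        return "no-offer", None, 0
    reply = server.handle(DhcpMessage(mac, encode_options(REQUEST, offer.yiaddr)))    # broadcast
    if reply.msg_type == ACK:
        return "ack", reply.yiaddr, struct.unpack("!I", decode_options(reply.options)[LEASE_TIME])[0]
    return "nak", None, 0


def verify_address(server, mac, previous_ip):
    """Client re-verifies an address obtained earlier (DHCPREQUEST only)."""
    return server.handle(DhcpMessage(mac, encode_options(REQUEST, previous_ip))).msg_type
```

The verify_address path corresponds to the case described above in which a client fills in the requested IP address option to re-check parameters it obtained previously: a still-valid lease is confirmed with DHCPACK, while an address the server does not recognise is answered with DHCPNAK and the client must start a fresh negotiation.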
When Should Clients Use DHCP
A client should use DHCP to reacquire or verify its IP address and network
parameters whenever the local network parameters may have changed (e.g. at the
switch boot time or after a disconnection from the local network), as the local
network configuration may change without the client's or user's knowledge.
If a client has knowledge of a previous network address and is unable to contact a
local DHCP server, the client may continue to use the previous network address until
the lease for that address expires. If the lease expires before the client can contact a
DHCP server, the client must immediately discontinue use of the previous network
address and may inform local users of the problem.
By using DHCP, the time required by a client to configure and deploy its IP
address is reduced. Configuration errors are also reduced, and customers retain
control over the assigned IP addresses.
Configuring DHCP Client
DHCP is configured in global configuration mode:
device-name(config)#
ip address dhcp [A.B.C.D]
Enables DHCP client. By default the dynamic address allocation is disabled. The ip
address dhcp command, in Global Configuration mode, provides the switch with its
IP configuration information dynamically. The DHCP client is initiated with DHCP
negotiation.
If the IP address [A.B.C.D] is specified, the DHCP client sends a request for this
address, and if the requested IP address is not available the server returns another IP
address.
The no form of this command stops the DHCP client and restores the IP address,
subnet mask and IP gateway to their default values (using the command ip address).
For example:
device-name(config)#ip address dhcp [A.B.C.D]
dhcp-client discover-rto [time]
Defines the maximum time that the DHCP client is allowed to be active and to send
DHCPDISCOVER frames.
By default the DHCPDISCOVER timeout is 1 minute.
The client will resend a DHCPDISCOVER frame after 4, 8, 16, 32 and 64 seconds. If
the timeout value is greater than 1 minute, then after the first minute the client will
continue to send a DHCPDISCOVER frame every full minute until timeout (for
example, if the timeout value is 3 minutes the client will resend a DHCPDISCOVER
frame after 4, 8, 16, 32 and 64 seconds, and then 2 minutes and 3 minutes after
sending the first frame).
Enter a value for time to set the DHCPDISCOVER message retransmission timeout,
in the range 1-32 minutes.
For example:
device-name(config)#dhcp-client discover-rto 5
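The retransmission rule stated above is compact but easy to misread, so here it is as an added example (not switch code) that turns a discover-rto value into the list of offsets, in seconds after the first DHCPDISCOVER, at which the client sends again. The function name is this example's own, and the reading that the 4, 8, 16, 32 and 64 second retries are always sent before the per-minute retries begin is an assumption based on the description above.

```python
"""DHCPDISCOVER retransmission schedule for a given discover-rto (added example).

Offsets are seconds from the first DHCPDISCOVER: 4, 8, 16, 32 and 64 seconds,
then one frame every full minute up to the timeout.  The 1-32 minute range is
the one the manual states; the function name is this example's own.
"""


def discover_schedule(timeout_minutes):
    """Retransmission offsets in seconds for 'dhcp-client discover-rto <timeout_minutes>'."""
    if not 1 <= timeout_minutes <= 32:
        raise ValueError("discover-rto must be between 1 and 32 minutes")
    offsets = [4, 8, 16, 32, 64]              # exponential retries in the first minute
    # after the first minute, one DHCPDISCOVER per full minute until the timeout
    offsets += [minute * 60 for minute in range(2, timeout_minutes + 1)]
    return offsets
```

For the manual's own example of a 3-minute timeout the schedule is 4, 8, 16, 32, 64, 120 and 180 seconds; a client that receives no DHCPOFFER by the final offset stops and, as described above, may keep using a previously known address until its lease expires.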
Displaying the DHCP Client Configuration
show dhcp-client
Displays the DHCP client status and the DISCOVER message timeout.
For example:
device-name(config)#ip address dhcp
device-name(config)#exit
device-name#show dhcp-client
DHCP client is active
IP address is acquired by DHCP
DISCOVER messages retransmission timeout - 1 minute(s)
show ip
Displays the allocated IP address. Enter the command in Privileged (Enable) mode.
Configuration Example
1. Enter the following command to enable DHCP client configuration:
device-name(config)#ip address dhcp
2. Enter the following commands to display the DHCP Client Configuration:
device-name(config)#exit
device-name#show dhcp-client
IP-ADDR : 30.2.1.15 NET-MASK : 255.255.0.0
IP address determined by DHCP
Appendix A
Boot Loader Commands
The Boot Loader starts after powering up or resetting the switch. The loader is
designed for:
· Auto-starting the switch's application
· Configuration of basic parameters
· Rescue tools in case of switch inoperability
· Memory exploring tools.
When starting, the loader counts down a few seconds allowing the user an entry point
into the loader's command line interface (CLI) by pressing any key. The loader then
passes to interactive mode, requests a login password, and starts a CLI.
If no key is pressed, the auto-startup of the switch application is performed.
Initially a new switch expects the password foundry. This password may be changed
from the Application CLI, after the auto-startup takes place. See page 100.
Commands Summary
Table 19. Initial CLI Mode Commands
more       Filter command output
config     Set starting defaults (entrance into configuration mode)
download   Downloading software components to NVRAM
exit       Exit current mode and down to previous mode (from this mode – logout as in
           command quit)
help       Description of the interactive help system
list       Print command list
memory     Memory debug tools (entrance into memory mode)
quit       Disconnect and logout
start      Start execution of switch application
Table 20. Configuration Mode Commands
more          Filter command output
mac-address   Set MAC address of switch
clean         Rough clean of NVRAM database
end           End current mode and change to enable mode.
exit          Exit current mode and down to previous mode
help          Description of the interactive help system
list          Print command list
quit          Disconnect and logout
Table 21. Memory Mode Commands
more       Filter command output
copy       Copy block of memory
display    Display block of memory
end        End current mode and change to initial mode.
exit       Exit current mode and down to previous mode
fill       Fill block of memory by value
help       Display description of the interactive help system
list       Print command list
quit       Disconnect and logout
Downloading and Manual Starting of the Switch
start application
Terminates the loader and starts the execution of the switch’s application.
For example:
Loader>start application
Starting switch application from flash, please wait...
///////////////////////////////////////////////////////////////
//                                                           //
//              F o u n d r y   N e t w o r k s              //
//                                                           //
//   Switch model : EdgeIron 4802F                           //
//   SW version   : 3.3.7 created Aug 12 2001 - 10:13:33     //
//                                                           //
///////////////////////////////////////////////////////////////
User Access Verification
Password:
download application
Copies a switch’s application from a source computer to permanent storage memory
in the switch, through a console connection by X-modem transfer.
When the download command is typed at the console, the switch waits for a file
transfer and periodically sends NAKs (negative acknowledgments) to the console.
These are seen on the console window as garbage characters.
The transfer is started in an X-modem format.
Upon completion of the transfer, the switch checks if the received file is a valid
switch application code. If it is, the received image is stored into the internal Flash
memory.
This command’s purpose is to act as a rescue solution in case the switch is inoperable
and a new application image could not be received by the TFTP transfer.
For example:
Loader>download application
XMODEM application download to flash 0
XMODEM Receive: Waiting for Sender
Image Size = 0xBD552
CRC Value = 0x691181F3
Saving application code to FLASH bank 0....Success.
Loader>
Configuration of the Switch from the Loader
config
Passes the CLI from the initial mode into the configuration mode.
For example:
Loader>config
Loader(config)#
mac-address [<mac-addr>]
Displays or changes the MAC address of the switch.
If no optional parameter is entered, the current MAC address is displayed.
For example:
Loader(config)#mac-address
Current MAC Address of switch = 00:A0:12:07:0F:77
If the command is entered with a new MAC address, it is accepted and stored in the
switch.
For example:
Loader(config)#mac-address 00:a0:12:07:0f:78
New MAC Address of switch = 00:A0:12:07:0F:78
clean startup-configuration
Cleans the startup configuration database in the permanent storage memory of the
switch, and sets it to its default values.
clean java
Cleans the Java image in the permanent storage memory of the switch.
Memory Management
This mode is intended for qualified personnel only.
memory
Passes the CLI from the initial mode into the memory management mode.
For example:
Loader>memory
Welcome to memory handling tools.
Loader(memory)#
copy <src-addr> <dst-addr> <block-length>
Copies a block of memory of length <block-length> from the starting address of
<src-addr> into a location in the RAM from the starting address of <dst-addr>.
display [<start-addr>] [<block-length>]
Displays the contents of the memory block of length <block-length> from the starting
address <start-addr>.
If any of the optional argument/s are not entered, the last value of the display
command is taken.
Initial default value of <start-addr> is 0, and of <block-length> is 0x100.
For example:
Loader(memory)# display 0xfe400000
fe400000: 0000 04f0 3006 40fe 0010 0000 0000 0040  *....0.@........@*
fe400010: 0000 04f0 0000 04f0 0000 0000 007e 60a0  *.............~`.*
fe400020: 0000 0100 0003 0000 0200 788c 0800 0008  *..........x.....*
fe400030: 1016 785c 0030 488c 0485 00ff 001e 405c  *..x\.0H.......@\*
fe400040: 0050 4292 0030 488c 0085 00ff 0119 4059  *.PB..0H.......@Y*
fe400050: 001e 385c 0900 3a61 0030 408c 0000 1f00  *..8\..:a.0@.....*
fe400060: 0030 488c 0120 1f00 8942 4265 0c5e 1a59  *.0H.. ...BBe.^.Y*
fe400070: 83c2 1864 0030 208c 3c15 0000 6000 288c  *...d.0 .<...`.(.*
fe400080: 0010 2992 021e 185c 2cc5 1b35 0030 208c  *..)....\,..5.0 .*
fe400090: 4010 0000 0010 2988 8249 2958 0010 298a  *@.....)..I)X..).*
fe4000a0: 0030 208c 0415 0000 0030 288c 0000 40fe  *.0 ......0(...@.*
fe4000b0: 0010 2992 0030 208c 1015 0000 0030 288c  *..)..0 ......0(.*
fe4000c0: 0000 40fe 0010 2992 0030 208c 1415 0000  *..@...)..0 .....*
fe4000d0: 0030 288c 0104 0300 0010 2992 0030 208c  *.0(.......)..0 .*
fe4000e0: 1815 0000 0030 288c 0100 0300 0010 2992  *.....0(.......).*
fe4000f0: 0030 208c 0015 0000 0030 308c 4700 8700  *.0 ......00.G...*
fill <start-addr> <block-length> <value>
Fills a block of RAM of length <block-length> from the starting address <start-addr>
with the value of <value>.
Appendix B
Telnet Service
The Telnet service consists of two parts, a client and a server. The server is a task
that listens for connections on port 23 and grants or denies access to the device,
whereas the client is a simple task that is initiated by a command to log in to remote
hosts.
The Telnet Client
A Telnet connection is initiated to a remote host with the following command:
telnet <ip-addr> [<portnum>]
where:
<ip-addr> – is the IP address of the remote host.
<portnum> – is the port at which the remote service is running. The default value for
Telnet service is 23.
Telnet Special Commands
Moving Between Telnet Sessions
Special symbols such as IAC Telnet commands are processed, and if you press
Ctrl+Shift+6 or Ctrl+], you can switch between sessions initiated from the same
VTY.
The session Command
The session command displays the indexes of the sessions originated from the
current VTY, which are the sessions the user can switch to or kill. The latter is done
using the command session kill <0-2147483647>. This command first checks to
ensure that the user is not trying to terminate the master session, which is the VTY
from which other sessions originate. If the user is not trying to kill the master
session, the command closes the appropriate session to the remote host.
Appendix C
Syslog Messages in NVRAM
The switch stores trap messages on the NVRAM. You cannot disable this logging
feature, but you can specify the minimal priority level of messages that will be stored
on the NVRAM.
The NVRAM can hold up to 65535 trap messages.
Configuring the Trap Level for Stored System Messages
Trap messages generated by the system are categorized into the following levels:
· Emergency (highest level)
· Alert
· Critical
· Error
· Warning
· Notice
· Information
· Debug (lowest level)
You can configure the switch to store messages from the Error level up. Lower level
trap messages are never stored.
By default, only Emergency-level messages are stored on the NVRAM. All lower-level
trap messages are filtered out.
To change the level of the trap message logging filter, use the log-history nvram
trap command. The setting will take effect on the next startup.
Configuring the Message Format
The structure of the stored (and displayed) system messages is based on the
following format:
<source-task>: <date> <time> [<priority>]: <message-text>
where:
<source-task> – is the name of a system task that generated the message.
<date> and <time> – indicate when the message was issued.
<priority> – is the message’s priority level.
<message-text> – is the textual content of the message.
Note: The <priority> field is optional. By default this field is not included in any
message. To force inclusion of the <priority> field in trap messages, use the log
record-priority command.
Clearing the System Message History
To clear the trap message history, use the clear log nvram command.
Displaying The System Message History
To display the contents of the stored system message history, use the show
log-history nvram command. To display the current minimal priority setting for
storing trap messages, use the show log-history nvram status command.
NVRAM Trap Logging Commands
Table 22. NVRAM Logging Commands
log-history nvram trap          Specifies the lowest trap message level that will be
                                stored on the NVRAM.
log record-priority             Causes displayed and logged trap messages to include
                                the optional <priority> field.
clear log nvram                 Removes all trap messages from the NVRAM.
show log-history nvram          Displays the contents of the stored system message
                                history.
show log-history nvram status   Displays the current minimal priority level setting.
log-history nvram trap alerts | critical | emergencies | errors
where:
emergencies – sets the message log filter to the highest priority level (zero).
alerts – sets the message log filter to priority level one.
critical – sets the message log filter to priority level two.
errors – sets the message log filter to the lowest allowable level.
The log-history nvram trap command, in global Configuration mode, determines
the lowest trap message level that will be stored on the NVRAM. All trap messages
of the specified and higher levels will be stored.
The setting will take effect on the next startup.
log record-priority
The log record-priority command, in global Configuration mode, causes displayed
and logged trap messages to include the optional <priority> field. The no form of this
command causes displayed and logged trap messages to exclude the optional
<priority> field. By default, the <priority> field is excluded.
The setting takes effect on the next startup.
clear log nvram
The clear log nvram command, in Privileged (Enabled) mode, removes all trap
messages from the NVRAM. The history starts from scratch.
show log-history nvram [first <num> | last <num> | size]
where:
first <num> – shows the specified number of stored trap messages, starting at the
oldest existing record.
last <num> – shows the latest specified number of stored trap messages.
size – shows the number of records in the system message history.
The show log-history nvram command, in Privileged (Enabled) mode, displays the
contents of the stored system message history.
You can select output of the first (oldest) specified number of messages, the last
(latest) specified number of messages, or the size of the stored history (number of
records).
If no arguments are specified, the entire history is displayed. You can stop the output
by pressing <Ctrl+C>.
For example:
Device-Name#sh log-history nvram
tcliuart: 2002/01/01 07:02:07 errors: test error message
tcli_0: 2002/01/01 07:02:43 errors: test error message
tcli_0: 2002/01/01 07:03:00 errors: test error message
tcliuart: 2002/01/01 07:04:09 errors: test error message
tcliuart: 2002/01/01 07:04:20 errors: test error message
tcli_0: 2002/01/01 07:04:52 errors: test error message
tcli_0: 2002/01/01 07:05:13 errors: test error message
ttftptask: 2002/01/01 07:45:05 errors: transfer timed out.
ttftptask: 2002/01/01 07:45:07 errors: tftpget: error
occurred while transferring the file.
ttftptask: 2002/01/01 07:56:23 errors: transfer timed out.
ttftptask: 2002/01/01 07:56:23 errors: tftpget: error
occurred while transferring the file.
tcliuart: 2002/01/01 08:08:11 : test emergency message
tcliuart: 2002/01/01 08:10:17 : test emergency message
tcliuart: 2002/01/01 08:10:22 : test alert message
tcliuart: 2002/01/01 08:10:31 : test critical message
tcliuart: 2002/01/01 08:10:40 : test error message
tcliuart: 2002/01/01 08:01:00 : test emergency message
tcliuart: 2002/01/01 08:01:06 : test alert message
tcliuart: 2002/01/01 08:01:11 : test critical message
tcliuart: 2002/01/01 08:01:17 : test error message
show log-history nvram status
The show log-history nvram status command, in Privileged (Enabled) mode,
displays the minimal priority level setting.
Note: This setting determines the priority level that limits trap messages currently
stored, but does not indicate the minimal priority level of previously stored messages
that exist in the NVRAM.
For example:
Device-Name#sh log-history status
Trap level of log history is errors (priority 3)
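When the stored history is copied off the switch for review, the message format given earlier in this appendix has to be parsed, and the optional <priority> field decides whether records can be filtered by level at all. The following added example (not Foundry code) parses lines in the <source-task>: <date> <time> [<priority>]: <message-text> format, tolerates records whose priority field is absent and message texts that themselves contain colons, and filters by the same keywords the log-history nvram trap command uses. The numeric levels for emergencies through errors follow that command; the four lower keywords, the sample lines marked as constructed, and the function names are this example's assumptions.

```python
"""Parser and trap-level filter for the stored system message format (added example).

Handles <source-task>: <date> <time> [<priority>]: <message-text>, including
records with no <priority> field and message texts containing colons.  Levels
0-3 follow the log-history nvram trap keywords; the rest are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notices": 5, "informational": 6, "debugging": 7}

# task name, date, time, optional priority keyword, then the free-form text
RECORD_RE = re.compile(
    r"^(?P<task>\S+): (?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<priority>[a-z]*): (?P<text>.*)$")


@dataclass
class LogRecord:
    task: str
    timestamp: str
    priority: Optional[int]     # None when the record carries no <priority> field
    text: str


def parse_record(line):
    """Return a LogRecord, or None if the line is not in the stored-message format."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    keyword = m.group("priority")
    return LogRecord(m.group("task"), m.group("date") + " " + m.group("time"),
                     LEVELS.get(keyword) if keyword else None, m.group("text"))


def parse_history(text):
    """Parse 'show log-history nvram' output; lines that do not parse are skipped."""
    records = [parse_record(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if r is not None]


def at_or_above(records, threshold):
    """Records at least as severe as the threshold keyword.

    Records without a priority field cannot be classified and are left out,
    which is why 'log record-priority' matters for offline review.
    """
    limit = LEVELS[threshold]
    return [r for r in records if r.priority is not None and r.priority <= limit]


# Constructed sample in the manual's format: the 'alerts:' and 'critical:' lines are
# this example's own, the others repeat lines from the show log-history example.
SAMPLE_HISTORY = """\
tcliuart: 2002/01/01 07:02:07 errors: test error message
ttftptask: 2002/01/01 07:45:07 errors: tftpget: error occurred while transferring the file.
tcliuart: 2002/01/01 08:08:11 : test emergency message
tcliuart: 2002/01/01 08:10:22 alerts: test alert message
tcliuart: 2002/01/01 08:10:31 critical: test critical message
this line is not a stored system message
"""
```

Note that the third sample line is an emergency message whose priority was not recorded; without log record-priority it is indistinguishable, offline, from any other level, so the filter cannot place it.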
Appendix D
Configuration History in NVRAM
The configuration history is a CLI feature that enables you to record all the
commands that were entered from configure mode into the device and that changed
the configuration. All the commands are recorded into the NVRAM, even if the
device configuration changes are not saved (using the write command).
By default, configuration history recording is disabled.
History Log Format and Generation
Every time a user exits the global Configuration mode, the configuration-session
history is generated and stored into NVRAM in the following format:
!
! time_stamp :: user_id :: device{console|telnet|ssh}
! configuration session number start
!
command 1
command 2
….
!
! configuration session number end
!
The history session is stored in script-like format, so that users can easily re-execute
the commands later.
Configuring History Settings
Table 23. Command-History Configuration Commands
record configuration-history nvram   Enables recording of the configuration commands
                                     into the NVRAM.
clear configuration-history nvram    Clears the history of configuration commands.
record configuration-history nvram
The record configuration-history nvram command, in global Configuration mode,
enables recording of the configuration commands into the NVRAM. The no form of
this command disables the recording, but does not clear existing command records.
If you enable configuration recording, you must exit configuration mode for the
command to take effect. Actual recording of configuration commands (not show
commands) starts the next time you re-enter global Configuration mode and
continues as long as that mode or any mode under it is active. In subsequent
configuration sessions, as long as configuration recording is enabled, configuration
commands accumulate in NVRAM by session.
If you disable configuration recording, recording stops immediately. You do not need
to exit configuration mode for the command to take effect.
clear configuration-history nvram
The clear configuration-history nvram command, in global Configuration mode,
removes all the recorded configuration commands from NVRAM.
Displaying the Configuration History
Table 24. Command-History Configuration Commands
show configuration-history          Displays all configuration commands stored in the
                                    NVRAM during the specified session.
show configuration-history all      Displays all configuration commands stored in the
                                    NVRAM during all recorded sessions.
show configuration-history size     Displays the number of sessions currently stored in
                                    the NVRAM.
show configuration-history status   Displays the current recording state of configuration
                                    history (enabled or disabled).
show configuration-history <num>
where <num> specifies a session number.
The show configuration-history command, in Privileged (Enabled) mode, displays
all configuration commands stored in the NVRAM during the specified session. If no
session number is specified, the command displays all configuration commands
stored in the NVRAM during the last session.
The following example displays the last configuration-session (two sessions were
recorded):
Device-Name#show configuration-history
! MON MAR 11 07:18:03 2002 :: vty :: console
! Configuration session 2 start
configure terminal
interface sw0
ip address 131.119.251.201/24
ip ospf authentication-key abcdefgh
exit
interface sw1
ip address 36.56.0.201/16
ip ospf authentication-key ijklmnop
exit
! Configuration session 2 end
The following example displays a specific configuration-session (session number 1):
Device-Name# show configuration-history 1
! THU MAR 07 18:40:17 2002 :: vty :: console
! configuration session 1 start
configure terminal
int 1/1/1
duplex-speed autonegotiate
duplex-speed full-10
! Configuration session 1 end
show configuration-history all
The show configuration-history all command, in Privileged (Enabled) mode,
displays all configuration commands stored in the NVRAM during all recorded
sessions.
The following example displays all recorded configuration sessions:
Device-Name# show configuration-history all
! THU MAR 07 18:40:17 2002 :: vty :: console
! Configuration session 1 start
configure terminal
int 1/1/1
duplex-speed autonegotiate
duplex-speed full-10
! configuration session 1 end
! MON MAR 11 07:18:03 2002 :: vty :: console
! Configuration session 2 start
configure terminal
ip address 131.119.251.201/24
! Configuration session 2 end
show configuration-history size
The show configuration-history size command, in Privileged (Enabled) mode,
displays the number of sessions currently stored in the NVRAM.
For example:
Device-Name#show configuration-history size
Configuration history consists of 4 sessions
show configuration-history status
The show configuration-history status command, in Privileged (Enabled) mode,
displays the current recording state (as set by the [no] record configuration-history
command).
For example:
Device-Name#show configuration-history status
Configuration history recording enabled
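The history is stored in the script-like format described at the start of this appendix, which makes it straightforward to parse into sessions for audit. The session 2 example above also shows that a command such as ip ospf authentication-key abcdefgh is recorded verbatim in NVRAM, so a copy taken off the device should have such values masked before it is shared. The following added example (not Foundry code) splits show configuration-history all output into sessions and re-emits it with credential arguments redacted; the keyword list, the class and function names and the assembled sample (whose lines are taken from the manual's examples) are this example's own.

```python
"""Parser and redacting exporter for 'show configuration-history' output (added example).

Splits the script-like history format into sessions (timestamp, user id, device,
session number, commands).  The sensitive-keyword list and all names are this
example's assumptions.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^! (?P<ts>.+?) :: (?P<user>\S+) :: (?P<device>\S+)$")
START_RE = re.compile(r"^! configuration session (?P<num>\d+) start$", re.IGNORECASE)
END_RE = re.compile(r"^! configuration session (?P<num>\d+) end$", re.IGNORECASE)

# command keywords whose following argument is a credential (assumption)
SENSITIVE_KEYWORDS = ("authentication-key", "password")


@dataclass
class Session:
    number: int
    timestamp: str
    user: str
    device: str
    commands: list = field(default_factory=list)


def parse_history(text):
    """Return the recorded sessions in the order they appear."""
    sessions, header, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            header = m.groupdict()
        elif (m := START_RE.match(line)):
            if header is None:
                raise ValueError("session %s start without header" % m.group("num"))
            current = Session(int(m.group("num")), header["ts"], header["user"], header["device"])
        elif (m := END_RE.match(line)):
            if current is None or current.number != int(m.group("num")):
                raise ValueError("unbalanced session end: %s" % line)
            sessions.append(current)
            current, header = None, None
        elif line.startswith("!"):
            continue                      # other comment lines are ignored
        elif current is not None:
            current.commands.append(line)
    if current is not None:
        raise ValueError("session %d has no end marker" % current.number)
    return sessions


def redact(command):
    """Mask the argument that follows a credential keyword."""
    for keyword in SENSITIVE_KEYWORDS:
        command = re.sub(r"(\b%s\s+)\S+" % re.escape(keyword), r"\1<redacted>", command)
    return command


def export(sessions):
    """Re-emit the history as a script with credentials masked."""
    lines = []
    for s in sessions:
        lines.append("! %s :: %s :: %s" % (s.timestamp, s.user, s.device))
        lines.append("! Configuration session %d start" % s.number)
        lines.extend(redact(c) for c in s.commands)
        lines.append("! Configuration session %d end" % s.number)
    return "\n".join(lines)


# Sample assembled from the manual's show configuration-history examples.
SAMPLE_SESSIONS = """\
! THU MAR 07 18:40:17 2002 :: vty :: console
! Configuration session 1 start
configure terminal
int 1/1/1
duplex-speed autonegotiate
duplex-speed full-10
! configuration session 1 end
! MON MAR 11 07:18:03 2002 :: vty :: console
! Configuration session 2 start
configure terminal
interface sw0
ip address 131.119.251.201/24
ip ospf authentication-key abcdefgh
exit
! Configuration session 2 end
"""
```

The parser is strict about the start/end markers so that a truncated or tampered history is reported rather than silently merged into the neighbouring session.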