T-Marc 3208SH User Guide Ver 3.5.R1

T-Marc 3208SH
Carrier Ethernet Demarcation Switch User Guide
Release 3.5.R1
October 2013
MN100246 Rev T
The information in this document is subject to change without notice and describes only the product defined in
the introduction of this document. This document is intended for the use of customers of Telco Systems only
for the purposes of the agreement under which the document is submitted, and no part of it may be reproduced
or transmitted in any form or means without the prior written permission of Telco Systems. The document is
intended for use by professional and properly trained personnel, and the customer assumes full responsibility
when using it. Telco Systems welcomes customer comments as part of the process of continuous development
and improvement of the documentation.
If the Release Notes that are shipped with the device contain information that conflicts with the information in
the user guide or supplements it, the customer should follow the Release Notes.
The information or statements given in this document concerning the suitability, capacity, or performance of the
relevant hardware or software products are for general informational purposes only and are not considered
binding. Only those statements and/or representations defined in the agreement executed between Telco
Systems and the customer shall bind and obligate Telco Systems. Telco Systems however has made all
reasonable efforts to ensure that the instructions contained in this document are adequate and free of material
errors and omissions. Telco Systems will, if necessary, explain issues which may not be covered by the
document.
Telco Systems sole and exclusive liability for any errors in the document is limited to the documentary
correction of errors. TELCO SYSTEMS IS NOT AND SHALL NOT BE RESPONSIBLE IN ANY EVENT
FOR ERRORS IN THIS DOCUMENT OR FOR ANY DAMAGES OR LOSS OF WHATSOEVER KIND,
WHETHER DIRECT, INCIDENTAL, OR CONSEQUENTIAL (INCLUDING MONETARY LOSSES),
that might arise from the use of this document or the information in it.
This document and the product it describes are the property of Telco Systems, which is the owner of all
intellectual property rights therein, and are protected by copyright according to the applicable laws.
Telco Systems logo is a registered trademark of Telco Systems, a BATM Company. BiNOS, BiNOSCenter,
T-Marc, T5 Compact, T5C-XG, T-Metro, EdgeLink, EdgeGate, Access60, AccessIP,
AccessMPLS, AccessTDM, AccessEthernet, NetBeacon, Metrobility, and OutBurst are trademarks
of Telco Systems.
Other product and company names mentioned in this document reserve their copyrights, trademarks, and
registrations; they are mentioned for identification purposes only.
Copyright Telco Systems 2013. All rights reserved.
Introduction
Table of Contents
Table of Figures 1
Introduction 2
Key Features 2
Using This Document 3
Intended Audience 3
Documentation Suite 3
Conventions Used 3
Organization 4
Getting Documentation Updates 6
Technical Support 6
International Headquarters 6
US: North America and Latin America 6
Asia Pacific (APAC) 6
Europe, Middle East and Africa (EMEA) 7
Table of Figures
Figure 1: T-Marc 3208SH ...................................................................................................................... 2
Introduction (Rev. 01)
Page 1
T-Marc 3208SH User Guide
T-Marc3208SH
Introduction
The T-Marc 3208SH is a Carrier Ethernet demarcation device for service providers and wireless
operators who backhaul traffic from multiple 2G, 3G and 4G cell sites over Carrier Ethernet. This
device supports Ethernet, pseudowire, and TDM emulation using Circuit Emulation Services
(CES), MPLS, OAM tools, and QoS. The combination of features, technologies, and manageability
offered by the T-Marc 3208SH gives service providers a competitive advantage by extending
service intelligence to the customer edge as well as offering and maintaining advanced Service Level
Agreements (SLAs).
The T-Marc 3208SH provides a comprehensive set of synchronization options optimized for
cellular operators looking to backhaul their data and voice traffic from the Node-B\BTS (base
transceiver station) to their core network over Ethernet\MPLS transport. The device supports
Synchronous Ethernet (SyncE), external clock and phase source.
A wide set of QoS features provide granular control over the behavior of traffic and services in the
network.
The T-Marc 3208SH supports 8 dual PHY Gigabit Ethernet interfaces, 4 dual-speed (100/1000)
Ethernet plug-in (SFP) ports, Sync Clock and Phase Clock Coaxial interfaces, as well as two
expansion slots for add-on line cards.
Figure 1: T-Marc 3208SH
Key Features
The device offers the following features:
Page 2
Gigabit Ethernet, wire speed, non-blocking Carrier Ethernet service demarcation switch
Purpose-built, highly available, temperature-hardened Carrier Ethernet equipment
MEF, IEEE, ITU-T and IETF standards compliance for multivendor interoperability
Circuit Emulation Services (CES) for delivery of traditional TDM or leased line services
MPLS capabilities to provide access to H-VPLS and VPWS
Quality-of-Service (QoS) and service granularity support
Operations, Administration and Maintenance (OAM) support
Ideal for street cabinet installations
Using This Document

This user guide includes information needed to configure the device functionalities, provides
complete syntax for the commands available in the currently-supported software version, and
describes the features supplied with the device.
NOTE
Ensure that the device is installed in accordance with Telco Systems' installation instructions.
For more information regarding device installation, refer to the Installation Guide of
this device.
For the latest software updates, see the Release Notes for the relevant release. The release notes may
contain information that is in conflict with the user guide. In all cases, information contained in the
release notes supersedes material contained in this user guide.
Intended Audience
This user guide is intended for network administrators responsible for installing and configuring
network equipment. To use this guide, you must already be familiar with Ethernet and local area
networking (LAN) concepts and terminology.
Documentation Suite
This document is just one part of the full documentation suite provided with this product.
You are:
Document Function
Function
Installation Guide
Contains information about installing the hardware and

software including site preparation, testing, and safety
information.
User Guide
Contains information on configuring and using the system.
Release Notes
Contains information about the current release, including

new features, resolved issues (bug fixes), known issues,
and late-breaking information that supersedes information
in other documentation.
Conventions Used
The conventions listed below may appear in the user guide. Pay special attention as each one
contains important information:
Page 3
NOTE
Indicates information requiring special attention.
CAUTION
Indicates special instructions needed to avoid possible damage to the product.
WARNING
Indicates special instructions necessary to avoid possible injury or death.
The table below defines additional conventions used to show commands, variable and parameters
within the document:
Conventions
Description
commands
CLI and SNMP commands
command example
CLI and SNMP examples
<Variable>
user-defined variables
[Optional Command Parameters]
CLI syntax and coded examples
Organization
The device User Guide includes the following chapters, each focusing on a different feature or set
of features. Each chapter begins with a brief overview of the feature/s, followed by the
configuration flow, and concluding with the configuration details for the corresponding commands.
Page 4
Chapter Name
Description
Introduction
Overview of product and document
Using CLI
Setting up basic CLI commands required to get started.
Managing the Device
Administering T-Marc 3208SH devices, performing initial

device configuration (such as time and date, software upgrade,
and protection from outside attacks), MAC address table, NTP,
DNS Resolver, understanding the files system, and Layer-2
port security techniques. System message logging and the
Remote Monitoring (RMON) feature are also explained.
Simple Network Management

Protocol (SNMP)
Understanding and configuring Simple Network Management

Protocol (SNMP), community strings, trap managers, and
traps.
Device Authentication
Understanding and configuring the privileged access levels to

commands used for protecting the device from unauthorized
access. The chapter also describes RADIUS and TACACS+.
Physical Ports and Logical

Interfaces
Understanding and configuring device interface types The

chapter also offers information on static Link Aggregation
Groups (LAGs), establishing resilience across the network
segments.
Virtual LANs (VLANs) and

Super VLANs
Understanding and configuring VLANs and Super VLANs
Chapter Name
Description
Transparent LAN Services

(TLS)
Understanding and deploying Transparent LAN services
Spanning Tree Protocols
Understanding and configuring Spanning Tree protocols.
Multicast Layer 2 Features
Understanding and configuring Internet Group Management

Protocol (IGMP) snooping and Multicast VLAN Registration
(MVR)
Link Layer Discovery Protocol

(LLDP)
Understanding and configuring the IEEE 802.1AB standard
Access Control Lists (ACLs)
Understanding and configuring ACLs, traffic rate-limit, and

applying QoS using ACLs
Quality of Service (QoS)
Understanding and configuring QoS features
Operations, Administration,
and Maintenance (OAM)
Understanding and configuring various tools used for

monitoring and troubleshooting the network:
802.3ah Ethernet in the First Mile (EFM-OAM)

IEEE 802.1ag Connectivity Fault Management (CFM)
ITU-T G.8032v2 Ring Automatic Protection Switching (RAPS)
ITU-T G.8031 Ethernet Protection Switching (EPS)
ITU-T Y.1564 Next-Generation Carrier-Ethernet Testing
ITU-T Y.1731-SLM SAA In-Service Test
ITU-T Y.1731 SAA In-Service Test
RFC 2544 SAA Out-of-Service Throughput Test
Event propagation
Synchronous Ethernet
(SyncE)
Determine and configure the synchronized clock source for the

system as well as configure the clock source output for the
device
Routing Information and

Protocols
Understanding and configuring routing protocols
MPLS Protocols and Services
Understanding and configuring Multiprotocol Label Switching

(MPLS) and Virtual Private LAN Services (VPLS)
Configuring Circuit Emulation

Services (CES)
Understanding and configuring CES over Ethernet
Troubleshooting
Troubleshooting and monitoring tools used to detect and solve

system related problems
Appendix A: SNMP Reference

Guide
MIBs and objects for controlling, monitoring, and managing the

device
Appendix B: Specifications
An abbreviated version of the specifications for the device
Appendix C: Acronym
Glossary
The list of acronyms used in this user guide and their meaning
Page 5
Getting Documentation Updates

You can access the most current Telco Systems documentation on the following site:
http://support.telco.com/.
Access to most of the Telco Systems documentation is password protected. To obtain a password,
contact the Telco Systems support center.
Technical Support
Telco Systems provides technical assistance for customers and partners. Contact the Professional
Services team at our international headquarters, or the technical support center for your region.
Contact information is provided below:
Web Access: http://www.telco.com
Email: support@telco.com
International Headquarters
Telco Systems, A BATM Company
Professional Services
13 HaYetzira St., New Industrial Park
Yokneam Ilit, 20692, Israel
Tel: +972-4-993-5630
Fax: +972-4-993-7926
US: North America and Latin America

Telco Systems, A BATM Company
15 Berkshire Rd
Mansfield, MA 02048
Tel: +1-781-255-2120
Fax: +1-781-255-2122
Asia Pacific (APAC)

Telco Systems Pte Ltd
Technical Support
10 Anson Road
#17-03 International Plaza
Singapore, 079903
Tel: +65 6224 3112
Fax: +65 6220 5848
Page 6
Europe, Middle East and Africa (EMEA)

BATM Advanced Communications GmbH
Peterstr. 2-4
52062 Aachen
Tel: +49 241 463 5490
Fax: +49 241 463 5491
Page 7
Using CLI
Table of Contents
Table of Figures 1
List of Tables 1
Using the Command Line Interface (CLI) 3
Accessing the CLI 3
The CLI Modes 3
Committing Configuration Commands 4
Using the CLI 5
The range Expression 25
Debug Commands 28
Banner Commands 36
Table of Figures
Figure 1: CLI Modes Hierarchy ............................................................................................................4
List of Tables
Table 1: CLI Syntax Conventions in the User Guide ........................................................................6
Table 2: CLI Help Options ....................................................................................................................6
Table 3: CLI Keyboard Sequences .................................................................................................... 12
Table 4: CLI Messages......................................................................................................................... 13
Table 5: Common Regular Expressions ........................................................................................... 14
Table 6: General Operational Mode Commands ............................................................................ 16
Table 7: Show Commands .................................................................................................................. 18
Table 8: Show Command Filter Options ......................................................................................... 20
Table 9: General Configuration Mode Commands......................................................................... 23
Table 10: Debug Commands .............................................................................................................. 30
Table 11: Banner Commands ............................................................................................................. 36
Using CLI (Rev. 01)
Page 1
Using CLI (Rev. 01)
Page 2
T-Marc3208SH
Using the Command Line Interface (CLI)

The CLI is a network management application operated through an ASCII terminal.
Using the CLI commands, users can configure the device parameters and maintain them, receiving
text output on the terminal monitor. These system parameters are stored in a non-volatile memory
and users have to set them up only once.
The device CLI is password protected.
Accessing the CLI

You can access the CLI:
directly, by connecting a PC to the devices console port
over an IP network, using Telnet or SSH (outband and inband management)
Once the login prompt is displayed, type your username and password to access the CLI.
For more information regarding default usernames and passwords, refer to the Device Authentication
chapter.
Example for SSH login:
login as: admin

admin@10.3.172.101's password:
Telco Systems T-Marc 3208SH
admin connected from 10.3.71.17 using ssh on T-Marc 3208SH
T-Marc 3208SH#
The default device-name displayed at the prompt is T-Marc 3208SH. Throughout this guide, we
refer to T-Marc 3208SH as device-name.
The default password is admin.
The CLI Modes

The CLI is structured from hierarchical modes, each mode grouping relevant CLI commands.
Its two top level modes are:
Operational mode
Configuration mode
Operational Mode
This is the initial mode that the CLI enters after a successful login to the CLI.
device-name#
Using CLI (Rev. 01)
Page 3
The Operational mode is primarily used for:
viewing the system status
controlling the CLI environment
monitoring and troubleshooting network connectivity
initiating the Configuration mode
Configuration Mode
The Configuration mode is the mode in which users can change the device configuration.
To enter this mode from Operational mode, use the config
terminal
command.
device-name#config terminal
Entering configuration mode terminal
device-name(config)#
The Configuration mode has various sub-modes for configuring the different device features, as
shown in the figure below.
Figure 1: CLI Modes Hierarchy
Committing Configuration Commands

The commands executed in the Configuration mode are not applied to the devices active
configuration (the running configuration file) until after you commit them. These commands are
applied to a copy of the active configuration, called a candidate configuration, prior to being committed.
Use the commit command to save the unapplied configuration changes to the running
configuration file. The system verifies that no additional changes have been performed in the active
Using CLI (Rev. 01)
Page 4
configuration by other users. In case of relevant changes, the system prompts for validating these
changes and committing them.
In addition when you attempt to exit the Configuration mode (end command or exit command),
the system prompts you to commit unapplied configuration changes:
Uncommitted changes found, commit them (yes/no/cancel)? [cancel]
In this case:
type yes to save the configuration changes and exit the configuration session
type no to exit the configuration session without committing the configuration changes
type cancel to remain in the current configuration session without exiting or committing the
configuration changes
When committing commands, the CLI validates the configuration changes and prompts for
missing configuration:
Example:
device-name#config
device-name(config)#vlan vl10 10
device-name(config-vlan-10)#routing-interface sw10
device-name(config-vlan-10)#com
Aborted: Error: Vlan instance is using the current routinginterface or you are trying assign a non-existing
routing-interface to vlan!
device-name(config-vlan-10)#
Using the CLI

Command Keywords and Arguments
A CLI command is built up of a series of keywords and arguments:
Keywords identify the commands action
Arguments specify the commands configuration parameters
The CLI commands are not case sensitive.
The general CLI syntax is represented by the following format:

device-name[(config- ...)]#keyword(s) [argument(s)] ... [keyword(s)]
[argument(s)]
In this format
device-name[(config ...)]# represents the prompt displayed by the device. This prompt includes:
the user-defined device-name
the current CLI mode
the command keywords and arguments typed by the user
Using CLI (Rev. 01)
Page 5
Example:
In the command below:

device-name(config-port-1/1/10)#default-vlan 100
the CLI mode is config-port-1/1/10
default-vlan
100
is the command keyword
is the command argument
Table 1: CLI Syntax Conventions in the User Guide

Symbol/Format
Description
<Italic, small
letters>
A numerical argument:
Italic, capital
letters
A string argument:
bold letters
A command keyword:
<priority>
NAME
show port
A.B.C.D
An IP address:
10.4.0.4
UU/SS/PP
A physical port number in a unit/slot/port format:

1/1/6
HH:HH:HH:HH:HH:HH
A MAC address in a hexadecimal format:

00:a0:12:07:0f:78
[]
An optional argument or keyword:

[FILENAME]
{}
A mandatory argument or keyword:

{enable | disable}
An or between two arguments or keywords, the user should select from:

{true | false}
Getting Help
To get specific help on a command mode, keyword, or argument, use one of the following
commands or characters:
Table 2: CLI Help Options
Command
Purpose
help
Provides a brief description of the help system in any command mode.

Example:
device-name(config)# help ethernet
Help for command: ethernet
Configures Ethernet services and protocols
Using CLI (Rev. 01)
Page 6
Command
abbreviatedcommand<Tab>
Purpose
To display a commands possible completions, type the partial command
followed immediately by <Tab> or <Space>.
If the partially typed command uniquely identifies a command, the full
command name is displayed. Otherwise, the CLI displays a list of possible
completions:
Example:
device-name(config)#ether
Possible completions:
ether-type
Configure Ethertype access lists
ethernet
command?
or
abbreviatedcommand?
Using CLI (Rev. 01)
(Leave no space between the command and ?) Provides a list and description
of commands that begin with a particular string:
Example:
device-name#s?
send
Send message to terminal of one or all users
service
Configure services
show
Show information about the system
ssh
ssh to network hosts
system
Configure system's diagnostics, management and
troubleshooting
capabilities
Page 7
Command
Purpose
Lists all commands available in the current command mode.

Example:
device-name(config-system)#?
Description: Configure system's diagnostics, management and
troubleshooting capa
bilities
banner
Banner shown to the user when the CLI is
started.
dns-resolver
Configure DNS resolver
dscp-mapping
Specify the name of the L3 protocol
dscp-remarking
Specify DSCP that will be remarked
fdb-extended
Configure extended FDB table
hostname
Set system's network name
license
Software license
mirror
Configure port mirror
monitor
Operational monitoring of switch
netconf-server
Configure NETCONF access-control
no
Negate a command or set its defaults
reload
Reload the system
snmp
SNMP parameters
ssh-server
Configure SSH access-control
time
Configure time settings
--commit
Commit current set of changes
exit
Exit from current mode
help
Provide help information
pwd
Display current mode path
top
Exit to top level and optionally run
command
<cr>
command ?
or
abbreviatedcommand ?
Using CLI (Rev. 01)
(Leave a space between command and ?) Lists the available keywords or

arguments that can follow the specified command
Example:
device-name(config)#validate ?
| <cr>
Page 8
Command
!, #
Purpose
The CLI ignores all the characters following ! or # up to the next new line.
Example:
device-name#show running-config system snmp
system
snmp
engine-id
80:00:02:e2:03:00:a0:12:27:0d:a5
no shutdown
authentication-failure-trap
view myview 1.3
group mygroup noAuthNoPriv read myview write myview notify
myview
user tester mygroup v3
target-address mycomp
address
10.3.71.58
message-model v3
security-name tester
NOTE
To use ! or # as an argument, prefix it with \ or
inside double quotes ().
Using CLI (Rev. 01)
Page 9
Command
command |
{append FILE
NAME | begin
| count |
include |
exclude |
linnum |
more |
nomore |
save FILE
NAME} |
until
regularexpression
Purpose
Searches and filters the command output. This functionality is
useful if you need to sort through a large output or if
you want to exclude irrelevant output.
append: appends the command output to a file. You are prompted
for a file name
begin: begins an unfiltered output of the command with the
first line containing the regular expression
count: counts the output-lines number
include: displays output lines that contain the regular
expression
exclude: displays output lines that do not contain the regular
expression
linnum: enumerates lines in the output
more: enables the output pagination
nomore: disables the output pagination
save: saves the command output to a file. You are prompted for
a file name
regular-expression: see Table 5
Example 1:
The below example displays only lines that do not contain
Regular expression sw*.
device-name#show router interface | exclude sw*
========================================================================
--------+------+---------------+---------------+---------------+-------lo
up
outBand0 up
127.0.0.1
255.0.0.0
127.255.255.255 1500
10.3.155.5
255.255.0.0
10.3.255.255
1500
========================================================================
Example 2:
It is also possible to display the output starting at the
first match of a regular expression, using the begin
keyword.
device-name#show router interface | begin .*sw30
39
sw30
up
100.1.3.1
255.255.255.0
100.1.3.255
1544
40
sw40
up
100.1.4.1
255.255.255.0
100.1.4.255
1544
============================================================================
|
Svc20
|4098|
You can use more than one filter on a single command.

Example:
device-name# show router interface | begin .*sw20 | until
.*sw40 | count
Count: 3 lines
Minimum Abbreviation
The CLI accepts a minimum number of characters that uniquely identify a command. Therefore
you can abbreviate commands and parameters as long as they contain enough letters to differentiate
them from any other available commands or parameters on the specific CLI mode.
Example:
Using CLI (Rev. 01)
Page 10
You can type the config
terminal
command as con
device-name#con t
device-name(config)#
In case of an ambiguous entry (when the CLI mode includes more than one command matching
the characters typed), the system prompts for further input.
Example:
device-name#co
-------------^
syntax error:
Possible alternatives
commit
compare
a file
complete-on-space config
-
starting with co:

Confirm a pending commit
Compare running configuration to another configuration or
Manipulate software configuration information
Dynamic Completion of Commands

In addition to the Minimum Abbreviation functionality, the CLI can display the commands
possible completions.
To display possible command completions, type the partial command followed immediately by
<Tab> or <Space>.
In case the partial command uniquely identifies a command, the CLI displays the full command.
Otherwise the CLI displays a list of possible completions.
device-name(config)#ether
ether-type
Configure Ethertype access lists
ethernet
Negating Commands
The no prefix negates the command or resets the commands configuration to its default value. For
example, the log command logs system messages. To disable logging, use the no log command.
Using the Command History

The CLI maintains a history of commands entered in any CLI mode. You can scroll back through
the history of commands by pressing the up arrow key. You can modify and execute any command
displayed in the history list.
You can also use the show
device-name#show
00:06:29 -- show
00:06:39 -- show
00:06:42 -- show
Using CLI (Rev. 01)
history command to display a list of executed commands.
history
port
vlan
history
Page 11
00:06:48 -- config terminal

00:07:21 -- show history
CLI Keyboard Sequences

You can use keyboard sequences for moving around the command line and editing it. You can also
use keyboard sequences to scroll through a list of recently executed commands.
Table 3: CLI Keyboard Sequences
Key
Function
Ctrl+b or Left Arrow
Moves one character back
Esc+b or Alt+b
Moves one word back
Ctrl+f or Right Arrow
Moves one character forward
Esc+f or Alt+f
Moves one word forward
Ctrl+a or Home
Moves to the beginning of the command line
Ctrl+e or End
Moves to the end of the command line
Ctrl+h, Delete, or Backspace
Deletes the character that precedes the cursor
Ctrl+d
Moves one mode back
Ctrl+k
Deletes all characters to the end of the command line
Ctrl+u or Ctrl+x
Deletes the command line
Ctrl+w, Esc+Backspace, or
Alt+Backspace
Deletes last word before the cursor
Esc+d or Alt+d
Deletes the word after the cursor
Ctrl+y
Inserts the most recently deleted text at the cursor
Ctrl+p or Up Arrow
Moves up to the previous line in the history buffer
Ctrl+n or Down Arrow
Moves down to the next command line in the history buffer
Ctrl+r
Searches the command history in reverse order
Esc+c
Capitalizes the word at the cursor, for example, make the

first character uppercase and the rest of the word lowercase
Ctrl+c
Interrupts the current input and moves to the next command

line
Ctrl+t
Transposes characters
ESC+m
Enters multi-line mode (>):

[Entering Multiline mode, exit with ctrl-D.]
Ctrl+z
Returns to Operational mode
Using CLI (Rev. 01)
Page 12
CLI Messages
The CLI displays relevant messages in response to executed commands:
Table 4: CLI Messages
CLI Message
Description
syntax error:
expecting
Displayed when the entry is not a legal command:

device-name#shiw
----------------^
syntax error: expecting
clear
- Clear parameter
commit
- Confirm a pending commit
compare
- Compare running configuration to another
configuration or a file
complete-on-space config
Syntax error:
incomplete path
- Manipulate software configuration information
defaults-display
- Shows default values when showing the configuration
file
- Perform file operations
help
- Provide help information
history
- Configure history size
idle-timeout
- Configure idle timeout
logout
- Logout a user
mpls
- mpls related commands
no
- Negate a command or set its defaults
oam
ping
- Send ICMP ECHO_REQUEST to network hosts
run
- Exec CLI script command
send
- Send message to terminal of one or all users
show
- Show information about the system
ssh
- ssh to network hosts
system
telnet
- telnet to network hosts
tool
traceroute
- Print the route packets trace to network host
who
- Display currently logged on users
write
- Write configuration
Displayed when the user types a valid command but fails to type the
commands required arguments:
device-name(config)#port
------------------------^
syntax error: incomplete path
syntax error:
Possible
alternatives
starting with
Using CLI (Rev. 01)
Displayed when the user types too few characters. In these cases, the
CLI detects an ambiguity and displays the possible matches:
device-name(config)#re
-----------------------^
syntax error:
Possible alternatives starting with re:
resolved - Conflicts have been resolved
revert
- Copy configuration from running
Page 13
Regular Expressions
Regular expressions are a subset of EGREP and AWK programming-language regular expressions.
Table 5: Common Regular Expressions
Key
Function
Matches any character
^
$
[abc...]
[^abc...]
r1 | r2
r1r2
r+
r*
r?
(r)
Using CLI (Rev. 01)
Matches the beginning of a string

Matches the end of a string
Character class that matches any of the characters: abc
To specify a character range, type a pair of characters separated by a -.
Negated character class that matches any character except abc....
Matches either r1 or r2
Matches r1 and then r2
Matches one or more r
Matches zero or more r
Matches zero or one r
Matches a pattern group
Page 14
General Operational Mode Commands

device-name#
- clear {history | fdb | lag | oam | port | access-group-statistics |

igmp-statistics | log | l2-tunneling-statistics | mac-violation}
- commit [abort | confirm | persist-id <id>]
- [no] complete-on-space
- [no] defaults-display
- help COMMAND
- [no] history <size>
- logout [session <session-number> | user USER-NAME]

- send {USER-NAME | all} MESSAGE
- show
- who
- write <terminal>
Using CLI (Rev. 01)
Page 15
Table 6: General Operational Mode Commands

Command
Description
device-name#
Operational mode
clear {history | fdb | lag | oam |

port | access-group-statistics |
igmp-statistics | log | l2tunneling-statistics | macviolation}
Clears all history records
commit [abort | confirm | persistid <id>]
Ends the current configuration:
abort: aborts the commit action
confirm: saves the configuration

changes up to this point
persist-id <id>: commits from another

session, using the cookie from the
previous commit operation.
id: the sessions number
complete-on-space
Allows CLI to autocomplete a command also when

the user types the space character
no complete-on-space
Disables the option
defaults-display
Defines whether to display defaults settings
no defaults-display
Disables the option
help COMMAND
Displays a help text for the selected command
history <size>
Specifies the number of commands kept in the

history list:
size: in the range of <0-51>
10
no history
Restores to default
logout [session <session number>

| user USER-NAME]
Terminates the specified session
send {USER-NAME | all} MESSAGE
session number: the session number,

in the valid range of <1101>
USER-NAME: the specific users

session
Sends immediate messages from your terminal to

one or more terminals
USER-NAME: send an immediate message

to the selected user
all: send an immediate message to all

users
MESSAGE: text string
show
See below show commands
who
Displays information about currently logged on users

(such as session number, user name, and date)
write terminal
Displays the running configuration that differs from

the factory default values
show running-config
Using CLI (Rev. 01)
Page 16
Show Commands
device-name#
- show routes
- show bfd-session
- show bist
- show access-group-statistics
- show access-groups
- show access-lists
- show eps
- show ethernet
- show oam efm
- show port
- show rmon
- show snmp
- show snmp-server
- show snmp-system
- show syslog
- show cli
- show clock
- show fdb
- show history
- show igmp-snooping
- show l2-tunneling
- show saa
- show startup-config
- show super-vlan
- show system manufacturing-details [main-board | module STRING]
- show running-config
- show router
- show mpls
- show vpls
- show vpws
- show sap-access-group-statistics
- show service
- show system
- show technical-support
- show version
- show vlan
- show configuration commit list
Using CLI (Rev. 01)
Page 17
- show multicast mvr
- show radius-statistics
- show router
- show routes
- show service tls
- show tacacs-statistics
Table 7: Show Commands

Command
Description
device-name#
Operational mode
Using CLI (Rev. 01)
show access-group-statistics
For details, refer to Access Control List (ACLs)

chapter
show access-groups

chapter
show access-lists

chapter
show eps
For details, refer to Operations, Administration,

and Maintenance (OAM) chapter
show Routes
For details, refer to Routing Information and

Protocols chapter
show bfd-session

Protocols chapter
show oam efm
For details, refer to OAM chapter
show ethernet
For details, refer to Physical Ports and Logical

Interfaces chapter
show port
Displays port configuration.
show rmon
For details, refer to RMON chapter
show snmp
For details, refer to SNMP chapter
show snmp-server
show snmp-system
show syslog
For details, refer to Managing the Device chapter
Page 18
Command
show cli
Using CLI (Rev. 01)
Description
Displays the CLI configuration:
autowizard
complete-on-space
display-level
history
idle-timeout
ignore-leading-space
output
paginate
screen-width
service prompt config
show-defaults
terminal
show clock
Displays the day of the week, date, and time
show history
Displays the last CLI commands of the current

session
show igmp-snooping
For details, refer to IGMP Snooping chapter
show interface
Displays IP interface configuration.
show l2-tunneling
For details, refer to TLS chapter
show saa
For details, refer to Operations, Administration,

and Maintenance (OAM) chapter
show startup-config
show super-vlan
For details, refer to VLAN chapter
show fdb
show mpls
For details, refer to MPLS and H-VPLS chapter
show router

Protocols chapter
show running-config
Displays the configuration information currently in

running memory
show sap-access-group-statistics
For details, refer to ACL chapter
show system uptime
Displays the system uptime since last boot
show system monitor
Displays the following test results:
CPU Temperature Test
CPU Resources Test
Fan Test
Port Statistics Test
Power Supply Test
Ram Resources Test
Page 19
Command
show system manufacturing-details
[main-board | module STRING]
Description
Displays the factory-inputted manufacturing
information. Not user modifiable.
main-board: displays details for

the devices main board
module STRING: displays information

for specific devices module
show system statistics-history
Displays the complete collection of statistics:

For details, see Managing the device chapter
show technical-support
For details, see Troubleshooting chapter
show version
Displays the device software version
show vlan
For details, refer to VLANS chapter
show vpls
show vpws
show configuration commit list
Displays commit history
show multicast mvr
Displays MVR profile information
show radius-statistics
Displays Radius client statistics
show router
For details, refer to Physical Ports and Logical

Interfaces chapter
show routes

Protocols chapter
show service tls
Displays information about all currently configured

TLS services
show tacacs-statistics
Displays TACACS client statistics
Filtering the show Command Output
The output of the show commands can generate a large amount of data. To display only a subset of
information, type the Pipe character (|) followed by a specific keyword and a regular expression.
The below table shows the filtering options for the show command.
Table 8: Show Command Filter Options
Command
Description
show command | append file-name
Redirects the command output into an existing

file, located on NVRAM, FTP, or TFTP.
show command | begin regular-
Begins unfiltered command output with the first

line that contains the regular expression.
show command | count
Counts the number of lines in the output.
show command | details
(only for the show running-config command)

Displays all output elements.
show command | display {xml | txt}

Displays the command output in XML or text
format
expression
Using CLI (Rev. 01)
Page 20
Command
Description
show command | extended

Displays extended command output.
show command | exclude regular-
Displays output lines that do not contain the

regular expression.
show command | include regular-
Displays output lines that contain the regular

expression.
show command | linnum
Numbers the command output rows.
show command | more
Allows the command output to be sent to the

screen one page at a time.
show command | nomore
Displays the command output all at once instead

of one screen at a time.
show command | tab

Applies table format on the command output.
show command | save file-name
Saves the command output to a file.
show command | until regular-
Ends with the line that matches the regular

expression.
expression
expression
expression
Examples:
To display the interface starting with ethernet0, execute the following command:
device-nameH#show router interface | begin outBand0
outBand0 up
10.3.155.5
255.255.0.0
10.3.255.255
1500
========================================================================
To display only the route statements from the running-config, execute the following command:
device-name#show running-config | include route
router
router-id 2.2.2.2
To display only lines that start with 127, execute the following command:
device-name#show Routes | include ^127
127.0.0.0/8
0
0.0.0.0
0s
lo
connect
selected
ifindex
active,fib
127.0.0.1/32
0
0.0.0.0
0s
lo
connect
selected,self_ip
ifindex
active,fib
To display the whole configuration except for the access-lists, execute the following command:
device-name#show running-config | exclude access-list
To save your current configuration, execute the following command:

device-name#show running-config | save test2.cfg
Verify the result, by using the following command:

device-name#file ls
1 Jan 2009 28.0k 2
1 Jan 2009 4.0k test1.cfg
1 Jan 2009 40.0k ttt.cfg
Using CLI (Rev. 01)
Page 21
1 Jan 05:05 36.0k test2.cfg

Number of files: 4, 108K
Flash Size: Size
56.2M
Used Space: Used
44.6M
Free Space: Available
11.6M
To count the number of LSPs, execute the following command:

device-name#show running-config | include lsp | count
Count: 11 lines
General Configuration Mode Commands

device-name#
+ config terminal
- abort
- clear
- commit [comment COMMENT-DESCRIPTION]
- commit label LABEL-DESCRIPTION
- commit persist-id <id>

- move
- do COMMAND
- end [no-confirm]
- exit [configuration-mode | level | no-confirm]
- help COMMAND
- pwd
- resolved
- run
- revert [no-confirm]
- rollback configuration [<number>]
- show {configuration COMMAND | full-configuration COMMAND |

history <number of items to show>}
- top COMMAND
- validate
Using CLI (Rev. 01)
Page 22
Table 9: General Configuration Mode Commands

Command
Description
config terminal
Enters the Configuration mode
abort
Ends the Configuration mode and returns to the

Operational mode without committing the current
configuration
clear
Clears all uncommitted configuration changes
do COMMAND
Executes an operational mode command in the

Configuration mode
end [no-confirm]
Exits the Configuration mode and commits

uncommitted configuration changes
exit [configuration-mode | level | noconfirm]
no-confirm: exits the Configuration

mode without to commit the current
configuration. It returns you
directly in the Operational mode
configuration-mode: exits the

Configuration mode and commits the
uncommitted configuration changes.
It returns one mode level back
level: exits from the current mode

level. It returns one mode level
back

configuration
level
help COMMAND
Displays the help text for the selected command
pwd
Displays the current mode
resolved
If configuration conflicts are detected between

your configuration changes and the existing
running configuration during the commit
operation, a message prompts you to select a
conflict resolution:
Aborted: there are conflicts.
--------------------------------------Resolve needed before configuration can
be committed. View conflicts with
the command 'show configuration' and
execute the command 'resolved'
when done, or
exit configuration mode to abort.
Conflicting configuration items are
indicated with a leading '!'
Conflicting users: admin
--------------------------------------Use the resolved command to confirm the
resolution for the pending
changes.
Using CLI (Rev. 01)
Page 23
Command
revert [no-confirm]
Description
Copies the running configuration into candidate
configuration
rollback configuration [<number>]
show {configuration COMMAND | fullconfiguration COMMAND | history

<value>}
show configuration {commit changes

<number> | diff COMMAND | merge
COMMAND | rollback changes
<number> | running | this
COMMAND}
Using CLI (Rev. 01)

configuration
Returns the configuration to a previously

committed configuration:
number: the number of old

configuration to be restored
configuration: displays the current

configuration that is still not
committed
full-configuration: displays
whole configuration
history <value>: displays a list of

recorded commands in the current
CLI session, in the range of <032000>
number: configuration session

number
commit changes: displays the result

of comparing a committed
configuration (specified by a
number) to the candidate
configuration
rollback changes: displays the

result of comparing a rollback
configuration (specified by a
number) to the candidate
configuration
diff COMMAND: displays the

differences between the candidate
configuration and the committed
configuration per category
merge COMMAND: displays the result

of merging the candidate
configuration and the committed
configuration
running: displays the content of

the running configuration
this COMMAND: displays the

configuration changes for a
specific feature
the
top COMMAND
Returns you to the Configuration mode from any

other mode, and executes the selected command
in the Configuration mode
validate
Validates the current configuration
Page 24
The range Expression

The range expression enables you to modify, delete, or display ranges of values in one single
command, at the same time. Only group of VLANs can be created using range option.
device-name(config)#vlan range 500-502 tagged
Creating VLAN configuration. Please, wait ...
device-name(config-tagged- 1/1/1)#
1/1/1
NOTE
The range expression can be applied only on integer values.
The range expression can be omitted.
The range expression cannot be used for creating a new range of values.
Example 1:
device-name(config)#router
device-name(config-router)#rsvp-te
device-name(config-rsvp-te)#lsp
<lsp-id:int> range
device-name(config-rsvp-te)#lsp range 53-57, 1000
device-name(config-lsp-53-57,1000)#show full-configuration
router
rsvp-te
lsp 53
far-end
3.3.3.3
name
53
fast-reroute-mode facility
admin-group exclude-any 11
!
cspf
no shutdown
!
lsp 54
far-end
4.4.4.4
name
54
cspf
no shutdown
!
lsp 56
far-end
6.6.6.6
name
56
!
cspf
no shutdown
!
lsp 57
Using CLI (Rev. 01)
Page 25
far-end
7.7.7.7
name
57
cspf
no shutdown
!
lsp 1000
far-end
6.6.6.6
name
manual_bypass
guarded-destination 67.0.0.6
cspf
no shutdown
!
!
!
Example 2:
device-name(config-router)#rsvp-te
device-name(config-rsvp-te)#lsp
<lsp-id:int> range
device-name(config-rsvp-te)#lsp range 5*
device-name(config-lsp-5*)#show full-configuration
router
rsvp-te
lsp 53
far-end
3.3.3.3
name
53
!
cspf
no shutdown
!
lsp 54
far-end
4.4.4.4
name
54
cspf
no shutdown
!
lsp 56
far-end
6.6.6.6
name
56
!
cspf
Using CLI (Rev. 01)
Page 26
no shutdown
!
lsp 57
far-end
name
fast-reroute-mode
cspf
no shutdown
!
lsp 58
far-end
name
fast-reroute-mode
cspf
no shutdown
!
7.7.7.7
57
facility
8.8.8.8
58
facility
!
!
Example 3:
device-name(config)#service
device-name(config-service)#vpls 101-200
device-name(config-vpls-101-200)#shutdown
device-name(config-vpls-101-200)#commit
Commit complete.
Example 4:
device-name(config-service)#no vpls * spoke 3
device-name(config-service)#show configuration
service
vpls 101
no spoke-sdp 3
!
vpls 102
no spoke-sdp 3
!
vpls 103
no spoke-sdp 3
!
vpls 104
no spoke-sdp 3
!
vpls 105
no spoke-sdp 3
!
Using CLI (Rev. 01)
Page 27
vpls 106
no spoke-sdp
!
vpls 107
no spoke-sdp
!
vpls 108
no spoke-sdp
!
vpls 109
no spoke-sdp
Debug Commands
Caution
It is recommended to use the debug commands only under the direction of Technical
Support team when troubleshooting specific problems. Enabling debugging can disrupt
operation of the device when internetworks are experiencing high load conditions.
Command Hierarchy
device-name#
+ config terminal
+ [no] debug
- [no] bm api
- [no] bm api_time
- [no] bm api_call
- [no] bm async_io
- [no] bm drv
- [no] bm fdb
- [no] bm fdb_detailed
- [no] bm init
- [no] bm if_state
- [no] bm notify
- [no] bm oam
- [no] bm proto_1to1
- [no] bm proto_ces_circ
- [no] bm proto_ip
- [no] bm proto_reslink
- [no] bm proto_service
- [no] bm proto_trunk
- [no] bm rx
- [no] bm sfp
Using CLI (Rev. 01)
Page 28
- [no] bm stp
- [no] bm tx
- [no] bm vlan
- [no] cfm <value>
- [no] eps <value>

- [no] mpls ldp
- [no] mpls prefix-fec

- [no] mpls rsvp
- [no] mpls te
- [no] mpls vpls
- [no] mpls vpws
- [no] system-monitor
- [no] ptp-tc
- [no] raps <value>
- [no] drv acl
- [no] drv core

- [no] drv hqos
- [no] drv init
- [no] drv internal_memory

- [no] drv l2
- [no] drv link

- [no] drv mfib
- [no] drv mpls
- [no] drv param
- [no] drv pktdump
- [no] drv port_monitor

- [no] drv qos
- [no] drv rx
- [no] drv saa

- [no] drv sfp
- [no] drv sfp_event

- [no] drv stp
- [no] drv super_vlan

- [no] drv tls
- [no] drv trunk

- [no] drv tx
- [no] drv vlan
- [no] ospf assert

- [no] ospf events
Using CLI (Rev. 01)
Page 29
- [no] ospf ism_events

- [no] ospf ism_status
- [no] ospf ism_timers
- [no] ospf lsa_flood
- [no] ospf lsa_generate

- [no] ospf lsa_install
- [no] ospf lsa_refresh

- [no] ospf management
- [no] ospf nsm_events
- [no] ospf nsm_status
- [no] ospf nsm_timers

- [no] ospf nssa
- [no] ospf opaque
- [no] ospf pkt_db_desc

- [no] ospf pkt_detail
- [no] ospf pkt_hello
- [no] ospf pkt_ls_ack
- [no] ospf pkt_ls_req

- [no] ospf pkt_ls_upd
- [no] ospf recv
- [no] ospf rm_api
- [no] ospf rm_redistribute
- [no] ospf send
- [no] ospf system

- [no] ospf te
- [no] ospf tsm_events

- [no] ospf tsm_lists
- [no] ospf tsm_send
- [no] ospf tsm_status
- [no] isis authentication
Command Descriptions
To turn off a debug command enter the no form of the command at the command line.
Table 10: Debug Commands
Command
Description
config terminal
Enters Configuration mode
debug
Using CLI (Rev. 01)
Enters the Debug Configuration mode
Page 30
Command
Using CLI (Rev. 01)
Description
bm api
Enables displaying of additional log messages related to

Bridge Manager (BM) Application Programming Interface
(API) server
bm api_time

the execution time of each BM API
bm drv

driver events, received in BM
bm fdb

FDB
bm fdb_detailed

FDB in details (log messages for each Add/Remove
event)
bm init

BM Init flow
bm notify

notifications, sent from BM to its clients
bm oam

OAM specific logic in BM
bm proto_1to1

one-to-one interfaces
bm proto_ces_circ

CES circuit interfaces
bm proto_ip
Enables displaying of additional log messages related

to IP interfaces
bm proto_reslink

Resilient link interfaces
bm proto_service

Virtual Interfaces (VI)
bm proto_trunk

Trunk interfaces
bm rx

packet receive flow
bm sfp

SFP specific logic in BM
bm stp

Spanning tree specific logic in BM
bm tx

packet transmit flow
bm if_state

interface status change
bm async_io
Enables displaying of additional log related to async IO

channel
bm api_call
Enables displaying of additional log related to each API

call
Page 31
Command
cfm <value>
Description
CFM:
eps <value>

EPS:
Using CLI (Rev. 01)
value: opens debug logs in the

applications, in the range of <0
4294967295>
value: opens debug logs in the

applications, in the range of <0
4294967295>
mpls ldp

MPLS LDP
mpls prefix-fec

MPLS Prefix FEC LSP
mpls rsvp

MPLS RSVP
mpls te

MPLS TE LSP
mpls vpls

MPLS VPLS
mpls vpws

MPLS VPWS
system-monitor

system monitoring
ptp-tc

PTP transparent clock
raps <value>

RAPS
bm vlan

VLAN operations
drv acl

Access Lists
drv core

driver low level debug
drv hqos

HQoS
drv init

driver init flow
drv internal_memory

driver internal memory usage
drv l2

MAC address learning
drv link

physical link events
drv mfib

Multicast FIB (MFIB)
Page 32
Command
Using CLI (Rev. 01)
Description
drv mpls

MPLS
drv param

interface parameter handling
drv pktdump

detailed dump of packets (combined with tx/rx debug
flags)
drv port_monitor

port monitor
drv qos

QoS
drv rx

packet receive flow
drv saa

SAA
drv sfp

SFP logic
drv sfp_event

SFP events
drv stp

STP
drv super_vlan

Super VLAN
drv tls

TLS
drv trunk

link aggregations
drv tx

packet transmit flow
drv vlan

VLAN operations
ospf assert

assert errors
ospf events

general events and states
ospf ism_events

Interface State Machine events
ospf ism_status

to Interface State Machine status
ospf ism_timers

to Interface State Machine timers
ospf lsa_flood

to Link State Acknowledgment (LSA) flood process
ospf lsa_generate

LSA generation
Page 33
Command
Using CLI (Rev. 01)
Description
ospf lsa_install

to LSA install in local database
ospf lsa_refresh

to LSA refresh
ospf management

management requests
ospf nsm_events

to Neighbor State Machine events
ospf nsm_status

to Neighbor State Machine status
ospf nsm_timers

to Neighbor State Machine timers
ospf nssa

Not So Stubby Area (NSSA) LSA handling
ospf opaque

Opaque LSA handling
ospf pkt_db_desc

to Database description packets
ospf pkt_detail

to Detailed packet debug (dump packet contents)
ospf pkt_hello

Hello packets
ospf pkt_ls_ack

to Link State (LS) Acknowledge packets
ospf pkt_ls_req

to LS request packets
ospf pkt_ls_upd

to LS update packets
ospf recv

to receive packet flow
ospf rm_api

to interaction with Router Manager
ospf rm_redistribute

route redistribution of other protocols
ospf send

transmit packet flow
ospf system

to system events
ospf te

traffic engineering
ospf tsm_events

Traffic Engineering (TE) State Machine events
ospf tsm_lists

TE State Machine lists
Page 34
Command
Using CLI (Rev. 01)
Description
ospf tsm_send

TE State Machine information send
isis authentication

ISIS protocol authentication
ospf tsm_status

TE State Machine status change
Page 35
Banner Commands
Commands Hierarchy
+ config terminal
+ system
- [no] banner-ssh STRING
- [no] banner-telnet STRING
Commands Descriptions
Table 11: Banner Commands
Command
config terminal
system
banner-ssh STRING
Description
Enters System Configuration mode
Specifies a login banner for SSH users:
no banner-ssh
Removes the configured banner
banner-telnet STRING
Specifies a login banner for Telnet users
no banner-telnet
Using CLI (Rev. 01)
STRING: in format banner text\n
STRING: in format banner text\n
Removes the configured banner
Page 36
Managing the Device

Table of Contents
Table of Figures 3
List of Tables 3
Features Included in this Chapter 4
Device Management 6
Managing the Device via CLI 6
Managing the Device via SNMP 6
Managing the Device via NETCONF 7
NETCONF Commands 9
MAC Address Table (FDB) 15
MAC Address Table Commands16
MAC Address Table Configuration Example 21
MAC Learning Security Policies 22
Port Security 22
Port Limit 22
MAC Learning Security Profile Commands 23
Files System 28
File System Configuration Commands 28
Software Upgrade Example 35
System Time and Date 38
Network Time Protocol (NTP) 38
Summer Time (Daylight Saving Time) 38
IEEE-1588v2 Precision Time Protocol (PTP) 38
IEEE-1588v2 PTP Configuration Flow39
System Time and Date Configuration Commands 42
Domain Name System (DNS) Client 47
Managing the Device (Rev. 01)
Page 1
DNS Client Configuration Commands 47

Virtual Terminal Interface (VTY) 48
VTY Session Configuration Commands 48
License Configuration 49
License Configuration Commands 49
Session Limiting 50
Sessions Limiting Commands 50
Remote Monitoring 52
RMON Ethernet Statistics Group 52
RMON Commands 54
System Logs Message 59
System Logs Message Format 59
Settings and Values 59
System Log Commands 62
Commands Descriptions 62
Configuration Example 65
Denial of Service (DoS) Attack Prevention 66
DoS Attack Prevention Commands 66
Reload Commands 69
Control Plane Policing 71
Supported Standards, MIBs, and RFCs73
Appendix I: Preparing an MPLS Device for Provisioning by EdgeGenie 74
Verifying Control Plane Protocol Status 80
Provisioning the Device in EdgeGenie 81
Creating a New User85
Appendix II: Preparing an Ethernet Device for Provisioning by EdgeGenie 87
Preparing a BiNOX Ethernet device for provisioning by EdgeGenie 87
Provisioning the Device in EdgeGenie 88
Creating a New User93
Page 2
Table of Figures
Figure 1: PTP Session Configuration Flow ...................................................................................... 40
Figure 2: PTP Port Configuration Flow............................................................................................ 41
Figure 3: BMC Configuration Flow ................................................................................................... 41
Figure 1. Create User ........................................................................................................................... 85
Figure 2. Create User ........................................................................................................................... 94
List of Tables
Table 1: NETCONF Standard Capabilities ........................................................................................ 7
Table 2: NETCONF Commands ........................................................................................................ 9
Table 3: MAC Address Table Commands ........................................................................................ 16
Table 4: MAC Learning Security Profile Commands...................................................................... 24
Table 5: File System Commands ........................................................................................................ 29
Table 6: System Time and Date Commands .................................................................................... 43
Table 7: DNS Client Commands ....................................................................................................... 47
Table 8: VTY Session Commands ..................................................................................................... 48
Table 9: License Commands ............................................................................................................... 49
Table 10: Sessions Limiting Commands ........................................................................................... 50
Table 11: RMON Commands ............................................................................................................ 55
Table 12: Counters Displayed by the show rmon statistics Command ..................... 57
Table 13: System Message Fields........................................................................................................ 59
Table 14: Severity Levels ..................................................................................................................... 60
Table 15: Syslog Message Facilities .................................................................................................... 61
Table 16: System Log Commands...................................................................................................... 62
Table 17: DoS Commands .................................................................................................................. 67
Table 18: The reload Command ................................................................................................... 69
Table 19: CoPP Commands ................................................................................................................ 71
Page 3
T-Marc3208SH
Features Included in this Chapter

This chapter consists of these sections:
Page 4
Device Management
The device management enables system administrators to access, control and update
network devices.
MAC Address Table (FDB)

The device forwards traffic between ports using addresses contained in the MAC address
table (also known as the Forwarding Database). The T-Marc 3208SH devices maintain a
database of MAC addresses, both static entries, which are manually configured, and
dynamic entries learned by the device.
MAC Learning Security Policies

Port security and port limit policies control how many addresses the device can learn
from a particular port.
Files System
The File System manages software images and configuration files stored in flash memory
and used by T-Marc 3208SH devices.
System Time and Date

Protocols, such as the Network Time Protocol (NTP), help you automatically configure
system date and time for your device. NTP synchronizes device clocks over TCP/IP
networks thereby ensuring consistent file timestamps and proper correlation of log files.
Domain Name System (DNS) Client

The client-side of the DNS initiates and sequences queries leading to translation of a
domain name into an IP address.
Virtual Terminal Interface (VTY)

The Virtual Terminal Interface (VTY) controls access to Command Line Interface (CLI)
for device management.
Session Limiting
You can configure the number of sessions that are held to the T-Marc 3208SH device.
Remote Monitoring
Remote Monitoring (RMON) is a standard monitoring specification that enables network
monitors.
System Logs Message

The application software provides system log messages that are useful to the system
administrator for troubleshooting problems in the network.
Denial of Service (DoS) Attack Prevention

This section describes denial of service (DoS) attacks and how the BiNOX operating
system defends against DoS attacks.
Reload Commands
To reload the device, use any of the reload commands.
Control Plane Policing

CoPP feature increases security on the device by protecting the CPU from unused IPv4
reserved multicast traffic.
Appendix I: Preparing an MPLS Device for Provisioning by EdgeGenie
Appendix II: Preparing an Ethernet Device for Provisioning by EdgeGenie
Page 5
Device Management
Managing the Device via CLI
You can establish a CLI connection with the device by either:
Connecting the devices console port to your PC. For information about connecting to the
console port, see the devices Installation guide.
Using any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote PC. For
information see the Device Authentication chapter of this User Guide.
Managing the Device via SNMP

You can manage the device using any SNMP based management application.
To manage the device via SNMP:
Page 6
1.
Enable the SNMP protocol on the device (refer to the SNMP chapter of this user guide).
2.
Verify that the Management Information Bases (MIBs) provided with the release are installed
on the management PC.
3.
Connect your PC to a device port that is assigned to VLAN 1 (the default VLAN, refer to the
VLANs chapter of this User Guide)
4.
Permit device management access on VLAN 1 (refer to the VLANs chapter of this User
Guide).
Managing the Device via NETCONF

NETCONF is a network management protocol defined by IETF. It provides a simple mechanism
for managing network devices, retrieving configuration-data information, and uploading and
manipulating new configuration data.
The NETCONF protocol uses the Remote Procedure Call (RPC) model. The Netconf Manager (client)
sends a set of RPC request operations that trigger the Netconf Agent (server, in this case T-Marc
3208SH ) to respond with a corresponding set of RPC replies.
NETCONF provides the following features:
distinction between configuration and state data
multiple configuration datastores (such as running and startup)
support for configuration change transactions
configuration testing and validation support
selective data retrieval with filtering
streaming and playback of event notifications
extensible remote procedure call mechanism
NETCONF Sessions
A NETCONF session is the logical connection between a network administrator or network
configuration-application and a network device.
NETCONF Capabilities
NETCONF capabilities are a set of functionalities that supplement the base NETCONF
specification.
NETCONF allows the client to discover the capabilities supported by the server. These capabilities
are sent to the management PC.
Table 1: NETCONF Standard Capabilities
Command
Description
:candidate
The agent allows this special database to be locked,

edited, saved, and unlocked. The agent also supports the
operations:
<discard-changes>: clears all changes from the

<candidate/> configuration database and makes it
matching the <running/> configuration database
<commit>: commits the contents of the <candidate/>

configuration database to the <running/>
configuration database
Page 7
Page 8
Command
Description
:confirmed-commit
This special mode requires an agent to send two

<commit> RPC requests instead of one, to save any
changes to the <running/> database. If the second request
does not arrive within a specified time interval, the agent
automatically reverts the running configuration to the
previous version.
:interleave
The agent accepts <rpc> requests (besides <closesession>) while notification delivery is active. The
:notification capability must also be present if this
capability is advertised.
:notification
The agent supports the basic notification delivery

mechanisms defined in RFC 5277. The <createsubscription> operation (creates a NETCONF notification
subscription) is accepted by the agent. Unless the
:interleave capability is also supported, only the
<close-session> operation (terminates this session) must
be supported by the agent while notification delivery is
active.
:rollback-on-error
The agent supports the rollback-on-error value for the

<error-option> parameter to the <edit-config> operation
(modifies a configuration database). If any error occurs
during the requested edit operation, the target database
(usually the running configuration) will be left affected.
This provides an all-or-nothing edit mode for a single
<edit-config> request.
:url
The agent supports the <url> parameter value form to

specify protocol operation source and target parameters.
The capability URI for this feature indicates which
schemes (File, HTTPS, SFTP) the agent supports within a
particular URL value. The File allows editable local
configuration databases. The other allows remote storage
of configuration databases.
:validate
The agent supports the <validate> operation. When this

operation is requested on a target database, the agent
performs some amount of parameter validation and
referential integrity checking. Since the standard does not
define exactly what must be validated by this operation, a
manager cannot really rely on it for anything useful.
This operation is used to validate a complete database.
There is no standard way to validate a single edit request
against a target database, however a non-standard setoption for the <edit-config> operation called test-only was
defined for this purpose.
:writable-running
The agent allows the manager to change the running

configuration directly. Either this capability or the
:candidate capability is supported by the agent.
:xpath
The agent fully supports the XPath 1.0 specification for

filtered retrieval of configuration and other database
contents. The type attribute within the <filter> parameter
for <get> and <get-config> operations may be set to
xpath. The select attribute (which contains the XPath
expression) is also supported by the agent.
NETCONF Commands
Commands Hierarchy
+ config terminal
+ system
- [no] netconf-server
- [no] access source-ip A.B.C.D/M

- [no] source-address A.B.C.D
- [no] port <value>
- [no] shutdown
Table 2: NETCONF Commands
Command
Description
config terminal
system

netconf-server
Enters NETCONF Configuration mode
no netconf-server
Removes NETCONF configuration details
access source-ip A.B.C.D/M
Limits the access to the NETCONF server only

from the specific sources IP address(es):
no access source-ip
source-address A.B.C.D
A.B.C.D/M: IP address and subnet

mask (in a dotted-decimal format)
that identify a network or hosts.
A.B.C.D/32 specifies a specific IP
address.
Removes the trusted IP address(es)

Configures NETCONF server to listen on a
specified IP address for incoming connections.
The connections are restricted to a specific
router interface including loopbacks.
A.B.C.D: IP address, in a dotteddecimal format
0.0.0.0 (listen on all defined router

interfaces)
no
source-address
port <value>
Restores to default
Specifies the port through which the NETCONF
connection is established:
number: the port number, in the

range of <165535>
Port 830
no port
Restores to default
Page 9
Command
Description
shutdown
Disables the NETCONF server

The NETCONF server is disabled
no shutdown
Re-enables the NETCONF server
Accessing the Device via NETCONF

To access the device via NETCONF:
1.
Open an SSH2 connection to the NETCONF sub-system:

ssh -s -p830 admin@10.4.4.69 netconf
2.
Type the device password (default password is admin):

admin@10.4.4.69's password:admin
3.
The agent and the manager both send a hello message and a set of capabilities are displayed:
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
</capabilities>
</hello>]]>]]>
Page 10
NETCONF Configuration Example

1.
Display the port 1/1/1 configuration:

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="9">
<get>
<filter type="xpath" select="/interfaces/interface[name='1/1/1']"/>
</get>
</rpc>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="9">
<data>
<interfaces xmlns="http://batm.com/ns/bridge/1.0">
<interface>
<name>1/1/1</name>
<ifMtu>1544</ifMtu>
<ifSpeed>auto</ifSpeed>
<ifDuplex>auto</ifDuplex>
<ifAdminStatus>up</ifAdminStatus>
<ifPromiscuousMode>false</ifPromiscuousMode>
<ifLinkUpDownTrapEnable>disabled</ifLinkUpDownTrapEnable>
<ip>0.0.0.0/0</ip>
<defaultVlan>1</defaultVlan>
<ifLearnNewMacAddresses/>
<clear/>
<InterfaceReadOnlyData>
<ifIndex>3</ifIndex>
<ifType>ethernetCsmacd</ifType>
<ifPhysAddress>00:50:43:40:bf:bf</ifPhysAddress>
<ifOperStatus>down</ifOperStatus>
<ifLastChange>0</ifLastChange>
<ifMedia>not-installed</ifMedia>
<ifOperSpeed>unknown</ifOperSpeed>
<ifOperDuplex>unknown</ifOperDuplex>
<ifInterfaceDual>single</ifInterfaceDual>
<ifInterfaceActive>not-relevant</ifInterfaceActive>
<ifFlowCtrl>disabled</ifFlowCtrl>
<ifIp>0.0.0.0</ifIp>
<ifMask>0.0.0.0</ifMask>
<ifBcast>0.0.0.0</ifBcast>
<ifMediaTxType>Unknown</ifMediaTxType>
<ifMediaConType>Unknown</ifMediaConType>
<ifMediaSonetComp>42</ifMediaSonetComp>
<ifMediaEthComp>42</ifMediaEthComp>
<ifMediaLengthSMF>0</ifMediaLengthSMF>
<ifMediaLength50UM>0</ifMediaLength50UM>
<ifMediaLength62UM>0</ifMediaLength62UM>
<ifMediaLengthCu>0</ifMediaLengthCu>
<ifMediaLengthOM3>0</ifMediaLengthOM3>
<ifMediaTxTech>42</ifMediaTxTech>
<ifMediaMode>42</ifMediaMode>
<ifMediaSpeed>42</ifMediaSpeed>
Page 11
<ifMediaEncoding>42</ifMediaEncoding>
<ifMediaBitrate>42</ifMediaBitrate>
<ifMediaVendorID>N/A</ifMediaVendorID>
<ifMediaVendorName>N/A</ifMediaVendorName>
<ifMediaVendorSN>N/A</ifMediaVendorSN>
<ifMediaVendorPN>N/A</ifMediaVendorPN>
<ifMediaVendorRev>N/A</ifMediaVendorRev>
<ifMediaVendorManufacturingDate>N/A</ifMediaVendorManufactur
ingDate>
<ifMediaCalibMode>42</ifMediaCalibMode>
</InterfaceReadOnlyData>
<Counters>
<ifInOctets>0</ifInOctets>
<ifInUcastPkts>0</ifInUcastPkts>
<ifInNUcastPkts>0</ifInNUcastPkts>
<ifInDiscards>0</ifInDiscards>
<ifInErrors>0</ifInErrors>
<ifInUnknownProtos>0</ifInUnknownProtos>
<ifOutOctets>0</ifOutOctets>
<ifOutUcastPkts>0</ifOutUcastPkts>
<ifOutNUcastPkts>0</ifOutNUcastPkts>
<ifOutDiscards>0</ifOutDiscards>
<ifOutErrors>0</ifOutErrors>
<ifOutQLen>0</ifOutQLen>
<ifSpecific>1.2.3</ifSpecific>
<ifInMulticastPkts>0</ifInMulticastPkts>
<ifInBroadcastPkts>0</ifInBroadcastPkts>
<ifOutMulticastPkts>0</ifOutMulticastPkts>
<ifOutBroadcastPkts>0</ifOutBroadcastPkts>
<ifHCInOctets>0</ifHCInOctets>
<ifHCInUcastPkts>0</ifHCInUcastPkts>
<ifHCInMulticastPkts>0</ifHCInMulticastPkts>
<ifHCInBroadcastPkts>0</ifHCInBroadcastPkts>
<ifHCOutOctets>0</ifHCOutOctets>
<ifHCOutUcastPkts>0</ifHCOutUcastPkts>
<ifHCOutMulticastPkts>0</ifHCOutMulticastPkts>
<ifHCOutBroadcastPkts>0</ifHCOutBroadcastPkts>
<ifHighSpeed>0</ifHighSpeed>
<ifConnectorPresent>true</ifConnectorPresent>
<ifCounterDiscontinuityTime>0</ifCounterDiscontinuityTime>
<ifUndersizePkts>0</ifUndersizePkts>
<ifOversizePkts>0</ifOversizePkts>
<ifFragmentsPkts>0</ifFragmentsPkts>
<ifJabberPkts>0</ifJabberPkts>
<ifCRCAligneErrorPkts>0</ifCRCAligneErrorPkts>
<ifCollisionsPkts>0</ifCollisionsPkts>
<ifFra64Pkts>0</ifFra64Pkts>
<ifFra65to127Pkts>0</ifFra65to127Pkts>
Page 12
<ifTotalOctets>0</ifTotalOctets>
<ifTotalInPkts>0</ifTotalInPkts>
<ifTotalPkts>0</ifTotalPkts>
<ifTotalBcastPkts>0</ifTotalBcastPkts>
<ifTotalMcastPkts>0</ifTotalMcastPkts>
<ifTotalOutPkts>0</ifTotalOutPkts>
<ifAlignErr>0</ifAlignErr>
<ifFCSErr>0</ifFCSErr>
<ifSQETestErr>0</ifSQETestErr>
<ifCSEErr>0</ifCSEErr>
<ifSymbolErr>0</ifSymbolErr>
<ifMacTxErr>0</ifMacTxErr>
<ifMacRxErr>0</ifMacRxErr>
<ifTooLongFra>0</ifTooLongFra>
<ifSnglCollision>0</ifSnglCollision>
<ifMultCollision>0</ifMultCollision>
<ifLateCollision>0</ifLateCollision>
<ifExcessCollision>0</ifExcessCollision>
<ifInUnknownOpcode>0</ifInUnknownOpcode>
<ifDefferedTx>0</ifDefferedTx>
</Counters>
<efm-oam xmlns="http://batm.com/ns/efm/1.0">
<oper-status>linkFault</oper-status>
<maximum-pdu-size>0</maximum-pdu-size>
<config-revision>0</config-revision>
<functions-supported>eventSupport
variableSupport</functions
-supported>
<packets-sent>0</packets-sent>
<packets-received>0</packets-received>
<loopback-status>noLoopback</loopback-status>
<get-forward-status>None</get-forward-status>
<get-forward-shutdown>None</get-forward-shutdown>
</efm-oam>
</interface>
</interfaces>
</data>
</rpc-reply>
2.
Change the port default VLAN to 2:

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="15">
<edit-config>
<target>
<running/>
</target>
<config>
<interfaces xmlns="http://batm.com/ns/bridge/1.0">
<interface>
<name>1/1/1</name>
<defaultVlan>2</defaultVlan>
</interface>
</interfaces>
Page 13
</config>
</edit-config>
</rpc>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="15">
<ok/>
</rpc-reply>
CES Configuration Example via NETCONF

NOTE
Commands for changing the mode, IP address, mask, IP gateway restart the
CES module automatically.
Changing the working mode does not remove automatically all configured
commands related to the previous mode. Therefore, all previously configured
options as interface framings, circuits, etc. must be removed manually via XML
file.
. . .
<module>
<name>1/3</name>
<interface>
<e1-interfaces>
<interface>
<name>e1-2.0.0.0</name>
<framing>cas</framing>
<clock>adaptive</clock>
<clock-controller>
<number>primary</number>
<circuit>2</circuit>
</clock-controller>
</interface>
</e1-interfaces>
</interface>
<circuit>
<number>2</number>
<interface>e1-2.0.0.0</interface>
<timeslots>1-15,17-31</timeslots>
<vlan-id>10</vlan-id>
<destination>
<ip-address>1.2.3.4</ip-address>
</destination>
</circuit>
<circuit>
<number>3</number>
<interface>e1-3.0.0.0</interface>
</circuit>
</module>
. . .
Page 14
MAC Address Table (FDB)

Traffic passes through the switch according to information contained in the MAC address table
(also known as the Forwarding Database). Every device has its own MAC address table. For each
MAC address, the entry in the table defines the associated virtual LAN ID (VLAN), the port
number, priority, and the status of the port.
Entries in the MAC address table may contain one of the following status types:
Dynamic: Dynamic entries are MAC addresses learned by the device through examination of
incoming packets. Dynamic entries remain in the MAC address table provided traffic
continues to be received from the port but are deleted either when traffic is not received within
a specified time frame (defined by aging timeout).
The device flushes and repopulates dynamic entries when any of the following occurs:
A VLAN is removed
A VLAN ID is changed
A port mode is changed (tagged/untagged)
A port is disabled
A port goes down
Static: A user-defined entry, created using the Command Line Interface (CLI), that forces the
device to learn the MAC address for a specific port. Static entries are maintained permanently
by the device in the MAC address table and are retained by the device after reset or a power
on/off cycle.
Secure: Secured ports are configured using MAC Learning Profiles. MAC addresses learned
from a secured port will appear with a status of Secure.
Self: The MAC address of the device itself maintained permanently as a static entry in the
MAC address table. Such entries are created for each virtual LAN (VLAN) serviced by the
device and do not contain Port IDs.
Filtered: Addresses learned in excess of a defined Port Limit are added dynamically to the
MAC Address Table with the status of Filtered. The device will not forward additional packets
from a filtered address to the port indicated by the MAC Address Table entry.
Page 15
MAC Address Table Commands

This section defines the command hierarchy for the MAC address table and provides a list of
available commands. Included also, is a configuration example.
Command Hierarchy
device-name#
+ config terminal
+
port UU/SS/PP
- [no] learn-new-mac-addresses
+ service
+ [no] vpls <vpls-id>
+ [no] sap {{UU/SS/PP | agN}[:[igmp] | :[<vlan-id>]:[igmp]

| UU1/SS1/PP1:<ces-circuit>:{ces | ces-oos}}
+ [no] spoke-sdp [<sdp-id>]
+ [no] mesh-sdp [<sdp-id> | <sdp-range>]

- [no] fdb aging-time <time>
+ [no] fdb static <vlan-id> <mac:hexList>

- port UU/SS/PP
- [no] priority <priority>

- type {filtered |
secure | self | static}
- clear fdb [interface UU/SS/PP | mac HH:HH:HH:HH:HH:HH | vlan <vlan-id>

| type {dynamic | filtered | secure} | service <id> | sap {{UU/SS/PP
| agN}[:[igmp] | :[<vlan-id>]:[igmp] | UU1/SS1/PP1:<ces-circuit>:{ces
| ces-oos}}
- show fdb [detailed [vlan <vlan-id> | type {dynamic | filtered |

secure | self | static}] | service [<id> | tls id <id> | vpls-mtu id
<id> | vpls-pe id <id> | dot1q id <id> ]]
- show system self-mac

- show fdb count
Table 3: MAC Address Table Commands
Command
Description
config terminal
port UU/SS/PP
Enters configuration mode for a specific port:
Page 16
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
Command
Description
1/2/8
service
vpls <vpls-id>
Enters the Services Configuration mode

Creates a VPLS:
no vpls <vpls-id>
Removes the VPLS:
sap {{UU/SS/PP | agN}[:[igmp] |

:[<vlan-id>]:[igmp] |
UU1/SS1/PP1:<ces-circuit>:{ces
| ces-oos}}
vpls-id: in the range of

<14294967294>
<14294967294>
Adds a client port to a specific VPLS instance

and specifies the SAP attributes:
UU/SS/PP: the
physical port
port) defined
obtained from
command)
corresponding
(unit, slot and
as SAP.(can be
the show port
The valid port range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
agN: LAG ID. N is in the range

of <1-14>
vlan-id: (optional) in the range

of <1-4094>
igmp: (optional) indicates the

traffic type for the SAP port
UU1/SS1/PP1: CES WAN port,

facing the packet processor. The
valid values are: 1/3/9 and
1/4/9.
ces-circuit: circuit ID in the

range of <1-64>
ces: for circuits carrying data

packets
ces-oos: for circuits carrying

control packets
For more details refer to Configuring Circuit

Emulation Services (CES) of this User Guide
no sap [{{UU/SS/PP | agN}[:[igmp]
| :[<vlan-id>]:[igmp] |
| ces-oos}}
]
Removes the defined SAP:
UU/SS/PP: (optional) the

corresponding physical port
(unit, slot and port) defined as
SAP.(can be obtained from the
show port command)
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

of <1-14>

of <1-4094>
Page 17
Command
Description


1/4/9 .

range of <1-64>

packets

control packets

spoke-sdp <sdp-id>
Creates a spoke SDP:
no spoke-sdp [<sdp_id>]
Removes the spoke SDP:
mesh-sdp [<sdp_id>]
sdp-id: (optional) in the range

of <14294967295>
of <14294967295>
Creates a mesh SDP:

of <14294967294>
NOTE
By default, mesh SDPs are secured
thus the traffic between mesh
SDPs and secured SAPs/spoke
SDPs will be blocked.
no mesh-sdp [<sdp-id>]
Removes the mesh SDP:

of <14294967294>
learn-new-mac-addresses
Enables learning of new MAC addresses in

the MAC Address Table
Enabled
no learn-new-mac-addresses
Restores to default
fdb aging-time <time>
Aging determines the length of time that a

dynamic entry remains in the MAC Address
Table. Countdown begins when the entry is
added to the table and restarts each time the
MAC address is updated/used. :
time: in the range of <10

1000000> seconds
300 seconds
no fdb aging-time
Restores to default
fdb static <vlan-id> <mac:hexList>
Adds a static MAC address to the MAC

Address Table:
Page 18
vlan-id: the VLAN, in the range
Command
Description
of <1-4094>, for which the
packet with the specified MAC
address is received
mac:hexList: the destination

unicastMAC address
(HH:HH:HH:HH:HH:HH) added to the
MAC Address Table
None configured
no fdb
static
Removes a static entry:
port UU/SS/PP
vlan-id: on the specified VLAN

in the range of <14094>
mac:hexList: a specific MAC

address (HH:HH:HH:HH:HH:HH)
Specifies a port to which the received packet

is forwarded:
priority <priority>
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Specifies priority for entries in the MAC

address Table:
priority: in the range of <07>
0
no priority
type {filtered |
static}
Restores to default
secure | self |
Specifies how MAC addresses are learned by

the device:
filtered, secure, self, and

static
Static
clear fdb [interface UU/SS/PP | mac
HH:HH:HH:HH:HH:HH | vlan <vlan-id>
| type {dynamic | filtered | secure} |
service <id> | sap {{UU/SS/PP |
agN}[:[igmp] | :[<vlan-id>]:[igmp] |
UU1/SS1/PP1:<ces-circuit>:{ces |
ces-oos}}
Removes all or specific entries from the MAC

address table:
UU/SS/PP: (optional) all MAC

addresses for the specified port
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
HH:HH:HH:HH:HH:HH: (optional) a
specific MAC address
vlan-id: (optional) all MAC

addresses for the specified
VLAN in the range of <14094>
type: MAC type (dynamic,

filtered, or secure)
service <id>: in the range of

<14294967295>
sap: specifies a SAP port, based

on the below options:
UU/SS/PP: the
physical port
port) defined
obtained from
corresponding
(unit, slot and
as SAP.(can be
the show port
Page 19
Command
Description
command)

of <1-14>

of <1-4094>


1/4/9.

range of <1-64>

packets

control packets

show fdb [detailed [vlan <vlan-id> |
type {dynamic | filtered | secure |
self | static}] | service [<id> | tls
id <id> | vpls-mtu id <id> | vpls-pe
id <id> | dot1q id <id>]]
Page 20
Displays the content of the MAC address

table, filtered by the commands arguments:
detailed: displays detailed

information
vlan-id: (optional) all MAC

addresses for the specified
VLAN in the range of <14094>
type: MAC type (dynamic,

filtered, secure, self, static)
service: displays MAC table

related information on a
service. The user can obtain
this information on different
services by specifying the
service id, in the range of <14294967294>
show system self-mac
Displays the MAC address of the device
show fdb count
Lists the number of entries in the FDB.
MAC Address Table Configuration Example

device-name(config)#fdb static 1 00:0a:01:02:03:04
device-name(config-static-1/00:0a:01:02:03:04)#port 1/1/2
device-name(config-static-1/00:0a:01:02:03:04)#priority 6
device-name(config-static-1/00:0a:01:02:03:04)#commit
Commit complete.
device-name(config-static-1/00:0a:01:02:03:04)#end
device-name#show fdb
System FDB
=============================================================================
VlanID | MAC
|
Port
| Status | Priority |
-------+-------------------+--------------------------+----------+----------1
| 00:00:C8:00:00:02 | 1/1/3
| dynamic | 0
|
1
| 00:0A:01:02:03:04 | 1/1/2
| static
| 6
|
1
| 00:A0:12:64:07:01 |
| self
| 0
|
=============================================================================
Page 21
MAC Learning Security Policies

The Port Security and Port Limit policies control how many addresses the device can learn for a
particular port.
Port Security
MAC addresses are entered in the MAC address table with a secure status. Secure MAC Addresses
are retained permanently and are excluded automatically when the switch floods all ports on receipt
of an unknown address.
When a secured port receives a packet, it compares the packets source MAC address to the secured
MAC address list.
If the packets source MAC address is in the list, the incoming packet is forwarded.
If the packets source MAC address is not in the secured list, the port does not forward the
packet. In this case, the port either shuts down permanently or drops incoming packets from
the unauthorized device, generating an SNMP trap.
You can configure two types of secured MAC addresses:
Static secured MAC addresses created manually by the fdb

<mac:hexList> and type {filtered |secure | self |
These addresses are stored in the address table.
Dynamic secured MAC addresses that are dynamically learned. These addresses are stored in
the address table but are removed when the device restarts.
static <vlan-id>
static | unknown} command.
NOTE
The allocated MAC addresses on a port are permanently secured.
Port Limit
The Port Limit feature limits the number of MAC addresses learned by a port. When enabling this
feature:
MAC addresses within the limit are learned as dynamic.
MAC addresses that exceed the limit are learned as filtered MAC addresses.
packets with unknown MAC addresses are not forwarded. The mac-limited port behaves as
secured.
On the device, you can define one or more MAC Learning Profiles and add to each profile either
Port Security or Port Limit. Once defined, you can apply those profiles to the physical port.
To define the maximum number of addresses that can be learned, both Port Security and Port
Limit work in conjunction with the max-mac-count command. If a limit is not set through this
command, the device will continue to learn until the maximum number of addresses for the device
is reached.
Page 22
Beyond the limit, additional MAC addresses are entered into the MAC address table with a filtered
status. Exceeding the defined limit for a port is considered to be a security violation. The device can
take action. Through configuration options, the device can either shut down the port or generate an
SNMP trap and log message. Filtered addresses, which are not learned by the device, remain in the
table for later security analysis by the system administrator.
MAC Learning Security Profile Commands

In this section, the command hierarchy for Port Security and Port Limit is defined and a list of
available commands is provided. Included also, is a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ ethernet
+ [no] mac-learning learning-profile NAME
- [no] action {operational-shutdown | trap}

- [no] ignore-filtered-addresses
- max-mac-count <number-of-addresses>
- policy {port-limit | port-security}
- [no] watermark count <number-of-addresses>
- [no] watermark action {log | trap}
+ port UU/SS/PP
- [no] mac-learning-profile NAME
+ service
- [no] fdb-rapid-flush

- [no] mac-learning-profile profile-name NAME
+ [no] tls <service-id>
- [no] fdb-rapid-flush
- [no] sap {UU/SS/PP | agN}
- [no] c-vlan {<cvlan-id> | all | untagged}
- [no] mac-learning-profile profile-name

NAME
- show ethernet mac-security [interface UU/SS/PP | sap {{UU/SS/PP |

agN}[:[igmp] | :[<vlan-id>]:[igmp] | UU1/SS1/PP1:<ces-circuit>:{ces |
ces-oos}}
Page 23
Table 4: MAC Learning Security Profile Commands
Command
Description
config terminal
ethernet
Enters Ethernet Configuration mode
mac-learning learning-profile NAME
Specifies a MAC-learning profile and enters the

MAC-learning Configuration mode:
no mac-learning learning-profile
[NAME]
action {operational-shutdown |
trap}
NAME: profile name
Removes the defined profile:
NAME: (optional) profile name
Specifies the port reaction upon a security

violation:
operational-shutdown: the port

shuts down
trap: an SNMP trap and log message

are generated
no action
Removes the configured violation
ignore-filtered-addresses
Disables configuring/learning of filtered MAC

addresses in the MAC address table
no ignore-filtered-addresses
Enables configuring/learning of filtered MAC

addresses in the MAC address table
max-mac-count <number-ofaddresses>
Specifies the maximum numbers of secure MAC

addresses the port can learn:
number-of-addresses: in the range

of <1-4096>
All MAC addresses are learned as secured

no max-mac-count
policy {port-limit | portsecurity}
watermark count <number-ofaddresses>
Restores to default
Specifies the Layer-2 security technique:
port-limit
port-security
Specifies the maximum numbers of secure MAC

addresses the port can learn before sending a
notification.
The idea of this command is to alarm the user
that the total number of secure MAC addresses
will be reached soon.
number-of-addresses: in the range

of <1-4096>
All MAC addresses are learned as secured
Page 24
no watermark count
Restores to default
watermark action {log | trap}
Specifies the notification type sent by the port

before a security violation occurs:
Command
no watermark action
port UU/SS/PP
Description
log: log message is generated
trap: trap is sent
Removes the configured notification type

Enters Configuration Mode for specific port:
service
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
tls <service-id>
Creates a TLS service instance and enters TLS

Configuration mode:
service-id: in the range of <1

4294967295>
NOTE
You cannot use the same service ID
for all MPLS L2 services.
no tls <service-id>
Removes the defined TLS instance
vpls <vpls-id>
Creates a VPLS:
no vpls <vpls-id>

<14294967294>
Removes the VPLS:

<14294967294>
fdb-rapid-flush
Enables MAC addresses dynamically-learned on

SDP/SAP port to flush when the port changes its
state to DOWN
Disabled
no fdb-rapid-flush
Restores to default

UU1/SS1/PP1:<cescircuit>:{ces | ces-oos}}

and specifies the SAP attributes:
UU/SS/PP: the
physical port
port) defined
obtained from
command)
corresponding
(unit, slot and
as SAP.(can be
the show port
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
agN: LAG ID. N is in the range of

<1-14>

of <1-4094>

UU1/SS1/PP1: CES WAN port, facing

the packet processor. The valid
values are: 1/3/9 and 1/4/9 .
Page 25
Command
Description

range of <1-64>

packets

control packets

no sap [{{UU/SS/PP |
agN}[:[igmp] | :[<vlanid>]:[igmp] |
UU1/SS1/PP1:<cescircuit>:{ces | ces-oos}}]
UU/SS/PP: the
physical port
port) defined
obtained from
command)

<1-14>

of <1-4094>



range of <1-64>

packets

control packets
corresponding
(unit, slot and
as SAP.(can be
the show port

UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
sap {UU/SS/PP | agN}
Creates a service access point (SAP) and enters

SAP Configuration mode:
Page 26
UU/SS/PP: the SAP port is in the

range of 1/1/1-1/1/4, 1/2/1-1/2/8.
This port has to be an untagged
member of the S-VLAN.

<1-14>
Command
Description
NOTE
You cannot use the same

physical port as MPLS and TLS
SAP.
You cannot use the MPLS

uplink for L2 SAP, and vice
versa.
The default VLAN of the TLS

SAP port must not be changed.
no sap [UU/SS/PP | agN]
c-vlan {<cvlan-id> | all |

untagged}
no c-vlan {<cvlan-id> | all

| untagged}
UU/SS/PP: (optional) the SAP port

is in the range of 1/1/1-1/1/4,
1/2/1-1/2/8

<1-14>
Specifies a customer VLAN (C-VLAN) and enters

C-VLAN Configuration mode:
cvlan-id: in the range of <1-4094>
all: tunnels all the traffic
untagged: tunnels the untagged

traffic only
Removes the defined C-VLAN:

traffic only
mac-learning-profile
profile-name NAME
Assigns a MAC-learning profile to a port:
no mac-learning-profile
profile-name [NAME]
Removes the assigned MAC-learning profile:
show ethernet mac-security [interface

UU/SS/PP | sap {{UU/SS/PP |
UU1/SS1/PP1:<ces-circuit>:{ces |
ces-oos}}
NAME: profile name

NAME: (optional) profile name
Displays information about the MAC security

profiles applied, filtered by the command
arguments
Page 27
Files System
The file system can define, download, and delete software images and/or configuration files stored
in Flash memory.
File System Configuration Commands

The following section defines the File System command hierarchy and provides command
descriptions as well as configuration examples.
Command Hierarchy
device-name#
- file activate-os-image FILE-NAME
- file backup binary-running-config flash FILE-NAME

- file backup binary-running-config
PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file cp os-image PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file cp from FILE-NAME1 PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME2

- file cp from PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME1 FILE-NAME2
- file cp from FILE-NAME1 FILE-NAME2
- file cp technical-support PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILENAME
- file cp technical-support FILE-NAME
- file cp technical-support use-external-file FILE-NAME USE-EXTERNALFILE-NAME
- file cp technical-support use-external-file FILE-NAME

PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME USE-EXTERNAL-FILE-NAMEfile cp running-configuration
- file cp running-configuration FILE-NAME
- file cp startup-config from

- file cp startup-config from FILE-NAME
- file cp startup-configuration running-configuration
- file ls
- file ls os-image
- file rm from FILE-NAME
- file rm os-image FILE-NAME
- file more FILE-NAME
- file mv FILE-NAME1 FILE-NAME2

- file merge FILE-NAME
- file diff FILE-NAME1 FILE-NAME2
Page 28
- file restore binary-running-config flash FILE-NAME

- file restore binary-running-config
- file vi FILE-NAME
- file cp ces-image PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME

- file activate-ces-image module-id {1/3 | 1/4} FILE-NAME
Table 5: File System Commands
Command
Description
device-name#
Operational mode
file activate-os-image FILE-NAME
Specifies the name of the software image file

to be loaded during the next restart:
file backup binary-running-config flash
FILE-NAME
FILE-NAME: name of the software

image file
Backs up the binary running configuration to

the local file system:
FILE-NAME: name of the backup

file
The name of the backup file is

backup.tar.gz
file backup binary-running-config
PROTOCOL[USER[:PASSWORD]@]IPv4[:POR
T]/FILE-NAME
Backs up the binary running configuration to a

TFTP/FTP server (see the Installation and
Maintenance chapter of this UG):
PROTOCOL type: tftp://A.B.C.D or

ftp://user:pass@A.B.C.D. For
TFTP servers, user, password,
and port are not required. For
FTP servers, port number is not
required.
USER: FTP user name
PASSWORD: FTP user password. The

password must be immediately
followed by the at sign (@).
IPv4: IP address of the TFTP/FTP

server (in dotted-decimal
format)
PORT: port number for the TFTP

transfer
FILE-NAME: name of the file to

be backed up
Page 29
Command
file cp os-image
T]/FILE-NAME
file cp from FILE-NAME1

T]/FILE-NAME2
Page 30
Description
Downloads a new software image from a
TFTP/FTP server:

required.
USER: FTP user name


format)

transfer
FILE-NAME: name of the software

image file
Uploads a configuration file from the local file

system to a TFTP/FTP server:
FILE-NAME1: name of the source

file

required.
USER: FTP user name


format)

transfer
FILE-NAME2: name of the

destination file
Command
file cp from
T]/FILE-NAME1 FILE-NAME2
file cp from FILE-NAME1 FILE-NAME2
file cp technical-support
T]/FILE-NAME
file cp technical-support FILE-NAME
Description
Downloads a configuration file from a
TFTP/FTP server to the local file system:

required.
USER: FTP user name


format)

transfer
FILE-NAME1: name of the source

file
FILE-NAME2: name of the

destination file
Saves a copy of any file to the local file

system:
FILE-NAME1: name of the copied

image file
FILE-NAME2: name of the new file
Uploads the output of the show technicalsupport command to a TFTP/FTP server

(see the Troubleshooting chapter of this UG):

required.
USER: FTP user name

followed by the at symbol (@).

format)

transfer
FILE-NAME: name of the file
Saves the output of the show technicalsupport command to the local file system
(see the Troubleshooting chapter of this UG):
Page 31
Command
file cp technical-support use-externalfile FILE-NAME USE-EXTERNAL-FILE-
NAME
file cp technical-support use-externalfile FILE-NAME

T]/FILE-NAME USE-EXTERNAL-FILE-
NAME
file cp running-configuration
T]/FILE-NAME
file cp running-configuration FILE-NAME
Description
Saves the show technical-support
command output to the local file system:
FILE-NAME: name of the new file

saved with
USE-EXTERNAL-FILE-NAME: name of
the file that contains the
filtered command output
Uploads an output of the show technicalsupport command to a TFTP/FTP server:

TFTP servers, no user, password,
and port are required. For FTP
servers, no port number is
required.
USER: FTP user name

followed by the ape symbol (@).

format)

transfer
FILE-NAME: name of the new file

saved with
the file that contains the
filtered command output
Uploads the running configuration file to a

TFTP/FTP server:

required.
USER: FTP user name

Ipv4: IP address of the TFTP/FTP

format)

transfer
Saves the running configuration file to the

local file system:
Page 32
Command
file cp startup-config from
PROTOCOL[USER[:PASSWORD]@]Ipv4[:POR
T]/FILE-NAME
file cp startup-config from FILE-NAME
Description
Downloads a startup configuration file from a
TFTP/FTP server to be loaded during the next
restart:

required.
USER: FTP user name

Ipv4: IP address of the TFTP/FTP

format)

transfer
FILE-NAME1: name of the file
Specifies a startup configuration file to be

loaded during the next restart:
file cp startup-config running-config
Copies the running configuration into the

startup configuration
file ls
Lists the content of the local file system
file ls os-image
Lists the available software images located on

the local file system
file rm from FILE-NAME
Removes a configuration file from the local file

system:
file rm os-image FILE-NAME
file more FILE-NAME
file merge FILE-NAME
Renames the selected configuration file:
FILE-NAME1: old (current) name

of the file
FILE-NAME2: new name of the file
Merges the content of a specified

configuration file into the current running
configuration.
The configuration files must be created
under the same software version.
FILE-NAME: name of the image

file
Displays the content of a configuration file:
file mv FILE-NAME1 FILE-NAME2
Removes a software image from the local file

system:
FILE-NAME: name of the

configuration file to be merged
Page 33
Command
file diff FILE-NAME1 FILE-NAME2
Description
Compares the content of two files and returns
matches without regard to
uppercase/lowercase:
file restore binary-running-config flash
FILE-NAME
FILE-NAME1, FILE-NAME2: names of

the files to be compared
Restores the binary running configuration

from a backup file located on the local file
system:
FILE-NAME: name of the restored

file
The name of the backup file is

backup.tar.gz
file restore binary-running-config
T]/FILE-NAME
file vi FILE-NAME
Restores the running configuration from a

backup file located on a TFTP/FRP server:

required.
USER: FTP user name


format)

transfer
FILE-NAME: name of the file to

be restored
Opens the selected file for editing in a

standard VI editor:
Page 34
Command
file cp ces-image
T]/FILE-NAME
file activate-ces-image module-id {1/3 |

1/4} FILE-NAME
Description
Downloads a new CES image from a

required.
USER: FTP user name


format)

transfer

file
Activates the CES image:
module-id: CES module (1/3 or

1/4)

file to be activated
Software Upgrade Example

NOTE
Before beginning the upgrade, it is recommended that you first verify that there is
sufficient free space available for storage of the new software image on the local file
system. To display the amount of free space and to list the currently stored software
image files, use the file ls os-image command illustrated below.
In the following example, the new_image. T-Marc 3208SH. app.binoxpkg application package file is
downloaded from an FTP server (IP address is 10.3.71.17).
NOTE
BiNOX application package file (app.binoxpkg) is used to upgrade the device. The
main advantage to using the package upgrade is the new file validation feature that
prevents activation of a corrupted or incorrect image file.
1.
Download the desired file from the FTP server to the local file system:
device-name#file cp os-image ftp://user:pass123@10.3.71.17/new_image.T-Marc
3208SH.app.binoxpkg
Downloading the image 'new_image. T-Marc 3208SH.app.binoxpkg' from
host ftp://10.3.71.46 (29,051,909 bytes transferred)... OK
Generating components list for the package file... OK
Package's Content:
----------------------------------------------------------------------
Page 35
___________________________________________________________________________
____________________________
/
\
| Component Type:
Name:
|
|
Version
|
| File
|------------------------------|---------------------|------------------------------------------------|
| > Application
|
| new_image | new_image. T-Marc 3208SH.tar.bz2
| > Kernel Image

uImage
| 2.6.21.7-hrt1-WR2.0 |
|
| > DTB File

board.dtb
| Undefined
| > Safe Mode Image
| 2.1.TP-dev55
| T-Marc 3208SHsafemode.img
| > Root File System Image

rootfs.jffs2
| Undefined
| > Applic. File System Image

applicfs.layout.jffs2
| Undefined
|
|
|
|
|
|
\______________________________|_____________________|__________________________________________
_______/
Extracting the required components from the package file( This may take
several minutes )... OK
Checking
Checking
Checking
Checking
Checking
Checking
the
the
the
the
the
the
component
component
component
component
component
component
file
file
file
file
file
file
' new_image. T-Marc 3208SH.tar.bz2'... OK

'uImage'... OK
'board.dtb'... OK
'T-Marc 3208SH-safemode.img'... OK
'rootfs.jffs2'... OK
'applicfs.layout.jffs2'... OK
-> Installing the DTB file 'board.dtb':

Erasing 128 Kibyte @ 0 -- 0 % complete.
Flashing the 'board.dtb' image on the /dev/mtd2 partition... OK
-> Installing the kernel image file 'uImage' version 2.6.21.7-hrt1WR2.0ap_standard:
Erasing 128 Kibyte @ 2e0000 -- 95 % complete.
Flashing the 'uImage' image on the /dev/mtd3 partition... OK
-> Installing the safe mode image file 'T-Marc 3208SH-safemode.img' version
2.1.TP-dev55:
Erasing 128 Kibyte @ e0000 -- 87 % complete.
Flashing the 'T-Marc 3208SH-safemode.img' image on the /dev/mtd4
partition... OK
-> Installing the root file system image file 'rootfs.jffs2':
Erasing 128 Kibyte @ be0000 -- 98 % complete.
Flashing the 'rootfs.jffs2' image on the /dev/mtd5 partition... OK
-> Installing the application file system image file
'applicfs.layout.jffs2':
skip ,the latest version allready in use.
-> Installing the application 'new_image.T-Marc 3208SH.tar.bz2' version
new_image:
Installing the 'new_image.T-Marc 3208SH.tar.bz2' file in the images
directory... Done.
Page 36
The package file 'new_image.T-Marc 3208SH.binoxpkg' has been installed

successfully!
Use the 'file activate-os-image' command to activate the new application.
NOTE
If insufficient free space is available, the new software image is not saved on the
local file system. The following error message appears:
Installing the image file... Failed! (cp: write error: No space left on
device)
2.
Activate the new image:

device-name#file activate-os-image new_image.T-Marc 3208SH.tar.bz2
Image file new_image.T-Marc 3208SH.tar.bz2 is tested for validity, please
wait... OK
Activating image new_image.T-Marc 3208SH.tar.bz2...
3.
(Optional) List the available software images:

device-name#file ls os-image
*
1 Jan 01:05 8.5M new_image.T-Marc 3208SH.tar.bz2
1 Jan 2010 8.6M old_image1.T-Marc 3208SH.tar.bz2
1 Jan 01:56 8.6M old_image2.T-Marc 3208SH.tar.bz2
Number of files: 3, 25.7M
Flash Size: Size
51.4M
Used Space: Used
26.0M
Free Space: Available
25.4M
4.
Reload the device:

device-name(config)#system
device-name(config-system)#relaod
Page 37

The internal clock for the device runs continuously from system start up and tracks date and time.
The internal clock is set using either the Network Time Protocol or through manual configuration.
Network Time Protocol (NTP)

Network Time Protocol (NTP) provides a reliable way of transmitting and receiving date/time
information over IP networks. NTP is organized according to a client-server model. An NTP
network receives information from an authoritative time source, such as a radio clock or an atomic
clock connected to a time server, and then distributes that information across the network.
Time is represented as the number of seconds since 00:00 (midnight) 1 January 1970 GMT and will
remain so until the year 2038. In the first second, for example, time would appear as 12:00:01 on 1
January 1970 GMT.
Summer Time (Daylight Saving Time)

Daylight Savings Time (DST), as observed in the United States, is a configuration option for the
device. When enabled, the device advances the clock by one hour at 2:00 a.m. on the first Sunday in
April and moves the clock back one hour on the last Sunday in October. Configuration also
provides options to define a different starting date and/or ending date as well as whether time
adjustment should occur yearly.
IEEE-1588v2 Precision Time Protocol (PTP)

PTP is a time synchronization protocol for devices distributed across a network. Its hardware
timestamp feature provides greater accuracy.
A PTP system can consist of a combination of PTP and non-PTP devices. PTP devices include
ordinary clocks, boundary clocks, and transparent clocks. Non-PTP devices include ordinary
network switches, routers, and other infrastructure devices
PTP Device Types

The following clocks are common PTP devices:
Page 38
Ordinary clockCommunicates with the network based on a single physical port, similar to
an end host. An ordinary clock can function as a grandmaster clock.
Boundary clockTypically has several physical ports, with each port behaving like a port of an
ordinary clock. However, each port shares the local clock, and the clock data sets are common
to all ports. Each port decides its individual state, either master (synchronizing other ports
connected to it) or member (synchronizing to a downstream port), based on the best clock
available to it through all of the other ports on the boundary clock. Messages related to
synchronization and establishing the master-member hierarchy terminate in the protocol
engine of a boundary clock and are not forwarded.
Transparent clockForwards all PTP messages like an ordinary device but measures the
residence time of a packet in the device (the time that the packet takes to traverse the
transparent clock) and in some cases the link delay of the ingress port for the packet. The ports
have no state because the transparent clock does not need to synchronize to the grandmaster
clock.
To avoid instances where slave clocks synchronize with suspicious and rogue masters, you can
define a table of acceptable masters. With this feature enabled, the slave device will filter out any
announce messages received from master clocks not included in the table.
PTP Process
The PTP process consists of two phases: establishing the master-member hierarchy and
synchronizing the clocks.
Within a PTP domain, each port of an ordinary or boundary clock follows this process to
determine its state:
Examines the contents of all received announce messages (issued by ports in the master state)
Compares the data sets of the foreign master (in the announce message) and the local clock for
priority, clock class, and accuracy.
Based on this comparison, determines its own state as either master or member
After the master-member hierarchy has been established, the clocks are synchronized as follows:
The master sends a synchronization message to the member and notes the time it was sent.
The member receives the synchronization message and notes the time it was received.
The member sends a delay-request message to the master and notes the time it was sent.
The master receives the delay-request message and notes the time it was received.
The master sends a delay-response message to the member.
The member uses these timestamps to adjust its clock to the time of its master
NOTE
After PTP is configured on master and slave devices, it is recommended to wait
20 minutes for the acquisition phase to finish.
IEEE-1588v2 PTP Configuration Flow

Configure Precision Time Protocol (PTP) if you are using PTP for the configured clock.
Page 39
Configuring PTP Session
Figure 1: PTP Session Configuration Flow
Page 40
Configuring PTP Port
Figure 2: PTP Port Configuration Flow
Configuring Best Master Clock (BMC)
Figure 3: BMC Configuration Flow
Page 41
System Time and Date Configuration Commands

The following section defines the System Date and Time hierarchy and provides command
descriptions.
Command Hierarchy
NOTE
System time for the device resets after reload. System time must be defined manually
when NTP is not configured.
device-name#
+ config terminal
+ system
+ [no] time
- [no] date CCYY-MM-DDTHH:MM:SS
- [no] summer-time
- [no] recurring [start-at {day-of-the-week DAY |

month MONTH | week-of-the-month <week> | time
HH:MM:SS} | end-at {day-of-the-week DAY | month
MONTH | week-of-the-month <week> | time
HH:MM:SS}]
- [no] recurring offset <offset>

- [no] recurring shutdown
+ [no] ntp
+ [no] remote-server-ip A.B.C.D
- [no] authentication key-id <key-id> [keystring STRING]
- refresh-interval <interval>
- timezone <-12+12>
- [no] time-out <value>
- [no] min <min>
- [no] dscp-mapping <value>

- [no] shutdown
+ [no] ptp
[no] transparent-clock
- [no] ports UU/SS/PP
[no] shutdown
- [no] source-mac {self | unmodified}

- [no] timeout <value>
Page 42
Table 6: System Time and Date Commands
Command
Description
config terminal
system
Enters System Configuration Mode
time
Enters Time Server Configuration mode
no time
Removes the system time configuration details
date CCYY-MM-DDTHH:MM:SS
Manually sets system time for the device:
CCYY-MM-DDTHH:MM:SS: CC represents
the century, YY the year, MM the
month and DD the day
T: date/time separator
HH, MM, and SS represent hour,

minute and second respectively
summer-time
Enter Summer-time daylight saving time (DST)

Configuration mode
no summer-time
Removes the configuration
recurring {start-at {day-ofthe-week DAY | month MONTH

| time HH:MM:SS | week-ofthe-month <week>} | end-at
{day-of-the-week DAY |
month MONTH | time
HH:MM:SS | week-of-themonth <week>}}
Specifies a yearly starting and ending date for

summer time DST:
start-at: start settings
end-at: end settings
DAY: the start/end day of the week

(Sunday, Monday)
MONTH: the start/end month

(January, February)
HH:MM:SS: the start/end time (24hour format)
week: the week of the month, in

which the specified day appears
for the first time (first, second,
third, forth week)
The summer time is disabled

recurring offset <offset>
Specifies the number of minutes added during

summer time DST:
offset: in the range of <1-1440>
recurring shutdown
Disables the recurring summer time
no recurring shutdown
Enables the recurring summer time
Page 43
Command
Description
ntp
Configures synchronization of the system time

for the device by an NTP server
Enabled
NOTE
After changing any of the NTP
configuration parameters, restart the
NTP server using shutdown/no
shutdown commands.
no ntp
remote-server-ip A.B.C.D
Disables NTP
Specifies the IP address of the NTP server:
no remote-server-ip
authentication key-id <165535> [key-string
STRING]
no authentication key-id
refresh-interval <interval>
Specifies the MD5 authentication key used by

the device during authentication of the NTP
server to prevent rogue server intervention:
key-id: in the range of <1-65535>
key-string STRING: (optional) a

string of <1-20> characters (blank
spaces and question marks are not
allowed)
Removes the MD5 authentication key

Specifies the number of minutes allotted for
synchronization of system time with the NTP
server:
timezone <-12+12>
time-out <value>
interval: in the range of <10

44640> minutes (the upper limit is
equivalent to 31 days)
Specifies the number of hours offset from

Coordinated Universal Time, known as UTC,
(formerly Greenwich Mean Time or GMT):
-12: corresponds to time zones

west of UTC
+12: corresponds to time zones

east of UTC
Specifies the NTP server session timeout:
value: in the range of <2-20>

seconds
no time-out
Removes the timeout
min <min>
Specifies the number of minutes offset from

UTC:
no min
Page 44
A.B.C.D: NTP servers IP address
Removes the IP address of the NTP server
min: in the range of <1-59>

minutes
Removes configured minutes
Command
Description
Configures NTP to listen on a specified IP

address for incoming connections. The
connections are restricted to a specific router
interface including loopbacks.

interfaces)
no source-address
Removes the configured IP address
dscp-mapping <value>
Specifies a DSCP priority of packets sent to the

NTP server:
no dscp-mapping
Removes the configured value
shutdown
Stops NTP configuration
no shutdown
Starts NTP configuration
ptp
Configures PTP for synchronizing the device and

enters PTP Configuration mode
no ptp
Removes the PTP configuration
transparent-clock
Configures transparent clock.

The device will calculate the time it requires to
forward traffic and updates the PTP time
correction field to account for the delay, making
the device transparent in terms of timing
calculations.
Disabled
no transparent-clock
Restores to default
port UU1/SS1/PP1
UU2/SS2/PP2
Specifies the port on which you are enabling

PTP:
UU1/SS1/PP1: the port connected to

the master clock
UU2/SS2/PP2: the port connected to

the slave clock
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
no port
Removes the port configuration
shutdown
Stops the transparent clock

Stopped
no shutdown
Starts the transparent clock
Page 45
Command
Description
source-mac {self |
unmodified}
Specifies the source MAC address of the

transmitted PTP packets:
self: replaces the source MAC

address of the packets with the
device MAC address
unmodified: keeps the source MAC

address unmodified
The source MAC address of PTP packet,

captured and resent by the CPU, is not
modified
no source-mac
Restores to default
timeout <value>
Specifies the interval timing messages are

exchanged to continue the synchronization:

seconds
10 seconds
no timeout
Restores to default
Example
The following example configures the following summer time recurring:
start on 27 March 2011 at 03:00am - move forward one hour
end on 30 October 2011 at 04:00am - move backward one hour

device-name#configure terminal
device-name(config-system)#time
device-name(config-time)#date 2011-01-01T01:00:00
device-name(config-time)#summer-time recurring
device-name(config-recurring)#start-at week-of-the-month fourth
device-name(config-recurring)#start-at day-of-the-week Sunday
device-name(config-recurring)#start-at month March
device-name(config-recurring)#start-at time 03:00:00
device-name(config-recurring)#end-at week-of-the-month last
device-name(config-recurring)#end-at day-of-the-week Sunday
device-name(config-recurring)#end-at month October
device-name(config-recurring)#end-at time 04:00:00
device-name(config-recurring)#offset 60
device-name(config-recurring)#no shutdown
device-name(config-time)#commit
The device LOG message is:

Jan 1 01:00:00 info time Clock will be moved forward with 3600 seconds (Sun Mar 27 03:00:00
2011)
Jan 1 01:00:00 info time Clock will be moved back with 3600 seconds (Sun Oct 30 04:00:00 2011)
Page 46
Domain Name System (DNS) Client

T-Marc 3208SH acts as a Domain Name System (DNS) client to resolve and cache DNS domain
names. Upon request, the device attempts to resolve an IP address from its cache. If a domain
name cannot be located, the device sends a query to the DNS server. The DNS server responds
with the IP address for the domain. The device then forwards the IP address to the requesting
agent and caches the response from the server for future reuse.
DNS Client Configuration Commands

The following section defines the DNS Client command hierarchy and provides command
descriptions.
Command Hierarchy
device-name#
+ config terminal
+ system
- [no] dns-resolver A.B.C.D [shutdown]
Table 7: DNS Client Commands
Command
Description
config terminal
system
dns-resolver A.B.C.D [shutdown]

Specifies the IP address of the DNS server
used for domain name and address
resolution.
You can specify up to 3 DNS servers. The
device sends DNS queries to the primary
server first. If that query fails, the backup
servers are queried.
A.B.C.D: DNS servers IP address
shutdown: (optional) shuts down

the selected DNS server
No DNS servers are configured

no dns-resolver
Remove the IP address for a configured DNS

server
Page 47
Virtual Terminal Interface (VTY)

The Virtual Terminal interface (VTY) controls access to the device. The administrator opens a
VTY connection to manage the device through configuration commands entered into the
Command Line Interface (CLI).
VTY Session Configuration Commands

The following section defines the command hierarchy for the Virtual Terminal Interface (VTY) and
provides command descriptions.
Command Hierarchy
device-name#
- idle-timeout <timeout>
Table 8: VTY Session Commands
Command
Description
device-name#
Operational mode
idle-timeout <timeout>
Specifies the timeout value for the VTY connection:
Page 48
timeout: in the range of <0-8192>

seconds. Specify value of 0 for
unlimited VTY connection.
License Configuration
In the current version, each device ships with a full license. To find out the software license for the
device, use the commands shown below.
License Configuration Commands

The following section defines the command hierarchy for License Configuration and provides a list
of available command descriptions.
Command Hierarchy
device-name#
+ config terminal
+ system
- license id <value>
- show system license
Table 9: License Commands
Command
Description
config terminal
system
license id <value>
Specifies a new software license identifier.

The command without argument displays the
software license of the device:
show system license
value: in the range of <04294967294>
Displays the software license of the device
Page 49
Session Limiting
The Session Limiting feature allows you to configure a limit on the number of CLI, SNMP, or
Netconf concurrent sessions.
Sessions Limiting Commands

Commands Hierarchy
device-name#
+ config terminal
+system
- [no] max-config-sessions <value>
- [no] max-sessions <value>
Table 10: Sessions Limiting Commands
Command
Description
config terminal
system
max-config-sessions <value>

Limits the number of allowed configuration
sessions, running simultaneously on the device:
20 sessions
SNMP and Netconf sessions are not considered
as configuration sessions.
no max-config-sessions
Restores to default
max-sessions <value>
Limits the global number of simultaneous

sessions allowed on the device:
20 sessions
Global number of sessions take precedence
over configuration session limit.
no max-sessions
Restores to default
Example:
When you reach the limit of allowed sessions, you can terminate any of the current sessions and log
into the device:
Page 50
device-name(config-system)#max-sessions 2
T-Marc 3208SH
admin@10.3.172.7's password:
Too many sessions. Ongoing sessions:
SID USER CTX FROM
PROTO LOGIN
CONFIG MODE
23 admin cli 10.3.71.112 ssh
13:36:48
20 admin cli 10.3.71.144 ssh
13:11:33
Enter SID of session to terminate or 'exit':
Page 51
Remote Monitoring
Remote Monitoring (RMON) is an Internet Engineering Task Force (IETF) monitoring
specification that defines a set of statistics and functions that can be exchanged between RMONcompliant console systems and network probes.
RMON provides you with comprehensive network-fault diagnosis, planning, and performancetuning information.
You can use the RMON feature with the Simple Network Management Protocol (SNMP) agent to
monitor all the traffic flowing among devices on all connected LAN segments.
RMON Ethernet Statistics Group

The Ethernet statistics group collects Fast Ethernet and Gigabit Ethernet statistics on a
port.
Use the information from the Statistics group to detect changes in traffic and error
patterns in critical areas of the network.
Statistics History
A statistics monitoring provides historical view of the interface statistics based on user-defined
interval. A statistic monitoring profile defines which specific statistic-counter will be monitored.
Profile can be bound to specific interface instance in the control table
A table of build-in counters includes:
Page 52
Counter
Description
ifAlignErr
The total number of alignment errors
ifCRCAligneErrorPkts
The total number of packets with a CRC error
ifCSEErr
The total number of Carrier Sense errors
ifCollisionsPkts
The total number of collisions
ifDefferedTx
The total number of Deferred Transmissions
ifDownCounter
The total number of interface down events
ifExcessCollision
The total number of Excess Collisions
ifFCSErr
The total number of FCS errors
ifFra64Pkts
The total number of 64 octet packets
ifFra65to127Pkts
The total number of 65-127 octet packets
ifFra128to255Pkts
ifFra256to511Pkts
ifFra512to1023Pkts
ifFra1024to1518Pkts
ifFragmentsPkts
The total number of fragmented packets
ifHCInBroadcastPkts
The total number of input broadcast packets
ifHCInMulticastPkts
The total number of input multicast packets
ifHCInOctets
The total number of input octets
ifHCInUcastPkts
The total number of input unicast packets
ifHCOutBroadcastPkts
The total number of output broadcast packets
ifHCOutMulticastPkts
The total number of output multicast packets
ifHCOutOctets
The total number of output octets
ifHCOutUcastPkts
The total number of output unicast packets
ifInBroadcastPkts
The total number of input broadcast packets
ifInDiscards
The total number of dropped packets
ifInErrors
The total number of input errors
ifInFlowControl
The total number of input flow control packets
ifInFraFragments
The total number of input fragmented packets
ifInFraOversize
The total number of input oversized packets
ifInJabber
The total number of input jabber packets
ifInMulticastPkts
The total number of input multicast packets
ifInNUcastPkts
The total number of input non-unicast packets
ifInOctets
The total number of input octets
ifInRateBps10Sec
input rate for last 10 seconds, in bytes per second
ifInRateBps60Sec
input rate for last 60 seconds, in bytes per second
ifInUcastPkts
The total number of input unicast packets
ifInUnknownOpcode
The total number of Input Unknown Opcode
ifInUnknownProtos
The total number of unknown protocol packets
ifJabberPkts
The total number of jabber packets
ifLateCollision
The total number of Late Collisions
ifMacRxErr
The total number of Internal MAC Rx errors
ifMacTxErr
The total number of Internal MAC Tx errors
ifMultCollision
The total number of Multiple Collisions
ifOutBroadcastPkts
The total number of output broadcast packets
ifOutDiscards
The total number of output errors
ifOutErrors
The total number of output errors
ifOutFlowControl
The total number of output flow control packets
ifOutFraFragments
The total number of output fragmented packets
ifOutFraOversize
The total number of output oversized packets
ifOutJabber
The total number of output jabber packets
ifOutMulticastPkts
The total number of output multicast packets
ifOutNUcastPkts
The total number of output non-unicast packets
ifOutOctets
The total number of output octets
ifOutRateBps10Sec
output rate for last 10 seconds, in bytes per second
Page 53
ifOutRateBps60Sec
output rate for last 60 seconds, in bytes per second
ifOutUcastPkts
The total number of output unicast packets
ifOversizePkts
The total number of oversized packets
ifSQETestErr
The total number of SQE Test errors
ifSnglCollision
The total number of Single Collisions
ifSymbolErr
The total number of Symbol errors
ifTooLongFra
The total number of Too Long packets
ifTotalBcastPkts
The total number of input and output broadcast

packets
ifTotalInPkts
The total number of input packets
ifTotalMcastPkts
The total number of input and output multicast

packets
ifTotalOctets
The total number of input and output octets
ifTotalOutPkts
The total number of output packets
ifTotalPkts
The total number of input and output packets
ifUndersizePkts
The total number of undersized packets
NOTE
Counters are applied on a single port or on a group of ports.
RMON Commands
Commands Hierarchy
device-name#
+ config terminal
+system
+ [no] statistics-history
- [no] control <value> [profile-name NAME | xpath-key

<value>]
- [no] get-interval <value>
- [no] profile NAME [xpath-template <value>]

- [no] shutdown
- [no] type {absolute | delta}
- show system statistics-history [control | displaylevel <value>]
- show [port UU/SS/PP] rmon statistics [etherStatsBroadcastPkts |

etherStatsCollisions | etherStatsCRCAlignErrors |
etherStatsDropEvents | etherStatsFragments | etherStatsJabbers |
etherStatsMulticastPkts | etherStatsOctets | etherStatsOversizePkt |
etherStatsPkts | etherStatsPkts1024to1518Octets |
etherStatsPkts128to255Octets | etherStatsPkts256to511Octets |
Page 54
etherStatsPkts512to1023Octets | etherStatsPkts64Octets |
etherStatsPkts65to127Octets | etherStatsUndersizePkts]
Table 11: RMON Commands
Command
Description
config terminal
system
statistics-history
Enables the statistics history mechanism and

enters Statistics History Configuration mode
no statistics-history
Removes statistics history configuration details
control <value> [profile-name

NAME | xpath-key <value>]
Creates an RMON statistics entry in the device

configuration:
value: in the range <1-288>
profile-name NAME: applies the

specified profile name on port/s
or L3 interface
xpath-key <value>: specifies a

port, a group of ports or a L3
interface on which the RMON
profile is applied. value: a
string in the range <1-288>
characters
for a single port, in format UU/SS/PP

for a group of ports in format agN (N is in
the range of <1-14>)
for a L3 interface: loN (n in the range <1-9>,

outBand 0, swN (In is in the range <0
9999>)
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
no control [<value>] [profilename NAME | xpath-key

<value>]
Removes the configured entry
get-interval <value>
Specifies interval between samples:
no get-interval

seconds
Restores to default
Page 55
Command
profile NAME [xpath-template
<value>]
Description
Specifies an RMON profile:
NAME: an user-defined profile name

in the range of <1-128> characters
(letters or/and numbers) or a predefined profile
xpath-template <value>: specifies

the pattern that selects a set of
XML nodes. To define the profile
pattern use the yang.zip file,
part of the software package.
value: a pattern string in XPATH
1.0 notation
no profile [NAME] [xpathtemplate <value>]
Removes the specified profile
shutdown
Disables historical collections of statistics
no shutdown
Enables historical collections of statistics
type {absolute | delta}
Specifies the methodology used to calculate

statistics:
absolute: absolute sample value is

used
delta: difference between sampled

values is used
Absolute
no type {absolute | delta}
show system statistics-history [control
| displaylevel <value>]
show [port UU/SS/PP] rmon statistics

[etherStatsBroadcastPkts |
etherStatsCollisions |
etherStatsCRCAlignErrors |
etherStatsDropEvents |
etherStatsFragments |
etherStatsJabbers |
etherStatsMulticastPkts |
etherStatsOctets |
etherStatsOversizePkts |
etherStatsPkts |
etherStatsPkts1024to1518Octets |
etherStatsPkts64Octets |
etherStatsUndersizePkts]
Restores to default
Displays the complete collection of statistics:
control: displays information for

specific RMON statistics entry
displaylevel <value>: displays the

specified level of output, in the
range of <1-64>
Displays the RMON statistics table. Optionally,

you can display statistics for a specific port or for
all ports (see Table 12)
port UU/SS/PP: 1/1/1-1/1/4 and

1/2/1-1/2/8
RMON statistics collection is enabled.

Statistics are refreshed every 60 seconds.
Example 1
device-name#show port 1/1/1 rmon statistics
===============================================================================
RMON Statistics
Page 56
===============================================================================
Port 1/2/8
Counter Name
Counter Value
------------------------------------------------------------------------------etherStatsDropEvents
117
etherStatsOctets
11298
etherStatsPkts
133
etherStatsBroadcastPkts
0
etherStatsMulticastPkts
133
etherStatsCRCAlignErrors
0
etherStatsUndersizePkts
0
etherStatsOversizePkts
0
etherStatsFragments
0
etherStatsJabbers
0
etherStatsCollisions
0
etherStatsPkts64Octets
4
etherStatsPkts65to127Octets
130
0
0
0
0
===============================================================================
Table 12: Counters Displayed by the show
rmon statistics
Command
Counter
Description
etherStatsBroadcastPkts
Number of good broadcast packets received not

including multicast packets
etherStatsCollisions
Number of collisions on this Ethernet segment
etherStatsCRCAlignErrors
Total CRC/alignment errors (FCS or alignment

errors)
etherStatsDropEvents
Total events in which packets are dropped due

to lack of resources
etherStatsFragments
Total packets received that are less than 64

bytes in length (excluding framing bits, but
including FCS bytes) and have either an FCS or
alignment error
etherStatsJabbers
Total packets received that are longer than 1518

bytes (excluding framing bits, but including FCS
bytes), and have either an FCS or an alignment
error
etherStatsMulticastPkts
Number of good multicast packets received
etherStatsOctets
Number of octets of data (including those in bad

packets) received on the network (excluding
framing bits but including FCS octets)
etherStatsOversizePkts
Total packets received that are longer than 1518

bytes (excluding framing bits, but including FCS
bytes) and are otherwise well formed (valid
CRC)
Page 57
Counter
Description
etherStatsPkts
Total packets received (including bad packets,

broadcast packets, and multicast packets)
Total packets received and transmitted

(including bad packets) where the number of
bytes fall within the specified range (excluding
framing bits but including FCS bytes)
etherStatsPkts64Octets
Total packets received and transmitted

(including bad packets) that are 64 bytes in
length (excluding framing bits but including FCS
bytes)
etherStatsUndersizePkts
Total packets received that are less than 64

bytes long (excluding framing bits, but including
FCS bytes) and are otherwise well formed (valid
CRC)
Example
The following example displays how to create a profile Test_1/1/1, apply it on port 1/1/1, and
collect statistics for 10 seconds:
device-name(config-system)#statistics-history
device-name(config-statistics-history)#profile Test_1/1/1
device-name(config-profile-Test_1/1/1)#xpath-template
"/interfaces/interface{%s}/Counters/ifInOctets"
device-name(config-profile-Test_1/1/1)#commit
Commit complete.
device-name(config-profile-Test_1/1/1)#exit
device-name(config-control-1)#profile-name Test_1/1/1
device-name(config-control-1)#xpath-key 1/1/1
device-name(config-control-1)#commit
Commit complete.
device-name(config-control-1)#exit
device-name(config-statistics-history)#get-interval 10
device-name(config-statistics-history)#no shutdown
device-name(config-statistics-history)#commit
Commit complete.
Page 58
System Logs Message

The application software provides system log messages that are useful to the system administrator
for troubleshooting problems in the network:
The console log routes system messages to a local or remote console, or to the system memory
buffer
Message logging is configurable (for example: what severity levels and where the log is sent)
System Logs Message Format

The logging subsystem takes messages initiated by various software processes within the application
software, formats the messages, and writes them to the appropriate log files. These messages come
from a local facility or module (a hardware device, protocol, or process within the system software).
The logging subsystem:
provides logging information for monitoring and troubleshooting
allows configuration of the types of logging information to be captured and the destination
(log file or other devices)
includes system log messages
The system message is stored and displayed based on the following format:
DATE TIME SEVERITY PROCESS MESSAGE-TEXT
Table 13: System Message Fields

Keyword
Description
DATE and TIME
Indicates when the message is issued
SEVERITY
The literal messages severity level
PROCESS
The name of a system process that generated the message
MESSAGE-TEXT
The textual content of the message
Example
Jan
1 01:02:48 info
Multicast group.
OSPF
interface 192.168.1.1 join AllSPFRouters
Settings and Values

Severity Levels
Trap level for logging should be configured per receiver (buffer, CLI console, SSH console, and
Syslog server) and per severity.
By default, the buffer is disabled and it does not store any LOG messages.
Page 59
To configure the level of the trap message logging filter, use the
command.
log buffer severity
Table 14: Severity Levels

Severity Level
Keyword
Description
emergency
Internal error occurred. The device reached a crash

state and cannot continue to operate.
alert
Immediate action needed. The device might operate

incorrectly.
critical
Internal error or non-supported event occurred.
error
Error condition (for example, error messages about

software or hardware malfunctions).
warning
Warning condition.
notice
Normal but significant condition (for example,

interface up/down transitions and system restart
messages).
info
Informational message only (for example, reload

requests and low-process stack messages).
debug
Debug level messages.
Zero (0) is the highest severity, and 7 is the lowest severity. When you specify a severity level,
logging output of the specified level and all lower levels (higher severities) are enabled.
Page 60
Syslog Facility
A Syslog facility is a setting for the remote Syslog server.
Table 15: Syslog Message Facilities
Keyword
Description
alert
Log alert
audit
Log audit
auth
Security/authorization messages
clock
Clock daemon
cron
Messages generated internally by Syslog
daemon
System daemons
ftp
FTP daemon
local0
Local use 0 (local0)
local1
local2
local3
local4
local5
local6
local7
lpr
Line printer subsystem
mail
Mail system
news
Network news subsystem
ntp
NTP subsystem
security
Security/authorization messages
syslog
Messages generated internally by Syslog
user
User-level messages
uucp
UUCP subsystem
NOTE
Some operating systems use facilities alert, audit, and auth for
security/authorization and audit/alert messages.
Page 61
System Log Commands

Commands Hierarchy
device-name#
+ config terminal
+ [no] log
- [no] cli-console {severity <level> | process-name NAME}
- [no] ssh-console {severity <level> | process-name NAME}

- [no] buffer {severity <level> | process-name NAME}
- [no] telnet-console {severity <level> | process-name NAME}

+ [no] syslog-server A.B.C.D
- [no] facility <level>
- severity <level>
- [no] process-name NAME
- show syslog
- show syslog message [level <level> | process NAME | text NAME |

timestamp NAME]
Table 16: System Log Commands
Command
Description
config terminal
log
Enters Log Configuration mode
no log
Exits Log Configuration mode
cli-console {severity <level> |

process-name NAME}
no cli-console {severity
name}
| process-
ssh-console {severity <level> |
Page 62
Configures logs sent to the CLI console:
severity level: specifies a

severity level to limit logs on
the CLI console. Refer to
Keyword column of Table 14.
process-name NAME: specifies a

process, related logs are
displayed (AAA, BFD, MPLS LDB
forwarding, MPLS LDB HW, MPLS
Management, MPLS Stack, BIST,
and etc)
Removes configured options

Configures logs sent to the SSH console:
Command
Description
process-name NAME}
no ssh-console {severity
name}
| process-
telnet-console {severity <level> |

process-name NAME}
no telnet-console {severity
process-name}
buffer {severity <level> | processname NAME}

the SSH console. Refer to
Keyword column of Table 14

and etc)

Configures logs sent to the Telnet console:

the Telnet console. Refer to
Keyword column of Table 14

and etc)

Specifies severity level to limit logs to buffer:
severity level: specifies

severity level to limit logs to
buffer. Refer to Keyword column
of Table 14

process, logs of which are
buffered (AAA, BFD, MPLS LDB
and etc)
Syslog buffer size is 2000 messages

no buffer {severity
| process-name}
syslog-server A.B.C.D
Restores to default
Specifies the IP address of Syslog server:
no syslog-server A.B.C.D
facility <level>
A.B.C.D: the IP address in

dotted-decimal format
Removes the configured server

Specifies type of syslog facility from which
logs are sent:
level: refer to Keyword column

of Table 15
no facility
Removes the configured facility level
severity <level>
Specifies the severity level to limit logs sent to

the Syslog server:
level: refer to Keyword column
Page 63
Command
Description
of Table 14
process-name NAME
Specifies a process, logs of which are sent to

the Syslog server:
NAME: process name (AAA, BFD,

MPLS LDB forwarding, MPLS LDB
HW, MPLS Management, MPLS Stack,
BIST, and etc)
no process-name
Removes the configured process
Configures Syslog server to listen on a

specified IP address for incoming
connections. The connections are restricted to
a specific router interface including loopbacks.
A.B.C.D: IP address, in a

interfaces)
no source-address
Restores to default
Specifies a DSCP priority of packets sent to

the Syslog server:
no dscp-mapping
Page 64
show syslog
Displays logs information
show syslog message [level <severity

level> | process NAME| text NAME |
timestamp NAME]]
Displays the detailed logs information:
severity level: refer to Keyword

column of Table 14
process NAME: process, logs of

which are displayed
text NAME: the text name
timestamp NAME: the timestamp

name
Configuration Example
The following example shows how to enable system log messages for different severity levels that
are displayed by the console port, on SSH session or Syslog buffer.
1.
Enable logging on the console port with severity level critical:

device-name#configure terminal
device-name(config)#log cli-console severity critical
device-name(config)#commit
Commit complete.
2.
Enable logging to SSH with severity level debug:

device-name(config)#log ssh-console severity debug
Commit complete.
3.
Enable logging to a Syslog buffer with severity level info:

device-name(config)#log buffer severity info
Commit complete.
Page 65
Denial of Service (DoS) Attack Prevention

During a denial of service attack, multiple attackers flood the device CPU with packets potentially
causing the device to fail.
To protect against this type of attack, configure your device to perform the following actions when
the number of packets received exceeds the configured threshold limit of packets per second:
Sends an SNMP trap to all configured SNMP management stations
Generates a log message
Activiates a DoS START event trigger (if configured)
Administrators typically configure protection against DoS attacks on edge devices to prevent an
attack from entering the core layers of the network. DoS attacks can be classified as:
Logic attacks: Exploit security vulnerabilities to cause a server or service to crash or

significantly reduce performance.
Resource exhaustion flooding attacks: Cause resources for the server or network to be
consumed to the point where the service no longer responds or the response is significantly
reduced.
DoS Attack Prevention Commands

This section defines the command hierarchy for the DoS attack prevention feature and provides a
list of available commands. Included also, is a configuration example.
Command Hierarchy
device-name#
+ config terminal
+
ethernet
+ [no] attack-prevent
- [no] first-tcp-fragment-without-full-tcp-header
-
[no] fragmented-icmp
[no] matching-source-destination-ip
[no] tcp-fin-urg-psh-sequence-zero
[no] tcp-src-equals-tcp-dst
Page 66
[no] icmp-payload-greater-than-icmp-max-size
[no] tcp-header-fragment-offset-1
[no] tcp-syn-fin
[no] udp-src-equals-udp-dst
[no] tcp-flag-and-sequence-zero
Table 17: DoS Commands
Command
Description
config terminal
ethernet
attack-prevent
Enters DoS Attack Prevention Configuration

mode
no attack-prevent
Removes DoS configuration details
first-tcp-fragment-without-fulltcp-header
Blocks all TCP packets with missing or

malformed TCP header (less than 20 bytes)
Disabled
no first-tcp-fragment-without-fulltcp-header
Restores to default
fragmented-icmp
Blocks fragmented ICMP packets.

Because ICMP packets contain very short
messages, there is no legitimate reason for
ICMP packets to be fragmented. If an ICMP
packet is so large that it must be fragmented,
something is amiss.
no fragmented-icmp
Restores to default
icmp-payload-greater-than-icmp-maxsize
Blocks packets with ping ICMP packets

payload larger than the maximum
programmed ICMP value
no icmp-payload-greater-than-icmpmax-size
Restores to default
matching-source-destination-ip
Blocks packets with a source IP address

equal to the destination IP address
no matching-source-destination-ip
Restores to default
tcp-fin-urg-psh-sequence-zero
Blocks packets with TCP flags FIN (No more

data from sender), URG (indicates that the
Urgent pointer field is significant), and PSH
(Push function) set; and sequence number set
to 0
no tcp-fin-urg-psh-sequence-zero
Restores to default
tcp-header-fragment-offset-1
Blocks packets with fragment offset of the

TCP header set to 1
no tcp-header-fragment-offset-1
Restores to default
tcp-src-equals-tcp-dst
Blocks packets with a source TCP address

equal to the destination TCP address
no tcp-src-equals-tcp-dst
Restores to default
tcp-syn-fin
Blocks TCP flags with SYN (Synchronize

sequence numbers) and FIN (No more data
from sender) set
no tcp-syn-fin
Restores to default
Page 67
Command
Description
udp-src-equals-udp-dst
Blocks packets with equal UDP source and

destination port numbers
no udp-src-equals-udp-dst
Restores to default
tcp-flag-and-sequence-zero
Blocks packets with no TCP control flag and

sequence number
no tcp-flag-and-sequence-zero
Restores to default
device-name(config-attack-prevent)#first-tcp-fragment-without-full-tcp-header
device-name(config-attack-prevent)#fragmented-icmp
device-name(config-attack-prevent)#commit
Commit complete.
device-name(config-attack-prevent)#end
device-name#show running-config ethernet attack-prevent
ethernet
attack-prevent
first-tcp-fragment-without-full-tcp-header
fragmented-icmp
!
!
Page 68
Reload Commands
device-name#
+ config terminal
- system
- reload [manufacturing-defaults] [downgrade]

- reload at MONTH DAY hour minute
- reload in hour minute
- show system reload
Table 18: The reload Command

Command
Description
config terminal
system
reload [manufacturing-defaults]
[downgrade]

Reloads the operating system:
manufacturing-defaults: resets
the device to the factory
default configuration
downgrade: resets the device to

the factory configuration of an
older software image
The option is mandatory when the user

rollback to an older software image.
reload at MONTH DAY hour minute
reload in hour minute
show system reload
Reloads the operating system at the specified

time. The restart must take place within 12
months.
MONTH: number of the month in

the range of <1-12>
DAY: number of the day in the

range of <1-31>
hour: hour in the range of <123>
minute: minutes in the range of

<0-59>
Reloads the operating system after the

specified time interval. The restart must take
place within 12 months.
hour: hour in the range of <123>
minute: minutes in the range of

<0-59>
Displays information about a scheduled reload
Example 1:
Page 69
device-name(config-system)#relaod
Connection to 10.3.133.6 closed by remote host.
Connection to 10.3.133.6 closed.
Example 2:
device-name(config)#system reload at 9 26 11 35
Where values are months, day, hour and minutes.
device-name#show system reload
system reload in time : In 0:0; Hex : 00000000
system reload at time : Month: 9 Day: 26 At 11:35; Hex : 1a090b23
Page 70
Control Plane Policing

Control Plane Policing (CoPP) allows you to manage the flow of IPv4 multicast traffic handled by
the CPU. CoPP is designed to prevent unnecessary traffic from overwhelming the CPU that, if left
unabated, could affect system performance.
The destination address of IPv4 multicast traffic is in the range of 224.0.0.0-224.0.0.255.
Destination MAC address is in the range of 01:00:5e:00:00:00 - 01:00:5e7f:ff:ff.
The last 23 bits should match the last 23 bits from the IP multicast address.
NOTE
By default, CoPP is applied on SAP ports of services carrying IPv4 multicast traffic. The
protection profile name is service with classification criteria pass. It is possible to harden
the device protection, by applying the protection profile on SDP ports of the configured
services.
Command Hierarchy
device-name#
+ config terminal
+ system
+
security
+ [no] protection-profile NAME
port UU/SS/PP
[no] ipv4-reserved-multicast {discard | pass | peer

| peer-and-pass}
- [no] protection-profile NAME
Table 19: CoPP Commands

Command
Description
config terminal
system
security

Enters the Security Configuration mode
protection-profile NAME
Specifies a Protection profile and enters the

Protection Configuration mode:
no protection-profile
NAME: string of up to 32
characters
Removes the defined profile
Page 71
Command
Description
ipv4-reserved-multicast {discard
| pass | peer | peer-andpass}
Defines the packet classification criteria for

the specified profile:
discard: packets are discarded
pass: packets are switched only
peer: packets are sent to the

CPU only, not switched to the
relevant ports
peer-and-pass: packets are

switched and also sent to the
CPU
peer-and-pass
no ipv4-reserved-multicast
Restores to default
port UU/SS/PP
Enters configuration mode for a specific port:
protection-profile NAME
Assigns a Protection profile to a port:
no protection-profile
Page 72
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

NAME: string of up to 32
characters
Removes the assigned Protection profile
Supported Standards, MIBs, and RFCs

Features
Standards
MIBs
RFCs
MAC Address Table
Not supported
Standard MIB,
8021Q_d6.mib
Not supported
MAC Learning
Security Policies
Not supported
Private MIB,
PRVT-MACSECURITY-MIB.mib
Not supported
Files System
Not supported
Private MIB,
PRVTINTERWORKING-OSMIB
Not supported
Not supported
Not supported
RFC 867, Daytime

Protocol
RFC 868, Time
Protocol
draft-ieee1588v2.1
DNS Resolver
Not supported
Not supported
RFC 1034, Domain

NamesConcepts
and Facilities
RFC 1035, Domain
Names
Implementation and
Specification
VTY (Virtual Telnet

Type) Commands
Not supported
Not supported
RFC 884, Telnet

terminal type option
Remote Monitoring
(RMON)
Not supported
PRVT-StatHistMIB.mib
Public MIBs:
RFC 1271, Remote

Network Monitoring
Management
Information Base
RFC 3273, Remote
Network Monitoring
Management
Information Base for
High Capacity
Networks
RFC 2819
RMON-MIB.mib
System Logs
Not supported
Not supported
RFC 3164, The BSD

Syslog Protocol (client
mode)
DoS Attack Prevention
Not supported
Not supported
Not supported
Page 73
Appendix I: Preparing an MPLS Device for

Provisioning by EdgeGenie
EdgeGenie can discover and provision MPLS devices in the network; however, before that can
happen, the device must first be prepared for provisioning using the following procedure.
To prepare an MPLS device for provisioning by EdgeGenie
1.
Configure the Outband IP Address and IP Route.

device(config)#router interface outband0 address 172.16.1.1/16
device(config-interface-outband0)#commit
If the EdgeGenie server network is different than the Outband management network,
add a static route to allow responses from the device to the EdgeGenie network.
device(config)#router static-route <EG_Network> 172.16.1.20 1
device(config-router)#commit
The device can also be managed through an Inband management network using the IP
SW interfaces configured in step #4 of this procedure.
2.
To prepare for SNMP management, create two SNMP Users: one user allows any
management software to read information from the device (including EdgeGenie) and the
other user allows EdgeGenie to configure the device. .
Set OID Tree View to All
device(config)#system
device(config-system)#snmp
device(config-snmp)#view all 1.3 included
Create a Read Community group with read-only privileges.

device(config-snmp)#group ro noAuthNoPriv read all write none notify none
Create a Write Community group with read-write privileges.

device(config-snmp)#group rw noAuthNoPriv read all write all notify none
Create a user in the Read Community group.

device(config-snmp)#user public ro v2c
Create a user in the Write Community group.

device(config-snmp)#user private rw v2c
device(config-snmp)#no shutdown
device(config-snmp)#commit
The user name will also be used as the name of the SNMP Community. In EdgeGenie,
when you create a Network Element for the device, enter the User Names you created
into the Read Community and Write Community fields. For more information, see Adding
a Network Element.
Once configured, SNMP can be customized according to management security
requirements through the EdgeGenie software. Use the same security community and
names and SNMP version.
3.
Page 74
Enable NETCONF on the device.
device(config-system)#netconf-server
device(config-netconf-server)#no shutdown
device(config-netconf-server)#commit
4.
Configure IP connectivity for the Control Plane protocols and enable the OAM-EFM and
SNMP source address.
Configure the IP SW and Loopback interfaces.
Device1(config)#router interface sw11 address 192.168.11.1/24
Device1(config-interface-sw11)#exit
Device1(config)#router interface sw13 address 192.168.13.1/24
Device1(config-interface-sw13)#exit
Device1(config)#router interface lo1 address 10.10.0.1/32
Device1(config-interface-lo1)#exit
Create VLANs and associate each VLAN with an IP Interface and Port.
Device1(config)#vlan -1-Device-2 11 routing-interface sw11 tagged 1/1/1
Device-1(config-untagged-1/1/1)#exit
Device-1(config-vlan-Device-1-Device-2/11)#exit
Device-1(config)#vlan Device-1-Device-3 13 routing-interface sw13 tagged
1/1/2
Device-1(config-vlan)#exit
Device-1(config)#commit
Remove the ports from the default VLAN 1:

Device-1(config)#vlan 1
Device-1(config-vlan-1)#no untagged 1/1/1
Device-1(config-vlan-1)#commit
In order for EdgeGenie to discover the links in the topology, define the OAM-EFM role
as active for all connected link ports.
Device-1(config)#port 1/1/1
Device-1(config-port-1/1/1)#efm role active
Device-1(config-port-1/1/1)#exit
Device-1(config-port-1/1/2)#commit
Define the SNMP source address as the Lo1 address.

Device-1(config)#system snmp
Device-1(config-snmp)#source-address 10.10.0.1
Device-1(config-snmp)#commit
Page 75
5.
Repeat the preceding step for the second device.

Device-2(config)#router interface sw11 address 192.168.11.2/24
Device-2(config-interface-sw11)# exit
Device-2(config-interface-sw12)#exit
Device-2(config)#router interface lo1 address 10.10.0.2/32
Device-2(config-interface-lo1)#exit
1/1/1
1/1/2
Device-2(config-vlan-1)#exit
6.
Repeat step #4 for the third device.

Page 76
Device-3(config)#router interface lo1 address 10.10.0.3/32

1/1/1
1/1/2
Device-3(config-vlan-1)#exit
7.
Configure OSPF and enable OSPF-TE.

Configure the Router ID to match the Loopback interface (Lo1).
Device-1(config)#router ospf
Device-1(config-ospf)#router-id 10.10.0.1
Enable TE/CSPF.
Device1(config-ospf)#traffic-engineering
Create an OSPF area and add all interfaces to this area (including the Loopback interface).
Device-1(config-ospf)#area 0.0.0.0
Device-1(config-area-0.0.0.0)#interface 10.10.0.1
Device-1(config-area-0.0.0.0)#exit
Device-1(config-ospf)#commit
8.
Repeat step #7 for the second device.

Device-2(config-ospf)#traffic-engineering
Page 77
9.
Repeat step #7 for the third device.

Device-3(config-ospf)#traffic-engineering
10. Configure the MPLS LSR-ID to match the Loopback interface (Lo1).
Device-1(config)#router mpls
Device-1(config-mpls)#lsr-id 10.10.0.1
Device-1(config-mpls)#exit
Device-1(config-router)#exit
11. Repeat step #10 for the second device.

12. Repeat step #10 for the third device.

13. Configure LDP and Targeted Peers.

Note
For information on how to display the status of an LDP Targeted session, see Best
Practice Commands on page 81.
Specify the Loopback Address of the other network devices as LDP Targeted Peers. The
targeted peers should be specified only for VPLS service end-points.
Device-1(config)#router ldp
Device-1(config-ldp)#targeted-peer 10.10.0.2
Device-1(config-targeted-peer-10.10.0.2)#exit
Enable LDP on all interfaces.

Device-1(config-ldp-te)#interface lo1
Device-1(config-ldp-te)#interface sw11
Page 78
Enable the LDP Protocol.

Device-1(config-ldp-te)#no shutdown
Device-1(config-ldp-te)#commit


16. Configure RSVP and FRR Protection.

Enable the FRR Feature globally.
Device-1(config)#router rsvp-te bypass-fast-reroute
Enable RSVP on all interfaces (including the Loopback interface, Lo1).

Device-1(config-rsvp-te)#interface lo1
Device-1(config-rsvp-te)#interface sw11
Enable the RSVP Protocol.

Device-1(config-rsvp-te)#no shutdown
Page 79
Device-1(config-rsvp-te)#commit


19. Verify the connectivity to the EdgeGenie server:

device#ping <EG_server IP_address>
20. It is recommended to set the loopback interface as an SNMP source address. This ensures that
SNMP connectivity from the device to the EG server, such as SNMP traps, use the loopback
interface IP address which is the address identifying the device in EG database.
device(config-snmp)#source-address 10.10.0.1
Verifying Control Plane Protocol Status

Before using EdgeGenie to create services, perform the following checks on the Control Plane
Protocols (OSPF, LDP, and RSVP) on the device.
21. OSPF Adjacency: Verify that peers are in full state.
Device-1#show router ospf neighbor
22. Routing Table: Verify that the L/O Address of the other network devices are in the Routing
Table of every device.
Device-1#show router ospf route
23. LDP Link and Targeted Sessions Status: Verify that both the Targeted and Link Sessions are in
the operational state for every peer.
Device-1#show mpls ldp discovery
Page 80
Provisioning the Device in EdgeGenie

For a complete discussion of installation and set up of EdgeGenie, please refer to the user guide
supplied with the product. This section assumes that the EdgeGenie Server has already been
installed and describes how to install the EdgeGenie Client on your computer as well as how to
manually add a device.
Installing the EdgeGenie Client

24. Use the internet browser to access the server where the server package was installed. The
address should look like the following:
https://<EG server IP address>:8080/webstart/
25. If not previously installed, download the Java runtime environment (can be found on the
EdgeGenie start page).
26. Click Launch. You will need a valid Username, Password, and Server IP Address.
Note
If an alert message is displayed informing you that the Server and the
Client versions are not the same. Click OK. You can update the version
later.
If you have redundant servers installed, then enter the IP Addresses of both servers,
separated by a comma. For example:
10.5.4.3,10.5.11.12
EdgeGenie displays the license screen when a valid license is not found or at the end of
an evaluation period.
27. To enter the license key before the end of the evaluation period, on the module ribbon, select
License.
28. Enter the license key provided to you and click Set License. The license key only needs to be
entered once. .
Note
When you are running an evaluation copy of EdgeGenie, the license screen
appears whenever you run the client. Click Close to continue working with the
Evaluation copy or enter a license key.
Creating a Domain
The domain is a logical entity and you must assign the devices to a domain (default domain is
NOC). If the domain in which the devices will reside is not already identified in EdgeGenie, use the
following procedure to define the domain.
To set up a domain:
29. On the EdgeGenie Desktop, click Domain. The Create Domain screen opens.
Page 81
30. Enter the following information:

Name: Enter a name for the new domain.
Parent: Enter the name of the root domain.
31. Click Create. The new Domain is created.
Viewing Existing Domains

The list of existing domains can be seen in:
Domain Inventory (on the Module Ribbon, select Inventory, and click Domains): Lists all
Domains together with the root domain and current status. When a Domain is selected,
the topological view of the domain is also displayed.
Domain Topology (on the Module Ribbon, select Topology, and click Domain): Displays
a graphical view of the domain. After Network Discovery, all devices within the domain
will be displayed together with their connections.
Adding a Network Element

Note
The user names you created in the Read Community and Write Community are
entered on this screen.
32. On the EdgeGenie Desktop, click the NE command button. The Create NE screen is
displayed.
Page 82
33. Enter information about the device as follows:

Field
Description
General
IP
(Mandatory) Enter the IP Address of the device. For a managed device,

EdgeGenie will discover additional information from the IP Address.
Name
Enter a name used to identify the device in EdgeGenie.
Page 83
Field
Description
Managed
In the field, select whether the device is currently:
Managed: The device has been discovered by EdgeGenie and

connectivity has been established between the device and the
software.
Managed and Unprovisioned: The device is recognized by

EdgeGenie but you do not want EdgeGenie to handle
configuration.
Unmanaged: The device will be unmanaged. EdgeGenie will not

contact the device and will not display any information other than
what you enter.
Domain
Select the Domain in which the device resides from the list provided.
(Default is NOC.)
Role
Select the role that the device plays in the network. Choices are: Core,
Aggregation, and Access. Note that information entered here is used to
identify the device but does not affect path calculations.
Access
CLI Username
Enter the CLI User Name required to access individual devices and
obtain information about those devices.
CLI Password
Enter the CLI Password associated with the CLI User Name.
SNMP Version
Select the SNMP version used for management access to devices in

the domain. Choices are:
V1: When selected, you will also need to enter Read Community
and Write Community information.
V2c: When selected, you will also need to enter Read Community
and Write Community information.
V3: When selected, you will also need to enter the Authentication
Protocol and Password as well as the Privacy Protocol and
Password.
ReadCommunity
Enter the Read Community string required for SNMP V1 or V2c access
to devices in the domain. Enter the User Name you created for the
Read Community Group.
Write
Community
Enter the Write Community string required for SNMP V1 or V2c access
to devices in the domain. Enter the User Name you created for the
Write Community Group.
User Name
Enter the User Name required for SNMP V3 access to the device.
Security Level
Select the Security Level defined for SNMP V3 access to devices in the
domain from the list provided:
Authentication
Protocol
Page 84
No Authentication, No Privacy: Only the User Name is required for

Access.
Authorization without Privacy: In addition to the User Name,

Authentication Protocol and Password are also required.
Authorization & Privacy: In addition to the User Name,

Authentication Protocol and Password as well as Privacy Protocol
and Password are also required.
Select the Authentication Protocol defined for SNMP V3 access to

devices in the domain from the list provided. Choices are: SHA and
MD5.
Field
Description
Authentication
Password
Select the Authentication Password associated with the Authentication

Protocol selected.
Privacy Protocol
Select DES as the Privacy Protocol defined for SNMP V3 access to

devices in the domain.
Privacy
Password
Select the Privacy Password associated with the selected Privacy

Protocol.
NE Inventory
Instant Filter
Filters the list according to the number (of Modules) entered here.
NE Type
Select an NE Type. EdgeGenie supplies Module information based on

the NE Type you select.
Supports MPLS
Select the checkbox when the device supports MPLS. The default icon
for the device will show MPLS.
Module Index
Identify the module order as defined by the device manufacturer.
Type
For each Module in the ordered list, select the Module Type from the
list provided.
34. Click Create. The Network Element is saved.
Creating a New User

A user is any individual who works with EdgeGenie. Each user is assigned a role which specifically
defines what areas of the software are accessible and what actions can be taken within those areas.
To create a user
On the EdgeGenie Desktop, click the User command button. The Create User screen opens.
Figure 1. Create User
Enter the following information:

Field
Description
Name
Enter the name that will be used to log onto the EdgeGenie client.
Page 85
Password
Enter the Password that will be used in conjunction with the User
Name to log onto the EdgeGenie client.
Confirm Password
For verification purposes, enter the Password a second time.
Role
To define the level of access given to the user, select a Role from
the list provided.
Click Create. The User Name and Password are now saved in the EdgeGenie database.
Page 86
Appendix II: Preparing an Ethernet Device for

Provisioning by EdgeGenie
EdgeGenie can discover and provision Ethernet devices in the network; however, before that can
happen, the device must first be prepared for provisioning using the following procedure.
Preparing a BiNOX Ethernet device for provisioning by

EdgeGenie
1.
Configure the Outband IP Address and IP Route.

device(config)#router interface outband0 address 172.16.1.1/16
device(config-interface-outband0)#commit
If the EdgeGenie server network is different from the Outband management network,
add a static route to allow responses from the device to the EdgeGenie network.
device(config)#router static-route <EG_Network> 172.16.1.20 1
device(config-router)#commit
The device can also be managed through an Inband management network.

2.
In case the Inband management is used, create a management VLAN with a routing interface
attached, corresponding to the EdgeGenie network:
device(config)#router interface sw1 address 9.0.1.2/16
device(config-interface-sw1)#exit
device(config-router)#exit
device(config)#vlan MANAGEMENT 1000
device(config-vlan-1000)#untagged 1/1/1
device(config-untagged-1/1/1)#exit
device(config-vlan-1000)#untagged 1/1/2
device(config-untagged-1/1/2)#exit
device(config-vlan-1000)#routing-interface sw1
device(config-vlan-1000)#management
device(config-vlan-1000)#exit
device(config)#port 1/1/1
device(config-port-1/1/1)#default-vlan 1000
device(config-port-1/1/1)#port 1/1/2
device(config-port-1/1/2)#default-vlan 1000
device(config-port-1/1/2)#exit
In this example the Inband management is using untagged ports. If the management
communication between the EG server and the device is tagged, use tagged ports.
3.
Verify the connectivity to the EdgeGenie server:

device#ping <EG_server IP_address>
4.
Page 87
5.
To prepare for SNMP management, create two SNMP Users: one user allows any
management software to read information from the device (including EdgeGenie) and the
other user allows EdgeGenie to configure the device.
Set OID Tree View to All
device(config-system)#snmp
device(config-snmp)#view all 1.3 included
Create a Read Community group with read-only privileges.

device(config-snmp)#group ro noAuthNoPriv read all write none notify none
Create a Write Community group with read-write privileges.

device(config-snmp)#group rw noAuthNoPriv read all write all notify none
Create a user in the Read Community group.

device(config-snmp)#user public ro v2c
Create a user in the Write Community group.

device(config-snmp)#user private rw v2c
device(config-snmp)#no shutdown
device(config-snmp)#commit
The user name will also be used as the name of the SNMP Community. In EdgeGenie,
when you create a Network Element for the device, enter the User Names you created
into the Read Community and Write Community fields. For more information, see Adding
a Network Element on page 82.
Once configured, SNMP can be customized according to management security
requirements through the EdgeGenie software. Use the same security community and
names and SNMP version.
6.
Enable NETCONF on the device.

device(config-system)#netconf-server
device(config-netconf-server)#no shutdown
device(config-netconf-server)#commit
7.
Enable the OAM-EFM. In order for EdgeGenie to discover the links in the topology, define
the OAM-EFM role as active for all connected link ports.
device(config-port-1/1/1)#efm role active
device(config-port-1/1/1)#exit
device(config-port-1/1/2)#efm role active
device(config-port-1/1/2)#commit
Provisioning the Device in EdgeGenie

For a complete discussion of installation and set up of EdgeGenie, please refer to the user guide
supplied with the product. This section assumes that the EdgeGenie Server has already been
Page 88
installed and describes how to install the EdgeGenie Client on your computer as well as how to
manually add a device.
Installing the EdgeGenie Client

8.
Use the internet browser to access the server where the server package was installed. The
address should look like the following:
https://<EG server IP address>:8080/webstart/
9.
If not previously installed, download the Java runtime environment (can be found on the
EdgeGenie start page).
10. Click Launch. You will need a valid Username, Password, and Server IP Address.
Note
If an alert message is displayed informing you that the Server and the Client
versions are not the same. Click OK. You can update the version later.
If you have redundant servers installed, then enter the IP Addresses of both servers,
separated by a comma. For example:
10.5.4.3,10.5.11.12
EdgeGenie displays the license screen when a valid license is not found or at the end of
an evaluation period.
11. To enter the license key before the end of the evaluation period, on the module ribbon, select
License.
12. Enter the license key provided to you and click Set License. The license key only needs to be
entered once.
Note
When you are running an evaluation copy of EdgeGenie, the license screen
appears whenever you run the client. Click Close to continue working with the
Evaluation copy or enter a license key.
Creating a Domain
The domain is a logical entity and you must assign the devices to a domain (default domain is
NOC). If the domain in which the devices will reside is not already identified in EdgeGenie, use the
following procedure to define the domain.
To set up a domain
13. On the EdgeGenie Desktop, click Domain. The Create Domain screen opens.
Page 89
14. Enter the following information:

Name: Enter a name for the new domain.
Parent: Enter the name of the root domain.
15. Click Create. The new Domain is created.
Viewing Existing Domains

The list of existing domains can be seen in:
Domain Inventory (on the Module Ribbon, select Inventory, and click Domains): Lists all
Domains together with the root domain and current status. When a Domain is selected,
the topological view of the domain is also displayed.
Domain Topology (on the Module Ribbon, select Topology, and click Domain): Displays
a graphical view of the domain. After Network Discovery, all devices within the domain
will be displayed together with their connections.
Adding a Network Element

Note
The user names you created in the Read Community and Write Community are
entered on this screen.
16. On the EdgeGenie Desktop, click the NE command button. The Create NE screen is
displayed.
Page 90
17. Enter information about the device as follows:

Field
Description
General
IP
(Mandatory) Enter the IP Address of the device. For a

managed device, EdgeGenie will discover additional
information from the IP Address.
Name
Enter a name used to identify the device in EdgeGenie.
Page 91
Field
Description
Managed
In the field, select whether the device is currently:
Managed: The device has been discovered by

EdgeGenie and connectivity has been established
between the device and the software.
Managed and Unprovisioned: The device is

recognized by EdgeGenie but you do not want
EdgeGenie to handle configuration.
Unmanaged: The device will be unmanaged.

EdgeGenie will not contact the device and will not
display any information other than what you enter.
Domain
Select the Domain in which the device resides from the

list provided. (Default is NOC.)
Role
Select the role that the device plays in the network.

Choices are: Core, Aggregation, and Access. Note that
information entered here is used to identify the device
but does not affect path calculations.
Access
Page 92
CLI Username
Enter the CLI User Name required to access individual

devices and obtain information about those devices.
CLI Password
Enter the CLI Password associated with the CLI User

Name.
SNMP Version
Select the SNMP version used for management access

to devices in the domain. Choices are:
V1: When selected, you will also need to enter

Read Community and Write Community
information.
V2c: When selected, you will also need to enter

Read Community and Write Community
information.
V3: When selected, you will also need to enter the

Authentication Protocol and Password as well as
the Privacy Protocol and Password.
ReadCommunity
Enter the Read Community string required for SNMP V1

or V2c access to devices in the domain. Enter the User
Name you created for the Read Community Group.
Write Community
Enter the Write Community string required for SNMP V1

or V2c access to devices in the domain. Enter the User
Name you created for the Write Community Group.
User Name
Enter the User Name required for SNMP V3 access to

the device.
Field
Description
Security Level
Select the Security Level defined for SNMP V3 access

to devices in the domain from the list provided:
No Authentication, No Privacy: Only the User

Name is required for Access.
Authorization without Privacy: In addition to the

User Name, Authentication Protocol and Password
are also required.
Authorization & Privacy: In addition to the User

Name, Authentication Protocol and Password as
well as Privacy Protocol and Password are also
required.
Authentication Protocol
Select the Authentication Protocol defined for SNMP V3

access to devices in the domain from the list provided.
Choices are: SHA and MD5.
Authentication Password
Select the Authentication Password associated with the

Authentication Protocol selected.
Privacy Protocol
Select DES as the Privacy Protocol defined for SNMP

V3 access to devices in the domain.
Privacy Password
Select the Privacy Password associated with the

selected Privacy Protocol.
NE Inventory
Instant Filter
Filters the list according to the number (of Modules)

entered here.
NE Type
Select an NE Type. EdgeGenie supplies Module

information based on the NE Type you select.
Supports MPLS
Select the checkbox when the device supports MPLS.

The default icon for the device will show MPLS. Do not
check it.
Module Index
Identify the module order as defined by the device

manufacturer.
Type
For each Module in the ordered list, select the Module

Type from the list provided.
18. Click Create. The Network Element is saved.
Creating a New User

A user is any individual who works with EdgeGenie. Each user is assigned a role which specifically
defines what areas of the software are accessible and what actions can be taken within those areas.
To create a user
On the EdgeGenie Desktop, click the User command button. The Create User screen opens.
Page 93
Figure 2. Create User
Enter the following information:

Field
Description
Name
Enter the name that will be used to log onto the EdgeGenie client.
Password
Enter the Password that will be used in conjunction with the User
Name to log onto the EdgeGenie client.
Confirm Password
For verification purposes, enter the Password a second time.
Role
To define the level of access given to the user, select a Role from
the list provided.
Click Create. The User Name and Password are now saved in the EdgeGenie database.
Page 94
Simple Network Management Protocol

(SNMP)
Table of Contents
Table of Figures 1
List of Tables 2
Overview 3
SNMP Entity 3
SNMP Agent 4
Structure of Management Information (SMI) 4
SNMP Manager 4
Management Information Base (MIB) 4
SNMP Engine ID 4
SNMP View Records 5
SNMP Notifications 5
The Discovery Mechanism 7
Versions of SNMP 9
SNMP Commands 11
Command Hierarchy 11
Command Descriptions 12
SNMP Configuration Example 26
Creating Users 26
SNMP Notification for Users 28
Table of Figures
Figure 1: SNMP Agent and Manager Communication ..................................................................... 3
Figure 2: Trap Sent to SNMP Manager Successfully ........................................................................ 5
Simple Network Management Protocol (SNMP) (Rev. 01)
Page 1
Figure 3: Inform Request Sent to SNMP Manager Successfully ..................................................... 6

Figure 4: Trap Unsuccessfully Sent to SNMP Manager ................................................................... 6
Figure 5: Inform Request Successfully Resent to SNMP Manager ................................................. 7
Figure 6: Obtaining the snmpEngineID ............................................................................................. 8
Figure 7: Obtaining the snmpEngineBoots and snmpEngineTime ............................................... 8
List of Tables
Table 1: SNMP Versions ....................................................................................................................... 9
Table 2: Security Levels Available in the SNMPv3 Security Models ............................................ 10
Table 3: SNMP Configuration Commands ...................................................................................... 12
Table 4: Notification Types................................................................................................................. 17
Page 2
T-Marc3208SH
Overview
SNMP is an application layer protocol that facilitates the exchange of management information
between network devices. An SNMP-managed network consists of three key components:
Managed Device: A network node that contains an SNMP Agent and resides on a managed
network
Agent: A network-management software module that resides in a managed device. An agent

has local knowledge of management information and translates that information into a form
compatible with SNMP
Network-Management System: Responsible for execution of applications that monitor and

control managed devices.
Using SNMP, a network administrator can manage network performance, find and solve network
problems, and extend the network.
Table 1 displays communication between an SNMP Agent and a Manager.
Figure 1: SNMP Agent and Manager Communication
SNMP Entity
An SNMP Entity, an implementation of the SNMP architecture, consists of an SNMP Engine and
one or more associated applications.
An SNMP Engine provides services for sending and receiving messages, authenticating and
encrypting messages, and controlling access to managed objects. The SNMP Engine is
identified by the SNMP Engine ID.
Applications use the services of an SNMP Engine to accomplish specific tasks. They
coordinate the processing of management information operations, and may use SNMP
messages to communicate with other SNMP Entities.
Page 3
SNMP Agent
An Agent is a network-management software module that resides in a managed device and is
responsible for maintaining local management information and delivering that information to a
Manager via SNMP. A management information exchange can be initiated by the Manager or by the
Agent.
The SNMP Agent contains MIB variables and these values can be requested or changed by the
SNMP Manager. The Agent and MIB reside on the device. The Agent gathers data from the MIB
and responds to a Managers request to get or set data.
Structure of Management Information (SMI)

Management information is a collection of managed objects, residing in a virtual information store,
termed the MIB. Collections of related objects are defined in MIB modules. Each type of object
has:
Name: Names are used to identify managed objects and are represented uniquely as an Object
Identifier (OID). An OID is an administratively assigned name used to identify an object
regardless of the semantics associated with that object.
Syntax
Encoding: Encoding is the way that instances of a particular object type are represented using
the object types syntax.
SNMP Manager
An SNMP Manager is a software module in a management network responsible for managing
either part of or the entire configuration on behalf of network management applications and users.
The SNMP Manager sends requests to the SNMP Agent to get and set MIB values.
Communication among protocol entities is accomplished by the exchange of messages; each of
them is entirely and independently represented within a single UDP datagram. A message consists
of a version identifier, an SNMP community name, and a protocol data unit (PDU). PDUs are the
packets that are exchanged in the SNMP communication.
Management Information Base (MIB)

A MIB consists of a collection of objects organized into groups. Objects have values that represent
managed resources. All managed objects in the SNMP environment are arranged in a hierarchical
or tree structure. A MIB is the repository for information about devices parameters and network
data.
SNMP Engine ID
The SNMP Engine ID is a 5 to 32 bytes long, administratively unique identifier of a participant in
SNMP communication within a single management domain. The SNMP Manager and SNMP
Agent must be configured by an administrator to have unique SNMP Engine IDs.
Page 4
SNMP View Records

With the community-based authentication defined in SNMPv1, an authorized user is granted access
to the whole MIB tree for reading or for reading/writing. With SNMPv1, it is not possible to allow
diverse authorized users access to different portions of the MIB database.
This deficiency is overcome in SNMPv3 with the introduction of views. A view is a set of rules that
define what portion of the MIB database can be visible to a specific user. The rules are defined by
the OID of a node in the MIB tree, and the type of rule: included or excluded. The OID defines a
view familya set of object identifiers that have a common prefix. A single rule (included or
excluded) in the view is applied to view family, not only to a single OID.
SNMP Notifications
The SNMP notification messages allow devices to send asynchronous messages to the SNMP
Managers. Devices can send notifications to SNMP Managers when particular events occur. For
example, an Agent might send a message to a Manager when the Agent experiences an error
condition.
NOTE
All traps, except the ones sent with SNMPv1, have a request ID as part of the PDU.
SNMP notifications can be sent as traps or Inform requests. Traps are unreliable because the
receiver does not send an acknowledgment upon receipt of a trap. However, an SNMP Manager
that receives an Inform request acknowledges the message with an SNMP response PDU. If the
sender does not receive a response after a particular time interval, the Inform request is sent again.
Informs consume more resources in the device and in the network but are more reliable. Unlike a
trap, which is discarded after being sent, an Inform request must be held in memory until a
response is received or the request times out. Also, traps are sent only once, while an Inform may
be sent several times.
Figure 2 through Figure 5 illustrate the differences between traps and Inform requests.
In Figure 2, the Agent successfully sends a trap to the SNMP Manager. The Manager receives the
trap but does not send an acknowledgment to the Agent. The Agent has no way of knowing
whether the trap reached its destination.
Figure 2: Trap Sent to SNMP Manager Successfully
In Figure 3, the Agent successfully sends an Inform request to the Manager. Upon receipt of the
Inform request, the Manager sends a response back to the Agent. As a result, the Agent knows that
the Inform request successfully reached its destination. In this example, while traffic is generated
twice, as in Figure 2; the Agent is sure that the Manager received the notification.
Page 5
Figure 3: Inform Request Sent to SNMP Manager Successfully
In Figure 4, the Agent sends a trap to the Manager, but the trap does not reach the Manager. Since
the Agent has no way of knowing whether the trap reached its destination, the trap is not sent
again. The Manager never receives the trap.
Figure 4: Trap Unsuccessfully Sent to SNMP Manager
Page 6
In Figure 5, the Agent sends an Inform request to the Manager, but the Inform request does not
reach the Manager. The Manager does not send a response. After a period of time, the Agent
resends the Inform request. This time, the Manager receives the Inform request and replies with a
response. In this example, there is more traffic than in Figure 4; however, the notification reaches
the SNMP Manager.
Figure 5: Inform Request Successfully Resent to SNMP Manager
The Discovery Mechanism

To protect the user network against message reply, delay and redirection, one of the SNMP engines
involved in each communication is designated as the authoritative SNMP engine. When an SNMP
message contains a payload that expects a response, the receiver of such a message is authoritative.
The PDUs involved in an authenticated/encrypted session between the Agent and the Manager are
encoded with keys that are localized with the snmpEngineID of the Manager and not with the
snmpEngineID of the local application software Agent.
To match the described requirements, you need an additional configuration of users, on whose
behalf Inform PDUs can be sent. User keys are required to be localized with the snmpEngineID of
the Manager (the authoritative side). The keys of these users are localized for the remote side and
the Agent cannot process configuration of SNMP requests on their behalf. GET, GET-NEXT,
GET-BULK, or SET requests from users with a SNMP Engine ID that is different from the Agent
SNMP Engine ID cannot be processed. The application software defines as remote those users
created with a snmpEngineID different from the Agents snmpEngineID. Remote users can
participate just by sending Inform PDUs.
To create a remote user, specify the snmpEngineID of the notification recipient, where this user is
correctly defined. The proper calculation of authentication/encryption keys requires a valid remote
user.
To send the Inform PDU to the authoritative side, the Agent needs information for the
snmpEngineID of the target-address of the recipient.
Page 7
To reduce a configuration complexity, the application software Agent implements an auto

discovery procedure for obtaining the SNMP Engine IDs of different Inform recipients.
When an event occurs, for example LinkUp, the Agent sends an Inform PDU to all valid targets for
this Inform. The very first Inform PDU actually is not valid as the Agent still does not know the
parameters of the Receiver Engine IDsnmpEngineId, snmpEngineBoots and snmpEngineTime.
In Figure 6, the Manager reports the PDU with its Engine ID to the Agent.
Figure 6: Obtaining the snmpEngineID
The Agent sends an Inform PDU with a valid Engine ID (the Engine ID that is received as shown
in Figure 6), but with incorrect snmpEngineBoots and snmpEngineTime. These parameters are still
unknown to the Agent. The discovery process ends when no authentication/encryption exists for
the target address. If authentication/encryption exists, the packet is with the corresponding
authentication/encryptionMD5, SHA or DES.
In Figure 7, the Manager returns an authenticated REPORT PDU (notInTimeWindow) that
consists of valid snmpEngineBoots and snmpEngineTime parameters.
Figure 7: Obtaining the snmpEngineBoots and snmpEngineTime
Finally, when the discovery process is completed, the Agent and the Manager are synchronized and
subsequent packets do not discover the Engine ID of the Manager.
Page 8
Versions of SNMP
The application software supports the following versions of SNMP:
Table 1: SNMP Versions
Variable
Description
SNMPv1
In the SNMP version 1, user can get and set MIB objects, traverse the
MIB tree using the getNext operation, and enable the management
device to receive asynchronous messages from the Agent using the trap
mechanism. SNMPv1 bases its security on community strings.
SNMPv2c
SNMP version 2c (the c stands for community) is the community-string

based Administrative Framework. SNMPv2c includes the following
improvements over SNMPv1:
Improved performance for getting data using getBulk. The bulk

retrieval mechanism supports the retrieval of tables and large
quantities of information in one PDU, thus minimizing the number of
round-trips required.
Improved error handling. SNMPv2 adds many error codes to the

five originally defined in SNMPv1. Management devices are
provided with more detailed information about the cause of the
error. Also, three exceptions are reported with SNMPv2c:
no such object, no such instance, and end of MIB view
exceptions.
Extended asynchronous reporting. SNMPv2 allows the Agent to

send SNMP notifications by inform request, as well as by trap
messages that are available in SNMPv1. Whereas traps do not
provide the Agent with an indication that the message is received,
the inform request requires the Manager to confirm reception and
is therefore more reliable. As for the trap message, its format is
changed to match the PDU format of a regular get/set PDU, in order
to simplify the protocol. The SNMPv2 protocol requires adding more
details to every trap in order to supply the Manager with more
information.
Generally, MIBs written for Agents that use SNMPv2c or higher versions
use SMIv2 instead of version 1 of the SMI. This version adds some new
variables types.
Both SNMPv1 and SNMPv2c use a community-based form of security.
SNMPv3
SNMP version 3, an interoperable standards-based protocol, provides

secure communication using the USM (User-based Security Model) and
access control using the VACM (View-based Access Control). The USM
model provides an answer to the following threats:
Replay, interception and retransmission of messages prevented by

using time-stamp.
Masquerading prevented by authenticating the message sender.

Integrity, interception, changing data, and retransmission of
messages prevented by authenticating the message sender and
encryption of the message data.
Disclosure prevented by encryption of the message data.

The SNMPv3 USM allows three levels of security (see
Table 2):
No Authentication and No Privacy (noAuthNoPriv)
Page 9
Variable
Description
Authentication and No Privacy (AuthNoPriv)

Authentication and Privacy (authPriv)
Table 2: Security Levels Available in the SNMPv3 Security Models

Level
Authentication
Encryption
Explanation
noAuthNoPriv
Username
No
All PDUs are sent unencrypted and

not authenticated in the network.
authNoPriv
HMAC-MD5 or
HMAC-SHA
No
The PDUs are authenticated with

HMAC (keyed-Hashing for Message
Authentication Codes). They cannot
be altered by an attacker, but can be
read.
authPriv
HMAC-MD5 or
HMAC-SHA
Cipher Block
ChainingData
Encryption
Standard
(CBC-DES)
The PDUs are authenticated and

encrypted (with CBC-DES Symmetric
Encryption Protocol).
You must configure the SNMP Agent to use the version of SNMP supported by the management
device. An Agent can communicate with multiple users. For this reason, you can configure the
application software to support communications with many users: some users can use the SNMPv1
protocol, some can use the SNMPv2c protocol, and the rest can use SMNPv3.
NOTE
You can participate in different groups, with a different security model in each
group. You cannot participate in more than one group with the same security model.
Page 10
SNMP Commands
The following section presents the SNMP Command Hierarchy together with command
descriptions and an example.
Command Hierarchy
device-name#
+ configure terminal
+ system
+ [no] snmp
- [no] engine-id <engineID>
- [no] max-packet-size <size>
- [no] general-port <port-number>

- [no] shutdown
- [no] authentication-failure-trap
- [no] system-name .LINE-TEXT
- [no] system-location .LINE-TEXT

- [no] system-contact .LINE-TEXT
- [no] system-description .LINE-TEXT

- [no] notification-change-trap
- [no] view VIEWNAME OID-TREE [MASK | included | excluded]
- [no] group GROUPNAME {authNoPriv | authPriv |

noAuthNoPriv} read READ-VIEW write WRITE-VIEW notify
NOTIFY-VIEW
- [no] user USERNAME GROUPNAME {v1 | v2c | v3} [md5 | sha

| remote ENGINE-ID] [AUTHENTICATION-PASSWORD]
[ENCRYPTION-PASSWORD]
+ [no] target-address ADDR-NAME
- [no] message-model {v1 | v2c | v3}
- [no] security-level {noAuthNoPriv | authNoPriv |

authPriv}
- [no] address TARGET-ADDRESS
- [no] security-name USERNAME
- [no] dst-port <port-number>

- [no] retry-count <value>
Page 11
- [no] type [both | inform | trap]
- show snmp-server [displaylevel <level> | statistics]
- show snmp engine [displaylevel <level>]

- show snmp-system [displaylevel <level>]
- show snmp views [displaylevel <level>]
- show snmp group [displaylevel <level>]
- show snmp access [displaylevel <level>]
- show snmp target-address [displaylevel <level>]
Table 3: SNMP Configuration Commands
Command
Description
config terminal
system
snmp
Enters SNMP Configuration mode
no snmp
Removes the SNMP configuration
Limits the access to the SNMP server only from

the specific sources IP address(es):

address.
no access source-ip
engine-id <engineID>
Defines a new value for the SNMP Engine ID of

the Agent:
engineID: a string of 10 to 64
characters (represented internally
by 5 to 32 bytes), in the format
of XX:XX:XX:XX:XX:XX
80 00 02 E2 03 [MAC ADDR]
no engine-id
Restores the default
max-packet-size <size>
Defines a new value for the maximum packet

size:
size: in the range of <4842147483647>
9216
no max-packet-size
general-port <port-number>
Defines a new value for the IP SNMP port

number:
port-number: in the range of <161,

1025-65535>
161
Page 12
Command
Description
no general-port
shutdown
Disables the SNMP server

SNMP server is disabled
no shutdown
Enables the SNMP server

Enables authentication SNMP traps on the

device. An authentication failure trap signifies that
the sending protocol entity is the addressee of a
protocol message that is not properly
authenticated.
Enabled
no authentication-failure-trap
Disables authentication SNMP traps
system-name .LINE-TEXT
Defines the MIB-II system name:
.LINE-TEXT: descriptive system

name string, up to 255 characters
long
The default value is the devices model

name
no system-name
Removes the defined system name.
system-location .LINE-TEXT
Defines the MIB-II system location string:

location string, up to 255
characters long
Empty (null)
no system-location
Restores to default.
system-contact .LINE-TEXT
Defines the MIB-II system contact string:

contact string, up to 255
characters long
Empty (null)
no system-contact
Restores to default
system-description .LINE-TEXT
Defines the MIB-II system description string:
.LINE-TEXT: description string, up

to 255 characters long
Empty (null)
no system-description
Restores to default
notification-change-trap
Enables SNMP notification change traps
no notification-change-trap
Disables traps
Specifies the source address of SNMP packets:
no source-address
Page 13

SNMP server:
no dscp-mapping
view VIEWNAME OID-TREE [MASK
| included | excluded]
no view VIEWNAME
group GROUPNAME {authNoPriv |
authPriv | noAuthNoPriv} read
READ-VIEW write WRITE-VIEW
notify NOTIFY-VIEW
Defines the subset of all MIB objects accessible

to the given view:
VIEWNAME: the name of the view up

to 32 characters
OID-TREE: the starting point

inside the MIB tree given in dotnotation or as an object name
MASK: the mask is typed as a

hexadecimal value, and is
interpreted as a binary value. A
binary 1 in the mask states that
the Object ID at the corresponding
position has to match, a binary 0
states that the Object ID at the
corresponding position is
irrelevantno match is required
included: the Object ID subtree is

included in the view
excluded: the Object ID subtree is

excluded from the view
Removes the specified view
Creates an SNMP group with a specified security

model and defines the access-right for this group
by associating views to this group:
GROUPNAME: the name of the group

is limited to 32 characters
{authNoPriv | authPriv |
noAuthNoPriv}: the security level.
For more information, refer to
Table 2
If no security level is specified,

noAuthNoPriv security level is assumed
Page 14
READ-VIEW: the name of the view

(not to exceed 32 characters) in
which you can only view the
contents of the Agents MIB
WRITE-VIEW: the name of the view

(not to exceed 32 characters) in
which you can type data and
configure the contents of the
Agents MIB
NOTIFY-VIEW: the name of the view

(not to exceed 32 characters) that
specifies what portion of the MIB
database is accessible for
notifications
Command
Description
no group GROUPNAME {authNoPriv

| authPriv | noAuthNoPriv}
user USERNAME GROUPNAME {v1 |

v2c | v3} [md5 | sha | remote
ENGINE-ID]
[AUTHENTICATION-PASSWORD]
[ENCRYPTION-PASSWORD]
Removes the SNMP group data:
If you specify only the group name, all

groups with that name are removed,
regardless of security model and level.
If you specify the security model, only the

group matching all conditions is removed.
Creates an SNMP local or remote user:
USERNAME: the name of the user on

the host that connects to the
Agent.
SNMP user is not configured
GROUPNAME: the name of the group

is limited to 32 characters
v1, v2c, v3: the security model.

Table 1
md5: enables HMAC-MD5 (Message

Digest 5) authentication
sha: enables HMAC-SHA (Secure Hash

Algorithm) authentication
(only for v3 users)remote ENGINEID: creates a remote user by its

engine ID, in hexadecimal format
FF:FF:FF:FF
ENCRYPTION-PASSWORD: the PDUs sent

to or received by this user should
be encrypted, with the key
generated from the encryption
password; up to 32 characters
AUTHENTICATION-PASSWORD: the
authentication password string up
to 32 characters
no user USERNAME GROUPNAME {v1

| v2c | v3}
Removes the specified user definition
target-address ADDR-NAME
Defines the notification target address:
no target-addr ADDR-NAME
message-model {v1 | v2c | v3}
ADDR-NAME: the name of the

notification target address up to
32 characters
Removes the notification target address.

Defines the security model specifying the version
of the protocol in which the traps are sent (for
more information, refer to Table 1):
v1, with TRAP-V1 PDU type
v2c with TRAP-V2 PDU type
v3, with TRAP-V2 PDU type)
v2c
no message-model
Page 15
Command
Description
security-level {noAuthNoPriv
| authNoPriv | authPriv}
Defines the SNMP level of security:
authNoPriv, authPriv,
noAuthNoPriv: the security level.
Table 2
If no security level is specified,

noAuthNoPriv security level is assumed
no security-level
address TARGET-ADDRESS
Defines the IP address of the target:
A.B.C.D: the IP address of the

target
0.0.0.0
no address
Restores to default
security-name USERNAME
Defines the security name that identifies how

SNMP messages will be generated using this
entry:
USERNAME: the security user name
no security-name
Removes the security name
dst-port <port-number>
Specifies the UDP port number:
port-number: in the range of <162,

1025-65535>
162
no dst-port
timeout <value>
Configures the time to wait for an

acknowledgement before resending an
unacknowledged inform PDU:

seconds
15 seconds
no timeout
retry-count <value>
Configures the number of retries if there is no

response from the client on the informs:
3 retries
no retry-count
type [both | inform | trap]
Defines the notification type:
no type
show snmp-server [displaylevel <level> |
statistics]
Page 16
both: specifies both inform- and

trap-type notifications
inform: specifies inform-type

notifications
trap: trap-type notifications
Removes the configured notification type

Displays the bind address, the status of the
SNMP server, and the UDP port on which SNMP
Command
Description
is enabled:
show snmp engine [displaylevel <level>]
level: in the range of <0-64>
statistics: the SNMP server

statistics
Displays the local SNMP Engine ID of the SNMP

Agent, all Engine IDs that are known to the
Agent, and information about the inform operation
values:
show snmp-system [displaylevel <level>]
Displays the SNMP server system configuration:
show snmp views [displaylevel <level>]
Displays the users and associated remote engine

ID:
show snmp target-address [displaylevel

<level>]
Displays the configured groups, associated

views, and security model. If the security model is
USM (v3), the command displays the security
level:
show snmp access [displaylevel <level>]
Displays all configured views and the viewmask

of a particular view (if configured):
show snmp group [displaylevel <level>]
Displays the notification target address:
Table 4: Notification Types

Argument Value
Description
authenticationFailure
This notification indicates that the SNMP entity,

acting as an Agent, has received a protocol
message that is not properly authenticated. The
authentication method depends on the version of
SNMP that is used. For SNMPv1 or SNMPv2c,
authentication failure occurs for packets with an
incorrect community string. For SNMPv3,
authentication failure occurs for packets with an
incorrect SHA/MD5 authentication key or for a
packet that is outside of the authoritative SNMP
engines time window.
prvtSysMonCpuTemperature
This notification indicates that the sending Agent

senses that the internal temperature has
exceeded the program threshold.
prvtSysMonCpuUtilization

sensed that the CPU utilization has passed the
programmed threshold.
customerCreated
This notification is generated when an entry in

custInfoTable is created.
Page 17
Page 18
Argument Value
Description
customerDeleted
This notification is generated when an entry in

custInfoTable is deleted.
prvtSysMonFansTest
This notification indicates that the sending agent

senses that one of the fans changed its status.
lagLinkDown
This notification is generated when lag link

becomes down.
lagLinkUp
This notification is generated when lag link

becomes up.
lagMemberAdd
This notification is generated when a new port is

added to a LAG link. The first ifIndex indicates the
ID of the trunk interface. The second one displays
the added port member.
lagMemberLinkDown
This notification is generated when the LAG link

becomes down. The first ifIndex indicates the ID
of the trunk interface. The second one shows the
port member with link status change.
lagMemberLinkUp
This notification is generated when the LAG link

becomes up. The first ifIndex indicates the ID of
the trunk interface. The second one displays the
port member with a link status change.
lagMemberRemove
This notification is generated when a port is

removed from a LAG. The first ifIndex indicates
the ID of the trunk interface. The second one
shows the removed port member.
linkDown

acting as an Agent, has detected that the
ifOperStatus object for one of its communication
links is about to enter the down state from some
other state (but not from the notPresent state).
This other state is indicated by the included value
of ifOperStatus.
linkUp

acting as an Agent, has detected that the
ifOperStatus object for one of its communication
links left the down state and transitioned into
another state (but not into the notPresent state).
The other state is indicated by the included value
of ifOperStatus.
mplsAutoTunnelDown
This notification is generated when a

mplsAutoTunnelOperStatus object for one of the
configured tunnels is about to enter the down
state from some other state (but not from the
notPresent state). This other state is indicated by
the included value of mplsAutoTunnelOperStatus.
mplsAutoTunnelUp
his notification is generated when a

mplsAutoTunnelOperStatus object for one of the
configured tunnels is about to leave the down
state and transition into some other state (but not
into the notPresent state). This other state is
indicated by the included value of
mplsAutoTunnelOperStatus.
Argument Value
Description
mplsDynTunnelDown

mplsDynTunnelOperStatus object for one of the
the included value of mplsDynTunnelOperStatus.
mplsDynTunnelUp

mplsDynTunnelOperStatus object for one of the
mplsDynTunnelOperStatus.
mplsManTunnelDown

mplsManTunnelOperStatus object for one of the
the included value of plsManTunnelOperStatus.
mplsManTunnelReoptimized
This notification is generated when a tunnel is

reoptimized. If the mplsTunnelARHopTable is
used, then this tunnel instance's entry in the
mplsTunnelARHopTable MAY contain the new
path for this tunnel some time after this trap is
issued by the agent.
mplsManTunnelUp

plsManTunnelOperStatus object for one of the
mplsManTunnelOperStatus.
mstNewRoot
This notification indicates that a new root is

elected by the Multiple Spanning Tree algorithm.
mstTopologyChange
This notification indicates that the topology

change is detected by the Multiple Spanning Tree
algorithm.
prvtSysMonOnBoardPowerSupplyTest
Change in onBoardPowerSupplyTest results
portSecurityViolation
This notification indicates that a security violation

is done on a port defined as a secure port.
prvtSysMonPortStatisticsTest
This notification indicates that port statistics test

has changed.
prvtSysMonPowerSupplyFansTest
Change in powerSupplyFansTest results
prvtSysMonPowerSupplyTest
This notification indicates that the sending agent

senses that one of the power supplies changed its
status.
prvtCfm1wJitterThreshold
This notification is sent when CFM one way jitter

threshold crossed.
prvtCfmAisLckCleared
The notification is sent each time AIS/LCK

condition is cleared.
Page 19
Page 20
Argument Value
Description
prvtCfmAisLckRecieved
A MEP may generate a AIS/LCK notification each

time its AIS/LCK condition is activated.
prvtCfmFaultAlarm
A MEP has a persistent defect condition. A

notification (fault alarm) is sent to the
management entity with the OID of the MEP that
has detected the fault.
prvtCfmFaultAlarmCleared
A MEP has a persistent defect condition has

cleared. A notification is sent to the management
entity with the OID of the MEP that has cleared
the fault.
prvtCfmFrameLossThreshold
This notification is sent when CFM frame loss

threshold crossed.
prvtCfmJitterThreshold
This notification is sent when CFM two way jitter

threshold crossed.
prvtCfmLatencyThreshold
This notification is sent when CFM latency

threshold crossed.
prvtCfmUnexpectedPriority
The Unexpected Priority defect is calculated at the

ETH layer. It detects the configuration of different
Priorities for CCM at different MEPs belonging to
the same MEG. Refer to G.8021/Y.1341.
prvtConfigChangeAlarm
This notification is generated when the value of

configurable attribute is changed. Use the
notification to trigger maintenance polling of the
running configuration on the device. One of the
variables points either to entry of the modified
table or the OID of the modified scalar object.
prvtEfmOamDyingGasp
Generates a dying-gasp alarm.

This notification indicates for a failure due to loss
of local power - Dying Gasp. In order for dyinggasp trap to be functional, also configure
warmStart and coldStart notifications.
Dying-gasp is sent only to one server (last one
used).
prvtEfmOamLoopBackState
This notification is changed when DOT3-OAM

Loopback state has changed.
prvtEfmOamNonThresholdEvent
This notification is sent when a local or remote

threshold crossing event is detected. A local
threshold crossing event is detected by the local
entity, while a remote threshold crossing event is
detected by the reception of an Ethernet OAM
Event Notification OAMPDU that indicates a
threshold event. This notification should not be
sent more than once per second. The OAM entity
can be derived from extracting the ifIndex from the
variable bindings. The objects in the notification
correspond to the values in a row instance in the
dot3OamEventLogTable. The management entity
should periodically check dot3OamEventLogTable
to detect any missed events.
Argument Value
Description
prvtEfmOamThresholdEvent
This notification is sent when a local or remote

non-threshold crossing event is detected. This
notification should not be sent more than once per
second.
prvtEpsDefectAlarm
This notification is sent when EPS service

operational status changed or protocol defect
occurred.
prvtEpsLostCommunication
This notification is sent when EPS communication

failed.
prvtEpsProtctSignalFailDetected
The alarm is issued in case of CCMs are not

received on the protected link and (3.5 *
CCMtime(CCMinterval)) has expired or the
protected link is down.
prvtEpsProtctSignalFailRecovery
The alarm is issued in case of CCMs start to be

received correctly again on the protected link after
a prvtEpsProtctSignalFailDetected alarm occurred
and (3.5 * CCMtime(CCMinterval)) timer no longer
expires or the link is up .
prvtEpsRestoredCommunication
This notification is sent when EPS communication

restored.
prvtEpsSignalDegradeDetected
This notification is sent when monitored error

threshold is crossed.
prvtEpsSignalDegradeRecovery
The alarm is issued in case of monitored error

threshold is crossed bellow limis:
1W Jitter error
2W Jitter error
Latency error
Frame loss error.
prvtEpsSignalFailDetected
This notification is sent when three consecutive

CCMs are not received.
prvtEpsSignalFailRecovery
The alarm is issued in case of CCMs start to be

received correctly again after a
prvtEpsSignalFailDetected alarm occurred and
(3.5 * CCMtime(CCMinterval)) timer no longer
expires or the link is up .
prvtEpsSwitchoverAlarm
This notification is sent when EPS service active

link changed.
prvtRapsDefectAlarm
This notification is sent when ring EPS service

operational status changed or a protocol defect
occurred.
Page 21
Page 22
Argument Value
Description
prvtRapsInstSubRingDefectAlarm
This trap will be sent by any subring instance

when it notices a defect.
So far only the situation when two or more RPLowners are defined in the ring is identified as a
defect. This scenario is noticed when the instance
with the RPL-Owner role receives a RAPS packet
with the RB bit set in its status field from a
different NodeID than its own.
The management entity receiving the notification
can identify the system from the network source
address of the notification, and can identify the
instance reporting the change by the indices in the
OID of the prvtRapsInstSubRingOperStatus
variable in the notification.
prvtRapsInstSubRingSwitchoverAlarm
his trap will be sent by any subring instance when

it changes state.
The management entity receiving the notification
can identify the system from the network source
address of the notification, and can identify the
instance reporting the change by the indices in
the OID of the prvtRapsInstSubRingRapsState
variable in the notification.
prvtRapsSwitchoverAlarm
This notification is sent when ring EPS service

active link changed.
prvtResilientLinkStatusChange
This notification indicates that the resilient link

status changed, identified by the
resilientLinkIndex.
prvtSaaRFC2544ProbeFailed
This notification is sent for each failed SAA probe

ping packet.
prvtSaaRFC2544ProbeSuccess
This notification is sent for each successfully

completed SAA probe ping.
prvtSaaTestRfc2544Finished
This notification is sent for each completed SAA

test.
prvtSaaY1731DelayFarEndThreshold
The SAA Y1731 Far End delay threshold crossed

the preconfigured threshold in any direction,
raising or falling.
prvtSaaY1731DelayNearEndThreshold
The SAA Y1731 Near End delay threshold

crossed the preconfigured threshold in any
direction, raising or falling.
prvtSaaY1731FrLossFEThreshold
The SAA Y1731 Far End frame-loss threshold

prvtSaaY1731FrLossNearEndThreshold
The SAA Y1731 Near End frame-loss threshold

prvtSaaY1731JitterFarEndThreshold
The SAA Y1731 Far End jitter threshold crossed

raising or falling.
Argument Value
Description
prvtSaaY1731JitterNearEndThreshold
The SAA Y1731 Near End jitter threshold crossed

raising or falling.
prvtSysMonRamUsage

sensed that the internal amount of free RAMs is
lower than a program threshold.
sapCreated
This trap is sent when a new row is created in the

sapTable.
sapDeleted
This trap is sent when an existing row is deleted

from the sapTable.
sdpCreated

sdpTable.
sdpDeleted

from the sdpTable.
serviceCreated

serviceTable.
serviceDeleted

from the serviceTable.
sfpPlugged
This trap is sent when SFP is inserted.
sfpUnPlugged
This trap is sent when SFP is extracted.
stNewRoot
This notification indicates that a new root is

elected by the Spanning Tree algorithm.
stTopologyChange
This notification indicates that the topology

change is detected by the Spanning Tree
algorithm.
syncEthernetDPLLChanged
Some of the DPLL's operational status changes.
syncEthernetDPLLLockFailed
If after new Reference selection the DPLL can't

lock onto it, this will affect the Clock Source
associated with that reference
syncEthernetDPLLReferenceChange
DPLL's reference clock changed.
syncEthernetInvalidESMC
Invalid ESMC has been received.
syncEthernetInvalidQualityLevelReceived
Invalid Quality level equals to QL-INVx has been

received.
syncEthernetQualityLevelChange
Current value of syncEthernetClockSourceQuality

has been changed.
Page 23
Page 24
Argument Value
Description
prvtSwAclIfAcgApplyFailed
This notification indicates that access group is not

properly applied in hardware.
This means that traffic will not be filtered as
expected. User should either remove this access
group or rearrange other access groups.
prvtSwAclIfAcgRLimitApplyFailed

prvtSwAclIfAcgRedirectApplyFailed

prvtSwAclIfAcgFcApplyFailed

prvtSwAclIfAcgMonPrfApplyFailed

prvtSwAclSapAcgApplyFailed

prvtSwAclSapAcgRLimitApplyFailed

prvtSwAclSapAcgRedirectApplyFailed

prvtSwAclSapAcgFcApplyFailed

Argument Value
Description
prvtSwAclSapAcgMonPrfApplyFailed

coldStart
This notification is generated on device restart

caused by unplugging the power cable or using
the power switch.
warmStart
This notification is generated on device restart

caused by specific a CLI command.
Page 25
SNMP Configuration Example

Creating Users
In this example, an SNMP user is added to the device. The user is named tester and is attached to
a group named public. The SNMPv3 community is parsed by the SNMP Agent as the user name.
1.
Enable SNMP:
device-name(config-system)#snmp
2.
Create a view that includes the entire MIB tree from root:
device-name(config-snmp)#view internet 1.3 included
3.
Create a user named tester that uses SNMPv3 and attach it to a group named public without
authentication and privacy:
device-name(config-snmp)#group public noAuthNoPriv read internet write
internet notify internet
device-name(config-snmp)#user tester public v3
4.
Enable SNMP server:

device-name(config-snmp)#no shutdown
5.
Commit the configuration:

device-name(config-snmp)#commit
Commit complete.
device-name(config-snmp)#end
Page 26
6.
Display the SNMP configuration:

device-name#show snmp
SNMP engine configuration
===============================================================================
Local snmpEngineID
: 800002E203005043B5AA9B
snmpEngineBoots
: 30
snmpEngineTime
: 17
snmpEngineMaxMessageSize : 9216
===============================================================================
SNMP Views
===============================================================================
MIB View name
: internet
MIB Subtree
: 1.3
MIB Subtree Mask
MIB Subtree View type
: included
===============================================================================
Number of entries: 1
SNMP Groups table
===============================================================================
SNMP group name
: public
Security-model
: noAuthNoPriv
Read-only MIB view
: internet
Read-write MIB view
: internet
Accessible-for-notify MIB view
: internet
===============================================================================
SNMP user access configuration
===============================================================================
SNMP user name
: tester
SNMP group name
: public
SNMP version
: SNMPv3
Authentication type
: None
Authentication password string
: N/A
Encryption password
: N/A
Remote Engine ID
===============================================================================
SNMP Notification targets
===============================================================================
7.
Display the configured SNMP groups:

device-name#show snmp group
SNMP Groups table
===============================================================================
SNMP group name
: public
Security-model
: noAuthNoPriv
Read-only MIB view
: internet
Read-write MIB view
: internet
Accessible-for-notify MIB view
: internet
===============================================================================
Page 27
SNMP Notification for Users

In this example, a user named private with IP address 20.0.0.5 is attached to a group named
private_grp. This user receives SNMPv1 notifications linkUp and linkDown.
1.
Enable SNMP:
device-name(config-system))#snmp
2.
Create a view that includes the entire MIB tree from root:
device-name(config-snmp)#view internet 1.3 included
3.
Create a group named public that supports notifications:

device-name(config-snmp)#group public
internet notify internet
4.
noAuthNoPriv read internet write
Create a user named tester that uses SNMPv3, and attach it to the already created group named
public:
device-name(config-snmp)#user tester public v3
5.
Create the target address my_pc with IP address 20.0.0.5:

device-name(config-snmp)#target-address my_pc
device-name(config-target-address-my_pc)#address 20.0.0.5
device-name(config-target-address-my_pc)#message-model v3
device-name(config-target-address-my_pc)#security-name tester
device-name(config-target-address-my_pc)#security-level noAuthNoPriv
device-name(config-target-address-my_pc)#type trap
device-name(config-target-address-my_pc)#exit
6.
Enable SNMP server:

7.

device-name(config-snmp)#commit
Commit complete.
device-name(config-snmp)#end
8.
Display the SNMP server:

device-name#show running-config system snmp
system
snmp
engine-id
80:00:02:e2:03:00:a0:12:64:05:60
no shutdown
view internet 1.3
group public noAuthNoPriv read internet write internet notify internet
user tester public v3
target-address my_pc
address
20.0.0.5
message-model v3
security-name tester
Page 28
type
trap
Page 29
Page 30
Feature
Standards
MIBs
RFCs
Simple Network
Management
Protocol (SNMP)
STD0015, Simple
Network
Management
Protocol
STD0016, Structure
of Management
Information
STD0017,
Management
Information Base
STD0058, Structure
of Management
Information Version 2
(SMIv2)
STD0062, Simple
Network
Management
Protocol Version 3
(SNMPv3)
Public MIBs:
SNMPV1-MIB
MIB-II (RFC1213MIB)
SNMP-COMMUNITYMIB (RFC2576)
SNMPv2-MIB
SNMP-VIEWBASED-ACM-MIB
SNMP-USERBASED-SM-MIB
RFC 1157, SNMPv1

The Simple Network
Management Protocol: A
full Internet Standard
RFC 1213, Management
Network Management of
TCP/IP-based internets:
MIB-II
RFC 2579, Textual
Conventions for SMIv2
RFC 2580, Conformance
Statements for SMIv2
RFC 3410, Introduction
and Applicability
Statements for Internet
Standard Management
Framework
RFC 3411, An
Architecture for
Describing Simple
Network Management
Protocol (SNMP)
Management
Frameworks
RFC 3412, Message
Processing and
Dispatching for the
Simple Network
Management Protocol
(SNMP)
RFC 3413, Simple
Network Management
Protocol (SNMP)
Applications
RFC 3414, User-based
Security Model (USM) for
version 3 of the Simple
Network Management
Protocol (SNMPv3)
RFC 3415, View-based
Access Control Model
(VACM) for the Simple
Network Management
Protocol (SNMP)
RFC 3416, Version 2 of
the Protocol Operations
for the Simple Network
Management Protocol
(SNMP)
Feature
Standards
MIBs
RFCs
RFC 3417, Transport
Mappings for the Simple
Network Management
Protocol (SNMP)
RFC 3418, Management
Information Base (MIB)
for the Simple Network
Management Protocol
(SNMP)
RFC 1901, Introduction to
Community-based
SNMPv2.
RFC1902, Structure of
Management Information
for Version 2 of the
Simple Network
Management Protocol
(SNMPv2).
RFC1905, Protocol
Operations for Version 2
of the Simple Network
Management Protocol
(SNMPv2).
RFC3584, Coexistence
between Version 1,
Version 2, and Version 3
of the Internet-standard
Network Management
Framework
Page 31
Table of Contents
Table of Figures 2
List of Tables 2
Features Included in This Chapter 3
Managing User Privilege Levels 4
Default User Name and Password 4
User Privilege-Level Configuration 5
Users and Privilege Level Commands 5
Remote Authentication Dial in User Service (RADIUS) 11
The RADIUS Negotiation Procedure 11
Defining User Privileges on the RADIUS Server 12
RADIUS Configuration Flow 13
RADIUS Commands 13
Terminal Access Controller Access-Control System Plus (TACACS+) 18
TACACS+ Negotiation 18
Defining User Privileges on the TACACS+ Server 19
TACACS+ Configuration Flow 20
TACACS+ Commands 20
Comparing TACACS+ and RADIUS 24
Telnet 25
Telnet Commands 25
Secure Shell (SSH) 27
SSH Commands27
Prioritizing ARP Packets 30
ARP Prioritization Commands 30
Device Authentication (Rev. 01)
Page 1
Table of Figures
Figure 1: User Privilege Levels Configuration Flow ......................................................................... 5
Figure 2: A RADIUS Communication Example ............................................................................. 11
Figure 3: RADIUS Configuration Flow ............................................................................................ 13
Figure 4: TACACS+ Configuration Flow ........................................................................................ 20
List of Tables
Table 1: Privilege Profile Types ............................................................................................................ 4
Table 2: Default Device Username and Password ............................................................................ 4
Table 3: User and Privilege Level Commands ................................................................................... 6
Table 4: RADIUS Commands ............................................................................................................ 14
Table 5: TACACS+ Server Responses .............................................................................................. 18
Table 6: TACACS+ Commands ........................................................................................................ 21
Table 7: A comparison between TACACS+ and RADIUS ........................................................... 24
Table 8: Telnet Commands ................................................................................................................. 25
Table 9: SSH Commands .................................................................................................................... 27
Table 10: ARP Prioritization Commands ......................................................................................... 30
Page 2
T-Marc3208SH
Features Included in This Chapter

This chapter provides information on security features incorporated into the T-Marc 3208SH
software as protection from unauthorized access.
This chapter includes the following features:
Managing User Privilege Levels

Profile-based access to the management functions of the device through an authorized
user list defined either locally or by remote database lookup.
Remote Authentication Dial in User Service (RADIUS)

Authentication, authorization, and accounting protocol used to authenticate users
requesting access to the device.
Terminal Access Controller Access-Control System Plus (TACACS+)

Security protocol, used for remote authentication, authorization, and accounting, through
communication between the device and an authentication database.
Telnet
Telnet, part of the TCP/IP protocol suite, is a virtual terminal protocol that allows you to
make connections to remote devices.
Secure Shell (SSH)

Secure Shell (SSH) is a UNIX-based command interface and protocol for securely getting
access to a remote computer.
Page 3
Managing User Privilege Levels

Management access to the Command Line Interface (CLI) requires a user name and password
associated with one of five, predefined privilege profiles designed to protect the CLI from
unauthorized access. Each profile determines the level of access available to the user.
Table 1: Privilege Profile Types
Profile Type
Description
Administrators
Full read/write privileges (without restriction) for Layers 2 and 3.
Network-Admins
Read/write privileges for Layers 2 and 3 without access to security

(usernames and passwords), debug commands, and other
administrative settings (such as software upgrade and device
reload).
Technicians
Read/write privileges for Layer 2 and read-only privileges for Layer

3.
Users
Read-only privileges for Layers 2 and 3. Users with this privilege

level have access to all show commands and general commands
such as exit, quit, ping, and traceroute commands.
Guests
Read-only privileges in Root mode.
During logon, the device checks the user name and password either against a table that is stored
locally or in a remote database:
Locally: Authentication occurs through a database of user names and passwords located on
the local file system. If a remote database exists but the device is unable to make contact after
repeated attempts, the local database is queried instead. If there is no response or the local
database does not exist, the user is not permitted access.
RADIUS/TACACS+: Authentication occurs through contact with a remote database lookup

that can be used for other authentication tasks. Information contained in the remote database
is not shared with the local database.
Default User Name and Password

Initial access to the device requires the default user name and password supplied as part of the
installation process:
Table 2: Default Device Username and Password
Page 4
Username
Password
admin
Admin
User Privilege-Level Configuration
Figure 1: User Privilege Levels Configuration Flow
Users and Privilege Level Commands

The following section describes the command hierarchy for Users and Privilege Level
Configuration and provides a list of available commands as well as a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ system
+ security
+ [no] password preferred-authentication {local | radius

| tacacs}
+ [no] privilege-profile PRIVILEGE-PROFILE-NAME
+ [no] netconf-access-rule <number>
- action {permit | permit_log | deny}

- match COMMAND-STRING
- namespace NAME
- operation {r | rw | rwx | rx | w | wx | x}
+ [no] command-access-rule <number>
- action {permit | permit_log | deny}
Page 5
- match COMMAND-STRING
- agent cli]
- operation {r | x | rx}
+ [no] user USER-NAME
- member PRIVILEGE-PROFILE-NAME
- password PASSWORD
Configuration Commands
Table 3: User and Privilege Level Commands
Command
Description
config terminal
system
security
Enters Security Configuration mode
password preferred-authentication
{local | radius | tacacs}
Specifies the device login-authentication

method:
local: local authentication

method
radius: RADIUS authentication

method
tacacs: TACACS+ authentication

method
Local authentication method

no password preferredauthentication
Restores to default
privilege-profile PRIVILEGE-
Specifies a new privilege profile and enters

Profile Configuration mode:
PROFILE-NAME
no privilege-profile PRIVILEGE-
PROFILE-NAME
netconf-access-rule <number>
PRIVILEGE-PROFILE-NAME: a string
of <1-256> characters. You can
use predefined privilege profiles
(see Table 1)
Removes the defined privilege profile

Specifies a NETCONF access rule:
number: in the range of <1-50>
NOTE
Before executing the netconfaccess-rule command, you
must commit all changes.
no netconf-access-rule
<number>
Page 6
Removes the NETCONF access rule:
Command
Description
action {permit | permit_log
| deny}
match COMMAND-STRING
Specifies the access rule type:
permit: permits the rule
permit_log: permits log messages

for all permitted rules
deny: denies the rule
Specifies a command matching the specified

access rule:
namespace NAME
Specifies the namespace name for the selected

rule:
operation {r | rw | rwx | rx
| w | wx | x}
command-access-rule <number>
COMMAND-STRING: a string of
characters
NAME: a string of <1-256>

characters
Specifies the operation type:
r: read
rw: read-write
rwx: read-write-execute
rx: read-execute
w: write
wx: write-execute
x: execute
Specifies a command access rule:
NOTE
Before executing the commandaccess-rule command, you
must commit all changes.
no command-access-rule
<number>
action {permit | permit-log

| deny}
match COMMAND-STRING
Removes the command access rule

Specifies the access rule type:
permit: permits the rule
permit-log: permits log messages

for all permitted rules
deny: denies the rule
Specifies a command matching the selected

access rule:
COMMAND-STRING: a command string
agent cli
Specifies the management agent for the

selected rule
operation {r | x | rx}
Specifies the operation type permitted/denied

by the specified rule:
r: read
x: execute
rx: read-execute
Page 7
Command
Description
user USER-NAME
Creates a new username in the local database

and enters User Configuration mode:
no user USER-NAME
member PRIVILEGE-PROFILE-
NAME
password PASSWORD
USER-NAME: a case-sensitive
string of <1-100> characters
(blank spaces and question marks
(?) are not allowed)
Removes the defined username

Assigns a user to a profile:
PRIVILEGE-PROFILE-NAME: a string
of <1-256> characters. You can
use predefined privilege profiles
(see Table 1)
Specifies a password for the user:
PASSWORD: case-sensitive string

of <1-64> characters (blank
spaces are not allowed)
1.
Define a privilege profile telco which denies access to the device via CLI:
Device-name#config
Device-name(config)#system
Device-name(config-system)#security
Device-name(config-security)#privilege-profile telco
Device-name(config-privilege-profile-telco)#command-access-rule 2
Device-name(config-command-access-rule-2)#action deny
Device-name(config-command-access-rule-2)#agent cli
Device-name(config-command-access-rule-2)#match "file ls"
Device-name(config-command-access-rule-2)#operation rx
Device-name(config-command-access-rule-2)#exit
Device-name(config-command-access-rule-3)#match "config terminal"
Device-name(config-command-access-rule-4)#match "config no-confirm"
Device-name(config-command-access-rule-5)#match config
Page 8
Device-name(config-command-access-rule-5)#commit
Device-name(config-privilege-profile-telco)#exit
2.
Create an user telco and assign it to a profile:

Device-name(config-security)#user telco
Device-name(config-user-telco)#member telco
Device-name(config-user-telco)#password telco
Device-name(config-user-telco)#commit
login as: telco
telco@10.3.171.101's password:
T-Marc 3208SH
telco connected from 10.3.71.96 using ssh on T-Marc 3208SH
3.
Display the port status after applying the access rule:

Device-name#show port
Aborted: permission denied
4.
Display the authentication details in the device running configuration:

Device-name#show running-config system security
system
security
password preferred-authentication local
privilege-profile admin
!
privilege-profile guests
!
privilege-profile net-admins
!
privilege-profile technicians
!
privilege-profile tester
command-access-rule 2
action
deny
agent
cli
match
"file ls"
operation rx
!
action
deny
agent
cli
match
"config terminal"
operation rx
!
action
deny
agent
cli
match
"config no-confirm"
operation rx
Page 9
!
action
deny
agent
cli
match
config
operation rx
!
!
privilege-profile users
!
user tester
password $1$zrynUo$D7sdDdi0ps/BdQnrksXvH0
member
tester
!
!
!
Page 10
Remote Authentication Dial in User Service

(RADIUS)
RADIUS is a client-server protocol used during user authentication. The protocol provides the
following AAA services:
Authentication: determining who a user (or entity) is
Authorization: determining what a user is allowed to do
Accounting: tracking network activity for each user
The RADIUS client (typically a Network Access Server [ NAS]) exchanges UDPs with the
RADIUS server (usually a UNIX or Windows NT daemon process) to authenticate userconnection requests.
NAS sends user-connection requests to designated RADIUS servers. The RADIUS server returns
the configuration information needed by NAS to provide the user with requested access. The RSA
MD5 algorithm encrypts user passwords prior to exchange between the NAS and RADIUS server.
The NAS and the RADIUS server authenticate transactions using a shared secret key that is not
sent over the network.
The RADIUS Negotiation Procedure

The following figure demonstrates a typical RADIUS negotiation procedure. In this example:
The user sends a Telnet request to connect to a T-Marc 3208SH device (NAS).
The device sends an Access Request packet, which contains the user name, encrypted password,
NAS IP address, and port to the RADIUS server. The request packet also provides
information about the type of session the user wants to initiate.
Figure 2: A RADIUS Communication Example
Page 11
The RADIUS server first validates NAS (based on the shared secret-key) then validates the
user request against a local database by matching the password (and in some cases, other
parameters such as the port number). The RADIUS server then:
sends an acceptance message if the user information is validated. The acceptance message
includes a list of attributes that should be used in the session. An important parameter is
the privilege level of the authenticated user.
sends a rejection message if the user is not found in the database or the information does
not match. The message may or may not include the reason for the rejection.
Based on this response, NAS accepts or rejects the request.
Defining User Privileges on the RADIUS Server

The following procedure describes how to ensure correct user privileges on the RADIUS server.
The example refers only to FreeRADIUS server authentication.
1.
Complete the RADIUS configuration (as described in the FreeRADIUS README file) on
the RADIUS server.
2.
Copy an additional dictionary.batm file (with the information shown below) to the folder
containing the RADIUS configuration files. The free RADIUS server version is 2.1.0.
------------------------------------------------dictionary.batm
------------------------------------------------VENDOR
BATM
738
ATTRIBUTE
3.
BATM-privilege-profile
string
BATM
Assign a privilege level to all other users in the users configuration file, as shown in the
following example:
------------------------------------------------raddb/users
------------------------------------------------admin
net-admins
tech
users
guests
4.
Page 12
Auth-type := Local, Cleartext-Password :=

Reply-Message = "Hello, administrator!",
BATM-privilege-profile =admin
Reply-Message = "Hello, NET admin!",
BATM-privilege-profile =net-admins
Reply-Message = "Hello, technician!",
BATM-privilege-profile = technicians
Reply-Message = "Hello, user!",
BATM-privilege-profile = users
Reply-Message = "Hello, guests!",
BATM-privilege-profile = guests
"adminpass"
"net-adminspass"
"techpass"
"userspass"
"guestspass"
Add the following line to the dictionary file (in the RADIUS-configuration folder):
$INCLUDE dictionary.batm
5.
Add the subnetwork address from which NAS is connected to the clients.conf file:
------------------------------------------------raddb/clients.conf
------------------------------------------------client 10.3.0.0/16 {
secret
= secretkey
}
RADIUS Configuration Flow
Figure 3: RADIUS Configuration Flow
RADIUS Commands
This section describes the command hierarchy for RADIUS configuration and provides a list of
available commands as well as a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ system
+ security
- [no] radius-server
- [no] host A.B.C.D
- [no] port <number>
Page 13
- [no] deadtime <minutes>
- [no] key KEY
- [no] key-storage-type {local | file}

- [no] retransmit <count>
- [no] timeout <seconds>

- show radius-statistics
- clear-radius-statistics statistics
Table 4: RADIUS Commands
Command
Description
config terminal
system
security
radius-server
Enters RADIUS Server Configuration mode
no radius-server
Removes the RADIUS Server configuration
host A.B.C.D
Selects up to 5 RADIUS severs.

The device connects to the RADIUS servers using
the order you define:
A.B.C.D: the RADIUS server's IP

address
NOTE
When the RADIUS server is
unavailable (either shut down or
disconnected), the device retransmits
the request three times. On
retransmission timeout for the third
try, the device attempts
authentication using the local
database.
No RADIUS servers are configured
no host
port <number>
Remove the IP address for the configured RADIUS

server
Specifies the UDP-authentication port number:
number: in the range of <1024

65535>
1812
no port
Page 14
Restores to default
Command
Description
deadtime <minutes>
Specifies length of time, expressed in minutes, that

the device will wait for an authentication response
before declaring the RADIUS server unavailable
and moving to the next RADIUS server:
minutes: in the range of <01440>

minutes
3 minutes
no deadtime
Restores to default
key KEY
Specifies a key used to encrypt/decrypt traffic

between the device and the RADIUS server:
KEY: a string of <1-255> characters
no key
Removes the configured key
key-storage-type {local |
file}
Specifies the type of encryption key storage:
local: the encrypted key, as

entered, is stored in the running
configuration
file: the encryption key is stored

in a separate file in the Flash
memory. Only the name of the file
containing the key is displayed in
the running configuration
Local
no key-storage-type
Restores to default
retransmit <count>
Specifies the number of attempts the device will

make to transmit an authentication request to the
RADIUS server, before declaring the RADIUS
server unavailable:
count: in the range of <130>
3 retries
no retransmit
Restores to default
timeout <seconds>
Specifies the length of time, expressed in seconds,

that the device will wait for a reply from the
RADIUS server before transmitting the request
again:
seconds: in the range of <160>

seconds
3 seconds
no timeout
Restores to default
Specifies the source address of RADIUS packets:
The device uses the source IP of the server

network. The typical use of the sources IP is
the loopback address.
no source-address
Page 15
Command
Description
RADIUS server:
no dscp-mapping
show radius-statistics
Displays the RADIUS statistics for accounting and

authentication packets
clear-radius-statistics statistics
Clears the RADIUS statistics
1.
Select the RADIUS server and define the shared secret key:
device-name(config-system)#security
device-name(config-security)#radius-server host 10.2.42.137
device-name(config-host-10.2.42.137)#exit
device-name(config-security)#radius-server key batm
2.
Create local user localuser and password mypass:

device-name(config-security)#user localuser password mypass member users
device-name(config-user-localuser)#exit
3.
Configure the RADIUS timers:

device-name(config-security)#radius-server retransmit 3
device-name(config-security)#radius-server timeout 10
device-name(config-security)#radius-server deadtime 3
4.
Define the device login-authentication method:

device-name(config-security)#password preferred-authentication radius
device-name(config-security)#commit
device-name(config-security)#end
5.
Display the RADIUS configuration:

device-name#show running-config system security
system
security
password preferred-authentication radius
radius-server
host 10.2.42.137
!
key
$2$3c544ef45f0bc43f
timeout 10
!
privilege-profile admin
!
privilege-profile guests
!
Page 16
privilege-profile net-admins
!
privilege-profile technicians
!
privilege-profile users
!
!
!
6.
Display the RADIUS statistics:

device-name#show radius-statistics
===========================================================================
===
Statistic
| Counter
===========================================================================
===
request-send
|
6
access-accept
|
2
access-reject
|
1
invalid-responces
|
0
packets-droped
|
0
responces-from-unknown-address
|
0
===========================================================================
===
Configuration Results
When accessing the device using the username richy, the RADIUS server sends a REJECT
reply:
Username:richy
Password:
Username:
When accessing the device using the username admin and the password adminpass, the
RADIUS server sends an ACCEPT reply, authenticating the user:
Username:admin
Password:adminpass
device-name#
Page 17
Terminal Access Controller Access-Control System

Plus (TACACS+)
TACACS+ is a security protocol used in communication between network devices and an
authentication database for the purpose of remote authentication, authorization, and accounting.
TACACS+ is based upon communication between a Network Access Server (NAS) (T-Marc
3208SH device) and the TACACS+ authentication server. TCP communication, used by
TACACS+, is considered a more reliable protocol than UDP (the protocol used by RADIUS).
TACACS+ Negotiation
When a user attempts to connect to the device, the following actions occur:
1.
NAS mediates between the user and the TACACS+ server. NAS prompts for a username.
2.
When the user types a username at the prompt, NAS prompts for a password.
3.
When the user types a password, NAS sends the username and password to the TACACS+
server.
The TACACS+ server may request additional identifying information, other than the user
name and password, for user authentication.
4.
When the user enters the required information, the TACACS+ server returns one of the
following responses:
Table 5: TACACS+ Server Responses
Page 18
Response
Description
ACCEPT
User authentication succeeds. Based on configuration, NAS might need to

start the authorization phase.
REJECT
User authentication does not succeed. Depending on the TACACS+ server

configuration, the user either is prompted to retry login or is denied access
to the network.
ERROR
An error occurred during authentication (such as a network connection

issue). In this case, NAS typically attempts authentication by an alternate
method.
CONTINUE
The TACACS+ server prompts the user for further authentication

information.
Defining User Privileges on the TACACS+ Server

TACACS+ usernames and privilege levels are defined in the TACACS+ configuration file. The
following example displays the contents of a TACACS+ server configuration file. The free
TACACS+ server version is F4.0.3.alpha.
------------------------------------------------tac_plus.conf
------------------------------------------------key = "secretkey"
user = admin {
login = cleartext "adminpass"
service = batm {
Group = "admin"
}
}
user = tech {
login = cleartext "techpass"
service = batm {
Group = "technicians"
}
}
user = guest {
login = cleartext "guestpass"
service = batm {
Group = "guests"
}
}
Page 19
TACACS+ Configuration Flow
Figure 4: TACACS+ Configuration Flow
TACACS+ Commands
Commands Hierarchy
device-name#
+ config terminal
+ system
+ security
- [no] tacplus
- [no] host A.B.C.D
- [no] description DESCRIPTION
- [no] key KEY
- [no] timeout <seconds>

Page 20
Table 6: TACACS+ Commands
Command
Description
config terminal
system
security
tacplus
Enters TACACS+ Server Configuration mode
no tacplus
Removes the TACACS+ Server configuration
host A.B.C.D
Selects TACACS+ server(s), up to 5

RADIUS servers
The device connects the TACACS+ servers in a
predefined order:
A.B.C.D: the TACACS+ server's IP

address
No TACACS+ servers are configured
NOTE
If the TACACS+ server is
unavailable (shut down or
disconnected), the device
retransmits the request three
times. On retransmission timeout
for the third try, the device
attempts authentication using the
local database.
no host
description DESCRIPTION
Removes the configured IP address for the

TACACS+ server
Describes the TACACS+ server:
no description
DESCRIPTION: a string of
<1255> characters
Removes the TACACS+ server description
key KEY
Specifies an encryption key used to

encrypt/decrypt traffic between the device and
the TACACS+ server:
KEY: a string of <1-255>

characters
no key
Removes the configured key
timeout <seconds>
Specifies the length of time, expressed in

seconds, that the device will wait for an
authentication response from the TACACS+
server before declaring the server unavailable:
seconds: in the range of <160>

seconds
3 seconds
Page 21
Command
Description
no timeout
Restores to default
Specifies the source address of TACACS+
packets:
The device uses the source IP of the

server network. The typical use of the
sources IP is the loopback address.
no source-address

TACACS+ server:
no dscp-mapping
Device Configuration:
1.
Select the TACACS+ server and define the shared encryption key:
device-name(config-system)#security
device-name(config-security)#tacplus host 10.2.42.137
device-name(config-security)#tacplus key TacacsPlus
2.
Define the device login-authentication method:

device-name(config-security)#password preferred-authentication tacacs
device-name(config-security)#commit
device-name(config-security)#end
3.
Display the TACACS+ configuration:

device-name#show running-config system security
system
security
password preferred-authentication tacacs
tacplus
host 10.2.42.137
description test
!
key $2$846b519358b80098
!
Configuration Results
When accessing the device using username richy, the TACACS+ server sends a REJECT
reply:
Username:richy
Page 22
Password:
Username:
When accessing the device using username admin and password radminpass, the TACACS+
server sends an ACCEPT reply, authenticating the user:
Username:admin
Password:adminpass
device-name#
When the TACACS+ server is unreachable/down, local authentication is used.
Page 23
Comparing TACACS+ and RADIUS

Table 7: A comparison between TACACS+ and RADIUS
Page 24
Feature
RADIUS
TACACS+
Communication
Protocol
UDP
TCP
Authentication and
Authorization
Combined AAA processes
AAA architecturethree separate

processes: Authentication,
Authorization, and Accounting
Packet Encryption
Encrypts only the password sent

by the user to the server
Encrypts the entire packet body

but leaves a standard TACACS+
header
Router Management
Sends the device a privilege

level used for command
authorization
Controls command authorization

on a per-user or per-group basis
by assigning privilege levels to
commands
Multiprotocol Support
Does not support the following

protocols:
Offers multiprotocol support
AppleTalk Remote Access

(ARA)
NetBIOS Frame Protocol

Control
Novell Asynchronous
Services Interface (NASI)
X.25 PAD connection
Telnet
Telnet is a network protocol used to provide a bidirectional communications facility using a virtual
terminal connection. User data is transmitted over the Transmission Control Protocol (TCP).
Telnet Commands
Commands Hierarchy
device-name#
- telnet {A.B.C.D | HOSTNAME} [<port-number>]
+ config terminal
+ system
+ telnet-server
- [no] port <number>

- [no] shutdown
Table 8: Telnet Commands
Command
Description
device-name#
Operational mode
telnet {A.B.C.D | HOSTNAME} [<portnumber>]
Initiates a Telnet connection to a specified

remote device:
A.B.C.D: the remote devices IP

address
HOSTNAME: the remote devices name
port-number: (optional) the TCP

port number for the service, in
the range of <165535>
port 23
The Telnet connection is password-protected.
The default password is admin. The
default user name is admin too.
config terminal
system
telnet-server

Enters Telnet server Configuration mode
Page 25
Command
Description
Limits the access to the Telnet server only from

the specific IP address:

A.B.C.D/32 defines a specific IP
address.
no access source-ip
port <value>
Specifies the port through which the Telnet


range of <165535>
port 23
no port <value>
Restores to default
Configures Telnet to listen on a specified IP


interfaces)
no source-address
Restores to default
Specifies a DSCP priority of packets sent from

Telnet server:
Page 26
no dscp-mapping
shutdown
Stops the Telnet server
no shutdown
Starts the Telnet server
Secure Shell (SSH)

SSH is a protocol that provides a secure, remote connection to a device. SSH provides more
security for remote connections than Telnet does by providing strong encryption when a device is
authenticated.
The operating system offers both an SSH server and an SSH client. You can connect to the devices
SSH server from an SSH client, or you can connect your device's SSH client to another device that
has an SSH server.
To access the device via SSH protocol, install one of the following supported SSH clients on your
PC:
SSH Communications Security Corp
OpenSSH
PuTTY terminal program
F-Secure SSH
SecureCRT
Other clients that supports SSH version 2
To connect to the device, use the IP address for the device in the SSH client.
SSH Commands
Commands Hierarchy
device-name#
- ssh USERNAME@{A.B.C.D | SSHNAME}
+ config terminal
+ system
- [no] ssh-server

- [no] port <value>
- [no] shutdown
Table 9: SSH Commands
Command
Description
device-name#
Operational mode
Page 27
Command
Description
ssh USERNAME@{A.B.C.D | SSHNAME}
Connects to a SSH server from the devices

SSH client:
USERNAME@: the username to access

the SSH server. The user name must
be followed by the ape symbol (@).
A.B.C.D: the IP address of the SSH

server
SSHNAME: the name of the SSH

server
After executing the command, you are prompted

for the user password.
The default username to access the SSH
server is root. The default password is
root too.
config terminal
system
ssh-server
Enters SSH Configuration mode
no ssh-server
Removes the SSH configuration details
Limits the access to the SSH server only from

no access source-ip

A.B.C.D/32 defines a specific IP
address.
Removes the trusted IP address

Configures SSH to listen on a specified IP

interfaces)
no
source-address
port <value>
Restores to default
Specifies the port through which the SSH

range of <165535>
port 22
no port
Restores to default
Specifies a DSCP priority of packets sent from
SSH server:
no dscp-mapping
Page 28
Command
Description
shutdown
Disables the SSH server

The SSH server is disabled
no shutdown
Re-enables the SSH server
Page 29
Prioritizing ARP Packets

Use Class of Service (CoS) Forwarding Classes (FC) to protect ARP packets from being dropped
during periods of network congestion and delay.
ARP Prioritization Commands

Commands Hierarchy
+ config terminal
+ system
- [no] router
- [no] arp priority-mapping fc {af | be | ef | h1 | h2 |

l1 | l2 | nc}
Configuration Commands
Table 10: ARP Prioritization Commands
Command
Description
config terminal
system
router
Enters the Router Configuration mode
no router
Removes the router configurations
arp priority-mapping fc {af | be |

ef | h1 | h2 | l1 | l2 | nc}
Sends the ARP packets to user-defined

forwarding class (FC):
be: assigns be FC to the ARP

packets
l2: assigns l2 FC to the ARP

packets
af: assigns af FC to the ARP

packets
l1: assigns l1 FC to the ARP

packets
h2: assigns h2 FC to the ARP

packets
ef: assigns ef FC to the ARP

packets
h1: assigns h1 FC to the ARP

packets
nc: assigns nc FC to the ARP

packets
be
Page 30
Command
no arp priority-mapping fc
Description
Restores to default
Page 31
Page 32
Feature
Standards
MIBs
RFCs
User-Privilege
Levels
Not supported
Not supported
Not supported
RADIUS
Not supported
Not supported
RFC 2865, Remote

Authentication Dial In User
Service (RADIUS)
RFC 2869, Remote

Authentication Dial In User
Service (RADIUS) Extensions
TACACS+
Not supported
Not supported
draft-grant-tacacs-02tacrfc.1.78.txt draft
SSH
Not supported
Not supported
Not supported
Telnet
Not supported
Not supported
Not supported
Physical Ports and Logical Interfaces

Table of Contents
Table of Figures 1
List of Tables 2
Device Interface Types 4
Fast and Giga Ethernet Ports 4
Ports and IP Interface Commands 5
Ports Configuration Example 9
IP-Interface Configuration Example 11
Link Aggregation Groups (LAGs) 13
LAG Configuration 14
Link Aggregation Control Protocol (LACP) 14
LAG Commands 15
LACP Configuration Example 18
Resilient Links 22
Resilient Links Configuration Notes 22
Resilient Link Commands23
Traffic Storm-Control 25
Storm-Control Commands 25
Table of Figures
Figure 1: Four Ports Combined into a Link Aggregation Group ................................................. 13
Figure 2: Example of Two LAGs Configured on the Same Device ............................................. 19
Physical Ports and Logical Interfaces (Rev. 01)
Page 1
List of Tables
Table 1: Ports Configuration Commands ........................................................................................... 6
Table 2: IP Interface Configuration Commands ............................................................................... 7
Table 3: Commands Used to Display and Clear Port Settings and Statistics ................................ 8
Table 4: LAGs Configuration Commands........................................................................................ 16
Table 5: Commands Used to Display and Clear LAG Settings and Statistics ............................. 18
Table 6: Resilient Links Commands .................................................................................................. 23
Table 7: Descriptions of the Storm-Control Configuration Commands ..................................... 25
Page 2
T-Marc3208SH

This chapter describes the T-Marc 3208SH device interface types, which includes load sharing,
resiliency and security solutions. Configuration examples are also provided.
The chapter includes the following sections:
Fast and Giga Ethernet Ports

This section details the physical T-Marc 3208SH device ports and lists configuration
commands.
Link Aggregation Groups (LAGs)

Link Aggregation Groups (LAGs) combine several ports in one logical link. LAGs
provide increased bandwidth and redundancy as well as higher availability.
Resilient Links
A resilient link consists of a main link and a standby (backup) link that together form a
resilient-link pair. Resilient links protect critical links and prevent network downtime.
Traffic Storm-Control
The traffic storm-control feature prevents LAN ports from being disrupted by a
broadcast, multicast, and/or unicast traffic storm.
Page 3
Device Interface Types

There are two device interface types, one physical and the other logical:
Device Port: Device ports are Layer 2 only interfaces associated with a physical port.
Software Interface: A logical, Layer 3 (IP) interface specifying various attributes such as IP
address and mask. A single port can be associated with more than one IP interface via Virtual
Local Area Network (VLAN) configuration.
Fast and Giga Ethernet Ports

With this T-Marc 3208SH device, service providers can deliver multiple services on separate user
ports. A single port can support multiple application flows with each flow mapped to a different
traffic class.
The T-Marc 3208SH device supports:
Page 4
Four Gigabit Ethernet SFP ports (100 Mbps and 1 Gbps)
One of the following 8 Ethernet combo ports:

Fiber SFPs (100 Mbps and 1 Gbps)
Copper ports (10 Mbps, 100 Mbps, and 1 Gbps)
(optional) Four or eigth E1/T1 TDM ports
Ports and IP Interface Commands

This section defines the command hierarchy used by both the physical port and the logical IP
interface as well the available commands for both. Also included are configuration examples for
both.
Command Hierarchy
device-name#
+ config terminal
+ port UU/SS/PP
- [no] ethertype <value>
- [no] speed {10 | 100 | 1000 | auto}

- [no] duplex {auto | full | half}
- [no] default-vlan <vlan-id>
- [no] flow-control
- [no] mtu <value>
- [no] self-egress-filter
- [no] shutdown
+ [no] router
+ [no] interface {outBand0 | loN | swN}

- [no] address A.B.C.D/M

- [no] mtu <value>
- [no] shutdown
- show router interface [name]
- show router interface statistics
- show port [UU/SS/PP] [statistics | detailed]
- clear port UU/SS/PP statistics
The following tables list separate configuration commands for ports and interfaces. Commands
used to display/clear port settings and statistics are also included:
Table 1: Ports Configuration Commands
Table 2: IP Interface Configuration Commands
Table 3: Commands Used to Display and Clear Port Settings and Statistics
Page 5
Table 1: Ports Configuration Commands

Command
Description
config terminal
port UU/SS/PP
Enters Configuration Mode for a specific port:
ethertype <value>
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Specifies the packet ethertype value of forwarded

packets:
value: valid values:
0x88A8 - Provider Bridging (IEEE 802.1ad)

0x8100 - VLAN-Tagged Frame
0x9100 - Q-in-Q
0x8100
no ethertype
Restores to default
Description of the port:
no description
speed {10 | 100 | 1000
DESCRIPTION: a string of <1-255>

characters
Removes the port description

|
auto}
Specifies the speed of the port:
10, 100, 1000: duplex speed, in

Mbps
auto: the port automatically finds

the highest supported speed
Auto
no speed
Restores to default
duplex {auto | full | half}
Specifies the ports duplex mode:
auto: auto detect mode
full: full duplex mode
half: half duplex mode
Auto
no duplex
Restores to default
default-vlan <vlan-id>
Specifies the default VLAN for the port (only one

default VLAN allowed per port):
vlan-id: in the range of <14094>
Page 6
no default-vlan
Restores to default
flow-control
Controls the amount of data sent from the

transmitting port to the receiving port (also called
Flow Control Mode).
Disabled
no flow-control
Restores to default
Command
mtu <value>
Description
Specifies the maximum packet size allowed for
the port.
The port can send frames larger than the
configured MTU but cannot accept frames of that
size.
value: in the range of <25612288 >

Bytes
1544 Bytes
no mtu
Restores to default
self-egress-filter
Denies packets received on the selected port from

being sent back to the same port.
NOTE
The command is applied only

on port selected to be a SAP port
in VPLS services.
Disabled
no self-egress-filter
Restores to default
shutdown
Disables the port (the port no longer receives,

forwards, or learns)
no shutdown
Enables the port
Table 2: IP Interface Configuration Commands

Command
Description
config terminal
router
Enters Router Configuration mode
no router
Removes router configurations
interface {outBand0 | loN | swN}
Creates an IP interface and enters Configuration

Mode for the IP-Interface:
outBand0: an Ethernet network

interface
loN: an internal logical loopback

IP-interface. N: in the range of
<09>
swN: an IP interface number in the

range of <09999>
NOTE

versa.
Page 7
Command
no interface {outBand0 | loN |
swN}
Description
Removes the created IP interface:

interface

<09>

range of <09999>
NOTE
To remove the created IP interface,
remove the IP interface from all
VLANs of which it is a member.
Describes the IP interface:
DESCRIPTION: a string of up to 256

characters (spaces are allowed)
no description
Removes the IP interface description
address A.B.C.D/M
Specifies the IP address for the IP interface:
no address
Removes the IP address of the IP interface:
mtu <value>
A.B.C.D/M: the IP address of the IP

interface and subnet mask (M) in
the range of <130>
A.B.C.D/M: the IP address of the IP
interface and subnet mask (M) in
the range of <132>
Specifies the maximum packet size allowed for

the interface:
value: in the range of <256 >

Bytes
1544 Bytes
no mtu
Restores to default
shutdown
Disables the interface
no shutdown
Enables the interface
Table 3: Commands Used to Display and Clear Port Settings and Statistics
Page 8
Command
Description
show port [UU/SS/PP] [statistics |

detailed]
Displays the status and configuration of all ports

or a specific port:
UU/SS/PP: (optional) 1/1/1-1/1/4,

1/2/1-1/2/8
statistics: (optional) displays

port statistics and packet counters
detailed: (optional) displays

detailed configuration information
for the port
Command
Description
show router interface name { outBand0 |

loN | swN}
Displays the status and configuration of the

selected interface:

interface

<09>

range of <09999>
show router interface statistics
Displays interface statistics and packet counters
clear port [UU/SS/PP] statistics
Clears all port statistics:
UU/SS/PP: clears statistics for the

selected port: 1/1/1-1/1/4 and
1/2/1-1/2/8
Ports Configuration Example

1.
Enter the Configuration mode of port 1/1/1:

device-name(config)#port 1/1/1
2.
Specify the speed of the port:

device-name(config-port-1/1/1)#speed 1000
device-name(config-port-1/1/1)#commit
3.
Specify the duplex type for the port:

device-name(config-port-1/1/1)#duplex full
4.
Describe the port as 1/1/1:

device-name(config-port-1/1/1)#description 1/1/1
5.
Set the MTU for the port to 4096:

device-name(config-port-1/1/1)#mtu 4096
6.
Display the configuration of the port:

device-name#show port 1/1/1 detailed
===============================================================================
Ethernet Interface
===============================================================================
Interface
: 1/1/1
Description
: 1/1/1
Admin State
: up
Port State
: down
Config Duplex
: full
Operational Duplex
: unknown
Config Speed
: 1000
Operational Speed(Mbps) : unknown
------------------------------------------------------------------------------Flow Control
: disabled
Dual Port
: No
Active Link
: No-Link
Page 9
------------------------------------------------------------------------------Default VLAN
: 1
MAC Learning
LAG ID
: N/A
MTU[Bytes]
: 4096
===============================================================================
===============================================================================
Transceiver Data
===============================================================================
Transceiver Type
: Unknown
Cable Connector
: Unknown
Vendor Name
: N/A
Encoding
: Unknown
Manufacture Date
: N/A
Media
: n/a
Serial Number
: N/A
TX Laser Wavelength: n/a
Part Number
: N/A
Revision Level
: N/A
Link Length Support: N/A

------------------------------------------------------------------------------Transceiver Compliance
Ethernet
Fibre Channel:
: Unknown
Media : Unknown
InfiniBAND : Unknown
Tech
10G
: Unknown
Speed : unknown
: Unknown
ESCON
: Unknown
Length: unknown
SONET
: Unknown
------------------------------------------------------------------------------Diagnostic:
Bitrate:
Digital Diagnostic Monitoring : no
Nominal: 0
Internal Calibration
: no
Maximum: 0% above nominal
External Calibration
: no
Minimum: 0% below nominal
Avgerage Power Measurement
: no
Address Change Required
: no
===============================================================================
7.
Display the configuration of all ports:

NOTE
Ports 1/3/9 and 1/4/9 are allocated to the CES modules.
The example below shows that 1/3/9 is the only port used by the CES module.
device-name#show port
==============================================================================
Ports Information
==============================================================================
Port
Admin
Port
Id
State
State MTU
Cfg
LAG
Speed
Duplex
Dual Port
Id
Properties
-----------------------------------------------------------------------------1/1/1
Enable
Down
4096
N/A
Unknown Unknown No
not-installed
1/1/2
Enable
Down
1544
N/A
Unknown Unknown No
not-installed
1/1/3
Enable
Down
1544
N/A
Unknown Unknown No
not-installed
1/1/4
Enable
Down
1544
N/A
Unknown Unknown No
not-installed
1/2/1
Enable
Up
1544
N/A
1G
RJ45
1/2/2
Enable
Down
1544
N/A
Unknown Unknown Yes
not-installed
1/2/3
Enable
Down
1544
N/A
Unknown Unknown Yes
not-installed
1/2/4
Enable
Down
1544
N/A
Unknown Unknown Yes
not-installed
1/2/5
Enable
Down
1544
N/A
Unknown Unknown Yes
not-installed
1/2/6
Enable
Down
1544
N/A
Unknown Unknown Yes
not-installed
1/2/7
Enable
Down
1544
N/A
Unknown Unknown Yes
100BASE-SX-MM-SFP
1/2/8
Enable
Up
1544
N/A
1G
1000BASE-SX-MM-SFP
1/3/9
Enable
Up
1544
N/A
Unknown Unknown Yes
RJ45
1/4/9
Enable
Down
1544
N/A
Unknown Unknown Yes
not-installed
Full
Full
Yes
Yes
===============================================================================
Number of ports: 14
Number of link up ports: 3
Page 10
8.
Display the statistics information of port 1/1/1:

device-name#show port 1/1/1 statistics
===============================================================================
Port Statistics
===============================================================================
Input
Output
------------------------------------------------------------------------------Unicast Packets
168
132
Multicast Packets
Broadcast Packets
198
Flow Control
Discards
Errors
-------------------------------------------------------------------------------Total
171
335
===============================================================================
===============================================================================
Ethernet Statistics in Packets
===============================================================================
RX CRC Errors
RX Undersize
TX Collisions
------------------------------------------------------------------------------Input
Output
------------------------------------------------------------------------------Fragments
Oversize
Jabbers
------------------------------------------------------------------------------Octets
48583
Packets
506
Packets of 64 Octets
264
Packets of 65 to 127 Octets
142
97
Packets of 1519 or more Octets
-------------------------------------------------------------------------------Total
171
335
===============================================================================
===============================================================================
Rates in Bytes per Second
===============================================================================
Input
Output
Rate for last 10 sec
Rate for last 60 sec
===============================================================================
IP-Interface Configuration Example

1.
Create IP interface sw10 and enter the IP-Interfaces Configuration mode:

device-name(config-router)#interface sw10
device-name(config-interface-sw10)#commit
Page 11
2.
Assign IP address 200.1.1.1/24 to interface sw10:

device-name(config-interface-sw10)#address 200.1.1.1/24
3.
Describe the interface:

device-name(config-interface-sw10)#description IpIfsw10
4.
Create VLAN 10 and associate sw10 with it:

device-name(config)#port 1/1/1 default-vlan 10
device-name(config-port-1/1/1)#exit
device-name(config-vlan-10)#routing-interface sw10
device-name(config-vlan-10)#untagged 1/1/1
device-name(config-vlan-vlan10/10)#commit
device-name#show vlan
====================================================================
VLANs Information
====================================================================
Name
| L3 Interface |VTag| Created By | Owned By
|
-------------------+--------------+----+-------------+-------------+
default
| sw0
|1
| User
| User
|
-------------------------------------------------------------------Tagged Ports:
-------------------------------------------------------------------Untagged Ports: 1/1/1 1/1/2 1/1/3 1/1/4 1/2/1 1/2/2 1/2/3
1/2/4 1/2/5 1/2/6 1/2/7 1/2/8
-------------------------------------------------------------------====================================================================
Name
|
-------------------+--------------+----+-------------+-------------+
vlan10
| sw10
|10 | User
| User
|
-------------------------------------------------------------------Tagged Ports:
-------------------------------------------------------------------Untagged Ports: 1/1/1
--------------------------------------------------------------------
Page 12
Link Aggregation Groups (LAGs)

Link Aggregation Groups (LAGs) combine several ports in one logical link. All links within a LAG
operate at the same data rate (specifically, 10 Mbps, 100 Mbps, 1 Gbps). By aggregating multiple
Giga ports (as shown in the following figure), LAGs also support bandwidths beyond 10 Gpbs.
LAGs provide increased bandwidth and high reliability and eliminate the cost of hardware
upgrades.
NOTE
LAGs are numbered from 1 to 14.
Each LAG can consist of up to eight compatibly configured ports.
Figure 1: Four Ports Combined into a Link Aggregation Group
There are two LAG types:
Static LAGs, which consist of individual Gigabit Ethernet links bundled into a single logical
link, treat multiple device ports as one device port. These port groups act as a single logical
port for high-bandwidth connections between two network devices. A static LAG balances
the traffic load across the links in the channel. If a physical link within the static LAG fails,
traffic previously carried over the failed link moves to the remaining links.
Most protocols can operate using LAG infrastructure as though all ports in the group
were a single, physical port.
Dynamic LAGs dynamically adapt aggregated links to changes in traffic conditions using the
Link Aggregation Control Protocol (LACP) to accommodate load sharing and automatic
readjustments in case of LAG link-failure and recovery.
Page 13
LAG Configuration
You can configure both static and dynamic LAGs simultaneously, assuming the following
restrictions:
Both static and dynamic LAGs receive unique identifiers from the same LAG ID pool. Each
LAG, whether static or dynamic, must have its own LAG ID number.
Each port can only belong to a single LAG but that LAG can be either static or dynamic.
Link Aggregation Control Protocol (LACP)

The Link Aggregation Protocol (LACP) is the protocol used by a LAG. LACP, defined in IEEE
802.3ad, dynamically groups similarly configured ports into a single logical link (aggregate port) to
increase bandwidth and redundancy as well as provide higher availability. You can group ports
based on hardware or by administrative and port parameter constraints.
The device exchanges LACP frames to synchronize LACP-enabled port databases.
You can group up to a maximum of eight compatible ports in one LAG.
LACP Modes
LACP has two operational modes:
Active: When active, the port can start LACP negotiation and as a result form a link with
another device. The other device can be either active or passive.
Passive: The port does not start LACP negotiation.
LACP Parameters
The following factors define the ability of a port to aggregate with other ports:
Physical characteristics such as, data transfer rate, duplex capability, and medium type
User-defined configuration constraints
To use LACP, define the following parameters:
Page 14
1.
Enter the System ID. The System ID identifies the LACP system negotiating with other
LACP systems. The System ID is always the MAC address for the device.
2.
Define System Priority. System priority, along with port priority, provides the means for
connected LACP ports to determine dynamically an exchange policy.
3.
Enter the Administrative key to define the ability of the port to aggregate with other ports.
4.
Define port priority. Port and system priority work together so that connected LACP ports
can dynamically determine an exchange policy.
5.
Enable the LACP.
NOTE
When enabled, LACP attempts to group the maximum of eight compatible ports in a
LAG. However, if LACP is unable to aggregate compatible ports (for example, due
to remote device limitations), these ports remain in a hot standby state to be used
when one of the channeled ports fail.
LAG Commands
In this section, the command hierarchy used by LAGs is defined. Also presented is a list of useable
commands and configuration examples.
Command Hierarchy
device-name#
+ config terminal
+ ethernet
+ [no] lag
- [no] distribution-type {L2 | L3 | L4}

+ [no] lag-id agN

- [no] lacp enable
- lacp mode {active | passive}
- [no] lacp administrative-key <number>
- [no] lacp id <number>
- [no] lacp marker {disable | enable}

- [no] lacp priority <number>
+ [no] port UU/SS/PP

- show ethernet lag
- [no] priority <number>
- show ethernet lag lag-id agN [details | statistics]
- clear lag [lag-id agN] statistics
Page 15
In this section, configuration commands are described in the following tables:
Table 4: LAGs Configuration Commands
Table 5: Commands Used to Display and Clear LAG Settings and Statistics
Table 4: LAGs Configuration Commands

Command
Description
config terminal
ethernet
lag
Enters LAG Configuration mode
no lag
Removes LAG configurations
distribution-type {L2 | L3 | L4}
Specifies the LAG packet-distribution between

the ports:
L2: distributes packets based on

the source and destination MAC
addresses of the packets

the source and destination IP
addresses of the packets

the TCP/UDP ports.
L2
no distribution-type
Restores to default
lag-id agN
Creates a static LAG and enters LAG

Configuration mode:
no lag-id agN
Removes the created static LAG

Describes the LAG:
Page 16

<1-14>
1255 characters (spaces are
allowed)
no description
Removes the LAG description
lacp enable
Enables the Link Aggregation Control Protocol

(LACP)
Disabled
no lacp enable
Restores to default
Command
Description
lacp administrative-key
<number>
Specifies the LACP administrative key,

determining the ability of the port to aggregate
with other ports.
A unique LACP administrative key must be
specified for each LAG.
1
no administrative-key
Restores to default
lacp id xx:xx:xx:xx:xx:xx
Assigns a user-defined system ID of a specific

dynamic LAG:
xx:xx:xx:xx:xx:xx: user-defined
system ID, in a MAC address format
the MAC address of the device

no lacp id
Restores to default
lacp marker {disable | enable}
Enables the device to respond to LACP marker

requests
Disabled
no lacp marker
Restores to default
lacp mode {active | passive}
Specifies the LACP negotiating mode:
active: places a port into an

active negotiating state. The port
initiates negotiations by sending
LACP packets to other ports
passive: places a port into a

passive negotiating state. The
port responds to received LACP
packets but does not initiate
negotiation
Active
no lacp mode [active |
passive]
Restores to default or to specific negotiating

mode
lacp priority <number>
Specifies the LACP system priority. LACP uses

system priority, together with the device MAC
address, to form the system ID. System Priority
is also used during negotiation with other
systems:

(higher numbers have lower
priority)
32768
no lacp priority
Restores to default
Page 17
Command
Description
port UU/SS/PP
Adds a port to a LAG and enters LAG Port

Configuration mode.
When a LAG is used as an uplink, its
member ports must be shut down before the
LAG is deleted.
no port [UU/SS/PP]
Removes the selected port from a LAG group:
priority <number>
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

1/2/1-1/2/8
Specifies the priority of an individual port within

the LAG:
32768
no priority
Restores to default
Table 5: Commands Used to Display and Clear LAG Settings and Statistics
Command
Description
show ethernet lag
Displays the status and configuration of all LAGs
show ethernet lag lag-id agN [details |

statistics]
Displays the status and configuration of the

selected LAG:
clear lag [lag-id agN] statistics

<1-14>
details: LAG detail information
statistics: LAG statistics and

packet counters
Clears all LAG statistics:
agN: clears statistics for a

specific LAG ID, where N is in the
range of <1-14>
LACP Configuration Example

The following example establishes two dynamic link aggregation groups between Device1,
Devices2 and Device3.
Page 18
Figure 2: Example of Two LAGs Configured on the Same Device
Configuring Device 1:
In the following example ports 1/1/1, 1/1/2,
ag1 and ag2 on which LACP is enabled.
1.
1/1/3, and 1/1/4 are added respectively to LAG
Create static LAGs ag1 and ag2. Add relevant ports to both LAGs:
device-name(config)#ethernet
device-name(config-ethernet)#lag lag-id ag1
device-name(config-lag-id-ag1)#port 1/1/1
device-name(config-port-1/1/1)#port 1/1/2
2.
Enable LACP on both LAGs:

device-name(config-lag-id-ag1)#lacp enable
device-name(config-lag-id-ag1)#commit
Commit complete.
device-name(config-lag-id-ag1)# lag lag-id ag2
Commit complete.
3.
Display LAG configuration:

device-name#show ethernet lag lag-id ag1 details
Interface Name ag1
Mode: network
Distribution Type: L2
Page 19
Operational Status: up
LACP: enabled
LACP Mode: active
System ID: 005043b5aa9c
System Priority: 32768
Administrative Key: 1
Marker: disabled
Port
Admin Status
Oper Status
Priority
Aggr Status
----------------------------------------------------------1/1/1
up
up
32768
success
1/1/2
up
up
32768
success
Interface Name ag2
Mode: network
LACP: enabled
LACP Mode: active
System ID: 005043b5aa9c
Marker: disabled
Port
Admin Status
Oper Status
Priority
Aggr Status
----------------------------------------------------------1/1/3
up
up
32768
success
1/1/4
up
up
32768
success
In the following example ports 1/1/1 and 1/1/2 are added to LAG ag1 on which LACP is enabled.
1.
Create static LAG ag1. Add relevant ports to the LAG:

2.
Enable LACP on the LAG:

Commit complete.
3.

Interface Name ag1
Mode: network
Page 20
LACP: enabled
LACP Mode: active
System ID: 005043b5aa66
Marker: disabled
Port
Admin Status
Oper Status
Priority
Aggr Status
----------------------------------------------------------1/1/1
up
up
32768
success
1/1/2
up
up
32768
success
In the following example ports 1/1/3 and
enabled.
1.
1/1/4 are added to LAG ag2 on which LACP is
Create static LAG ag2. Add relevant ports to the LAG:

2.
Enable LACP on the LAG:

Commit complete.
3.

Interface Name ag2
Mode: network
LACP: enabled
LACP Mode: active
System ID: 005043b5aa77
Marker: disabled
Port
Admin Status
Oper Status
Priority
Aggr Status
----------------------------------------------------------1/1/3
up
up
32768
success
1/1/4
up
up
32768
success
Page 21
Resilient Links
Resilient links protect critical links and prevent network downtime. A resilient link consists of a
main link and a standby (backup) link that together form a resilient-link pair. Under normal
network conditions, the main link carries network traffic. In case of signal loss, the device
immediately switches to the standby link. There is no session timeout since switchover to the
standby link occurs in less than one second.
If the main link has a higher bandwidth than its standby or if the main link is configured as a
preferred link, the device switches traffic back to the main link as soon as the connection recovers.
Otherwise, you must manually switch traffic back to the main link.
Resilient Links Configuration Notes

When configuring resilient links, note the following:
Define a resilient-link pair only on one end of the link. This provides a fully redundant
network, even when connecting the device to other devices, such as routers and servers.
If using shutdown mode, configure on one device (either local or remote).
When configuring a VLAN, the resilient link ports must belong to the same VLAN.
Ports can reside on different LICs.
You can configure a resilient link pair only if:
Page 22
The ports have the same PVID
Neither port is part of a LAG
Neither port belongs to another resilient-link pair.
Resilient Link Commands

In this section, the command hierarchy for Resilient Links is defined and a list of available
commands is provided. Included also, is a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ ethernet
+ [no] resilient-link resN
- backup-mode {standby | shutdown}

- backup-port UU/SS/PP
- primary-port UU/SS/PP
Table 6: Resilient Links Commands
Command
Description
config terminal
ethernet
resilient-link

resN
Enables the resilient link feature and enters

Resilient-link Configuration mode:
no resilient-link
backup-mode {standby | shutdown}
N: in the range of <1-256>
Disables the resilient link feature

Specifies the standby (backup) link behavior:
standby: the port is powered on

(the LED for the port is on)
shutdown: the port is powered off

(the LED for the port is off)
Standby
backup-port UU/SS/PP
Specifies the standby (backup) port for the

resilient-link pair:
primary-port UU/SS/PP
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Specifies the main port of the resilient-link pair:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
In the following example ports 1/1/1 and 1/1/2 define a resilient-link pair res1.
Page 23
1.
Enter the Configuration mode of resilient link
res1:
device-name(config-ethernet)#resilient-link res1
2.
Define primary and backup ports:

device-name(config-resilient-link-res1)#primary-port 1/1/1
device-name(config-resilient-link-res1)#backup-port 1/1/2
3.
Define resilient link behavior:

device-name(config-resilient-link-res1)#backup-mode standby
device-name(config-resilient-link-res1)#commit
Commit complete.
4.
Display the resilient link configuration:

device-name#show ethernet resilient-link res1
INTERFACE
BACKUP
NAME
PRIMARY BACKUP REVERTIVE MODE
ACTIVE SWAPS
--------------------------------------------------------------res1
1/1/1
1/1/2
No
standby N/A
0
Page 24
Traffic Storm-Control
The traffic storm-control feature prevents LAN ports from being disrupted by a broadcast,
multicast, and/or unicast traffic storm. This mechanism regulates the rate at which devices forward
the traffic. Traffic storm-control monitors incoming traffic rates over a 1-second storm-control
interval and, compares this traffic rate with the traffic storm-control rate that you configure. When
the port threshold is met, all incoming traffic on the port is dropped.
Storm-Control Commands
Storm-Control Commands Hierarchy
device-name#
+ config terminal
+ ethernet
+ [no] storm-control
- [no] traffic-type broadcast [rate-threshold

<rate>]
- [no] traffic-type multicast [rate-threshold
<rate>]
- [no] traffic-type unknown [rate-threshold <rate>]
- [no] traffic-type all [rate-threshold <rate>]

- [no] shutdown
- show ethernet storm-control {in-use | port}
Storm-Control Commands Descriptions

Table 7: Descriptions of the Storm-Control Configuration Commands
Command
Description
config terminal
ethernet
Enters the Ethernet Configuration mode
storm-control
Enters the Storm-control Configuration mode
no storm-control
Removes the storm-control configurations
port UU/SS/PP
Selects a port:
no port UU/SS/PP
Removes the port from the configuration:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Page 25
Command
Description
traffic-type broadcast [ratethreshold <rate>]
Specifies the upper threshold rate for

broadcast traffic. The storm control action
occurs when traffic utilization reaches this rate.
rate: the valid range is <0

4294967295> packets per second
(pps), which, calculated on 64byte packet size basis,
translates to the following
limits (in pps):
for 100-megabit ports: 148810

for 1-gigabit ports: 1488095
no traffic-type broadcast
Restores to default
traffic-type multicast [ratethreshold <rate>]
Specifies the upper threshold rate for multicast

traffic:

limits (in pps):

no traffic-type multicast
Restores to default
traffic-type unknown [ratethreshold <rate>]
Specifies the upper threshold rate for unknown

traffic:

limits (in pps):

no traffic-type unknown
Restores to default
traffic-type all [rate-threshold

<rate>]
Specifies the upper threshold rate for all traffic:

limits (in pps):

Page 26
no traffic-type all
Restores to default
shutdown
Disables the storm-control on the port

Disabled
Command
Description
no shutdown
show ethernet storm-control {in-use | port}
Enables the storm-control on the port

Displays the configured thresholds and status
of the ports:
in-use: displays the above

information for all stormcontrol-active ports
port: displays the above

information only for stormcontrol-configured ports
Page 27
Page 28
Feature
Standards
MIBs
RFCs
Fast and Giga

Ethernet Port
IEEE 802.3 Ethernet

IEEE 802.3u Fast
Ethernet
IEEE 802.3x Flow
Control
IEEE 802.3z Gigabit
Ethernet
Public MIBs:
RFC 1213,
Management
Network Management
of TCP/IP-based
internets: MIB-II
(interface table and
configL2IfaceTable)
RMON MIB
Private MIB, PRVTSWITCH-MIB.mib
RFC 2863 The

Interfaces Group MIB
(configL2IfaceTable
and interface table)
Link Aggregation
Groups (LAGs)
IEEE 802.3ad
Private MIB,
PRVT-PORTSAGGREGATIONMIB.mib
Not supported
Resilience Links
Not supported
Private MIB,
PRVT-RESILIENTLINK-MIB.mib
Not supported
Virtual and Super Local Area Networks

Table of Contents
Table of Figures 1
List of Tables 1
Virtual Local Area Network (VLAN) 4
VLAN Tagging 4
Management VLAN 6
VLAN Configuration Flow 7
VLAN Commands 8
Super VLANs 14
Super VLAN Types15
Super-VLAN Commands 16
Table of Figures
Figure 1: IEEE 802.1Q Frame Tag Structure .................................................................................... 4
Figure 2: VLANs in Ingress Traffic ..................................................................................................... 5
Figure 3: VLANs in Egress Traffic ...................................................................................................... 5
Figure 4: VLAN Configuration Flow .................................................................................................. 7
Figure 5: Switching Decisions without the Super VLAN Agent ................................................... 15
Figure 6: Switching Decisions with the Super VLAN Agent......................................................... 15
Figure 7: Super VLAN Ring Mode Configuration Example ......................................................... 16
List of Tables
Table 1: VLAN Commands .................................................................................................................. 8
Virtual and Super Local Area Networks (Rev. 01)
Page 1
Table 2: 802.1Q Service Commands.................................................................................................. 10

Table 3: Super-VLAN Commands .................................................................................................... 17
Page 2
T-Marc3208SH

The chapter contains the following sections:
Virtual Local Area Network (VLAN)

A Virtual LAN (VLAN) forms a user group having common requirements on the same
LAN regardless of physical location. A logical LAN can be implemented using any
physical infrastructure.
Super VLANs
The Super VLAN is a mechanism for separating users within one VLAN into multiple
broadcast domains.
Page 3
Virtual Local Area Network (VLAN)

A Virtual Local Area Network (VLAN) assigns ports to separate, logical, broadcast domains.
Unlike a LAN, a VLAN is not limited to a single device but rather, spans an entire enterprise
organization or WAN link.
Through configuration options, the system administrator can:
Move members from one VLAN to another through port assignment
Set up individual VLANs for a service or group of services offered by the organization
Enforce rule-based polices (such as limiting the type of traffic permitted to pass between users
in a VLAN)
Prioritize VLAN traffic to ensure that Service Level Agreements (SLAs) are met.
Add ports from different LICs to a specific VLAN
VLAN Tagging
The VLAN Tagging Standard, IEEE 802.1Q, requires packets to be tagged at the port with a
unique VLAN ID. An Ethernet Frame, tagged with a VLAN ID inserted into the header,
associates that frame with a specific VLAN. Tagged packets cannot be shared between VLANs
with different VLAN IDs.
VLAN tagging makes it possible for a port that interconnects devices to carry traffic for multiple
VLANs over the same physical connection.
Figure 1: IEEE 802.1Q Frame Tag Structure
A port can belong to one or more VLANs. However, only one VLAN can be defined as the
default for that port. Initially, all device ports are defined as members of a VLAN named Default
with a default VLAN value of one (1).
Ingress Traffic
The following flow diagram shows how the combination of VLAN membership and default
VLAN definition for the port has a direct effect on incoming (ingress) traffic. When the port
receives tagged packets and the port is a member of the VLAN, the packets are redirected to
Page 4
ports that are members of the same VLAN. If not a member of the VLAN, the port drops the
tagged packets. For untagged packets, the port adds a VLAN tag according to its default
VLAN ID and then processes as usual.
Figure 2: VLANs in Ingress Traffic
Egress Traffic
For each VLAN, a member port is further defined as being either a tagged or untagged member
which has a direct effect on outgoing (egress) traffic:
If the port is an untagged member of a VLAN, the port removes the VLAN ID before
forwarding frames for that VLAN.
If the port is a tagged member of a VLAN, the port forwards frames with the VLAN ID as is.
Figure 3: VLANs in Egress Traffic
Page 5
Management VLAN
The Management VLAN controls device management. By connecting to any port assigned to the
Management VLAN, the device administrator can:
Enter Command Line Interface (CLI) commands to the device using SSH or Telnet (Telnet is
disabled by default)
Monitor and manage the device using the SNMP protocol
Use device pinging to troubleshooting connections
Upload/download files, such as software images, using TFTP and FTP file transfer protocols
Direct log messages to a Syslog Server in the same VLAN
The Management VLAN also isolates the management IP address of the device from data traffic
passing through the device to prevent unauthorized access and malicious attacks.
To set up the Management VLAN, enable management access (disabled initially for all VLANs). In
VLAN configuration mode, use the management command. More than one Management VLAN
can be defined for a device.
To delete an existing Management VLAN, first disable management access. In VLAN
configuration mode, use the no management command. Once disabled, Management VLAN can be
deleted.
Page 6
VLAN Configuration Flow

The following figure displays the process used to configure VLAN parameters.
Figure 4: VLAN Configuration Flow
Page 7
VLAN Commands
This section describes the command hierarchy for a Virtual Local Area Network (VLAN) as well as
command descriptions and a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ [no] vlan [VLAN-NAME] <vlan-id>

- [no] cpu
- [no] tagged {UU/SS/PP | PORT-RANGE}

- [no] name VLAN-NAME
- [no] untagged {UU/SS/PP | PORT-RANGE}

- [no] management
- [no] routing-interface swN
- show vlan [detailed id VLAN-ID]
Table 1: VLAN Commands
Command
Description
config terminal
vlan [VLAN-NAME] <vlan-id>
Creates a VLAN with a specified name and ID

(VLAN tag) and enters the VLAN Configuration
mode:
no vlan [VLAN-NAME] <vlan-id>
Page 8
vlan-id: the valid range is <1

4094>
VLAN-NAME: (optional) a string of

<131> characters
Removes the existing VLAN:

4094>
VLAN-NAME: (optional) a string of

<131> characters
cpu
Adds the CPU port to the specified VLAN
no cpu
Removes the CPU port from the VLAN
tagged {UU/SS/PP | PORT-RANGE}
Adds tagged port/s to the specified VLAN.
PORT-RANGE: a hyphenated range of

ports is in format UU/SS/PPUU1/SS1/PP1
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Command
no tagged [UU/SS/PP | PORT-RANGE]
untagged {UU/SS/PP | PORT-RANGE}
no untagged [UU/SS/PP | PORTRANGE]
name VLAN-NAME
Description
Removes a tagged port(s) from the specified
VLAN:
PORT-RANGE: (optional) a
hyphenated range of ports is in
format UU/SS/PP-UU1/SS1/PP1
UU/SS/PP: (optional) 1/1/1-1/1/4

and 1/2/1-1/2/8
Adds port/s as untagged to the specified VLAN.
PORT-RANGE: a hyphenated range of

ports is in format UU/SS/PPUU1/SS1/PP1.
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Removes untagged port(s) from the specified

VLAN:
PORT-RANGE: (optional) a
hyphenated range of ports is in
format UU/SS/PP-UU1/SS1/PP1

1/2/1-1/2/8
Define a text-based VLAN name:
VLAN-NAME: a string of <131>

characters
no name
Removes the configured VLAN name
management
Enables management access to the device from

the current VLAN
Disabled
no management
Disables management access to the device from

the current VLAN
routing-interface swN
Attaches an IP interface to the specified VLAN.

The sw0 IP interface is attached only to the
default VLAN (VLAN ID 1).
no routing-interface
show vlan [detailed id VLAN-ID]
swN: an IP interface number the

valid range is <19999>
Detaches the IP interface from the specified

VLAN
Displays VLAN configuration information:
detailed: configuration
information for the specified VLAN
id VLAN-ID: in the range of 1-4094
802.1Q Service Commands

This section describes the command hierarchy used to configure a Virtual Local Area Network
(VLAN) by services as well as command descriptions and a configuration example.
802.1Q Service Commands Hierarchy
Page 9
device-name#
+ config terminal
+
service
- [no] dot1q <service-id>
- [no] description <value>

- [no] cpu
- [no] sap {UU/SS/PP | agN}
- [no] c-vlan {<cvlan-id> | untagged}
- [no] access-groups-rule-sequence <number>

- [no] shutdown
- [no] sdp vlan <vlan-id>
- [no] port {UU/SS/PP | agN}

- [no] untagged
- [no] shutdown
- [no] management
- [no] routing-interface swN

- [no] priority <value>
- [no] shutdown
- show service dot1q
802.1Q Service Commands Descriptions

Table 2: 802.1Q Service Commands
Command
Description
config terminal
service
Enters Service Configuration mode
no service
Removes the defined services
dot1q <service-id>
Enters Service Configuration mode for the

specified 802.1Q service:
no dot1q [<service-id>]
Removes the specified 802.1Q service or, when

used without a parameter, removes all
configured 802.1Q services:
description <value>
service-id: (optional) in the

range of <1-4294967294>
Specifies the 802.1Q service description:
Page 10
service-id: in the range of <14294967294>

characters
no description
Removes the 802.1Q service description
cpu
Adds the CPU port to the specified 802.1Q
Command
Description
service instance
no cpu
Removes the CPU port from the 802.1Q service

instance

UU/SS/PP: SAP port, in the range

of 1/1/1-1/1/4, 1/2/1-1/2/8. This
port has to be an untagged member
of the S-VLAN.
agN: SAP LAG ID. N is in the range

of <1-14>
NOTE

SAP.

versa.

c-vlan {<cvlan-id> |
untagged}

| untagged}
UU/SS/PP: (optional) SAP port, in

the range of 1/1/1-1/1/4, 1/2/11/2/8.
agN: SAP LAG ID. N is in the range

of <1-14>
Specifies a customer VLAN (C-VLAN) and enters

C-VLAN Configuration mode:

traffic only

traffic only
Page 11
Command
Description
access-groups-rule-sequence
<number>
Specifies the sequential order in which ACL rules

are processed:
number: in the range of <1 - 250>
NOTE
When applying the same ACL type
(for example, IP or MAC ACLs) to
an already used sequence number,
remove and apply the ACL again.
This action is not required when
applying different ACL types to the
same sequence number.
For more information about configuring and
applying ACLs, refer to chapter Access Control
Lists (ACLs) of this User Guide.
no access-groups-rulesequence [<number>]
Removes the configured sequence number:
shutdown
Disables the SAP port

Disabled
no shutdown
Enables the SAP port
sdp vlan <vlan-id>
Specify the S-VLAN ID and enters the S-VLAN

Configuration mode:
no sdp vlan [<vlan-id>]
number: (optional) in the range of

<1-250>
vlan-id: in the range of <1-4094>
Removes the previously configured S-VLAN/s:

of <1-4094>
management
Enables management access to the device from

the current S-VLAN
Disabled
no management
Disables management access to the device from

the current S-VLAN
routing-interface swN
Attaches an IP interface to the specified S-VLAN.

The sw0 IP interface is attached only to the
default VLAN (VLAN ID 1).
swN: an IP interface number the

valid range is <19999>
no routing-interface
Detaches the IP interface from the specified SVLAN
port {UU/SS/PP | agN}
Adds port/s as tagged to the specified S-VLAN:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
agN: SDP LAG ID. N is in the range

of <1-14>
The port is tagged

no port [UU/SS/PP | agN]
Page 12
Removes tagged port/s from the specified S-
Command
Description
VLAN:

and 1/2/1-1/2/8
agN: (optional) SDP LAG ID. N is

in the range of <1-14>
untagged
Adds ports as untagged to the specified S-VLAN
no untagged
Removes untagged port/s from the specified SVLAN
shutdown
Disables the SDP port

Disabled
no shutdown
Enables the SDP port
ethertype <value>
Specify the ethertype value for forwarded

packets:

0x9100 - Q-in-Q
0x8100
no ethertype
Restores to default
priority <value>
Specifies the VLAN Priority Tag (VPT) for

forwarded packets:
no priority
show service dot1q
Removes the selected VPT

Displays the currently configured 802.1Q
services
shutdown
Deactivates the 802.1Q encapsulation on the

service
Disabled
no shutdown
Activates the 802.1Q encapsulation on the

service
VLAN Configuration Example

1.
Enter Configuration mode for VLAN v110 with ID 10:

2.
Add to the VLAN ports 1/1/1 and 1/1/2 as tagged:

device-name(config-vlan-vl10/10)#tagged 1/1/1
device-name(config-vlan-vl10/10)#tagged 1/1/2
3.
Add to the VLAN port 1/2/1 as untagged:

device-name(config-vlan-vl10/10)#untagged 1/2/1
Page 13
4.
Specify the default VLAN for port 1/2/1:

device-name(config-vlan-vl10/10)#port 1/2/1
5.
Configures routing interface for this VLAN:

device-name(config-router)#interface sw11
device-name(config-vlan-vl10/10)#routing-interface sw11
6.
Configures this VLAN as management VLAN for the device:

device-name(config-vlan-vl10/10)#management
device-name(config-vlan-vl10/10)#commit
device-name(config-vlan-vl10/10)#end
7.
Display the VLAN's information:

device-name#show vlan
====================================================================
VLANs Information
====================================================================
Name
|
-------------------+--------------+----+-------------+-------------+
default
| sw0
|1
| User
| User
|
-------------------------------------------------------------------Tagged Ports:
-------------------------------------------------------------------Untagged Ports: 1/1/1 1/1/2 1/1/3 1/1/4 1/2/1 1/2/2 1/2/3
1/2/4 1/2/5 1/2/6 1/2/7 1/2/8
-------------------------------------------------------------------====================================================================
Name
|
-------------------+--------------+----+-------------+-------------+
vl10
| sw11
|10 | User
| User
|
-------------------------------------------------------------------Tagged Ports: 1/1/1 1/1/2
-------------------------------------------------------------------Untagged Ports: 1/2/1
====================================================================
System: 0
User: 2
Total: 2
====================================================================
Super VLANs
A Super Virtual Local Area Network (VLAN) further divides members of one VLAN into
multiple, virtual broadcast domains known as sub-VLANs. In a Super VLAN, the system
Page 14
administrator uses the same IPv4 subnet and default gateway IP address for all users in the same,
switched infrastructure resulting in decreased IPv4 address consumption and eliminating the need
for a dedicated IP subnet for each VLAN.
Each sub-VLAN is a broadcast domain isolated at Layer 2. Communication between members of
different VLANs uses the IP address of the Super VLAN virtual interface as the IP address of the
gateway. Because multiple VLANs share the same virtual interface IP address, IP address usage is
minimized.
The following example illustrates traffic through the device without a Super VLAN. Traffic
entering the user device port is not restricted to the uplink port, therefore, all broadcast, unknown,
and multicast packets are spread across all VLANs on the device.
Figure 5: Switching Decisions without the Super VLAN Agent
With Super VLAN configuration, the Super VLAN agent overrides switching/routing decisions
and instead directs traffic to the Super VLAN uplink port.
Figure 6: Switching Decisions with the Super VLAN Agent
Super VLAN Types

There are two Super VLAN type:
Super VLAN layer 2: Suitable for a Layer-2 switching environment, where the sub-VLANs and
Super VLAN share the same IP subnet mask. The Super VLAN provides enhanced security
between customers by disallowing communication between sub-VLANs regardless of whether
the sub-VLANs are on the same LAN.
Super VLAN ring topology: Suitable for ring topology networks using the Multiple Spanning
Tree Protocol (MSTP). Traffic flows either clockwise or counterclockwise. Both ports
Page 15
connected to the ring are uplink ports, while the rest of the ports are referred to as user ports.
The Super VLAN uplink must be one of the two ports connected to the rest of the ring.
Use this topology when the Super VLAN port has to be the root port of the bridge. The
Super VLAN uplink-port is selected dynamically by the bridge between the two, uplink
ports. If a topology change occurs, the Super VLAN uplink changes automatically and the
new Root port is selected as a Super VLAN uplink port.
In the figure below, one of the clients connected to device D sends broadcast traffic. The
traffic travels counterclockwise only since the Super VLAN active uplink-port is the root
port. If the link between device B and A is disconnected, a topology change occurs and
Device D selects a new Super VLAN uplink-port. As a result, traffic flows clockwise only.
Dynamic Super VLAN takes effect on all the bridges, except for the root bridge since it
does not have a root port (only designated ports).
Figure 7: Super VLAN Ring Mode Configuration Example
Super-VLAN Commands
This section describes the Super Virtual Local Area Network (VLAN) and provides both command
descriptions and a configuration example.
Page 16
Command Hierarchy
device-name#
+ config terminal
+ [no] super-vlan {UU/SS/PP | agN}
+ [no] ring-ports {UU1/SS1/PP1 | agN1} {UU2/SS2/PP2 | agN2}

- [no] preferred-port {UU/SS/PP | agN}
- [no] vlan <vlan-id>
- [no] target-port {UU/SS/PP | agN}
- show super-vlan [ring-ports {UU1/SS1/PP1 | agN1} {UU2/SS2/PP2 | agN2}

active-port]
- show super-vlan
Table 3: Super-VLAN Commands
Command
Description
config terminal
super-vlan {UU/SS/PP | agN}
Specifies a user port for the Super-VLAN

mechanism and enters the Super-VLAN
Configuration mode:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>
Disabled
no super-vlan
ring-ports {UU1/SS1/PP1 | agN1}
{UU2/SS2/PP2 | agN2}
Restores to default
Specifies uplink ports used by the Super-VLAN

mechanism for networks with a ring topology:
UU1/SS1/PP1: first uplink ring

port
UU2/SS2/PP2: second uplink ring

port
agN1: first LAG ID. N is in the

range of <1-14>
agN2: second LAG ID. N is in the

range of <1-14>
The correct range is:
no ring-ports
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Removes the selected uplink ports
Page 17
Command
preferred-port {UU/SS/PP | agN}
Description
Selects a preferred uplink port for the SuperVLAN ring-topology mechanism:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>
no preferred-port
Removes the selected uplink port
vlan <vlan-id>
Specifies a VLAN which has as its members the

uplink ring ports:
vlan-id: the valid range is <14094>
The Super-VLAN mechanism is applied

on the uplink ring ports for all VLANs of
which these ports are members
no vlan
target-port {UU/SS/PP | agN}
no target-port
show super-vlan ring-ports [{UU1/SS1/PP1
| agN1} {UU2/SS2/PP2 | agN2} activeport]

Specifies an uplink port used by the SuperVLAN mechanism for networks:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>
Removes the selected uplink port

Displays the Super-VLAN ring-topology
configuration:
UU1/SS1/PP1: first uplink ring

port
UU2/SS2/PP2: second uplink ring

port
agN1: first LAG ID. N is in the

range of <1-14>
agN2: second LAG ID. N is in the

range of <1-14>
active-port]: the active uplink

port
The correct range is:
show super-vlan
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Displays the Super-VLAN configuration
Example
The below example demonstrates how to configure Super-VLAN mechanism for a network with a
ring topology:
1.
Define an user port used by the Super-VLAN mechanism:

device-name(config)#super-vlan 1/1/1
device-name(config-super-vlan-1/1/1)#
Page 18
2.
Define uplink ports used by the Super-VLAN in ring mode:

device-name(config-super-vlan-1/1/1)#ring-ports 1/1/2 1/1/3
3.
Select a preferred uplink port for the Super-VLAN ring-topology:

device-name(config-super-vlan-1/1/1)#ring-ports 1/1/2 1/1/3 preferredinterface 1/1/2
device-name(config-ring-ports-1/1/2/1/1/3)#exit
4.
Display the Super-VLAN ring-topology configuration:

device-name#show super-vlan
================================================================================================
===========
Super-vlan Information
================================================================================================
===========
User port
Mask
Target port
Ring ports
Preferred port
Active port
C-Vlan
Vlan-
---------------------------------------------------------------------------------------------------------1/1/1
1/1/2
1/1/3
1/1/2
1/1/2
---------------------------------------------------------------------------------------------------------================================================================================================
===========
device-name#show super-vlan ring-ports

FIRST SECOND
RING
RING
ACTIVE
PORT
PORT
PORT
----------------------1/1/2 1/1/3
1/1/2
Page 19

Feature
Standards
MIBs
RFCs
Virtual LANs
IEEE 802.1Q-1998
IEEE 802.1Q-2003
IEEE 802.1P
IEEE 802.1u-2001
Public MIBs:
No RFCs are supported by this

feature.
No standards are
supported by this
feature.
Private MIB,
PRVT-SUPERVLAN-MIB.mib
Super VLANs
Page 20
IEEE 802.1Q
Q-BRIDGEMIB.mib
RFC 3069, VLAN Aggregation

for Efficient IP Address
Allocation
Transparent LAN Services (TLS)

Table of Contents
Table of Figures 1
List of Tables 1
Transparent LAN Services (TLS) 2
TLS Tunneling 2
Layer 2 Protocol Tunneling (L2PT) 3
TLS Configuration Flow 4
TLS Commands 5
TLS Commands Hierarchy 5
TLS Commands Descriptions 6
Supported Standards, MIBs, and RFCs 14
Table of Figures
Figure 1: TLS Tunneling Configuration .............................................................................................. 2
Figure 2: TLS Configuration Flow ....................................................................................................... 4
List of Tables
Table 1: TLS Commands....................................................................................................................... 6
Table 2: Predefined Protocols ............................................................................................................ 10
Table 3: Default Multicast MAC Addresses (Tunnel MAC address)............................................ 11
Transparent LAN Services (TLS) (Rev. 01)
Page 1
T-Marc3208SH
Transparent LAN Services (TLS)

TLS deployment gives network operators the capability of transporting a large number of virtual
LANs (VLANs) for their customers while keeping traffic secured within individual VLANs. The
TLS mechanism establishes Layer 2 tunnels inside the service provider network where traffic from
different customers is segregated and where it is marked with an appropriate tunnel name.
TLS Tunneling
Use TLS tunneling to deploy secure TLS through IEEE 802.1Q standard tags. Service providers
can use a separate service VLAN (S-VLAN) to support customers who have multiple VLANs,
while preserving the customer VLAN IDs and maintaining traffic segregation in VLANs (CVLANs) for individual customers.
TLS tunneling expands the VLAN space by adding an additional 802.1Q tag (the tunnel ID) to all
previously-tagged packets when they enter the service provider infrastructure, as illustrated in the
following figure.
Figure 1: TLS Tunneling Configuration
The new frame contains the original C-VLAN tag and the new S-VLAN tag.
A port configured to support TLS tunneling is known as a tunnel port. When you configure
tunneling, you assign a tunnel port to a VLAN that you dedicate to tunneling.
Three types of ports are defined on the network devices that are deployed by the service provider:
Page 2
Residential port: a port that is connected to a user and does not participate in TLS. Packets that
are transmitted through this port have no tag added.
Access (SAP) port: a port that is connected to a user and participates in TLS. Packets that are
transmitted through this port have no tag added.
Core (SDP) port: a port that is connected to the service providers network. All packets that are
transmitted through this port are either control packets or packets with an additional tag. If the
packets arrive from an access (user) port the additional tag header will be added. If the packets
arrive from a residential port the additional tag header is not added.
An access port (SAP) receives tagged customer traffic from a port on the customer device. The
access port (SAP) leaves the 802.1Q tag intact and forwards the traffic to a SDP port. The SDP
port adds a second 2-byte EtherType field (0x8100) followed by a 2-byte field containing the
priority (CoS) and the VLAN.
After the traffic exists the provider network, the core port (SDP) now strips the 2-byte EtherType
field (0x8100) and the 2-byte length field and transmits the traffic with the 802.1Q tag still intact to
the customer device. The port on the customer device strips the 802.1Q tag and puts the traffic into
the appropriate customer VLAN.
Layer 2 Protocol Tunneling (L2PT)

Layer 2 protocol tunneling allows IEEE Layer 2 protocol data units (PDUs) to tunnel through a
network. L2PT is based on PDU software encapsulation in the ingress edge device. Encapsulation
involves rewriting the destination media access control (MAC) address in the PDU. The ingress
edge device rewrites the destination multicast MAC address for received PDUs and replaces that
address with a predefined multicast tunnel MAC addresses to ensure transparent L2CP traffic flow.
All devices inside the service provider network treat these encapsulated frames as regular data
packets and forward them appropriately. The egress edge device listens for these special
encapsulated frames and decapsulates them before forwarding them out of the tunnel.
Page 3
TLS Configuration Flow
Figure 2: TLS Configuration Flow
Page 4
TLS Commands
TLS Commands Hierarchy
device-name#
+ config terminal
+ l2-tunneling
- global-tunnel-mac HH:HH:HH:HH:HH:HH
+ [no] profile {PROFILE-NAME | discard-all | tunnel-all |

tunnel-bpdu}
- [no] protocol PROTOCOL-NAME action {discard | tunnel}
+ [no] protocol PROTOCOL-NAME
- standard-mac HH:HH:HH:HH:HH:HH
- tunnel-mac HH:HH:HH:HH:HH:HH
- [no] use-global-tunnel-mac
- [no] shutdown
+ service
- [no] description <value>

- [no] cpu
+ [no] sap {UU/SS/PP | agN}
+ [no] c-vlan {<cvlan-id> | all | untagged}
- [no] tunnel-profile {PROFILE-NAME | discardall | tunnel-all | tunnel-bpdu}
+ [no] sdp s-vlan <svlan-id>
+ [no] port {UU/SS/PP | agN}
- [no] precedence {backup | primary}
- [no] tunnel-profile {PROFILE-NAME | discardall | tunnel-all | tunnel-bpdu}
- [no] shutdown
- show l2-tunneling profiles
- show l2-tunneling protocols
- show l2-tunneling statistics

- show service tls
- clear l2-tunneling statistics
Page 5
TLS Commands Descriptions

Table 1: TLS Commands
Command
Description
config terminal
l2-tunneling
global-tunnel-mac
HH:HH:HH:HH:HH:HH
Enters Layer 2 Configuration mode

Specifies a single multicast tunnel MAC address
used for global rewriting the original multicast
destination MAC addresses for user-defined and
predefined Layer-2 protocols:
HH:HH:HH:HH:HH:HH: in hexadecimal
format
Global MAC address is 01:00:0c:cd:cd:d0

profile {PROFILE-NAME | discardall | tunnel-all | tunnel-bpdu}
no profile [PROFILE-NAME]
Configures a specific tunnel profile:
PROFILE-NAME: a custom profile name

of <1-32> characters
discard-all: discards only Layer 2

protocol PDUs
tunnel-all: tunnels only Layer 2

protocol PDUs
tunnel-bpdu: tunnels only xSTP

packets
Removes the defined tunnel profile:
protocol PROTOCOL-NAME action

{discard | tunnel}
no protocol [PROTOCOL-NAME]
PROFILE-NAME: (optional) a custom

profile name of <1-32> characters
Specifies the protocol action:
PROTOCOL-NAME: a string of <1-16>

characters or see Table 2 for
predefined protocols names
discard: discards PDUs of the

specified protocol
tunnel: tunnels PDUs of the

specified protocol
Removes the defined protocol name:

predefined protocol names
Predefined protocols names cannot be removed.

protocol PROTOCOL-NAME
Specifies the Layer 2 protocol name, PDUs of

which are tunneled/discarded and enters Layer 2
Protocol Configuration mode:
Page 6

Command
Description
no protocol [PROTOCOL-NAME]
Removes the defined protocol name:

Predefined protocols names cannot be removed.

ethertype <value>
Indicates which protocol is encapsulated in the

payload of the Ethernet frame:
value: in hexadecimal format (for

example 0x9000)
0x8100
no ethertype
Restores to default
standard-mac
Specifies the original multicast destination MAC

address of the specified protocol:
HH:HH:HH:HH:HH:HH
tunnel-mac HH:HH:HH:HH:HH:HH
format (see Table 3)
Specifies a multicast tunnel MAC address that

rewrites the original multicast destination MAC
address in the encapsulated Layer 2 PDUs:
format
use-global-tunnel-mac
Applies the already defined global tunnel MAC

address on selected protocols
no use-global-tunnel-mac
Restores the default tunnel MAC address, listed in

Table 3, for the selected protocol
shutdown
Disables the L2-tunneling

Disabled
no shutdown
Enables the L2-tunneling
service
Enters Service mode
tls <service-id>

Configuration mode:

4294967295>
NOTE
You cannot use the same service

ID for all MPLS L2 services.
no tls <service-id>
description <value>

Specifies the TLS service description:

characters
no description
Removes the TLS service description
cpu
Adds the CPU port to the specified TLS service

instance
Page 7
Command
Description
no cpu
Removes the CPU port from the TLS service

instance

UU/SS/PP: SAP port, in the range of

1/1/1-1/1/4, 1/2/1-1/2/8
agN1: first SAP LAG ID. N is in the

range of <1-14>
agN2: second SAP LAG ID. N is in

the range of <1-14>
NOTE

SAP.

versa.


untagged}

| untagged}
Page 8

the range of 1/1/1-1/1/4, 1/2/11/2/8.
agN1: first SAP LAG ID. N is in the

range of <1-14>
agN2: second SAP LAG ID. N is in

the range of <1-14>
Specifies the type of the customer VLAN (CVLAN) to be tunneled and enters C-VLAN
Configuration mode:

traffic only

traffic only
Command
Description
tunnel-profile {PROFILENAME | discard-all |
tunnel-all | tunnelbpdu}
no tunnel-profile
{PROFILE-NAME |
discard-all | tunnelall | tunnel-bpdu}
Applies the user-defined or predefined tunnel

profile on a specified SAP:
PROFILE-NAME: a string of <1-32>

characters
discard-all: discards all Layer-2

protocol PDUs
tunnel-all: tunnels all Layer-2

protocol PDUs

packets

characters
discard-all: discards all Layer 2

protocol PDUs
tunnel-all: tunnels all Layer 2

protocol PDUs

packets
sdp s-vlan <svlan-id>
Creates a service distribution point (SDP) and

enters SDP Configuration mode:
no sdp s-vlan <svlan-id>

ethertype <value>
svlan-id: in the range of <1-4094>
Removes the defined SDP

Specifies the packet ethertype value of forwarded
packets:

0x9100 - Q-in-Q
0x8100
no ethertype
Restores to default
Adds port/s to the specified S-VLAN
no port [UU/SS/PP | agN]
UU/SS/PP: SDP port in the range of

1/1/1-1/1/4, 1/2/1-1/2/8
agN: SDP LAG ID. N is in the range

of <1-14>
Removes port/s from the specified S-VLAN:
UU/SS/PP: (optional) SDP port, in

the range of 1/1/1-1/1/4 and 1/2/11/2/8
agN: (optional) SDP LAG ID. N is in

the range of <1-14>
Page 9
Command
Description
precedence {backup |
primary}
Specifies precedence for the SDP port:
backup: backup port
primary: primary port

The command is used during configuring ITUT G.8031 Ethernet Protection Switching (EPS).
no precedence {backup |
primary}
Removes the defined precedence
tunnel-profile {PROFILENAME | discard-all |

tunnel-all | tunnelbpdu}

profile on a specified SAP/SDP:
no tunnel-profile
{PROFILE-NAME |
discard-all | tunnelall | tunnel-bpdu}

characters

protocol PDUs

protocol PDUs

packets

characters

protocol PDUs

protocol PDUs

packets
shutdown
Disables the defined TLS service

TLS is disabled
no shutdown
Enables the defined TLS service
show l2-tunneling profiles
Displays TLS profile names used to define the

tunneling policy
show l2-tunneling protocols
Displays L2PT encapsulation information
show l2-tunneling statistics
Displays L2PT statistics
show service tls
Displays information about all currently configured

TLS services
clear l2-tunneling statistics
Clear Layer 2 protocol tunneling (L2PT) statistics
Table 2: Predefined Protocols

Protocol
all-brs
other
Page 10
Description
Specifies that PDUs intended for the reserved MAC address
used exclusively by All Bridges are tunneled/discarded
Specifies that PDUs intended for MAC addresses from the
bridge block that are not related to specific protocols are
tunneled/discarded
Protocol
Description
dot1x
IEEE 802.1x standard
efm-oam
e-lmi
garp
lacp
lldp
pvst
Ethernet in the First Mile-Operations, Administration and

Maintenance standard
Enhanced Local Management Interface
Generic Attribute Registration Protocol
Link Aggregation Protocol
Per-VLAN Spanning Tree (PVST) maintains a spanning tree
instance for each VLAN configured in the network. Since
PVST treats each VLAN as a separate network, it has the
ability to load balance traffic (at Layer 2) by forwarding some
VLANs on one link and other VLANs on another link without
causing a spanning tree loop.
pb-stp
Provider Bridge Spanning Tree Protocol
stp
Spanning Tree Protocol
Table 3: Default Multicast MAC Addresses (Tunnel MAC address)

Protocol
MAC Address
xSTP
01-A0-12-FF-FF-00
LACP/LAMP
01-A0-12-FF-FF-02
Link OAM (802.3ah)
01-A0-12-FF-FF-02
Port Authentication (802.1x)
01-A0-12-FF-FF-03
E-LMI
01-A0-12-FF-FF-07
LLDP (802.1AB)
01-A0-12-FF-FF-0E
Bridge block of protocols
01-A0-12-FF-FF-0X
NOTE
X denotes a random digit from 0 to F. If found
in the original MAC, the digit is preserved in
the replacement MAC.
All Bridges
01-A0-12-FF-FF-10
GARP Block of protocols
01-A0-12-FF-FF-2X
NOTE
X denotes a random digit from 0 to F. If found
in the original MAC, the digit preserved in the
replacement MAC.
Provider bridge STP
01-A0-12-FF-FF-08
PVST
01-A0-12-CC-CC-CD
When you configure the destination MAC address for encapsulated PDUs, you must leave the last
byte of the MAC address for protocols Bridge block of protocols and GARP Block of protocols as default
values:
Page 11
00for Bridge block of protocols
20for GARP Block of protocols
Example:
device-name#show running-config l2-tunneling

l2-tunneling
shutdown
protocol stp
standard-mac 01:80:c2:00:00:00
tunnel-mac
01:a0:12:ff:ff:00
!
protocol garp
tunnel-mac
01:a0:12:ff:ff:20
!
protocol lacp
tunnel-mac
01:a0:12:ff:ff:02
ethertype
0x8809
!
protocol lldp
standard-mac 01:80:c2:00:00:0e
tunnel-mac
01:a0:12:ff:ff:0e
!
protocol pvst
standard-mac 01:00:0c:cc:cc:cd
tunnel-mac
01:a0:12:cc:cc:cd
!
protocol dot1x
tunnel-mac
01:a0:12:ff:ff:03
!
protocol e-lmi
tunnel-mac
01:a0:12:ff:ff:07
!
protocol other
tunnel-mac
01:a0:12:ff:ff:00
!
protocol pb-stp
tunnel-mac
01:a0:12:ff:ff:08
!
protocol all-brs
tunnel-mac
01:a0:12:ff:ff:10
!
protocol efm-oam
tunnel-mac
01:a0:12:ff:ff:02
Page 12
ethertype
0x8809
!
.
.
.
1.
Enable Layer 2 protocol tunneling (L2PT):

device-name(config)#l2-tunneling
device-name(config-l2-tunneling)#no shutdown
device-name(config-l2-tunneling)#commit
2.
Configure a specific tunnel profile to permit STP BPDUs only:

device-name(config-l2-tunneling)#profile stp
device-name(config-profile-stp)#protocol stp action tunnel
device-name(config-profile-stp)#commit
3.
Create a TLS service instance and enable it:

device-name(config-service)#tls 5
device-name(config-tls-5)#no shutdown
4.
Define SAP on ports 1/1/1. Apply tunnel profile tunnel-all on the SAP:
device-name(config-tls-5)#sap 1/1/1
device-name(config-sap-1/1/1)#c-vlan all
device-name(config-c-vlan-all)#tunnel-profile tunnel-all
5.
Define SDP on a port 1/1/2. Apply tunnel profile STP on the SDP:
device-name(config-c-vlan-all)#sdp s-vlan 10
device-name(config-s-vlan-10)#port 1/1/2
device-name(config-interface-1/1/2)#tunnel-profile stp
device-name(config-interface-1/1/2)#commit
Commit complete.
Page 13
Page 14
Features
Standards
MIBs
RFCs
Transparent LAN
Services (TLS)
No standards are
supported by this
feature.
Private MIBs:
No RFCs are supported

by this feature.
PRVT-SERVMIB.mib
PRVTL2TUNNELINGMIB.mib

Table of Contents
Table of Figures 2
List of Tables 2
Overview 3
Spanning Tree Protocol 4
Computing the Spanning Tree 4
Exchanging Information with BPDUs 4
Controlling BPDU Traffic 5
Detecting Changes in Topology 6
Broadcasting an Event to the Network 7
Timer Effect on Performance 8
Timer Settings and the STP Diameter 9
Calculating the STP Timers 9
STP Address Management 10
Rapid Spanning Tree Protocol 11
Rapid Recovery and Convergence 12
Determining the Port Link-Type 13
Synchronization of Port Roles13
RSTP BPDU Format and Processing 14
Multiple Spanning Tree Protocol 15
MST Instance Parameters 16
Interoperability with 802.1D STP 18
Fast Ring Modes 18
Interoperability Fast Ring 19
Cisco Compliance 21
IEEE 802.1s-Compliant vs. Cisco-Compliant BPDUs 21
xSTP Commands 27
Spanning Tree Protocols (Rev. 01)
Page 1
Commands Hierarchy27
Configuration Examples 36
Example 1 36
Example 2 43
Fast Ring Configuration Example 47
Fast Ring with Border Bridge Configuration Example 51
Table of Figures
Figure 1: The Spanning Tree Port States ............................................................................................ 6
Figure 2: Topology Change ................................................................................................................... 7
Figure 3: Topology Change with TC Message ................................................................................... 8
Figure 4: BPDU Message Age Parameter ........................................................................................... 8
Figure 5: Calculating the Diameter ...................................................................................................... 9
Figure 1: Proposal and Agreement Handshaking for Rapid Convergence .................................. 13
Figure 2: Sequence of Events during Rapid Convergence ............................................................. 14
Figure 3: RSTP BPDU Flags .............................................................................................................. 15
Figure 6: MSTP within a Region ........................................................................................................ 16
Figure 7: MSTP in Ring Topology in a Link-Down Event ............................................................ 19
Figure 8: MSTP in Ring Topology with a Device in Link-Down Event ..................................... 20
Figure 9: Schematic MSTI Configuration ......................................................................................... 36
Figure 10: Link Failure between Two Devices................................................................................. 44
Figure 11: Fast Ring Topology ........................................................................................................... 47
Figure 12: Fast Ring Topology ........................................................................................................... 51
List of Tables
Table 1: STP States ................................................................................................................................. 5
Table 2: STP Timers............................................................................................................................... 8
Table 3: MSTI Parameters................................................................................................................... 16
Table 4: BiNOX BPDU Parsed According to IEEE 802.1s ......................................................... 22
Table 5: Cisco BPDU Parsed by a Telco Systems Device.............................................................. 23
Table 6: Configuration Commands.................................................................................................... 28
Table 7: MSTP Link-types................................................................................................................... 35
Table 8: Default Path Cost Configuration (IEEE802.1s)............................................................... 35
Page 2
T-Marc3208SH

Spanning Tree Protocol, and its improved versionsRSTP and MSTPare required to prevent
network loops, resulting from multiple paths to the same destination, and to introduce redundancy
to the link connections. Spanning Tree Protocols identify the best route to a destination and block
all other paths and by doing so, eliminate the possibility of loop formation and congestion in the
network.
Overview
The following standards are employed in Telco Systems ring topology management:
Description
Spanning Tree Protocol (STP)

based on IEE 802.1d
Spanning Tree Protocol is a Layer 2 link

management protocol that provides path
redundancy while preventing undesirable loops in
the network.
Rapid Spanning Tree Protocol (RSTP)

based on IEE Std. 802.1w
Rapid Spanning Tree Protocol reduces the time

needed to update and reconfigure network
topology routes by proactive monitoring of port link
status. RSTP performs the roles assigned to the
STP protocol considerably faster by utilizing point
topoint wiring to provide rapid convergence of the
spanning tree.
The RSTP algorithm creates a dynamic tree that
efficiently directs packets to their destinations and
reduces a bridged network to a single, spanning
tree topology. With RSTP, the tree can be
reconfigured in less than one second. Redundant
connections can be reactivated in the event of link
or device failure.
Multiple Spanning Tree Protocol (MSTP)

based on IEE Std. 802.1s
The Multiple Spanning Tree Protocol (MSTP)

improves upon RSTP by giving users the ability to
group and associate VLANs to forwarding paths
known as Multiple Spanning Tree Instances
(MSTI). In a VLAN environment, MSTP ensures
load balancing as well as rapid convergence.
Each MSTI is an RSTP instance with its own,
independent topology that is applied on a
predefined set of VLANs.
MSTP includes all of its spanning tree information
in a single BPDU format to reduce the number of
BPDUs required on a LAN to communicate
spanning tree information for each instance.
In the following sections, specific information is provided on each of the spanning tree protocols.
Page 3

Computing the Spanning Tree
Algorithm Selection Step
Description
Select a Root Bridge
In order to elect active paths within a network, STP first determines a

Root bridge. Each bridge within STP has a unique ID consisting of
the user-defined priority and MAC address for the bridge. The
protocol selects the bridge with the lowest ID as the Root.
The Root is the device used to calculate path cost by all other
devices. STP selects the path with the lowest cost between each
device to the Root as the active path and blocks all other redundant
paths.
Note: System administrators can alter the Bridge ID by configuring
the bridge priority and, as a result, control the probability of a bridge
becoming the Root.
Select a Designated
Bridge per Network
Segment
After selecting the Root bridge, STP selects one Designated Bridge
for each network segment. The Designated Bridge is closest to the
Root and has a Designated port used to forward packets from the
segment to the Root Bridge.
Select the Root and

Alternate Ports
As the final step, STP selects a Root Port (per bridge) that sends data
towards the Root Bridge. In order to avoid loops, all other ports that
provide redundant paths to the Root Bridge are set as Alternate Ports.
These ports do not forward traffic unless the Root Port goes down.
Each bridge has only one Root Port, a single path toward the Root
bridge.
Exchanging Information with BPDUs

Bridges exchange information using Bridge Protocol Data Units (BPDUs). Each BPDU contains
the following information:
Root Bridge ID
Designated Bridge ID
Path Cost:: Distance between the Root and the device
the designated port ID
Each bridge port has an assigned path cost, a user-definable parameter that determines the ports
preference to be included in the active spanning tree topology. During BPDU exchange, STP sums
up the path costs along all Designated ports (Designated path cost). This value then serves as the
bridges distance from the Root.
The lower the cost, the closer the device is to the Root. If two devices have identical path costs,
STP selects the path based on port priority and bridge IDs as a tiebreaker.
There are three BPDU types:
Page 4
Configuration BPDU: Used for the election algorithm
Topology Change Notification (TCN) BPDU: Used to announce network topology

changes
Topology Change Notification Acknowledgment BPDU: Used to forward a TCN,

received by the device, to the Root Port.
Controlling BPDU Traffic

STP uses five port states to control BDPU traffic and ensure a loopfree network. During a
topology change involving inactive ports:
The port cannot start forwarding until the new topology information propagates throughout
the switched LAN
Frames, forwarded using the old topology, have to be allowed to expired
Table 1: STP States

STP State
Description
Blocking
The port does not forward frames. The port moves to this state after the
initialization phase when a different device/port was elected as Root.
If there is only one device in the network, no exchange occurs, the forwarddelay timer expires, and the ports move to Listening state.
A port in the Blocking state:
Discards frames
Discards frames switched from another port for forwarding
Does not learn MAC addresses
Receives BPDUs
A Blocking port can enter the Listening or Disabled states.
Listening
This is the first state a Blocking port transitions to when STP determines that
the port should participate in frame forwarding. The device processes
BPDUs and waits for possible new information that might cause the port to
return to the Blocking state.
A port in Listening state performs the same steps as Blocking state:
Discards frames
Does not learn MAC addresses
Receives BPDUs
From this state the port can enter Learning or Disabled states.
Learning
The second state the port enters when preparing to participate in frameforwarding. The port does not yet forward frames. However the port learns
source addresses from received frames and adds those addresses to the
filtering database.
A port in Learning the state:
Discards frames
Learns MAC addresses
Receives BPDUs
From this state the port can enter Forwarding or Disabled states.
Page 5
STP State
Description
Forwarding
The port forwards frames. The device processes BPDUs and waits for
possible new information that might cause the port to return to the Blocking
state to prevent a loop. A port in Forwarding state:
Receives and forwards frames

Forwards frames switched from other ports
Receives BPDUs
From this state the port can enter Disabled state.
Disabled
A port in this state does not participate in frame forwarding and spanning
tree. The port performs the same steps as Blocking state but does not
receive BPDUs.
The following figure illustrates how a port moves through the states described in the previous table.
Figure 1: The Spanning Tree Port States
Detecting Changes in Topology

Upon detection of a topology change in the network (such as a link failure or the link changing to
Forwarding state), the Bridge sends this event to the entire bridged network using a twostage
process. First, the Bridge notifies the STP Root and then, the Root broadcasts that information to
the whole network.
As a result of the topology change, the address tables of all devices are flushed and new paths are
learned. The following illustration depicts the reaction of the network to a topology change. Data
paths before and after the change were:
Page 6
Initial Data Path
Device ADevice BDevice C
After Topology Change
Device ADevice DDevice C
Figure 2: Topology Change
Note that during the topology change, Devices C and D are not aware of the change. Frames sent
from Computer 1 are forwarded to Device B and there is no connection between Computers 1 and
2 until the address table ages out.
To avoid connection loss caused by a topology change, STP implements a mechanism called
Topology Change Notification (TCN) to flush out device MAC addresses.
Broadcasting an Event to the Network

When the Root is aware of a topology change, it sends out configuration BPDUs with the
Topology Change (TC) flag set. As a result, all bridges become aware of the topology change and
reduce the MaxAge timer to the forward-delay timer.
Bridges receive topology-change BPDUs on both forwarding and blocking ports.
Page 7
Figure 3: Topology Change with TC Message
Timer Effect on Performance

The following timers affect STP performance.
Table 2: STP Timers
Variable
Description
Hello timer
The interval between two consecutive BPDUs a device sends to other

devices.
Forward-delay timer
The time a port is in Listening and Learning states before the port begins
forwarding.
Maximum-age timer
(MaxAge)
The time the device stores protocol information received on a port.
Message Age
How far a device is from the Root when it receives a BDPU
The Message Age value of all BPDUs sent by the Root is zero. Each subsequent device increments
the Message Age value by one as illustrated in the following figure:
Figure 4: BPDU Message Age Parameter
After receiving a new BPDU equal to or greater than the recorded information on the port, all
BPDU information is stored, and the age timer begins to run, starting at the message age. If this age
timer reaches MaxAge before receiving another BPDU, the information ages out for that port.
For example, in the above figure:
Page 8
Device B and C receive a BPDU from Device A with message age value zero. On the port
going to Device A, it takes MaxAge seconds before the information ages out.
Device D and E receive a BPDU from Device B with message age value one. On the port
going to Device A, it takes MaxAge-1 seconds before the information ages out.
Device F receives a BPDU from Device E with message age value two. On the port going to
Device E, it takes MaxAge-2 seconds before the information ages out.
Timer Settings and the STP Diameter

The STP timer settings are based on the STP diameter, defined as the maximum number of
bridges between any two end points on the network. IEEE 802.1D specification recommends a
maximum network diameter of 7 hops. (Therefore the maximum STP ring size is 14 devices: a
distance of seven hops from the root to the last bridge in the ring.)
The following figure illustrates a network built up of a diameter of five (path A-C-B-E-D). It
contains three access devices (C, D, and E) attached to two distribution devices (A and B) and a
Layer 3 boundary between the distribution devices and the core. The bridged domain stops at the
distribution devices.
The maximum STP diameter of five is between:
C-A-D-B-E
D-A-C-B-E
Figure 5: Calculating the Diameter
Calculating the STP Timers

To calculate the STP timers use the following formulas:
Max_age = 4 x hello +2 x dia - 2
Page 9
Forward_delay = (4 x hello + 3 x dia) / 2
Based on these formulas, lowering the Hello timer value will decrease other STP parameter values.
However, the decrease will also double the number of BPDUs sent/received by each Brdige,
causing additional load on the CPU.
STP Address Management

IEEE 802.1D specifies 17 multicast MAC addresses, with a valid range from 0x0180C2000000 to
0x0180C2000010, to use by different bridge protocols. These addresses are static addresses that
cannot be removed.
Regardless of the STP state, the device receives but does not forward packets destined for addresses
between 0x0180c2000000 and 0x0180C200000F.
If STP is enabled, the CPU of the device receives packets destined for 0x0180C2000000 and
0x0180C2000010. If STP is disabled, the device forwards those packets as unknown multicast
addresses.
Page 10
Rapid Spanning Tree Protocol

RSTP distinguishes between Port State and Port Role: Port State describes the relationship of that
port to the frame processing (filtering and forwarding) and learning functions while the Port Role
describes the role of the port in the spanning tree function.
There are three RSTP port states (as oppose to five STP states):
Table 1: RSTP Port States
Port State
Description
Learning
As in STP, the port prepares to participate in frame-forwarding. It learns

source addresses from frames received and adds them to the filtering
database.
From this state the port can enter a Forwarding state.
Forwarding
As in STP, the port enters this state from the Learning state. The device
processes BPDUs and waits for possible new information that may cause
it to switch to the Discarding state to prevent a loop. A port in Forwarding
state:
Receives and forwards frames

Forwards frames switched from another port
Receives BPDUs
From this state, the port can only switch to Discarding state.
Discarding
STP states Disabled, Blocking, and Listening are merged into this state.
This state describes a port that does not forward user traffic in either
direction. The port discards received frames and no learning occurs. As a
result, there are no entries in the filtering database pointing to this port and
no traffic is forwarded across it.
In order to create a loop-free environment and to provide rapid convergence, RSTP selects the
device with the highest priority as the root bridge, assigns port roles, and determines the active
topology. RSTP assigns a role to each bridge port throughout the bridged LAN:
Table 2: RSTP Port Role Assignments
Port Role
Description
Root port
Provides the best path (lowest cost) for packets forwarded from a device
to the root device.
A Root port is in Forwarding state.
Designated port
Connects to the designated device that provides the best path for packets
forwarded from that LAN to the root device.
A Designated port is in Forwarding state.
Alternate port
Offers an alternative path to the one provided by the current Root port.
Alternate ports are in Discarding state.
This role is equivalent to the STP Blocking state.
Page 11
Port Role
Description
Backup port
Acts as a backup for the path provided by a Designated port in the

direction of the spanning tree leaves (end nodes).
A Backup port exists only when two ports are connected together in a
loopback by a point-to-point link or when a device has two or more
connections to a shared LAN segment.
Backup ports are in Discarding state.
This role is equivalent to the STP Blocking state.
Disabled port
Disabled ports do not participate in frame forwarding and are not

operational. These ports:
discard frames
discard frames switched from another port for forwarding
do not learn MAC addresses
do not receive BPDUs
Rapid Recovery and Convergence

Edge ports, new Root ports, and ports connected through point-to-point links converge rapidly
upon a link failure.
Table 3: The RSTP Rapid Convergence
Port Type
Description
Edge ports
Edge ports are configured by users on RSTP enables devices. Once

configured, these ports immediately transit to Forwarding state.
NOTE
You should configure Edge ports only on ports
connected to end devices (such as hosts and printers).
Root ports
When RSTP selects a new Root port, it blocks the old Root port and
immediately transitions the new Root port to Forwarding state.
Point-to-point links
Point-to-point links are links directly connecting two devices.

When you connect two devices using a point-to-point link the Designated
port negotiates rapid transition with the remote port by using the
proposal-agreement handshake to ensure a loop-free topology.
The following figure shows a rapid convergence example. In this example, Devices A and B are
connected through a point-to-point link and all the ports are in blocking state. Assume that Device
As priority is higher than Device Bs. The proposal-agreement handshaking proceeds as follows:
Page 12
Device A proposes itself as the designated device by sending a proposal message (a

configuration BPDU with the proposal flag set).
Device B reactions to the proposal message from Device A as follows:

Assigning the port on which the proposal message was received as its new Root port.
Forcing all non-edge ports to Discarding state to avoid loops.
Sending an agreement message to Device A (a BPDU with the agreement flag set)
through its new Root port.
Device A immediately transitions its designated port to the Forwarding state.
Figure 1: Proposal and Agreement Handshaking for Rapid Convergence
The same handshaking process is repeated for each device that joins the active topology,
progressing from the root toward the leaves of the spanning tree as the network converges.0.
Determining the Port Link-Type

RSTP can implement a rapid transition only on point-to-point links. The link type is automatically
derived from the ports duplex mode:
A port operating in full-duplex mode is assumed to be point-to-point
A port operating in half-duplex mode is considered as a shared port by default.
You can override this automatic link-type setting by explicit configuration.
Today in most switched networks most links operate in full-duplex mode and are treated as pointto-point links by RSTP. This makes them candidates for rapid transition to Forwarding state.
Synchronization of Port Roles

Upon receiving a proposal message for best path to the root through a port, the RSTP selects that
port as the new Root port and forces all other ports to synchronize with the new root information.
An individual port on the device is synchronized if:
The port is in Discarding state
The port is an edge port
Page 13
If a Designated port is in Forwarding state and is not configured as an edge port, it transitions to
Discarding state when RSTP forces it to synchronize with new root information. When RSTP
forces a port to synchronize with root information and the port does not satisfy any of the above
conditions, it transitions to Discarding state.
After synchronizing all ports, the device sends an agreement message to the designated device
corresponding to its Root port. At this point RSTP immediately transitions the port states to
Forwarding.
The sequence of events is displayed in the following figure:
Figure 2: Sequence of Events during Rapid Convergence
RSTP BPDU Format and Processing

The RSTP BPDU has the same format as the STP BPDU except that the protocol version is set to
2.
Page 14
Figure 3: RSTP BPDU Flags
The sending device proposes itself to be the designated device by setting:
Proposal flag (bit 1)
Port Role flag (bits 2-3) to Designated port
The receiving device accepts the proposal by setting:
Agreement flag (bit 6)
Port role flag to Root port
RSTP uses the Topology Change (TC) flag to indicate topology changes. Unlike STP, the RSTP
does not have a separate topology change notification (TCN) BPDU. However, for interoperability
with STP devices, the RSTP device processes and generates TCN BPDUs.
The Learning and Forwarding flags (bits 4 and 5) are determined according to the sending port.
Multiple Spanning Tree Protocol

Term
Definition
MSTP Region
A collection of interconnected bridges that share the same MSTP

configuration. Devices in the same MST Region share the following
attributes:
MST Instances
(MSTI)
Region name
Revision number of the region
MST InstancetoVLAN assignment map (each VLAN can be
mapped only to one instance)
Each bridge in the MSTP region contains up to 16 MSTIs which act like
separate RSTP bridges for a specific set of configured VLANs. All MSTIs
within the same region share the same protocol timers, but each instance
has its own topology parameters, such as root-device ID, root path-cost,
and active topology. By manipulating these parameters, systems
administrator can modify the spanning tree topology (defining forwarding
and blocked ports) for the MSTI VLANs to achieve traffic load-balancing
within the region.
MSTIs are identified by their instance ID:
Instance 0: The Common Internal Spanning Tree (CIST) to which

all VLANs are mapped by default. This instance is obligatory and
cannot be removed.
Instances 115: User-configurable, optional instances, to which the

system administrator maps sets of VLANs.
Load balancing is supported only with the MST Region. The following figure illustrates load
balancing between two instances.
MSTI 1
MSTI 2
Device C is the MST Root
Device B is the MST Root
The port on Device B connected to Device A is blocked

Traffic for VLANs 101200 flows between Device C and Device A
The port on Device C connected to Device A is blocked
Traffic for VLANs 201300 flows between Device B and Device A
Page 15
Figure 6: MSTP within a Region
Outside the region, spanning tree information is carried by MST instance 0. The MST region can
participate in Common Spanning Tree (CST ) of legacy xSTP bridges and other MSTP regions
connected to the MST region.
This region is responsible for combining and forwarding all Internal Spanning Tree (IST)
information to the CST, handling CST information and setting roles for regional boundary ports.
As a consequence, each MSTP region acts as a single RSTP bridge within the CST topology.
In each region:
One boundary port, which can be the root port for the region, connects the region to the CST
Root bridge (the CIST Root). This port is called the Master port.
Boundary ports that provide alternative paths from the region to the CIST Root are blocked
(set to Alternative).
Boundary ports that provide connectivy to Designated LANs can be set as Designated ports.
MST Instance Parameters

Table 3: MSTI Parameters
Page 16
Parameter
Description
Boundary Ports
Connect the designated bridge (an SST bridge or a bridge with a

different MST configuration) to a LAN.
A designated port identifies itself as a boundary port (the boundary flag
is set) if it detects an STP bridge or receives an agreement message
from an RST or MST bridge with a different configuration.
The role of the MST ports at the boundary is not important since the
MST port is forced to take the same state as the IST port. The IST port
at the boundary can take any port role except backup.
Parameter
Description
IST Master
The IST master of an MST region is the bridge with the lowest bridge
identifier and the lowest path cost to the CST root.
If an MST bridge is the root bridge of the CIST in a region, then it is

the IST master of that MST region.
If the CST root is outside the MST region, then one of the MST
bridges at the boundary is selected as the IST master. Other
bridges on the boundary that belong to the same region eventually
block the boundary ports that lead to the root.
If two or more bridges have an identical path to the root, you can
set a lower bridge priority value to make a specific bridge the IST
master.
The root path-cost and message age inside a region stay constant.
However the IST path cost is incremented and the IST remaining hops
are decremented at each hop.
Regional Root
The MSTI Regional root is the root bridge of each MSTI within a region.
In case of IST, it is the CIST Regional root. Therefore, the terms IST
Master and CIST Regional root are interchangeable.
Edge Ports
An Edge Port is a port connected to a non-bridging device (for example,

a host or a device). A port that connects to a hub is also an edge port if
the hub or any LAN that is connected to it does not have a bridge.
An edge port can start forwarding as soon as its link is up.
Link-Type
Rapid connectivity is established only on point-to-point links.

When connecting a port to another port through a point-to-point link, if
the local port becomes a designated port, RSTP negotiates a rapid
transition with the other port, using the proposal-agreement handshake
to ensure a loop-free topology.
By default, the link-type is automatically determined by the duplex state
of the port. However, when a half-duplex link is physically connected
point-to-point to a single port on a remote device running RSTP, you can
override the link-type default setting and enable rapid transitions to
Forwarding state.
Message Age and

Hop Count
IST and MSTIs use a hop count mechanism similar to the IP time-to live
(TTL) mechanism. Users can configure the maximum MST bridge hop
count.
The MSTI root bridge sends a BPDU (or M-record) with the remaining
hop count. The bridge receiving the BPDU (or M-record) decrements the
remaining hop count by one.
If after decrementing, the hop count reaches zero, the bridge discards
the BPDU and ages out the port information. Non-root bridges propagate
the decremented count as the remaining hop count in the BPDUs they
generate.
Port Priority
The port priority determines the ports Forwarding state in case of a loop.
MSTP selects the port with the highest priority (lower priority value) first.
In case all ports have the same priority, MSTP selects the port with the
lowest number and blocks all other ports.
Page 17
Parameter
Description
Path Cost
MSTP uses the path cost when selecting the forwarding port in case of a
loop.
The default path-cost for the port derives from its link speed. However,
you can define lower cost values to ports you want selected first and
higher cost values to ports you want selected last.
In case all ports have the same path cost value, MSTP selects the port
with the lowest number and blocks all other ports.
Interoperability with 802.1D STP

A device running MSTP supports a built-in protocol migration mechanism that enables the device
to interoperate with legacy 802.1D devices.
If the device receives a legacy 802.1D configuration BPDU (a BPDU with the protocol version set
to 0), the device sends only 802.1D BPDUs on that port. An MSTP device can also detect that a
port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (version 3)
associated with a different region, or an RST BPDU (version 2).
However, the device cannot determine whether the legacy device was removed from the link
(unless the legacy device is the designated device). Therefore, the device does not automatically
revert to MSTP mode if no further 802.1D BPDUs are received.
Also, a device might continue to assign a boundary role to a port when the device to which it is
connected has joined the region.
If all the legacy devices on the link are RSTP devices, they can process MSTP BPDUs as if they are
RSTP BPDUs. Therefore, MSTP devices send either a version 0 configuration and TCN BPDUs
or version 3 MSTP BPDUs on a boundary port. A boundary port connects the designated device
to a LAN that is either a single spanning tree device or a device with a different MST configuration.
Fast Ring Modes

The fast ring mode shortens the MSTP convergence time to below 50 milliseconds when there is a
disconnection in a ring topology. Telco Systems offers two Fast Ring solutions:
Fast Ring: Use when all of the devices in the ring are Telco Systems devices
Interoperability Fast Ring: Use with devices that do not support MSTP or RSTP protocols
NOTE
Use standard MSTP as a ring solution if your network demands a topology different
from the one offered here.
Fast Ring
Use this solution when all the devices in the ring are Telco Systems devices.
Page 18
1.
Select one bridge to be the root bridge: set the priority for this bridge to the lowest value (0).
To avoid instability, do not enable the Fast Ring feature on this bridge.
2.
Configure all user ports as MSTP edge ports.
3.
To optimize network performance, increment the priority value for the bridge as you draw
away from the root bridge.
The figure below shows a ring topology using MSTP:
Device 1 is the MST root bridge
All the ports have equal priority thus one of Device 8's uplink ports are in Alternate state.
In case of link failure between Device 14 and Device 1:

4.
Device 14 detects the link failure on its root port.
5.
The ring solution immediately changes the traffic flow to a new direction.
Figure 7: MSTP in Ring Topology in a Link-Down Event
Interoperability Fast Ring

Designed especially for interoperation with devices that do not support MSTP or RSTP protocols.
Use Interoperability Fast Ring when you use a non Telco Systems gateway as a part of the ring.
The figure below shows a ring topology using MSTP, when one of the devices (Router, in the figure
below) does not support MSTP, but is capable of switching the MSTP BPDUs between the ports
connected in the topology.
Page 19
Figure 8: MSTP in Ring Topology with a Device in Link-Down Event
To use an Interoperability Fast Ring:

6.
Configure the two devices closest to the Router (Device 1 and Device 8) as Border Bridges to
avoid network-performance degrade.
7.
Do not define any MSTP priorities on Border Bridges. These are automatically set once the
bridges are set as border bridges.
8.
Increment the priority value for the bridge as you draw away from the root bridge, starting
with priority value 8192.
9.
Configure all the user ports as MSTP edge ports.
In case the link between Device 8 and the Router fails:
Page 20
Device 1 becomes the root
Traffic changes its direction toward the new root
Cisco Compliance
The device can be placed into Cisco-Compliant Mode, which changes the BPDU format to
conform to the standard adopted for Cisco devices. When the device is not in Cisco-Compliant
Mode, the root port is synchronized only if the port receives an agreement together with the
proposal flag from the designated port.
IEEE 802.1s-Compliant vs. Cisco-Compliant BPDUs

Both Cisco-compliant and IEEE 802.1s-compliant modes send an Agreement flag in response to a
Proposal flag when the port transitions to Root role. However there are differences between the
two modes in the conditions under which the Agreement flag is set:
In the standard IEEE 802.1s-compliant mode, MSTP sets the Agreement flag when:
the port is either a Designated or a Root port
and
all the device ports are synchronized (when all the ports participate only in loop-free
topologies)
In Cisco-compliant mode the Agreement flag is set also when the port is going to Alternate
role.
The following two tables compare two BPDUs:
Table 2 displays a BPDU generated in IEEE 802.1s-compliant mode and includes two
M-records.
Table 3 displays a BPDU generated in Cisco-compliant mode, parsed in the format generated
by Cisco devices.
Page 21
Standard BiNOX Dump (IEEE 802.1s-Compliant)

01
03
00
02
00
00
45
00
00
00
80
00
00
00
00
00
40
a0
00
00
c2
00
80
0f
00
00
14
12
00
00
00
03
00
00
00
00
da
11
00
00
00
02
00
00
00
00
65
29
80
80
00
4e
a0
00
00
00
22
92
80
80
00
80
12
60
00
00
bd
28
28
28
a0
00
11
00
00
00
08
4e
4e
12
00
29
00
00
00
f3
80
80
11
a0
92
00
00
01
cd
01
02
29
12
80
00
00
60
00
00
00
92
11
0b
00
00
b0
00
a0
a0
00
29
00
00
00
d3
00
12
12
89
92
00
00
00
6e
00
11
11
42
00
14
00
00
cc
80
29
29
42
00
00
00
00
e1
00
92
92
00
60
eb
00
00
00
11
14
60
08
00
d5
5a
00
00
b7
00
01
a3
00
a2
00
00
00
c0
01
00
37
07
00
00
00
00
92
69
07
f1
eb
80
00
00
64
60
60
eb
c1
d5
01
00
00
b1
00
01
d5
00
a2
00
00
00
f4
00
00
a2
84
00
00
00
00
bb
07
07
00
42
00
14
00
00
1f
eb
eb
80
42
00
00
00
00
3c
d5
d5
01
Cisco-Compliant Dump
01
03
00
02
00
00
6d
a2
a2
14
80
00
00
00
00
00
4d
00
00
00
c2
00
60
0f
00
00
a3
00
00
00
03
00
00
00
00
00
00
00
00
02
00
00
00
00
94
00
00
00
68
07
00
00
00
c1
00
00
Table 4: BiNOX BPDU Parsed According to IEEE 802.1s
Page 22
Field Name
Content
ETH Dest.
01 80 c2 00 00 00
ETH Src
00 a0 12 11 29 92
ETH Len
00 89
LLC
42 42 03
Protocol Identifier
00 00
Protocol version Identifier
03
BPDU type
02
CIST Flags
4e
CIST Root Identifier
80 00 00 a0 12 11 29 92
CIST Ext. Path Cost
00 00 00 00
CIST Regional Root Identifier
80 00 00 a0 12 11 29 92
CIST Port Identifier
80 0b
Message age
00 00
MaxAge
14 00
Hello-time
02 00
Forward-delay
0f 00
Field Name
Content
Version 1 length (must be 0)
00
Version 3 length (Mrecords total length)
00 60
MSTI configuration Identifier (Key,

Revision, Name) 51 Bytes
00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 01 60
b0 d3 6e cc e1 45 40 14 da 65 22 bd
08 f3 cd
CIST Internal Root Path Cost
00 00 00 00
CIST Bridge Identifier
80 00 00 a0 12 11 29 92
CIST Remaining hops
28
MSTI1
Flags
MSTI Regional Root Identifier
MSTI Internal root path cost
MSTI Bridge Priority
MSTI Port Priority
4e
80 01 00 a0 12 11 29 92
00 00 00 00
80
80
28
MSTI Remaining hops
MSTI2
Flags
MSTI Regional Root Identifier
MSTI Internal root path cost
MSTI Bridge Priority
MSTI Port Priority
4e
80 02 00 a0 12 11 29 92
00 00 00 00
80
80
28
MSTI Remaining hops
Table 5: Cisco BPDU Parsed by a Telco Systems Device

Field Name
Content
Notes
ETH Dest.
01 80 c2 00 00 00
Matches the IEEE-802.1s
ETH Src
00 08 a3 37 f1 c1
ETH Len
00 84
LLC
42 42 03
Protocol Identifier
00 00
Protocol version Identifier
03
BPDU type
02
CIST Flags
68
CIST Root Identifier
60 00 00 07 eb d5 a2 00
CIST Ext. Path Cost
00 00 00 00
CIST Bridge Identifier
60 00 00 07 eb d5 a2 00
CIST Port Identifier
80 01
Page 23
Field Name
Content
Message age
00 00
MaxAge
14 00
Hello-time
02 00
Forward-delay
0f 00
Version 1 length (must be

0)
00
Extra byte
00
Version 3 length (Mrecords

total length)
00 5a
MSTI configuration
Identifier (Key, Revision,
Name) 50 Bytes.
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 64 b1 f4 bb 1f 3c
6d 4d a3 00 94 c1 11 b7 c0 92
The first byte of the

configuration is called selector,
and is omitted (or over-ridden
by the version 3 length field).
CIST Regional Root

Identifier
60 00 00 07 eb d5 a2 00
Fields order is flipped.
CIST Remaining hops2

bytes instead of 1.
14 00
Extra byte-Cisco BPDU with no

MSTIs ends here and contains
the extra byte.
MSTI1
Page 24
Notes
If the Cisco BPDUs are parsed

as specified in the IEEE 802.1s
standard, some offsets and
shifts may cause wrong values
for the M-records and for the
matching fields that are located
after the version 3 length
CIST Internal root path cost,
CIST Bridge identifier, CIST
remaining hops.
The whole M-Record structure

is different. In the 802.1s there
is no MSTID field. The priority
of the sending bridge and the
port priority are sent without
bridge ID and port ID of the
sending bridge.
MSTID
01

sending bridge.
Flags
69

sending bridge.
Field Name
Content
Notes
MSTI Regional Root

Identifier
60 01 00 07 eb d5 a2 00

sending bridge.
MSTI Internal root path

cost
00 00 00 00

sending bridge.
MSTI Transmitting Bridge

Identifier
60 01 00 07 eb d5 a2 00

sending bridge.
MSTI Port Identifier
80 01

sending bridge.
MSTI Remaining hops
14 00

sending bridge.
Page 25
Page 26
xSTP Commands
Commands Hierarchy
device-name#
+ config terminal
+ ethernet
+ spanning-tree
- [no] hold-count <value>
- [no] forward-delay <interval>

- [no] hello-time <interval>
- [no] learn-mode {none | standard | temporary-disabled}

- [no] max-age <interval>

- [no] bpdu-rx
- [no] bpdu-tx
- [no] cisco-compliant
- [no] detect-bpdu-loss
- [no] edge-port
- [no] edge-port-flush
- [no] link-type {auto | point-to-point | shared}

- [no] mstp instance-id <instance-id>
- [no] path-cost <cost>

- [no] restricted-root
- [no] restricted-tcn
- [no] shutdown
+ [no] protocol-fast-ring
- [no] border-bridge preferred-link {UU/SS/PP | agN}
- [no] ring-ports {UU1/SS1/PP1 | agN1} {UU2/SS2/PP2 |

agN2}
- [no] shutdown
+ [no] protocol-mstp
+ [no] instance <value>
- [no] max-hops <hops>
- [no] region-name NAME
- [no] region-revision <unsignedShort>
Page 27
- [no] shutdown
- [no] vlan-per-instance <vlan-id>

- [no] instance-id <value>
- [no] protocol-rstp
- [no] shutdown
- [no] protocol-stp
- [no] shutdown
- [no] provider-bridge-address {dot1ad | dot1d}
- show ethernet mstp [cist port UU/SS/PP | configuration | detailed |

instance <value> port UU/SS/PP]
- show ethernet rstp [port UU/SS/PP | details]
- show ethernet stp [port UU/SS/PP | details]
Table 6: Configuration Commands
Command
Description
config terminal
ethernet
spanning-tree
hold-count <value>
Enters the Ethernet Configuration mode

Enters the Spanning Tree Configuration mode
Specifies the number or BPDUs that can be
transmitted during every hello time period:
3
no hold-count
Restores to default
forward-delay <interval>
Specifies the time a port waits in Learning and

Listening states before moving to Forwarding
state:
interval: in the range of <4-30>

seconds
15 seconds
no forward-delay
Restores to default
hello-time <interval>
Specifies the interval between consecutive

BPDUs the device transmits:

seconds
2 seconds
no hello-time
Page 28
Restores to default
Command
Description
learn-mode {none | standard |

temporary-disabled}
Specifies the mode in which MAC addresses are

learned and flushed:
none: permanently disables

learning on non-edge/ring ports
standard: permanently enables

learning on non-edge/ring ports
temporally-disabled: enables
learning, except for cases where
an MSTP topology change occurs and
learning is temporarily disabled
Standard
no learn-mode
Restores to default
max-age <interval>
Specifies the time a device waits without

receiving configuration messages before
attempting a reconfiguration:

seconds
20 seconds
no max-age
Restores to default
NOTE
The port command is accessible
only after enabling xSTP protocol
in the Spanning Tree
Configuration mode.
Configures Spanning Tree on a port and enters

Specific Ports or LAG Configuration mode and:
no port
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>
Restores the default port/LAG configuration
bpdu-tx
Enables BPDU packets transmission on an

edge-port
no bpdu-tx
Disables the BPDU packets transmission
bpdu-rx
Enables BPDU packets receiving on an edgeport
no bpdu-rx
Prevents the port from receiving BPDUs
cisco-compliant
Activates the Cisco-Compliant Mode
no cisco-compliant
Deactivates the Cisco-Compliant Mode
detect-bpdu-loss
Enables the Loop Guard on a port

Disabled
no detect-bpdu-loss
Disables the Loop Guard on a port
edge-port
Changes the ports administrative status, setting

it as an Edge Port
The port is not an edge port.
Page 29
Command
Description
no edge-port
Restores to default
edge-port-flush
Forces the MSTP to flush the edge port it is

configured on, when the link on the port is down
The port is not a flush port.
no edge-port-flush
Restores to default
link-type {auto | point-topoint | shared}
Specifies the port administrative link-type:
auto: see Table 7
point-to-point: see Table 7
shared: see Table 7
Auto
no link-type
Restores to default
mstp instance-id <value>
Enters the MSTP Instance Configuration mode

for the specified port. Parameters for instance 0
are defined in the Port mode:
no mstp instance-id
Removes the defined MSTP instance
path-cost <cost>
Specifies the path cost of an MSTP instance. A

lower path cost represents a higher-speed
transmission:
cost: in the range of <1200000000>
Table 8 displays the default value

calculated by the ports media speed.
no path-cost
Restores to default
shutdown
Shuts the port down and currently disables

xSTP
no shutdown
Activates the port and enables xSTP on it
priority <priority>
Specifies the port priority:
priority: valid values are: 0, 16,

32,48, 64, 80, 96, 112, 128, 144,
160,176, 192, 208, 224, and 240
128
Page 30
no priority
Restores to default
restricted-root
Enables the selection of a port as the Root port

Disabled
no restricted-root
Disables the selection of a port as the Root port
restricted-tcn
Enables receiving Topology Change

notifications (TCN) and propagating them to
other ports on the device
Disabled
no restricted-tcn
Disables receiving the Topology Change

notifications (TCN)
Command
Description
priority <priority>
Specifies the bridge priority. When MSTP is

enabled, the priority value Specifies the bridge
priority for instance 0:
priority: the valid values are: 0,

4096, 8192, 12288, 16384, 20480,
24576, 28672, 32768, 36864, 40960,
45056, 49152, 53248, 57344, and
61440. The bridge with the highest
bridge priority (the lowest
numerical priority value) is
selected for a Root device
32768
no priority
Restores to default
protocol-fast-ring
Enables the MSTP Fast Ring mode and enters

the MSTP Fast Ring Configuration mode:
Disabled
no protocol-fast-ring
Removes MSTP Fast Ring settings
border-bridge preferred-link
{UU/SS/PP | agN}
no border-bridge preferredlink [UU/SS/PP | agN]
ring-ports {UU1/SS1/PP1 |
agN1} {UU2/SS2/PP2 |
agN2}
Configures the device as a border bridge and

selects a preferred MSTP Fast Ring port or a
LAG that connects the ring topology to the
network gateway:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>
Disables the process of configuring border

bridge:

and 1/2/1-1/2/8
agN: (optional) LAG ID. N is in

the range of <1-14>
Specifies two physical ports or two groups of

ports that provide connectivity in the ring:
UU1/SS1/PP1: the first ring port
UU2/SS2/PP2: the second ring port
agN2: the second ring LAG, where

N2 is in the range of <1-14>
agN1: the first ring LAG, where N1

is in the range of <1-14>
The port range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Page 31
Command
Description
no ring-ports [UU1/SS1/PP1 |
agN1] [UU2/SS2/PP2 |
agN2]
Disables the process of defining ring ports or

groups of ports:
UU1/SS1/PP1: (optional) the first

ring port
UU2/SS2/PP2: (optional) the second

ring port
agN2: (optional) the second ring

LAG, where N2 is in the range of
<1-14>
agN1: (optional) the first ring

LAG, where N1 is in the range of
<1-14>
The port range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
shutdown
Disables the MSTP Fast Ring mode
no shutdown
Enables the MSTP Fast Ring mode
protocol-mstp
Enters the MSTP Configuration mode
no protocol-mstp
Removes MSTP configurations
instance <value>
Enters the Specific MSTP Instance

Configuration mode:
no instance
priority <priority>
Removes the defined instance

Specifies the MSTP priority for instances in the
range of <1-15>. MSTP priority for instance 0 is
defined in the Spanning Tree Configuration
mode:
priority: 0, 4096, 8192, 12288,

16384, 20480, 24576, 28672, 32768,
36864, 40960, 45056, 49152, 53248,
57344, and 61440
32768
no priority
max-hops <hops>
Restores to default
Specifies the maximum number of hops allowed
in a region before discarding a BPDU:
hops: in the range of <1-40>
40
no max-hop
Restores to default
region-name NAME
Specifies the MSTP region name:
no region-name
Page 32
NAME: a case-sensitive string of

<1-32> characters
Removes the defined name
Command
Description
region-revision
<unsignedShort>
Specifies the region revision-number:
no region-revision
Restores to default
shutdown
Disables MSTP
no shutdown
Enables MSTP
vlan-per-instance <vlan-id>
Define a VLAN mapped to an instance:
unsignedShort: in the range of <032767>
All VLANs are mapped to instance 0

no vlan-per-instance
instance-id <value>
Restores to default
Specifies an instance mapped to the desired
VLAN/s:
no instance-id
protocol-rstp
Removes the specified instance

Enters the RSTP Configuration mode
shutdown
Disables RSTP
no shutdown
Enables RSTP
protocol-stp
Enters the STP Configuration mode
shutdown
Disables STP
no shutdown
Enables STP
provider-bridge-address {dot1ad |
dot1d}
Specifies the destination MAC address used to

send STP BPDUs:
dot1ad: sets the destination MAC

to 01:80:C2:00:00:08
dot1d: sets the destination MAC to

01:80:C2:00:00:00
dot1d
no provider-bridge-address
Removes the defined destination MAC address
Page 33
Command
Description
show ethernet mstp [cist port UU/SS/PP |

configuration | detailed | instance
<value> port UU/SS/PP]
Displays the MSTP port states and roles for

each instance :
cist port UU/SS/PP: (optional)

displays detailed MSTP
configuration of the selected port

detailed information about MSTP
information vectors
configuration: (optional) displays

the current regions MSTP
configuration
instance <value> port UU/SS/PP:

(optional) displays MSTP instance
configuration on port
The port range is:
show ethernet rstp [port UU/SS/PP |

details]
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Displays the RSTP general information or RSTP

information per port:
details: (optional) displays

information vectors
port UU/SS/PP: (optional) displays

detailed RSTP configuration of the
selected port
The port range is:
show ethernet stp [port UU/SS/PP |

details]
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
D Displays the STP general information or STP

information per port:
details: (optional) displays

information vectors
port UU/SS/PP: (optional) displays

detailed STP configuration of the
selected port
The port range is:
Page 34
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Table 7: MSTP Link-types

Link-Type
Description
Admin Link-Type
auto
Operational LinkType
The device automatically manages the port's link-type. The

device considers the port connected to a point-to-point LAN
segment if any of the following conditions are met:
The MST algorithm determines that the LAN segment

operates in full duplex mode.
If you configure the port by management means to a

full duplex operation. Otherwise, consider the MAC to
be connected to a LAN segment that is not point-topoint (shared media).
point-to-point
Consider the device connected to a point-to-point LAN

segment that forces the operational link-type to be point-topoint.
shared
Consider the device connected to a shared media LAN

segment that forces the operational link-type to be shared.
If you configure Admin link-type to auto, then you can determine the value of
Operational link-type in accordance with the specific procedures defined for
the device entity, as defined in Admin link-type (auto).
If the port is connected to a point-to-point LAN segment, then Operational
link-type is set to point-to-point, otherwise it is set to shared.
In the absence of a specific definition of how to determine whether the
device is connected to a point-to-point LAN segment or not, the value of linktype is shared.
Table 8: Default Path Cost Configuration (IEEE802.1s)

Link Speed
Recommended Value
Recommended Range
Range
<=100 Kbps
200,000,000
20,000,000200,000,000
1200,000,000
1 Mbps
20,000,000
2,000,00020,000,000
1200,000,000
10 Mbps
2,000,000
200,0002,000,000
1200,000,000
100 Mbps
200,000
20,000200,000
1200,000,000
1 Gbps
20,000
2,000200,000
1200,000,000
10 Gbps
2,000
20020,000
1200,000,000
100 Gbps
200
202,000
1200,000,000
1 Tbps
20
2200
1200,000,000
10 Tbps
120
1200,000,000
Page 35
Configuration Examples
Example 1
In the following example, four devices are connected via VLANs V100 and V200 that are mapped
to two MST instances on each device. The example shows the redundancy achieved with MSTP.
After configuring the network, use the show
instances are configured correctly.
mstp command on each device to verify that the MST
Figure 9: Schematic MSTI Configuration
1.
Create VLANs V100 and V200 and add the appropriate ports to each VLAN:
Device1(config)#vlan default 1
Device1(config-vlan-1)#no untagged 1/1/1
Device1(config-vlan-1)#exit
Device1(config)#vlan v100 100
Device1(config-vlan-100)#tagged 1/1/1
Device1(config-tagged-1/1/1)#tagged 1/1/3
Device1(config-tagged-1/1/3)#exit
Device1(config-vlan-100)#untagged 1/1/4
Device1(config-untagged-1/1/4)#top
Device1(config)#port 1/1/4
Device1(config-port-1/1/4)#default-vlan 100
Device1(config-port-1/1/4)#exit
Device1(config-tagged-1/1/3)#top
2.
Enable MSTP:
Device1(config)#ethernet
Page 36
Device1(config-ethernet)#spanning-tree protocol-mstp
Device1(config-protocol-mstp)#no shutdown
3.
Set priority 0 to MSTI 1 to force Device 1 to be MSTI1 root:

Device1(config-protocol-mstp)#instance 1 priority 0
Device1(config-instance-1)#exit
4.
Add the VLANs to MSTIs 1, and 2:

Device1(config-protocol-mstp)#vlan-per-instance 100 instance-id 1
Device1(config-vlan-per-instance-1)#exit
Device1(config-vlan-per-instance-2)#commit
1.
Device2#configure
Device2(config-vlan-1)#exit
2.
Enable MSTP:
3.
Set priority 0 to MSTI 2 to force Device 2 to be MSTI2 root:

Device2(config-protocol-mstp)#instance 2 priority 0
Device2(config-instance-2)#exit
4.
Add the VLANS to MSTIs
1, and 2:

Page 37
1.
Device3#configure
2.
Enable MSTP:
3.
Add the VLANS to MSTIs 1, and 2:

1.
Create VLAN V200 and add the appropriate ports to each VLAN:
Device4#configure
Page 38
2.
Enable MSTP:
3.
Add the VLANs to MSTIs
and 2:

Displaying Device 1 Configuration:
Device1#show ethernet mstp detailed

Multiple spanning trees
= enabled
ProtocolSpecification
= ieee8021s
Priority
= 32768
TimeSinceTopologyChange
= 0 (Sec)
TopChanges
= 6
CIST Root
= 32768.00:A0:12:27:00:80
MaxAge
= 20 (Sec)
HelloTime
= 2 (Sec)
ForwardDelay
= 15 (Sec)
BridgeMaxAge
= 20 (Sec)
BridgeHelloTime
= 2 (Sec)
BridgeForwardDelay
= 15 (Sec)
ProtoMigratioDelay
= 3 (Sec)
MaxHopCount
= 40
TxHoldCount
= 3
FastRing
= disabled
LearnMode
= standard
CIST Information
VLANs mapped
= 1..99,101..199,201..4094
Priority
= 32768
Regional Root
= 32768.00:A0:12:27:00:80
RemainingHopCount
= 39
= 3039 (Sec)
TopChanges
= 6
Border Bridge
= Disabled
No active ports are mapped to the MSTI
Page 39
MST 1
VLANs mapped
Priority
Regional Root
RemainingHopCount
TopChanges
Border Bridge
=
=
=
=
=
=
=
100
0
This bridge is the root
40
3039 (Sec)
5
disabled
==========================================================================
Port
|Pri|Prt role|State|PCost
|DCost
|Designated bridge |DPrt
--------+---+--------+-----+---------+---------+------------------+------01/01/01 128 Designat frwrd
200000
0 00000.00A0122700C0 128.003
01/01/03 128 Designat frwrd
200000
0 00000.00A0122700C0 128.005
200000
0 00000.00A0120A0168 128.006
MST 2
VLANs mapped
= 200
Priority
= 32768
Regional Root
= 00002.00:A0:12:27:14:20
RemainingHopCount
= 39
= 3039 (Sec)
TopChanges
= 7
Border Bridge
= disabled
==========================================================================
Port
|DCost
--------+---+--------+-----+---------+---------+------------------+------01/01/02 128 Designat frwrd
200000
0 32768.00A0122700C0 128.004
01/01/03 128 Root
frwrd
200000
0 00000.00A012271420 128.005

device-name#show ethernet
Priority
TopChanges
CIST Root
MaxAge
HelloTime
ForwardDelay
BridgeMaxAge
BridgeHelloTime
BridgeForwardDelay
ProtoMigratioDelay
MaxHopCount
TxHoldCount
FastRing
LearnMode
Page 40
mstp detailed
= enabled
= ieee8021s
= 32768
= 0 (Sec)
= 4
= 32768.00:A0:12:27:00:80
= 20 (Sec)
= 2 (Sec)
= 15 (Sec)
= 20 (Sec)
= 2 (Sec)
= 15 (Sec)
= 3 (Sec)
= 40
= 3
= disabled
= standard
CIST Information
VLANs mapped
= 1..99,101..199,201..4094
Priority
= 32768
Regional Root
= 32768.00:A0:12:27:00:C0
RemainingHopCount
= 39
= 3039 (Sec)
TopChanges
= 4
Border Bridge
= disabled
MST 1
VLANs mapped
= 100
Priority
= 32768
Regional Root
= 00001.00:A0:12:27:00:C0
RemainingHopCount
= 39
= 3039 (Sec)
TopChanges
= 4
Border Bridge
= disabled
==========================================================================
Port
|DCost
--------+---+--------+-----+---------+---------+------------------+------01/01/01 128 Alternat block
200000
200000 32768.00A0122700C0 128.004
01/01/03 128 Root
frwrd
200000
200000 00000.00A0122700C0 128.005
MST 2
VLANs mapped
= 200
Priority
= 0
Regional Root
= This bridge is the root
RemainingHopCount
= 40
= 3039 (Sec)
TopChanges
= 4
Border Bridge
= disabled
==========================================================================
Port
|DCost
--------+---+--------+-----+---------+---------+------------------+------01/01/02 128 Designat frwrd
200000
0 00000.00A012271420 128.002
200000
0 00000.00A012271420 128.003
200000
0 00000.00A012271420 128.005

= enabled
= ieee8021s
Priority
= 32768
= 0 (Sec)
TopChanges
= 3
CIST Root
MaxAge
= 20 (Sec)
HelloTime
= 2 (Sec)
ForwardDelay
= 15 (Sec)
BridgeMaxAge
= 20 (Sec)
Page 41
BridgeHelloTime
BridgeForwardDelay
ProtoMigratioDelay
MaxHopCount
TxHoldCount
FastRing
LearnMode
=
=
=
=
=
=
=
2 (Sec)
15 (Sec)
3 (Sec)
40
3
disabled
standard
CIST Information
VLAN mapped
= 1..99,101..199,201..4094
Priority
= 32768
Regional Root
RemainingHopCount
= 39
= 3039 (Sec)
TopChanges
= 3
Border Bridge
= disabled
MST 1
VLANs mapped
= 100
Priority
= 32768
Regional Root
= 0001.00:A0:12:27:00:C0
RemainingHopCount
= 39
= 3039 (Sec)
TopChanges
= 2
Border Bridge
= disabled
==========================================================================
Port
|DCost
--------+---+--------+-----+---------+---------+------------------+------01/01/01 128 Root
frwrd
200000
0 00000.00A0122700C0 128.003
200000
0 32768.00A0122700C0 128.004
200000
0 32768.00A0122700C0 128.006
MST 2
VLANs mapped
= 200
Priority
= 32768
Regional Root
= 00002.00:A0:12:27:14:20
RemainingHopCount
= 39
= 3039 (Sec)
TopChanges
= 3
Border Bridge
= disabled

= enabled
= ieee8021s
Priority
= 32768
= 0 (Sec)
TopChanges
= 2
CIST Root
= 32768.00:A0:12:27:00:80
Page 42
MaxAge
HelloTime
ForwardDelay
BridgeMaxAge
BridgeHelloTime
BridgeForwardDelay
ProtoMigratioDelay
MaxHopCount
TxHoldCount
FastRing
LearnMode
=
=
=
=
=
=
=
=
=
=
=
20 (Sec)
2 (Sec)
15 (Sec)
20 (Sec)
2 (Sec)
15 (Sec)
3 (Sec)
40
3
disabled
standard
CIST Information
VLAN mapped
= 1..99,101..199,201..4094
Priority
= 32768
Regional Root
= 32768.00:A0:12:27:00:80
RemainingHopCount
= 38
= 3039 (Sec)
TopChanges
= 2
Border Bridge
= disabled
MST 1
VLAN mapped
= 100
Priority
= 32768
Regional Root
= 00001.00:A0:12:27:00:C0
RemainingHopCount
= 39
= 3039 (Sec)
TopChanges
= 5
Border Bridge
= disabled
MST 2
VLAN mapped
= 200
Priority
= 32768
Regional Root
= 00002.00:A0:12:27:14:20
RemainingHopCount
= 39
= 3039 (Sec)
TopChanges
= 2
Border Bridge
= disabled
==========================================================================
Port
|DCost
--------+---+--------+-----+---------+---------+------------------+------01/01/01 128 Root
frwrd
200000
0 00000.00A012271420 128.003
200000
0 32768.00A012271420 128.004
200000
0 32768.00A012271420 128.006
Example 2
In the example above if the direct link between Device 1 and Device 3 fails, MSTI1 is recalculated,
and port 1/1/2 in Device 3 changes its role from alternative to root.
Page 43
Figure 10: Link Failure between Two Devices
In this case, the show
ethernet mstp detailed command displays the following:

= enabled
= ieee8021s
Priority
= 32768
= 0 (Sec)
TopChanges
= 6
CIST Root
= 32768.00:A0:12:27:00:80
MaxAge
HelloTime
ForwardDelay
BridgeMaxAge
BridgeHelloTime
BridgeForwardDelay
ProtoMigratioDelay
MaxHopCount
TxHoldCount
FastRing
LearnMode
=
=
=
=
=
=
=
=
=
=
=
20 (Sec)
2 (Sec)
15 (Sec)
20 (Sec)
2 (Sec)
15 (Sec)
3 (Sec)
40
3
disabled
standard
CIST Information
VLANs mapped
= 1..99,101..199,201..4094
Priority
= 32768
CIST Root
= 32768.00:A0:12:27:00:80
RemainingHopCount
= 38
= 3039 (Sec)
TopChanges
= 6
Border Bridge
= disabled
MST 1
VLAN mapped
Priority
Regional Root
RemainingHopCount
Page 44
=
=
=
=
100
0
40
= 3039 (Sec)
TopChanges
= 5
Border Bridge
= disabled
==========================================================================
Port
|DCost
--------+---+--------+-----+---------+---------+------------------+------01/01/03 128 Designat frwrd
200000
0 00000.00A0122700C0 128.005
200000
0 32768.00A0122700C0 128.006
MST 2
VLAN mapped
= 200
Priority
= 32768
Regional Root
= 00002.00:A0:12:27:14:20
RemainingHopCount
= 39
= 3039 (Sec)
TopChanges
= 7
Border Bridge
= disabled
==========================================================================
Port
|DCost
--------+---+--------+-----+---------+---------+------------------+------01/01/02 128 Designat frwrd
200000
0 32768.00A0122700C0 128.002
01/01/03 128 Root
frwrd
200000
0 00000.00A012271420 128.003

= enabled
= ieee8021s
Priority
= 0
= 0 (Sec)
TopChanges
= 3
CIST Root
MaxAge
= 20 (Sec)
HelloTime
= 2 (Sec)
ForwardDelay
= 15 (Sec)
BridgeMaxAge
= 20 (Sec)
BridgeHelloTime
= 2 (Sec)
BridgeForwardDelay
= 15 (Sec)
ProtoMigratioDelay
= 3 (Sec)
MaxHopCount
= 40
TxHoldCount
= 3
FastRing
= disabled
LearnMode
= standard
CIST Information
VLAN mapped
Priority
CIST Root
RemainingHopCount
TopChanges
Border Bridge
=
=
=
=
=
=
=
1..99,101..199,201..4094
32768
39
3039 (Sec)
3
disabled
Page 45

MST 1
VLAN mapped
= 100
Priority
= 32768
Regional Root
= 00001.00:A0:12:0A:01:68
RemainingHopCount
= 38
= 3039 (Sec)
TopChanges
= 3
Border Bridge
= disabled
==========================================================================
Port
|DCost
--------+---+--------+-----+---------+---------+------------------+------01/01/02 128 Root
frwrd
200000
400000 32768.00A00001090B 128.002
200000
400000 32768.00A012BBBBBB 128.006
MST 2
VLAN mapped
= 200
Priority
= 32768
Regional Root
= 00002.00:A0:12:27:14:20
RemainingHopCount
= 39
= 3039 (Sec)
TopChanges
= 3
Border Bridge
= disabled
On Device 2 and Device 4:
This topology change does not affect Device 2 and Device 4 output.
Page 46
Fast Ring Configuration Example

The following example displays how to configure the devices in a fast ring so that traffic is
distributed correctly among client networks.
Figure 11: Fast Ring Topology
1.
Enable MSTP and configure Device 1 to be the root device:

Device1(config-protocol-mstp)#exit
Device1(config-spanning-tree)#priority 0
2.
Create VLAN V10, V20, and V30. Add the appropriate ports to each VLAN:
Device1(config-vlan-default/1)#no untagged 1/2/1
Page 47
Device1(config-tagged-1/1/2)#commit
1.
Enable MSTP fast-ring and configure fast ring ports:

Device2(config-spanning-tree)#protocol-fast-ring
Device2(config-protocol-fast-ring)#no shutdown
Device2(config-protocol-fast-ring)#ring-ports 1/2/1 1/1/2
Device2(config-protocol-fast-ring)#exit
2.
Configure an edge port on the client port:

Device2(config-spanning-tree)#port 1/1/1 edge-port
Device2(config-port-1/1/1)#port 1/1/3 edge-port
Device2(config-port-1/1/4)#top
3.
Device2(config-vlan-default/1)#no untagged
Device2(config-untagged-1/1/1)#exit
Device2(config-port-1/1/1)#port 1/1/3
Page 48
1/1/1
1/1/2
1/2/1
1/1/3
1/1/4
Device2(config-port-1/1/4)#commit
1.

2.
1.

2.

3.
Device4(config- vlan-10)#tagged 1/2/1
Page 49
Device4(config-tagged-1/1/2)#vlan v30 30
1.

2.

3.
Page 50
Fast Ring with Border Bridge Configuration Example

The following example displays how to configure the devices in a fast ring with border-bridge so
that traffic is distributed correctly among client networks.
Figure 12: Fast Ring Topology
Any xSTP protocol is not enabled on Device 1 but Device 1 forwards BPDUs.
1.
Page 51
1.
Enable MSTP fast-ring, configure fast ring ports, and set border-bridge preferred-link:
Device2(config-protocol-fast-ring)#border-bridge preferred-link 1/1/2
Device2(config-border-bridge)#exit
2.

Device2(config-port-1/1/4)#top
3.
1/1/1
1/1/2
1/2/1
1/1/3
1/1/4
1.

Page 52
2.
1.

2.

3.
Device4(config- vlan-10)#tagged 1/2/1
Page 53
1.
Enable MSTP fast-ring, configure fast ring ports, and set border-bridge preffer-link:
Device5(config-protocol-fast-ring)#border-bridge preferred-link 1/2/1
Device5(config-border-bridge)#exit
2.

3.
Page 54

Feature
Standards
MIBs
RFCs

(xSTP)
IEEE 802.1d-1998
IEEE 802.1t-2001
IEEE 802.1w-2001
IEEE 802.1s-2002
No MIBs are
supported by this
feature.
RFC 2863, Interfaces

Group MIB
(configL2IfaceTable)
Page 55
Multicast Layer 2 Features

Table of Contents
Table of Figures 2
List of Tables 2
Internet Group Management Protocol (IGMP) Snooping 4
Multicast Forwarding Table 4
Dynamic Entries 4
Static Entries 5
IGMP Configuration Flow 6
IGMP Snooping Commands 7
Commands Hierarchy 7
Configuration Example 1 16
Multicast VLAN Registration (MVR) 26
Overview26
MVR Modes 26
Immediate Leave 26
MVR Commands 27
Commands Hierarchy27
Multicast Layer 2 Features (Rev. 01)
Page 1
Table of Figures
Figure 1: Initial IGMP Join Message ................................................................................................... 5
Figure 2: IGMP Configuration Flow ................................................................................................... 6
List of Tables
Table 1: IGMP Snooping Commands ................................................................................................. 8
Table 2: MVR Commands .................................................................................................................. 28
Page 2
T-Marc3208SH

This chapter consists of these sections:
Internet Group Management Protocol (IGMP) Snooping

IGMP Snooping is the process of listening to IGMP traffic in order to learn the IP
multicast group memberships and direct multicast traffic only to relevant users. IGMP
Snooping is very important in order to ensure proper performance on networks with
heavy multicast traffic
Multicast VLAN Registration (MVR)

Multicast VLAN Registration (MVR) is a protocol for Layer 2 networks that enables
multicast-traffic from a source VLAN to be shared with subscriber-VLANs.
Page 3
Internet Group Management Protocol (IGMP)

Snooping
To prevent flooding ports with multicast traffic, IGMP snooping dynamically configures ports on
the host side of the switch to receive multicast traffic only when the attached host previously
expressed an interest in receiving that traffic.
On the transmitter side of the device, the port that connects upstream to the multicast source is
called the Mrouter port.
Multicast Forwarding Table

The device maintains a Multicast Forwarding table and creates entries either dynamically or
statically.
NOTE
The maximum number of multicast entries in the Multicast Forwarding Table is
1024.
Dynamic Entries
The host can request to join or leave one or more multicast groups using the following IGMP
Report types:
IGMP Join Message: Host side request to join an IP multicast group by sending an
unsolicited IGMP Join Message that identifies the IP multicast group. The CPU creates a
multicast entry in the Multicast Forwarding table for that group and adds the port to the table.
The host associated with that port receives multicast traffic for that group.
On receipt of an IGMP Join Message on the host side, the device generates and sends an
IGMP Join Message on the transmitter side upstream, via the mrouter port, to the
multicast traffic source. By doing so, the device creates a logical connection between the
host and the source of the multicast traffic.
IGMP Leave Group Message: When the device receives an IGMP Leave Group message
(IGMP Version 2), the device deletes the port number for the host from the Multicast
Forwarding Table. When the device receives a Leave Group message from a host, the Group
timer is reset to the robustness value* last member query interval value (see the IGMP Snooping
Commands table).
If the user enables fast leave processing, the device handles requests to leave a multicast
group immediately to ensure optimal bandwidth management for all hosts on a switched
network even when the device manages several multicast groups simultaneously.
On the edge of the network, the multicast router connects to an IGMP Snooping device on the
transmitter side. The transmitter side port where the Mrouter connects becomes an Mrouter port
either through static configuration or automatically upon receipt of an IGMP Query from the
multicast traffic source side.
Page 4
When the device receives a transmitter side request, known as an IGMP Query, the device
automatically responds with an IGMP Join Message for any active Multicast groups maintained by
the device.
Figure 1: Initial IGMP Join Message
Static Entries
Along with IGMP Snooping-learned entries, the Multicast Forwarding table can also include static
entries. Create static entries using the IGMP Snooping commands for the Command Line Interface
(CLI) found in Table 1.
Page 5
NOTE
Static, or permanent, entries supersede dynamic changes creates through the IGMP
Snooping protocol.
IGMP Configuration Flow
Figure 2: IGMP Configuration Flow
Page 6
IGMP Snooping Commands

Commands Hierarchy
device-name#
+ config terminal
- [no] multicast filter-mode {any-source | source-specific}

+ [no] vlan VLAN-NAME <vlan-id>
+ [no] ip-igmp-snooping
+ [no] ip-tos-check
- [no] router-alert-check
+ [no] router-timers
- [no] last-member-query-interval <interval>
- [no] query-interval <interval>
- [no] robustness <value>
- [no] query-response-interval <interval>
+ [no] untagged UU/SS/PP
- [no] multicast-static-group NAME

+ [no] igmp-snooping
- [no] explicit-tracking {enable | disable}

- [no] fast-leave {enable | disable}
- [no] max-groups <unsignedInt>
- [no] mrouter
- [no] mrouter-block
- [no] report-block
+ [no] tagged UU/SS/PP
- [no] multicast-static-group NAME

- [no] mrouter
+ service
- [no] report-block
- [no] multicast filter-mode any-source

+ [no] ip-igmp-snooping
- [no] router-alert-check
Page 7
+ [no] router-timers
- [no] last-member-query-interval <interval>
- [no] query-interval <interval>
- [no] robustness <value>
- [no] query-response-interval <interval>
+ [no] spoke-sdp <spoke-sdp-id>


- [no] mrouter
- [no] report-block


- [no] mrouter
- show igmp-snooping
- [no] report-block
- show igmp-snooping service [<service-id> | detailed | groups |

mrouters | statistics]
- show igmp-snooping vlan [<vlan-id> | detailed | groups | mrouters |

statistics]
Table 1: IGMP Snooping Commands
Command
Description
config terminal
multicast filter-mode {any-source

source-specific}
Page 8
Specifies the multicast model:
any-source: Any-Source Multicast

(ASM) mode is when any user is
permitted to send data.
source-specific: Single-Source
Multicast (SSM) mode is when only
the user initiating the session
is allowed to send data; other
users can receive only.
Command
Description
no multicast filter-mode
Disables the feature
vlan VLAN-NAME <vlan-id>
Creates a VLAN with the defined name and ID

(VLAN tag) and enters VLAN Configuration
mode:
no vlan VLAN-NAME <vlan-id>
VLAN-NAME: a string of
<131> characters
Removes the existing VLAN:
VLAN-NAME: a string of
<131> characters
ip-igmp-snooping
Enables IGMP Snooping on a specific VLAN

Disabled
no ip-igmp-snooping
Restores to default
router-alert-check
Enables the IP Router Alert option (RFC 2113)

verification
Enabled
no router-alert-check
Disables the IP Router Alert option check
ip-tos-check
Enables the IP TOS field verification (RFC

3376)
Enabled
no ip-tos-check
Disables the IP TOS field check
router-timers
Enters IGMP Snooping Timer Configuration

mode
no router-timers
Removes the IGMP Snooping Timer

configuration
last-member-query-interval
<interval>
Specifies the time that the IGMP router waits to

receive a response to a Group-Specific query:
interval: in the range of <11024> seconds
1 second
no last-member-query-interval
Restores to default
query-interval <interval>
Specifies the time between successive IGMP

General queries:
125 seconds
no query-interval
Restores to default
robustness <value>
Specifies a robustness value to reflect expected

packet loss on a congested network. Use a
larger value for a lossy network:
Page 9
Command
Description
no robustness
Restores to default
query-response-interval
Specifies the time, the multicast router waits to

receive a response to an IGMP General query.
During downgrade from version 2.4.R1.4 to
version 2.3.R3 and lower, the user-defined
value will disappeared from the running
configuration.
<interval>
10 seconds
no query-response-interval
untagged UU/SS/PP
Restores to default
Enters in Configuration mode of specific
untagged port:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
no untagged [UU/SS/PP]
tagged UU/SS/PP
Enters in Configuration mode of specific tagged

port:
no tagged [UU/SS/PP]
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
igmp-snooping
Enables IGMP snooping

Disabled
no igmp-snooping
Restores to default
explicit-tracking {enable |
disable}
Enables the router to explicitly track each

individual host joined to a group:
enable, disable: enables/disables

the option
Enabled
no explicit-tracking
Restores to default
fast-leave {enable | disable}
Enables IGMP fast-leave processing:
enable, disable: enables/disables

the option
Enabled
no igmp-snooping fast-leave
Restores to default
max-groups <unsignedInt>
Specifies the number of multicast groups that

can be registered:
unsignedInt: in the range of <01024>
1024
Page 10
no max-groups
Restores to default
mrouter
Configures a port as a multicast router port

Disabled
no mrouter
Restores to default
Command
Description
mrouter-block
All IGMP queries received on the selected port

are not processed and entered in local IGMP
database
Disabled
no mrouter-block
Restores to default
report-block
All IGMP reports received on the selected port

database
Disabled
no report-block
Restores to default
multicast-static-group UU/SS/PP
Specifies a port to be added to the multicast

group:
no multicast-static-group
[UU/SS/PP]
multicast-static-group NAME
Removes the specified port/s from the multicast

group
Specifies a multicast group name and enters
Multicast Static Configuration mode:
no multicast-static-group
ip A.B.C.D
Specifies the IP address of the multicast group:
no ip-source A.B.C.D
A1.B1.C1.D1
mac <mac:hexList>

multicast group
A1.B1.C1.D1: the source IP

address of the multicast traffic
Removes the defined entry:

multicast group
A1.B1.C1.D1: the source IP

address of the multicast traffic
Specifies the Group Destination MAC address

(GDA) of the multicast group:
mac:hexList: GDA MAC address, in
format HH:HH:HH:HH:HH:HH
Removes the defined Group Destination MAC

(GDA) address:
A.B.C.D: in the range of

<224.0.0.0-239.255.255.255>
Specifies a source-specific multicast entry in the

Multicast Forwarding Table for a group:
no mac <mac:hexList>
A.B.C.D: in the range of

<224.0.0.0-239.255.255.255>
Removes the defined multicast IP address:
ip-source A.B.C.D A1.B1.C1.D1
NAME: a string
Removes the multicast group
no ip A.B.C.D
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
mac:hexList: GDA MAC address, in

format HH:HH:HH:HH:HH:HH
Page 11
Command
Description
service
Enters Service mode
NOTE
SAP and SDP ports have to be
untagged members of the default
VLAN.
vpls <vpls-id>
Creates a VPLS service instance and enters

VPLS Configuration mode:
no vpls [<vpls-id>]

4294967294>
Removes the defined VPLS instance:

range of <14294967294>
ip-igmp-snooping
Enables IGMP Snooping for a specific VPLS

instance and enters IGMP Snooping VPLS
Configuration mode
Disabled
no ip-igmp-snooping
Restores to default
router-alert-check
Enables the IP Router Alert option (RFC 2113)

verification
Enabled
no router-alert-check
Disables the IP Router Alert option
router-timers
Enters IGMP Snooping Timer Configuration

mode
no router-timers
Removes the IGMP Snooping Timer

configuration
last-member-query-interval
<interval>
Specifies the time that the IGMP router waits to

receive a response to a Group-Specific query:
1 second
no last-member-queryinterval
Restores to default
query-interval <interval>
Specifies the time between successive IGMP

General queries:
125 seconds
no query-interval
Restores to default
robustness <value>
Specifies a robustness value to reflect expected

packet loss on a congested network. Use a
larger value for a lossy network:
2 packets
no robustness
Restores to default
query-response-interval
Specifies the time, the multicast router waits to

receive a response to an IGMP General query:
<interval>
Page 12
Command
Description
10 seconds
no query-response-interval
spoke-sdp <spoke-sdp-id>
Restores to default
Configures a spoke binding between a VPLS
and a Service Distribution Point (SDP) and
enters Spoke-sdp Configuration mode:
no spoke-sdp [<spoke-sdp-id>]
spoke-sdp-id: an existing SDP ID

to bind to the specified service
ID, in the range of <14294967295>
Removes SDP binding for the specified VPLS:

spoke-sdp-id: (optional) an
existing SDP ID to bind to the
specified service ID, in the
range of <1-4294967295>
Creates a Service Access Point (SAP) and

enters SAP Configuration mode:
UU/SS/PP: the
physical port
port) defined
obtained from
command)
corresponding
(unit, slot and
as SAP.(can be
the show port
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>

of <1-4094>



range of <1-64>

packets

control packets

UU/SS/PP: the
physical port
port) defined
obtained from
command)
corresponding
(unit, slot and
as SAP.(can be
the show port
Page 13
Command
Description
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>

of <1-4094>



range of <1-64>

packets

control packets

igmp-snooping
Enables IGMP Snooping for a specific spoke

binding and enters IGMP Snooping
Configuration mode
Disabled
no igmp-snooping
Restores to default
explicit-tracking {enable |
disable}
Configures the router to explicitly track each

individual host joined to a group:
enable: enables the feature
disable: disables the feature
Enabled
Restores to default
fast-leave {enable |
disable}
Configures IGMP fast-leave processing:
enable: enables the feature
disable: disables the feature
Enabled
no fast-leave
Restores to default
max-groups <unsignedInt>
Specifies the number of multicast groups that

can be registered:
1024
Page 14
no max-groups
Restores to default
mrouter
Configures a static connection to a multicast

router
Disabled
no mrouter
Restores to default
Command
Description
report-block
All IGMP reports received on the selected port

database
Disabled
no report-block
Restores to default
mrouter-block
All IGMP queries received on the selected SDP

are not entered in the local IGMP database but
instead, are forwarded to all SAPs/SDPs
according to split horizon rules:
Deny IGMP queries entering local IGMP
database and forward to all SAPs/SDPs
according to split horizon rules:
Disabled
no mrouter-block
Restores to default
show igmp-snooping
Displays information for all aspects of IGMP

snooping on VPLS services and VLANs
show igmp-snooping service [<service-id>

| detailed | groups | mrouters |
statistics]

snooping on a VPLS service, filtered by the
following arguments:
show igmp-snooping vlan [<vlan-id> |

detailed | groups | mrouters |
statistics]

range of <14294967294>

detailed information
groups: (optional) displays

information for multicast groups
that are joined on SDP or SAP
mrouters: (optional) displays

multicast routers ports related
to the specified service

IGMP snooping statistics for the
specified service

snooping on a VLAN, filtered by the following
arguments:

of <14094>

detailed information
groups: (optional) displays

information for multicast groups
that are joined on the specified
VLAN
mrouters: (optional) displays

multicast routers ports related
to the specified VLAN

IGMP snooping statistics for the
specified VLAN and port
Page 15
In the following example IGMP snooping is configured on VLAN 100. The multicast router that
sends IGMP queries is connected to port 1/2/5. The multicast host that sends the IGMP report is
connected to port 1/2/4:
1.
Enter the Configuration mode of VLAN v100 with ID 100:

device-name(config)#vlan v100 100
device-name(config-vlan-v100/100)#untagged 1/2/4
2.
Enable IGMP snooping on the specified VLAN and configure last-member-query interval:
device-name(config-vlan-v100/100)#ip-igmp-snooping
device-name(config-ip-igmp-snoopping)#router-timers last-member-queryinterval 20
device-name(config-untagged-1/2/4)#igmp-snooping
device-name(config-untagged-1/2/5)#igmp-snooping
3.
Display IGMP snooping queries and reports information (the multicast router with source IP
address 100.1.1.33 is connected to port 1/2/5 and a multicast host joines a multicast group
with IP address 224.2.2.2 on port 1/2/4):
device-name#show igmp-snooping vlan 100 mrouters
================================================================================
Vlan ID 100 - IGMP Snooping Mrouters
================================================================================
Port ID: 1/2/5
Mrouters: 1
-------------------------------------------------------------------------------Mrouter Ip:
100.1.1.33
Type: Dynamic
Group Ip:
224.2.2.2
Age: 244s
--------------------------------------------------------------------------------
device-name#show igmp-snooping vlan 100 groups
================================================================================
Vlan ID 100 - IGMP Snooping
================================================================================
Port ID: 1/2/5
Groups: 0
================================================================================
================================================================================
Port ID: 1/2/4
Groups: 0
================================================================================
device-name#show igmp-snooping vlan 100 groups
================================================================================
Vlan ID 100 - IGMP Snooping
================================================================================
Port ID: 1/2/5
Groups: 0
================================================================================
================================================================================
Port ID: 1/2/4
Groups: 1
================================================================================
================================================================================
Group IP: 224.2.2.2
Mode: Include
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.50
Forward
258s
100.1.1.11
258s
Page 16
In the following example, IGMP Snooping is configured on VPLS-MTU 1010. The multicast
router that sends IGMP queries is connected to SAP 1/1/3: The multicast host that sends the
IGMP report is connected to SAP 1/1/3::.
1.
Configure IP interfaces, OSPF, LDP, and VLANs on Device_1 device:

Device_1#config terminal
Device_1(config)#vlan 10 10
Device_1(config-vlan-10/10)#routing-interface sw10
Device_1(config-vlan-10/10)#untagged 1/1/1
Device_1(config-untagged-1/1/1)#exit
Device_1(config-vlan-10/10)#exit
Device_1(config-untagged-1/1/2)#port 1/1/1
Device_1(config-port-1/1/1)#default-vlan 10
Device_1(config-port-1/1/1)#port 1/1/2
Device_1(config-port-1/1/2)#top
Device_1(config)#router interface lo1 address 1.1.172.101/32
Device_1(config-interface-lo1)#exit
Device_1(config-router)#interface sw10
Device_1(config-interface-sw10)#address 11.0.10.1/24
Device_1(config-interface-sw10)#exit
Device_1(config-interface-sw20)#commit
Commit complete.
Device_1(config-router)#ospf
Device_1(config-ospf)#router-id 1.1.172.101
Device_1(config-ospf)#area 0.0.0.2
Device_1(config-area-0.0.0.2)#interface 1.1.172.101
Page 17
Device_1(config-interface-1.1.172.101)#passive
Device_1(config-interface-1.1.172.101)#exit
Device_1(config-interface-11.0.20.1)#commit
Commit complete.
Device_1(config-area-0.0.0.2)#exit
Device_1(config-ospf)#trafic-engineering
Device_1(config-ospf)#commit
Commit complete.
Device_1(config-ospf)#exit
Device_1(config-router)#mpls lsr-id 1.1.172.101
Device_1(config-mpls)#ldp
Device_1(config-ldp)#interface lo1
Device_1(config-interface-lo1)#interface sw10
Device_1(config-interface-sw10)#interface sw20
Commit complete.
Device_1(config-ldp)#targeted-peer 1.1.3.1
Device_1(config-targeted-peer-1.1.3.1)#targeted-peer 1.1.4.1
Device_1(config-targeted-peer-1.1.4.1)#exit
Device_1(config-ldp)#distribute ingress ospf
Device_1(config-distribute)#egress ip 1.1.172.101/32
Device_1(config-ip-1.1.172.101/32)#exit
Device_1(config-distribute)#exit
Device_1(config-ldp)#exit
Device_1(config-router)#rsvp-te
Device_1(config-rsvp-te)#commit
Commit complete.
Device_1(config-rsvp-te)#exit
Device_1(config-router)#end
Device_1#
Device_1#show router ospf neighbor
2.
Neighbor ID
Pri
RXmtL RqstL DBsmL
State
Dead Time
Uptime
Address
Interface
1.1.3.1
0
0
Full/DROther
00:00:32
0d 00:00:17
11.0.10.2
sw10:11.0.10.1
1.1.4.1
0
0
Full/DROther
00:00:32
0d 00:00:17
11.0.20.2
sw20:11.0.20.1
Configure VPLS-MTU 1010:

Device_1(config)#service sdp 1
Device_1(config-sdp-1)#far-end 1.1.3.1
Device_1(config-sdp-1)#exit
Device_1(config-service)#sdp 2
Device_1(config-service)#vpls 1010
Device_1(config-vpls-1010)#no shutdown
Page 18
Device_1(config-vpls-1010)#mode mtu-s
Device_1(config-vpls-1010)#redundancy-mode none
Device_1(config-vpls-1010)#sap 1/1/3::
Device_1(config-sap-1/1/3::)#sap 1/1/3::
Device_1(config-sap-1/1/3::)#no shutdown
Device_1(config-sap-1/1/3::)#learn-new-mac-address
Device_1(config-sap-1/1/3::)#exit
Device_1(config-vpls-1010)#spoke-sdp 1
Device_1(config-spoke-sdp-1)#no shutdown
Device_1(config-spoke-sdp-1)#learn-new-mac-address
Device_1(config-spoke-sdp-1)#exit
Device_1(config-spoke-sdp-2)#backup
Device_1(config-spoke-sdp-2)#commit
Commit complete.
Device_1(config-spoke-sdp-2)#end
3.
Enable IGMP snooping on VPLS 1010:

Device_1(config)#service vpls 1010
Device_1(config-vpls-1010)#ip-igmp-snooping
Device_1(config-ip-igmp-snooping)#exit
Device_1(config-sap-1/1/3::)#igmp-snooping
Device_1(config-igmp-snooping)#exit
Device_1(config-spoke-sdp-1)#igmp-snooping
Device_1(config-igmp-snooping)#commit
Commit complete.
Device_1(config-igmp-snooping)#end
4.
Verify the VPLS configuration:

Device_1#show vpls 1010 sdp
------------------------------------------------------------------------------ServiceID
SDP Peer
Role
Up time
Adm
Opr
===============================================================================
1010
1.1.3.1
Prim
00:00:21
Up
Up
1010
1.1.4.1
Prim
00:00:00
Up
Stndby
Device_1#show igmp-snooping service 1010

================================================================================
IGMP Information Service 1010
================================================================================
Service-ID
VIs
Mrouter
IGMP Status
Groups
-------------------------------------------------------------------------------1010
0(0)
UP
Page 19
================================================================================
Services: 1
Groups: 0
================================================================================
5.
Verify the IGMP group database:

Device_1#show igmp-snooping service groups
================================================================================
Service ID 1010 - IGMP Snooping
================================================================================
SAP :
1/1/3::
Groups: 0
================================================================================
================================================================================
SDP :
1010:1.1.4.1
Groups: 0
================================================================================
================================================================================
SDP :
1010:1.1.3.1
Groups: 10
================================================================================
================================================================================
Group IP: 239.1.1.1
Mode: Include
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.50
Forward
256s
100.1.1.11
256s
================================================================================
Group IP: 239.1.1.2
Mode: Include
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.50
Forward
256s
100.1.1.11
100.1.1.51
Forward
256s
256s
100.1.1.11
256s
================================================================================
Group IP: 239.1.1.3
Mode: Include
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.50
Forward
256s
100.1.1.11
100.1.1.51
Forward
256s
100.1.1.11
100.1.1.52
256s
Forward
256s
256s
100.1.1.11
256s
================================================================================
Group IP: 239.1.1.4
Mode: Include
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.52
Forward
256s
100.1.1.11
256s
================================================================================
Group IP: 239.1.1.5
Mode: Include
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.53
Forward
256s
100.1.1.11
256s
================================================================================
Group IP: 239.1.1.6
Mode: Exclude
ExpTimer: 258s
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
--------------------------------------------------------------------------------
Page 20
100.1.1.10
Block
================================================================================
Group IP: 239.1.1.7
Mode: Exclude
ExpTimer: 258s
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.10
Block
100.1.1.11
Block
================================================================================
6.
Configure IP interfaces, OSPF, LDP, and VLANs on Device_2 device:

Device_2(config)#port 1/1/1
Device_2(config-port-1/1/1)#exit
Device_2(config)#port 1/1/2
Device_2(config-port-1/1/2)#exit
Device_2(config)#router interface lo1
Device_2(config-interface-lo1)#address 1.1.172.102/32
Device_2(config-interface-lo1)#exit
Device_2(config-router)#commit
Commit complete.
Device_2(config-router)#ospf
Device_2(config-ospf)#router-id 1.1.172.102
Device_2(config-ospf)#trafic-engineering
Device_2(config-ospf)#no area 0.0.0.0
Device_2(config-interface-1.1.172.102)#passive
Page 21
Device_2(config-ospf)#commit
Commit complete.
Device_2(config-ospf)#exit
Device_2(config-router)#mpls lsr-id 1.1.172.102
Device_2(config-mpls)#ldp
Device_2(config-mpls)#interface lo1
Device_2(config-interface-lo1)#interface sw10
Device_2(config-interface-sw10)#interface sw20
Commit complete.
Device_2(config-mpls)#ld
Device_2(config-ldp)#distribute ingress ospf
Device_2(config-distribute)#egress ip 1.1.172.102/32
Device_2(config-ip-1.1.172.102/32)#exit
Device_2(config-distribute)#exit
Device_2(config-ldp)#rs
Device_2(config-rsvp-te)#commit
Commit complete.
Device_2(config-rsvp-te)#end
Device_2#
Device_2#show router ospf neighbor
7.
Neighbor ID
Pri
RXmtL RqstL DBsmL
State
Dead Time
Uptime
Address
Interface
1.1.3.2
0
0
Full/DROther
00:00:38
0d 00:00:21
12.0.10.2
sw10:12.0.10.1
1.1.4.2
0
0
Full/DROther
00:00:38
0d 00:00:21
12.0.20.2
sw20:12.0.20.1
Configure VPLS-MTU 1010:

Device_2(config)#service sdp 1
Device_2(config-service)#sdp 2
Device_2(config-service)#vpls 1010
Device_2(config-vpls-1010)#no shutdown
Device_2(config-vpls-1010)#mode mtu-s
Device_2(config-vpls-1010)#redundancy-mode none
Device_2(config-sap-1/1/3::)#no shutdown
Device_2(config-sap-1/1/3::)#learn-new-mac-address
Page 22
Device_2(config-spoke-sdp-2)#backup
Device_2(config-spoke-sdp-2)#commit
Commit complete.
Device_2(config-spoke-sdp-2)#end
8.
Enable IGMP snooping on VPLS 1010:

Device_2(config)#service vpls 1010
Device_2(config-vpls-1010)#ip-igmp-snooping
Device_2(config-ip-igmp-snooping)#exit
Device_2(config-vpls-1010)#sap 1/1/3:: igmp-snooping
Device_2(config-igmp-snooping)#commit
Commit complete.
Device_2(config-igmp-snooping)#end
9.
Verify the VPLS configuration:

Device_2#show vpls sdp
------------------------------------------------------------------------------ServiceID
SDP Peer
Role
Up time
Adm
Opr
===============================================================================
1010
1.1.3.2
Prim
00:00:24
Up
Up
1010
1.1.4.2
Prim
00:00:00
Up
Stndby
10. Verify the IGMP group database:

Device_2#show igmp-snooping service groups
================================================================================
Service ID 1010 - IGMP Snooping
================================================================================
SAP :
1/1/3::
Groups: 10
================================================================================
================================================================================
Group IP: 239.1.1.1
Mode: Include
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.50
Forward
256s
100.1.1.11
256s
================================================================================
Group IP: 239.1.1.2
Mode: Include
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
Page 23
-------------------------------------------------------------------------------100.1.1.50
Forward
256s
100.1.1.11
100.1.1.51
Forward
256s
256s
100.1.1.11
256s
================================================================================
Group IP: 239.1.1.3
Mode: Include
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.50
Forward
256s
100.1.1.11
100.1.1.51
Forward
256s
100.1.1.11
100.1.1.52
256s
Forward
256s
256s
100.1.1.11
256s
================================================================================
Group IP: 239.1.1.4
Mode: Include
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.52
Forward
256s
100.1.1.11
256s
================================================================================
Group IP: 239.1.1.5
Mode: Include
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.53
Forward
256s
100.1.1.11
256s
================================================================================
Group IP: 239.1.1.6
Mode: Exclude
ExpTimer: 258s
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.10
Block
================================================================================
Group IP: 239.1.1.7
Mode: Exclude
ExpTimer: 258s
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.10
Block
100.1.1.11
Block
================================================================================
Group IP: 239.1.1.8
Mode: Exclude
ExpTimer: 258s
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------================================================================================
Group IP: 239.1.1.9
Mode: Exclude
ExpTimer: 258s
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------================================================================================
Group IP: 239.1.1.10
Mode: Exclude
ExpTimer: 258s
-------------------------------------------------------------------------------SrcIp
Mode
Joined Host
ExpTime
-------------------------------------------------------------------------------100.1.1.13
Block
================================================================================
SDP :
1010:1.1.4.2
Groups: 0
================================================================================
================================================================================
Page 24
SDP :
1010:1.1.3.2
Groups: 0
================================================================================
Page 25
Multicast VLAN Registration (MVR)

Overview
Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of
multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast
of multiple television channels over a service-provider network). MVR allows a subscriber on a port
to subscribe and unsubscribe to a multicast stream on the network-wide multicast VLAN. It also
allows the single multicast VLAN to be shared in the network while subscribers remain in separate
VLANs. MVR provides the ability to continuously send multicast streams in the multicast VLAN,
but to isolate the streams from the subscriber VLANs for bandwidth and security reasons.
MVR assumes that subscriber ports subscribe to and unsubscribe from (join and leave) these
multicast streams by sending out Internet Group Management Protocol (IGMP) join and leave
messages. These messages can originate from an IGMP version-2-compatible set-top box with an
Ethernet connection or from a PC capable of generating IGMP version-2 messages. The device
identifies IP multicast streams and their associated MAC addresses in the forwarding table,
intercepts the IGMP messages, and modifies the VLAN table to include or remove the subscriber
port from/to multicast VLAN.
MVR Modes
The device supports two MVR modes of operation:
In the dynamic mode, the device performs standard IGMP snooping. When the device receives
an IGMP report for a particular group-on MVR receiver port, it forwards the IGMP report to
the multicast router, connected to any MVR source port. The multicast router only forwards
multicast streams for groups for which reports are received. Receiver ports are treated as
members of the multicast VLAN for MVR multicast control and data traffic.
In the static mode, the device sends IGMP reports for all configured multicast groups to the
multicast router. The multicast router is forced to send multicast stream for all configured
groups. When the device receives an IGMP report on the receiver port, it immediately starts
switching the stream to the subscriber.
NOTE
The maximum number of multicast groups is 256.
Immediate Leave
If Immediate Leave is enabled on a receiver port, the port leaves a multicast group more quickly.
Without Immediate Leave, when the device receives an IGMP leave message from a subscriber on a
receiver port, it sends out an IGMP query on that port and waits for IGMP group membership
reports. If no reports are received within a configured time period, the receiver port is removed
from multicast group membership. With Immediate Leave, an IGMP query is not sent from the
receiver port on which the IGMP leave was received. As soon as the leave message is received, the
receiver port is removed from multicast group membership, which speeds up leave latency.
Page 26
MVR Commands
Commands Hierarchy
device-name#
+ config terminal
- [no] multicast filter-mode source-specific
+ ethernet
+ [no] mvr
+ [no] mc-group <id>
+ [no] asm-group <value>
- [no] count <value>
- [no] grp-address A.B.C.D
+ [no] ssm-group <value>
- [no] grp-address A.B.C.D
- [no] mode {exclude | include}

- [no] source-list <value>
- [no] mvr-mode {dynamic | static}

- [no] mvr-source-ip A.B.C.D
- [no] mvr-vlan <vlan-id>
- [no] explicit-tracking {false | true}

- [no] fast-leave {false | true}
- [no] mc-group <value>
- [no] mvr-type {receiver | source}
- [no] shutdown
- show multicast mvr [groups [<string> | dynamic] | members | ports]
Page 27
Table 2: MVR Commands
Command
Description
config terminal
multicast filter-mode source-specific
Enables the Source Specific Multicast feature

where datagram traffic is forwarded to receivers
from only those multicast sources to which the
receivers have explicitly joined.
no multicast filter-mode sourcespecific
Disables the feature
ethernet
mvr
Enables the MVR

Disabled
no mvr
Restores to default
mc-group <id>
Specifies the MVR multicast group ID:
no mc-group
asm-group <value>
id: a string of <1-16> characters
Removes the configured group

Specifies an Any Source Multicast (ASM) group
ID.
The ASM method allows multicast receiver to
listen to all traffic sent to the group, regardless of
who is sending the information.
no asm-group
ssm-group <value>
Specifies a Specific Source Multicast (SSM)

group ID.
The SSM method allows a multicast receiver to
detect only a specifically identified sender within
the multicast group.
no ssm-group
count <value>

Specifies a contiguous series of MVR group
addresses:
value: in the range of <1-256>.

The format is [A.B.C.D
A1.B1.C1.D12 AN.BN.CN.DN]
1
no count
Page 28
Restores to default
Command
Description
grp-address A.B.C.D
Specifies an IP multicast address of the MVR

group. Any multicast data sent to this address is
sent to all source ports on the switch and all
receiver ports that have elected to receive data
on that multicast address.
A.B.C.D: multicast groups IP

address
no grp-address
mode {exclude | include}
Specifies the multicast group traffic:
include: for a given multicast

group address, the user accepts
multicast traffic from sources IP
addresses on the list.
exclude: for a given multicast

group address, the user accepts
multicast traffic from all source
IP addresses except the ones on
the list.
Include
no mode
Restores to default
source-list <value>
Specifies a list of source IP addresses
value: in the range of <1-256>.

The format is [A.B.C.D
A1.B1.C1.D12 AN.BN.CN.DN]
1
no source-list
Restores to default
Page 29
Command
Description
mvr-mode {dynamic | static}
Specifies the MVR mode of operation:
dynamic: sends multicast data only

after sending a request from a
receiver port to join that
multicast group. The response in
this mode is slower than the
response in dynamic mode, but the
device is not loaded with traffic
from unused multicast groups.
The response to joins and channel zapping is

quick, at the expense of loading the device with
traffic from all the configured multicast groups all
the time.
If do not define a multicast group, the default is
224.0.0.1.
Under normal conditions, dynamic mode is
preferable.
static: the device forces the

multicast server to send all
configured multicast-group data to
the source port, without waiting
for join requests from receiver
ports. When a user on a receiver
port sends a join to a multicast
group, it immediately starts
receiving the multicast data.
Dynamic
no mvr-mode
Restores to default
mvr-source-ip A.B.C.D
Specifies an IP address to be used by the

device during packets generation:
A.B.C.D: devices IP address
0.0.0.0
no mvr-source-ip
Restores to default
mvr-vlan <vlan-id>
Specifies the VLAN in which the multicast traffic

is received. All source ports must belong to this
VLAN.
VLAN ID =1
no mvr-vlan
Restores to default
port UU/SS/PP
Specifies a port and enters MVR Port

configuration mode:
no port
explicit-tracking {false |
true}
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Removes the MVR port configuration

Configures the device to explicitly track each
individual host that is joined to a group:
true: enables the feature
false: disables the feature
True
Page 30
Command
Description
Restores to default
fast-leave {false | true}
Enable the Immediate Leave feature of MVR on

the port:
false: disables the feature
true: enables the feature
Disabled
no fast-leave
Restores to default
mc-group <value>
Specifies the MVR multicast group ID:
id:
a string of <1-16> characters
no mc-group
mvr-type {receiver | source}
Specifies an MVR port type:
source: configure uplink ports

that receive and send multicast
data as source ports. Subscribers
cannot be directly connected to
source ports. All source ports on
a switch belong to the single
multicast VLAN.
receiver: configure a port as a

receiver port if it is a
subscriber port and should only
receive multicast data. It does
not receive data unless it becomes
a member of the multicast group,
either statically or by using IGMP
leave and join messages. Receiver
ports cannot belong to the
multicast VLAN.
The default configuration is as a non-MVR

port.
no mvr-type
Restores to default
shutdown
Stops the MVR
no shutdown
Starts the MVR
show multicast mvr [groups [<string> |

dynamic] | members | ports]
Displays the MVR configuration, filtered by the

following option:
groups string: statically-defined

MVR multicast group
groups dynamic: dynamicallydefined MVR multicast group
members:
ports: MVR ports configuration
Page 31
In the following example, MVR is configured in dynamic mode. The multicast router that receives
and sends multicast data is connected to port 1/1/1. The multicast host that receives multicast data
is connected to port 1/1/2:
1.
Enter Configuration mode of the MVR source VLAN v10 with ID 10:
device-name(config-vlan-v10/10)#tagged 1/1/1
device-name(config-tagged-1/1/1)#commit
2.
Enter Configuration mode of the receiver VLAN v20 with ID 20:

device-name(config-untagged-1/1/2)#top
3.
Enable MVR on the specified ports and configure fast-leave on the receiver port:
device-name(config)#ethernet mvr
device-name(config-mvr)#no shutdown
device-name(config-mvr)#commit
device-name(config-mvr)#mvr-mode dynamic
device-name(config-mvr)#mvr-source-ip 11.11.11.11
device-name(config-mvr)#mvr-vlan 10
device-name(config-mvr)#port 1/1/1
device-name(config-port-1/1/1)#mvr-type source
device-name(config-port-1/1/2)#mvr-type receiver
device-name(config-port-1/1/2)#fast-leave true
4.
Display MVR mode, VLAN and source IP configuration:

device-name#show multicast mvr
=========================================================================
MVR status
: enabled
MVR mode
: dynamic
MVR vlan id
: 10
MVR Source IP
: 11.11.11.11
=========================================================================
5.
Display MVR port configuration:

device-name#show multicast mvr ports
=========================================================================
Multicast Vlan Replicaiton Interfaces
=========================================================================
Port id
: 1/1/1
MVR type
: Source
Explicit tracking
: Enabled
Fast leave
: Enabled
Page 32
Number of groups
: 0
Vlan list
: 10
V1 Querier Present Timer
: 0 secs
V2 Querier Present Timer
: 0 secs
------------------------------------------------------------------------Port id
: 1/1/2
MVR type
: Receiver
Explicit tracking
: Enabled
Fast leave
: Enabled
Number of groups
: 0
Vlan list
: 20
========================================================================
In the following example, MVR is configured in static mode. Static groups are configured. The
multicast router that receives and sends multicast data is connected to port 1/1/1. The multicast
host that receives multicast data is connected to port 1/1/2:
1.
Enter Configuration mode of the MVR source VLAN v10 with ID 10:
2.
Enter Configuration mode of the receiver VLAN v20 with ID 20:

device-name(config-untagged-1/1/2)#top
3.
Enable MVR on the specified ports:

device-name(config-mvr)#no shutdown
device-name(config-mvr)#commit
device-name(config-mvr)#mvr-mode static
device-name(config-mvr)#mvr-source-ip 11.11.11.11
device-name(config-mvr)#mvr-vlan 10
device-name(config-port-1/1/1)#mvr-type source
device-name(config-port-1/1/2)#mvr-type receiver
4.
Configure static group with ASM entry and apply it to the receiver port:
device-name(config-mvr)#mc-group k1
device-name(config-mc-group-k1)#asm-group 1 count 1 grp-address 224.2.2.2
device-name(config-asm-group-1)#commit
Page 33
device-name(config-asm-group-1)#exit
device-name(config-mc-group-k1)#exit
device-name(config-port-1/1/2)#mc-group k1
5.
Configure static group with SSM entry and apply it to the receiver port:
device-name(config-mvr)#mc-group k2
device-name(config-mc-group-k2)#ssm-group 1 grp-address 224.3.3.3 mode
include source-list 10.5.5.5
device-name(config-ssm-group-1)#commit
device-name(config-ssm-group-1)#exit
device-name(config-mc-group-k2)#exit
device-name(config-port-1/1/2)#mc-group k2
6.
Display configured static groups:

device-name#show multicast mvr groups
=========================================================================
Group name
: k2
ASM entries
: 0
SSM entries
: 1
Port list
: Empty
------------------------------------------------------------------------Group name
: k1
ASM entries
: 1
SSM entries
: 0
Port list
: 1/1/2
=========================================================================
Number of entries : 2
7.
Display port membership of the static groups:

device-name(config)#show multicast mvr members
=========================================================================
Multicast Vlan Replication Group members
=========================================================================
Group IP
: 224.2.2.2
Number of source entries : 0
Filter mode
: Exclude
Port list
: 1/1/2
------------------------------------------------------------------------Group IP
: 224.3.3.3
Number of source entries : 1
Source list
: 10.5.5.5
Filter mode
: Include
Port list
: 1/1/2
=========================================================================
Page 34

Features
Standards
MIBs
RFCs
IGMP Snooping
Not supported
Not supported
RFC 1112, Host

Extensions for IP
Multicasting
RFC 2236, Internet Group
Management Protocol,
Version 2
draft-ietf-magma-snoop11.txt
RFC3376, Internet Group
Management Protocol,
Version 3
Multicast VLAN
Registration (MVR)
Not supported
Not supported
Not supported
Page 35
Link Layer Discovery Protocol (LLDP)

Table of Contents
Table of Figures 1
List of Tables 1
Link Layer Discovery Protocol (LLDP) 2
LLDP Data Unit (LLDPDU) 2
TLV Format 2
LLDP Command Hierarchy 4
Table of Figures
Figure 1: LLDPDU Frame Structure................................................................................................... 3
Figure 2: Example for Configuring LLDP on two Devices............................................................. 8
List of Tables
Table 1: LLDP Commands ................................................................................................................... 4
Link Layer Discovery Protocol (LLDP) (Rev. 01)
Page 1
T-Marc3208SH
Link Layer Discovery Protocol (LLDP)

The Link Layer Discovery Protocol (LLDP) is a discovery Layer 2 protocol used by network
devices for advertising their identity, capabilities, interconnections, and store information about the
network. LLDP is a one hop protocol; the LLDP information can only be sent to and received
by devices that are directly connected to each other (neighbors) by the same link. It allows a device
to learn higher layer management reachability and connection endpoint information from adjacent
devices.
LLDP Data Unit (LLDPDU)

The LLDP frame contains a Link Layer Discovery Protocol Data Unit (LLDPDU) which is a set of
type-length-value (TLV) structures. The LLDPDU is enclosed into an Ethernet frame in which the
destination MAC address is set to multicast address 01:80:c2:00:00:0e and the Ethernet type is set to
0x88cc.
The device sends LLDP frames on each of its ports at a fixed frequency. It also sends LLDPDUs
when the local configuration changes to inform the neighboring devices. In any of the two cases, an
interval exists between two successive operations of sending LLDPDUs. This prevents the network
from being overwhelmed by LLDPDUs. The receiving of LLDP packets is implemented by
capturing the packet in hardware, using the L2 destination MAC and forwarding it to the CPU.
The information about a neighboring device maintained locally ages out when the corresponding
TTL expires. Only valid LLDP information is stored in the network devices.
TLV Format
In an LLDPDU, the chassis ID, port ID, and TTL TLV are the first three TLVs. The optional
TLVs are placed after the TTL TLV. The end of LLDPDU TLV is placed last. There is no
restriction regarding the length of LLDPDUs. The restriction comes from the transport layer, for
example in 802.3 MAC environments the maximum size of the PDU is 1500 bytes.
The figure below provides the LLDPDU structure and the mandatory LLDPDU TLV structure
details:
Page 2
Figure 1: LLDPDU Frame Structure
The mandatory TLVs contained in a LLDPDU are:
Chassis ID TLVThe MAC address associated with the local system
PortID TLVIdentifies the port from which the LLDPDU is transmitted
TTL TLVIndicates how long (in seconds) the LAN device's information received in the
LLDPDU is to be treated as valid information
End of LLDPDU TLVIndicates the end of TLVs of the LLDPDU frame
The optional TLVs defined as part of LLDP are grouped into Basic Management TLV Set (Port
description, System name, System description, System capabilities, Management address).
Page 3
LLDP Command Hierarchy

device-name#
+ config terminal
+ [no] ethernet
+ [no] lldp
- [no] advertise-basic {management-address | portdescription | system-capabilities | systemdescription | system-name}
- [no] mode {disabled | rx-only | rx-tx | tx-only}
- [no] reinit-delay <value>
- [no] shutdown
- [no] transmit-delay <value>
- [no] transmit-hold <value>
- [no] transmit-interval <value>
- show ethernet lldp local-system-data [interface UU/SS/PP]
- show ethernet lldp remote-system-data [interface UU/SS/PP]

- show ethernet lldp statistics [interface UU/SS/PP]
Table 1: LLDP Commands
Command
Description
config terminal
ethernet
lldp
Enables LLDP and enters LLDP Configuration

mode
no lldp
Removes the LLDP configuration details
Enters the LLDP Port Configuration mode:
no port {UU/SS/PP | agN}
Page 4
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>
Removes the LLDP configuration details from

port(s)
Command
Description
advertise-basic {managementaddress | port-description
| system-capabilities |
system-description |
system-name}
Configures the LLDP advertising:
port-description: configures an
LLDP-enabled port to advertise its
port description
management-address: configures an
LLDP-enabled port to advertise the
devices management address
system-capabilities: configures an
LLDP-enabled port to advertise its
system capabilities
system-description: configures an
LLDP-enabled port to advertise the
system description
system-name: configures an LLDPenabled port to advertise the

system name
no advertise-basic
{management-address | portdescription | systemcapabilities | systemdescription | system-name}
Disabled the process of advertising
mode {disabled | rx-only |

rx-tx | tx-only}
Specifies LLDP behavior:
disabled: port neither receives

nor transmits LLDP packets
rx-only: port only receives LLDP

packets
rx-tx: port both transmits and

receives LLDP packets
tx-only: port only transmits LLDP

packets
rx-tx
no mode
reinit-delay <value>
Restores to default
Specifies the minimum time an LLDP port waits
before reinitializing LLDP transmission:

seconds
2 seconds
no reinit-delay
shutdown
Disables the LLDP
no shutdown
Enables the LLDP
Page 5
Command
transmit-delay <value>
Description
Specifies the delay between successive LLDP
frame transmissions initiated by value/status
changes in the LLDP local systems MIB:

seconds
NOTE
Transmit-delay can be set only to
values smaller than (0.25 * transmitinterval).
2 seconds
no transmit-delay
transmit-hold <value>
Specifies the time the receiving device holds

LLDP remote information before marking it as old
and deleted. The device information on the
neighboring devices ages out and it discarded
when its corresponding TTL expires.

seconds
4 seconds
no transmit-hold
transmit-interval <value>
Specifies the time the device waits before

sending LLDP packets:

seconds
NOTE
Transmit-interval can be set only to
values bigger than (4 * transmitdelay).
The values of transmit-interval and
transmit-delay are mutually
dependent on each other:
transmit-interval is from 5 to
32768 (5 can be set when
transmit-delay is set to its
minimum value of 1)
transmit-delay is from 1 to 8192

(8192 can be set when
transmit-interval is set to its
maximum value of 32768)
30 seconds
no transmit-interval
show ethernet lldp local-system-data
[interface UU/SS/PP]

Displays LLDP global or port-specific
configuration settings for the device:
Page 6
interface UU/SS/PP: (optional)

1/1/1-1/1/4 and 1/2/1-1/2/8
Command
Description
show ethernet lldp remote-system-data

[interface UU/SS/PP]
Displays LLDP global or port-specific

configuration settings for remote devices
attached to an LLDP-enabled port:
show ethernet lldp statistics [interface

UU/SS/PP]
Displays statistical counters for all LLDP-enabled

ports or for a specific port:

1/1/1-1/1/4 and 1/2/1-1/2/8

1/1/1-1/1/4 and 1/2/1-1/2/8
Page 7
The following example shows how to configure LLDP on two devices.
Figure 2: Example for Configuring LLDP on two Devices
Device1 Configuration:
1.
Enable the LLDP:
device-name(config-ethernet)#lldp
device-name(config-lldp)#no shutdown
device-name(config-lldp)#commit
2.
Configure LLDP on port 1/1/1:

device-name(config-lldp)#port 1/1/1
device-name(config-port-1/1/1)#advertise-basic
Commit complete.
device-name(config-port-1/1/1)#end
3.
management-address
port-description
system-capabilities
system-description
system-name
Display the LLDP local database:

device-name#show ethernet lldp local-system-data
LLDP Local System Data
======================================================================
Page 8
Chassis Id Subtype
: MAC address
System ChassisId
: 00:a0:12:96:24:21
System Name
: device-name
System Description
: device-name Service Demarcation Switch
software version 2.4R3 Sun Jun 3 14:44:48 EEST 2012
System capabilities supported
: Bridge
Router
System capabilities enabled
: Bridge
Router
System Management addresses

---------------------------------------------------------------------Subtype
: ipV4
Address
: 001.000.000.010
Interface Numbering Subtype
: ifIndex
Interface ID
: 32
Subtype
Address
Interface ID
:
:
:
:
ipV4
010.003.155.009
ifIndex
2
LLDP Local System Data on port 1/1/1

======================================================================
Port ID subtype
: MacAddress
Port ID
: 00:a0:12:96:24:22
Port Description
: 1/1/1
======================================================================
Port ID subtype
: MacAddress
Port ID
: 00:a0:12:96:24:23
Port Description
: 1/1/2
======================================================================
Port ID subtype
: MacAddress
Port ID
: 00:a0:12:96:24:24
Port Description
: 1/1/3
4.
Display the LLDP remote database:

device-name#show ethernet lldp remote-system-data
LLDP Remote System Data received on port 1/1/1
======================================================================
Remote Data TTL
: 120
Remote Data Age
: 25
Chassis Id Subtype
: MAC address
Chassis Id
: 00:a0:12:96:20:91
Port ID subtype
: MacAddress
Port ID
: 00:a0:12:96:20:92
System Name
: device-name
Page 9
System Description
software version 2.4.R3 Sun Jun 3 14:44:48 EEST 2012
Port Description
: 1/1/2
: Bridge
Router
: Bridge
Router

---------------------------------------------------------------------Address
: (IPv4) 1.0.0.100
: ifIndex
Interface ID
: 32
Address
Interface ID
: (IPv4) 10.3.155.8
: ifIndex
: 2
5.
Enable the LLDP:
device-name(config-ethernet)#lldp
device-name(config-lldp)#no shutdown
device-name(config-lldp)#commit
6.
Configure LLDP on port 1/1/2:

device-name(config-lldp)#port 1/1/2
Commit complete.
7.
management-address
port-description
system-capabilities
system-description
system-name
Display the LLDP local database:

device-name#show ethernet lldp local-system-data
LLDP Local System Data
======================================================================
Chassis Id Subtype
: MAC address
System ChassisId
: 00:a0:12:96:24:21
System Name
: device-name
System Description
software version 2.4R3 Sun Jun 3 14:44:48 EEST 2012
: Bridge
Router
Page 10
: Bridge
Router

---------------------------------------------------------------------Subtype
: ipV4
Address
: 001.000.000.010
: ifIndex
Interface ID
: 32
Subtype
Address
Interface ID
:
:
:
:
ipV4
010.003.155.009
ifIndex
2

======================================================================
Port ID subtype
: MacAddress
Port ID
: 00:a0:12:96:24:22
Port Description
: 1/1/1
======================================================================
Port ID subtype
: MacAddress
Port ID
: 00:a0:12:96:24:23
Port Description
: 1/1/2
======================================================================
Port ID subtype
: MacAddress
Port ID
: 00:a0:12:96:24:24
Port Description
: 1/1/3
8.
Display the LLDP remote database:

device-name#show ethernet lldp remote-system-data
LLDP Remote System Data received on port 1/1/1
======================================================================
Remote Data TTL
: 120
Remote Data Age
: 25
Chassis Id Subtype
: MAC address
Chassis Id
: 00:a0:12:96:20:91
Port ID subtype
: MacAddress
Port ID
: 00:a0:12:96:20:a2
System Name
: device-name
System Description
software version 2.4.R3 3 14:44:48 EEST 2012
Port Description
: 1/1/1
: Bridge
Router
: Bridge
Router
Page 11

---------------------------------------------------------------------Address
: (IPv4) 1.0.0.100
: ifIndex
Interface ID
: 32
Address
Interface ID
Page 12
: (IPv4) 10.3.155.8
: ifIndex
: 2

Features
Standards
MIBs
RFCs
Link Layer
Discovery Protocol
(LLDP)
IEEE 802.1AB
Public MIB, 802.1AB

Section 12 (LLDP
MIB Definitions)
Not supported
Page 13
Access Control Lists (ACLs)

Table of Contents
Table of Figures 2
List of Tables 2
Overview 3
ACL Type 3
Processing Options 4
Access Control Groups (ACG) 4
ACL Processing Rules 4
Traffic Rate Limit 5
Single Rate Three Color Marker (RFC 2697) 5
Two Rate Three Color Marker (RFC 2698) 6
Exceed Action 6
Color-Blind and Color-Aware 6
Hierarchical Rate Limit (HRL) 6
ACLs Configuration Flow 7
Traffic Counting Command 7
Traffic Counting Command Hierarchy 7
Traffic Counting Command Descriptions 8
ACL Commands 8
ACLs Configuration Example 91
Configure Standard ACL 91
Configure Extended ACL 92
Configure Egress and VLAN ACLs 93
Apply ACG on a SAP port with Traffic Rate-limit 94
Apply ACG on a SAP Port 95
Access Control Lists (ACLs) (Rev. 01)
Page 1
Apply IPv6 ACG on Aggregated SAP Ports 96

Table of Figures
Figure 1: ACL Configuration Flow ...................................................................................................... 7
List of Tables
Table 1: Traffic Counting Commands................................................................................................. 8
Table 2: Monitoring Profile Commands ............................................................................................. 8
Table 3: IP ACLs Configuration Commands ................................................................................... 19
Table 4: IP ACLs Show Commands .................................................................................................. 35
Table 5: IPv6 ACLs Configuration Commands............................................................................... 40
Table 6: MAC ACLs Configuration Commands ............................................................................. 56
Table 7: MAC ACLs Show Commands ............................................................................................ 66
Table 8: EtherType ACLs Configuration Commands .................................................................... 73
Table 9: EtherType ACLs Show Commands ................................................................................... 84
Table 10: Traffic Types ........................................................................................................................ 84
Table 11: Monitoring Profiles ............................................................................................................. 85
Table 12: Valid ToS Values ................................................................................................................. 85
Table 13: Valid Precedence Values .................................................................................................... 85
Table 14: Valid ICMP Message Type Values ................................................................................... 86
Table 15: Valid ICMP Code Values ................................................................................................... 87
Table 16: Valid TCP Port Literal Values........................................................................................... 87
Table 17: Valid UDP Port Literal Values.......................................................................................... 88
Table 18: Valid FC Values ................................................................................................................... 90
Table 19: Known EtherType Values ................................................................................................. 90
Page 2
T-Marc3208SH
Overview
An Access Control List (ACL) is a set of numbered rules that are processed in sequential order.
Packet parameters are tested against conditions defined in the ACL; the first condition matched
determines the action taken by the port.
Using ACLs, system administrators can filter packets passing through the port according to defined
criteria. The main advantages to ACLs are as follows:
Security: Manage network security policies by forwarding or dropping traffic on ingress to the
port.
Traffic Control: Manipulate traffic flow, reduce bottlenecks, and congestion by enforcing
redirection rules.
Traffic Rate Limitation: Control traffic rates by port, by group of ports or by SAP, according
to user-defined criteria.
Quality of Service (QoS): Assign packet-handling priority to data flow by sorting into eight
priority queues based on ACL criteria. You can also use ACLs to remark VPT and ToS/DSCP
values.
ACL Type
Each ACL is identified by a unique name or a number. There are four basic ACL types and each
type matches specific fields in a packet:
ACL Type
Numerical Range
Matches
Standard IP
1-99
The source IP address
both the source and destination IP

addresses
Other parameters such as: protocol types

as well as TCP/UDP parameters
VPT and other Layer 2 and Layer 3 header

fields
both the source and destination IPv6

addresses
Other parameters such as: protocol types

as well as TCP/UDP parameters
VPT and other Layer 2 and Layer 3 header

fields
Both the source and destination MAC

addresses
VPT and other Layer 2 and Layer 3 Header

fields as well as traffic type (unicast,
multicast, broadcast)
Extended IP
IPv6
Extended MAC
100-199
400-499
Layer 3 DSCP field, VPT and other Layer 2

Header fields
Page 3
ACL Type
Numerical Range
Matches
EtherType
500-599
The EtherType of the packet

Layer 2 and Layer 3 header fields if the
EtherType is IP
Processing Options
Apply ACLs to both ingress (inbound) and egress (outbound) traffic:
Ingress: Process incoming packets to the port according to matched conditions defined with
the ACL. Packets that pass definied criteria are handled by the port. Packets that do not pass
the defined criteria are discarded, thereby reducing the load on the outbound interface.
Egress: Process packets at Egress mainly to shape traffic, remark, and collect statistics. To a
lesser extent, ACLs at the outbound port can also be used to filter traffic. As with packets
received at an inbound port, packets are matched to ACL conditions; packets that meet one of
the defined criteria are passed through the port.
Egress ACLs do not filter packets originated by the device (such as outgoing Telnet
session packets, NTP service packets, and various broadcast packets, such as ARP
request).
VLAN Traffic Redirection: Redirect ingress traffic according to conditions defined by an

Access Control Group (ACG) relating to VLAN assignment. Systems administrators can
change the VLAN ID in the VLAN tag header to forward traffic between VLANs.
NOTE
Egress and VLAN ACLs cannot be applied on SAP ports.
NOTE
IPv6 ACLs can be applied only with Ingress ACGs
Access Control Groups (ACG)

An ACG is a collection of ACLs applied to port(s), groups of ports, and SAP(s) that determine
processing of ingress or egress traffic. You can apply multiple ACGs on ports and SAP ports.
When multiple ACGs are applied on ports/SAP ports, traffic will be processed according to the
order in which the user first applied the ACGs.
ACL Processing Rules

To effectively use ACLs, you must first understand ACL processing rules. The maximum number
of rules contained within a single ACL is 250. Both the order of rules within the ACL and the order
in which ACLs are applied, via an ACG, is crucial.
Page 4
NOTE
Rules of the VLAN-ACL take precedence over any other configured ACLs.
Rules of Ingress and Egress ACLs are matched sequentially starting with the lowest
numbered rule.
Once created, users can remove existing rules and/or add new rules to the ACL.
The device tests packets only the first match is found. That match defines whether to permit
or deny the packet.
If the packet does not match any of the conditions defined for the ports ACLs:
On Ingress: The packet is denied because the last rule is an implicit deny statement.
On Egress: Packet is permitted (unless the user configures a rule to implicitly deny
packets that do not match any of the rules).
VLAN-based ACL (VLAN translation): Packet is permited.
Egress ACLs have no default rule. All options defined in an ACG are applied only on traffic
that is excplicitly defined in permit rule.
VLAN-based ACLs have no default rule. All options defined in ACG are applied only on
traffic that is excplicitly defined in permit rule.
VLAN-based ACLs are permit by default.
Processing occurs using the order in which the ACLs were applied (via ACGs).
Traffic Rate Limit

7B
During periods of heavy network traffic, congestion can cause incoming packets to be dropped. To
prevent congestion on provider networks, system administrators can allocate a specific bandwidth
per user port or traffic. A traffic rate limiter monitors the incoming traffic by:
forwarding conforming traffic (within the predefined rate)
dropping non-conforming traffic
marking non-conforming traffic as yellow or red
Single Rate Three Color Marker (RFC 2697)

13B
The Single Rate Three Color Marker (srTCM) meters a traffic stream and marks packets according
to three parameters:
Parameter
Description
Result
Committed Information Rate

(CIR)
Determines the long-term,

average transmission rate
Traffic within CIR always

confirms and is marked
green
Committed Burst Size (CBS)
Determines how large a traffic

burst can be before some of
the traffic exceeds the rate limit
Traffic above the CBS but

below EBS, is marked
yellow
Excess Burst Size (EBS)
Determines how large a traffic

burst can before all traffic
exceeds the rate limit
Traffic exceeding the EBS

is marked red or dropped
Page 5
Two Rate Three Color Marker (RFC 2698)

The two-rate Three Color Marker (trTCM) meters a traffic stream and marks packets according to
the following parameters.
Parameter
Description
Result

(CIR)
Determines the long-term

average transmission rate
Committed Burst Size (CBS)
Associated with CIR,

determines how large a traffic
burst can be before some of
the traffic exceeds the rate limit
Traffic within CIR and

CBS always conforms
and is marked green
Peak Information Rate (PIR)
Determines the long term

delimiter between yellow and
red packets
Peak Burst Size (PBS)
Associated with PIR,

determines the burst size
before traffic exceeds PIR.
Traffic that does not

conform to CIR and CBS
but does confirm to PIR
and PSB is marked
yellow
Traffic not conforming to

PIR and PBS is dropped
or marked red
Exceed Action
Once the packet is classified as exceeding a particular rate limit, the device either:
drops the packet
marks the packet as yellow or red
processes the packet based on congestion avoidance mechanisms,
Color-Blind and Color-Aware

Rate limiting operates in one of two modes:
Color-Blind:, Packets are considered green upon entering the metering process and are
marked as yellow or red if the traffic class exceeds the configured bandwidth limits
Color-Aware:Assumes the packet stream is colored, ingress by rate limiter, egress by rate
limiter or QoS policy, before entering the metering process. The device forwards green
packets. Yellow and red packets are forwarded according to the defined rate-limit.
Hierarchical Rate Limit (HRL)

HRL or Parent service applies a common rate limit to several classified flows, allowing them to
share bandwidth according to the preferences specified in the hierarchical rate limits. It is an
enhancement of the ACL Rate Limit feature.
Green traffic flow passes throught the device independently of the configured parent CIR.
Page 6
ACLs Configuration Flow
Figure 1: ACL Configuration Flow
Traffic Counting Command

Traffic Counting Command Hierarchy
#device-name
+ config terminal
+ system
- [no] traffic-counting-mode {L1 | L2}
Page 7
Traffic Counting Command Descriptions

Table 1: Traffic Counting Commands
Command
Description
config terminal
system
traffic-counting-mode {L1 | L2}
Performs precise traffic counting (in case of

packet capture) based on the packet type:
L1: calculation of rate limiting

relates to L1 packet headers,
including the entire packet, IPG
(inter-packet-gap) and preamble
L2: calculation of rate limiting

relates to L2 packet headers,
including the entire packet,
including Layer 2 header and CRC
L2
no traffic-counting-mode
Restores to default
ACL Commands
In this section, command hierarchies are described and definitions for individual commands are
provided. Also included are examples.
ACL Monitoring Profile Command Hierarchy

#device-name
+ config terminal
+ [no] access-group-monitoring-profile <profile-id>

- [no] enables-statistics PROFILE
- show running-config access-group-monitoring-profile [<profile-id>]

enable-statistics PROFILE
ACL Monitoring Profile Command Descriptions

Table 2: Monitoring Profile Commands
Command
Description
config terminal
access-group-monitoring-profile
<profile-id>
Defines a monitoring profile and enters the

specific Profile Configuration mode.
no access-group-monitoring-profile
[<profile-id>]
Page 8
profile-id: any number
Removes configured monitoring profiles:
profile-id: (optional) any

number
enable-statistics PROFILE
Defines statistics:
no enable-statistics [PROFILE]
Removes the definition:
show running-config access-group-monitoringprofile [<profile-id>] enable-statistics
PROFILE
PROFILE: see Table 11

PROFILE: (optional) see Table 11
Displays information about the monitoring

profiles:
PROFILE: see Table 11
IP ACL Command Hierarchy

#device-name
+ config terminal
+ [no] ip access-list standard {NAME | <acl-number>}

+ [no] rule <value>
- action {deny | permit}

- [no] dscp <value>
- [no] inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>]

- [no] inner-vpt <priority>
- source-ip A.B.C.D/MASK
- [no] untagged
- [no] vlan <vlan-id> [vlan-mask <vlan-mask>]

- [no] vpt <priority>
+ [no] ip access-list extended {NAME | <acl-number>}

+ [no] rule <value>
- destination-ip A.B.C.D/MASK

- [no] precedence TYPE
+ protocol TYPE
- [no] established
- [no] icmp-code <value>
- [no] icmp-type <value>
- [no] tcp-source-port <value>
- [no] tcp-destination-port <value>

- [no] udp-source-port <value>
- [no] udp-destination-port <value>
- source-ip A.B.C.D/MASK
Page 9
- [no] tos <value>

- [no] untagged

- [no] dscp <value>
port UU/SS/PP
+ [no] ip-access-group-standard {NAME | <acl-number>} in

- [no] fc <value>
- color {red | green | yellow}
- [no] monitoring-profile <profile-id>
+ [no] rate-limit {dual | single}

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- [no] exceed-action {drop | mark-yellow |

mark-red}
- [no] redirect UU/SS/PP
- [no] set-green-to-fc <value>

- [no] set-red-to-fc <value>
- [no] set-yellow-to-fc <value>
- [no] copy-inner-vpt-to-outer-vpt
+ [no] ip-access-group-standard {NAME | <acl-number>} vlan

- [no] add-vlan <vlan-id>
+ [no] ip-access-group-standard {NAME | <acl-number>} out

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- [no] dscp <value>

Page 10
- [no] set-green-to-dscp <value>

- [no] set-green-to-vpt <value>
- [no] set-red-to-dscp <value>
- [no] set-red-to-vpt <value>
- [no] set-yellow-to-dscp <value>

- [no] set-yellow-to-vpt <value>
+ [no] ip-access-group-extended {NAME | <acl-number>} in

+ [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
+ [no] ip-access-group-extended {NAME | <acl-number>}

vlan
+ [no] ip-access-group-extended {NAME | <acl-number>} out

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- [no] dscp <value>

Page 11


+ ethernet lag lag-id agN
+ [no] ip-access-group-standard {NAME | <acl-number>} in

- [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}

+ [no] ip-access-group-standard {NAME | <acl-number>} vlan

+ [no] ip-access-group-standard {NAME | <acl-number>} out

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- [no] dscp <value>

Page 12


+ [no] ip-access-group-extended {NAME | <acl-number>} in

+ [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}

+ [no] ip-access-group-extended {NAME | <acl-number>}

vlan
+ [no] ip-access-group-extended {NAME | <acl-number>} out

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- [no] dscp <value>

Page 13

- [no] service
- [no] parent <id> single-rate-limit {cbs <value> | cir

<value>}
+ [no] tls <service-id> sap {UU/SS/PP | agN} c-vlan {<cvlan-id>

| all | untagged}
+ [no] access-groups-rule-sequence <number>
+ [no] ip-access-group-standard {NAME | <acl-number>}

in
- [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
- [no] parent <id>

out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

+ [no] ip-access-group-extended {NAME | <aclnumber>} in

+ [no] fc <value>
Page 14

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
- [no] parent <id>
+ [no] ip-access-group-extended {NAME | <aclnumber>} out

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
+ [no] dot1q <service-id> sap {UU/SS/PP | agN} c-vlan {<cvlanid> | untagged}


in
+ [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
- [no] parent <id>
Page 15

out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>


+ [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
- [no] parent <id>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- [no] vpls <vpls-id> sap {{UU/SS/PP | agN}[:[igmp] | :[<vlanid>]:[igmp] | UU1/SS1/PP1:<ces-circuit>:{ces | ces-oos}}
Page 16

in
- [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- [no] parent <id>


out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

+ [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
Page 17
- [no] parent <id>


- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- show port UU/SS/PP access-groups-rule-sequence <number> ip-accessgroup-standard [NAME | <acl-number>] [in | out | vlan] [monitoringprofile <profile-id> [statistics [fbrs-green-bps | fbrs-green-fps |
fbrs-match-counter-bps | fbrs-match-counter-fps | fbrs-not-green-bps
| fbrs-not-green-fps | fbrs-not-red-bps | fbrs-not-red-fps | fbrsred-bps | fbrs-red-fps | fbrs-yellow-bps | fbrs-yellow-fps | greenbps | green-fps | match-counter-bps | match-counter-fps | not-greenbps | not-green-fps | not-red-bps | not-red-fps | red-bps | red-fps
| yellow-bps | yellow-fps]]]
- show port UU/SS/PP access-groups-rule-sequence <number> ip-accessgroup-extended [NAME | <acl-number>] [in | out | vlan] [monitoringprofile <profile-id> [statistics [fbrs-green-bps | fbrs-green-fps |
- show running-config ip access-list
- show running-config ip access-list standard [NAME | <acl-number>]

[description DESCRIPTION | rule {<rule> | {action {deny | permit} |
inner-vlan <vlan-id> [inner-vlan-mask <VLAN mask>] | inner-vpt
<priority> | source-ip A.B.C.D/MASK | untagged | vlan <vlan-id>
[vlan-mask <vlan-mask>] | vpt <priority>}}]
- show running-config ip access-list extended [NAME | <acl-number>]

[description DESCRIPTION | rule {<rule> | {action {deny | permit} |
destination-ip A.B.C.D/MASK | established | icmp-code <value> | icmptype <value> | inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>] |
inner-vpt <priority> | precedence TYPE | protocol <type> | source-ip
A.B.C.D/MASK | tcp-destination-port <value> | tcp-source-port <value>
| tos <value> | udp-destination-port <value> | udp-source-port
<value> | untagged | vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt
<priority>}}]
- show access-group-statistics {lag agN | port UU/SS/PP | service {tls
<service-id> sap {{UU/SS/PP | agN}[:[igmp] | :[<vlan-id>]:[igmp] |
UU1/SS1/PP1:<ces-circuit>:{ces | ces-oos}}
[rule-sequence-id
<number>]
- show access-groups {ip-extended | ip-standard | lag | port | service}
Page 18
- show access-lists {ip-extended | ip-standard}
IP ACL Command Descriptions

Table 3: IP ACLs Configuration Commands
Command
Description
config terminal
ip access-list standard {NAME |

<acl-number>}
no ip access-list standard [NAME |

<acl-number>]
Specifies a standard IP ACL and enters standard

IP ACL Configuration mode:
NAME: a string of
<110> characters
acl-number: in the range of <1-99>
Removes the selected standard IP ACL:
NAME: (optional) a string of

<110> characters
acl-number: (optional) in the range

of <1-99>
Associates a description with the standard IP

ACL:
no description
<130> characters
Removes the description
rule <value>
Creates a standard IP ACL rule for filtering traffic

and enters the Rule Configuration mode:
no rule [<value>]
Removes the standard IP ACL rule:
value: (optional) in the range of

<1-250>
action {deny | permit}
Specifies rule conditions:
inner-vlan <vlan-id> [innervlan-mask <vlan-mask>]
no inner-vlan [<vlan-id>]
[inner-vlan-mask [<vlanmask>]]
deny: denies packets
permit: permits packets
Defines a specific VLAN ID and mask for the inner

vlan tag. Applying it on TLS SAP is meaningless.
It cannot be used in combination with the
untagged option.
vlan-mask: in hexadecimal format

FF:FF:FF:FF. Use 0 for meaningful
bits (exact-match) and F for
meaningless bits (any). The last 12
bits are meaningful.
Removes the selected inner-VLAN and innermask:
Page 19
Command
inner-vpt <priority>
Description
vlan-id: (optional) in the range of

<1-4094>
vlan-mask: (optional) in
hexadecimal format FF:FF:FF:FF
Specifies packet filtering by the VLAN Priority Tag

(VPT) in the inner-VLAN tag header:
no inner-vpt [<priority>]
priority: in the range of <0-7>
Removes the selected VPT:
priority: (optional) in the range

of <0-7>
source-ip A.B.C.D/MASK
Specifies the source address of the packet:
untagged
The ACL rule matches untagged packets only

Both tagged and untagged
no untagged
Restores to default
vlan <vlan-id> [vlan-mask

<vlan-mask>]
Denies a specific VLAN ID and mask for the outer

IP-header:
no vlan [<vlan-id>] [vlan-mask

[<vlan-mask>]]
vpt <priority>

Removes the selected outer-VLAN and outermask:

1-4094

(VPT) in the outer-VLAN tag header:
no vpt [<priority>]
dscp <value>
ip access-list extended {NAME |

<acl-number>}

of <0-7>
Specifies packet filtering by the DSCP value in the

IP header of the packet:
no dscp [<value>]
Page 20
A.B.C.D/MASK: source IPaddress/source mask. Use keyword

any when source IP-address/sourcemask is 0.0.0.0/32 (any host)
Removes the defined DSCP value
Specifies an extended IP ACL and enters the

extended IP ACL Configuration mode:
Command
no ip access-list extended [NAME |

<acl-number>]
Description
NAME: a string of
<110> characters
acl-number: in the range of <100199>
Removes the selected extended IP ACL:

<110> characters

of <100-199>
Associates a description with extended IP ACL:
no description
<130> characters
rule <value>
Creates an extended IP ACL rule for filtering

traffic and enters Rule Configuration mode:
no rule [<value>]
Removes the extended IP ACL rule:

<1-250>
destination-ip A.B.C.D/MASK
Specifies the destination address of the packet:
A.B.C.D/MASK: destination IPaddress/destination mask. Use

keyword any when destination IPaddress/destination-mask is
0.0.0.0/32 (any host)

untagged option.

meaningless bits (any. The last 12

<1-4094>
Page 21
Command
Description

no inner-vpt
Removes the priority
precedence TYPE
The ACL rule matches packets by literal

precedence values:
no precedence
TYPE: see Table 13
Removes the precedence value
protocol TYPE
Specifies the name or a number of an IP protocol:
established
(valid for TCP protocol only) indicates an

established connection. A match occurs if the
TCP datagram has the ACK or RST bits set.
Packets that do no match are TCP packets sent to
initialize a TCP session.
no established
(valid for TCP protocol only) Removes the

configured match of ACK or RST bits.
icmp-code <value>
( valid for ICMP protocol only) matches ICMP

packets by the ICMP message code:
value: in the range of <0255> or a

valid literal ICMP message code
(see Table 15)
no icmp-code
Removes the ICMP message code
icmp-type <value>
(valid for ICMP protocol only) matches ICMP

packets by the ICMP message type:

valid literal ICMP message type
(see Table 13)
no icmp-type
Removes the ICMP message type
tcp-source-port <value>
(valid for TCP protocol only) Specifies the decimal

number or a name of source TCP port. Use TCP
port names when filtering TCP packets only:
Page 22
TYPE: tcp, udp, ip, ipinip, igmp,

icmp or IP protocol numbers in the
range of <0255>, representing an
IP protocol number
(http://www.iana.org/assignments/pr
otocol-numbers (RFC5237)). To match
any Internet protocol, use the
keyword ip. Some protocols allow
further qualifiers, as described
below
value: in the range of <065535> or

a TCP port literal value (see Table
16)
no tcp-source-port
Removes the literal value of the TCP source port
tcp-destination-port <value>
(valid for TCP protocol only) Specifies the decimal

number or a name of destination TCP port. Use
Command
Description
TCP port names when filtering TCP packets only:

a TCP port literal value (see Table
16)
no tcp-destination-port
Removes the literal value of the TCP destination

port
udp-source-port <value>
(valid for UDP protocol only) Specifies the decimal

number or a name of source UDP port. Use UDP
port names when filtering UDP packets only:

a UDP port literal value (see Table
17)
no udp-source-port
Removes the literal value of the UDP source port
udp-destination-port <value>
(valid for UDP protocol only) Specifies the decimal

number or a name of a UDP destination port. Use
UDP port names when filtering UDP packets only:
no udp-destination-port

a UDP port literal value (see Table
17)
Removes the literal value of the UDP destination

port
source-ip A.B.C.D/MASK
Specifies the source-address of the packet:
tos <value>
A.B.C.D/MASK: source IPaddress/source mask. Use keyword

any when source IP-address/sourcemask is 0.0.0.0/32 (any host)
The ACL rule matches packets by the service

level type:

valid literal ToS value (See Table
12)
no tos
Removes the valid literal ToS value
untagged

no untagged
Restores to default

<vlan-mask>]
Specifies a specific VLAN ID and mask for the

outer IP-header:

[<vlan-mask>]]


<1-4094>
Page 23
Command
Description
vpt <priority>

no vpt [<priority>]
port UU/SS/PP

ethernet lag lag-id agN

of <0-7>

no dscp [<value>]
dscp <value>
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

Configuration mode:

<1-14>
service

parent <id> single-rate-limit {cbs
<value> | cir <value>}
no parent <id> single-rate-limit

{cbs | cir}
vpls <vpls-id> sap {{UU/SS/PP |
Specifies a parent rate-limiter, which allows you to

configure Hierarchical policers on the device.
id: in the range of <1-200>
single-rate-limit: configures a
rate limit for the parent group
cbs <value>: specifies the

Committed Burst Size (CBS), in the
range of <0-262144> KB
cir <value>: specifies the

Committed Information Rate (CIR),
in the range of, <11000000>
(depends on the link capacity) kbps
Removes the configured parent
Adds a client port to a specific VPLS instance and

vpls-id: in the range of <1

4294967295>
UU/SS/PP: the corresponding

physical port (unit, slot and port)
defined as SAP.(can be obtained
from the show port command)
Page 24
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
Command
Description
1/2/8
NOTE
For unqualified SAPs, options

inner-vpt and inner-vlan must
be used as a matching option.
For qualified SAPs, options

VPT and VLAN must be used
as a matching option.

<1-14>

<1-4094>



range of <1-64>

packets

control packets

no vpls <vpls-id> sap [{{UU/SS/PP
| agN}[:[igmp] | :[<vlanid>]:[igmp] |
]
Removes the SAP:

UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>

<1-4094>



range of <1-64>

packets

control packets
Page 25
Command
Description
tls <service-id> sap {UU/SS/PP |

agN} c-vlan {<cvlan-id> | all
| untagged}
no tls [<service-id>] sap

[UU/SS/PP | agN] c-vlan
[<cvlan-id> | all | untagged]
dot1q <service-id> sap {UU/SS/PP

| agN} c-vlan {<cvlan-id> |
untagged}
Page 26

Configuration mode:

4294967295>
sap: creates a service access point

(SAP) and enters SAP Configuration
mode

1/1/1-1/1/4 and 1/2/1-1/2/8. This
of the S-VLAN.

<1-14>
c-vlan: specifies a customer VLAN

(C-VLAN) and enters C-VLAN
Configuration mode

traffic only
Removes the created TLS service:
service-id: (optional) in the range

of <14294967295>
sap: (optional) creates a service

access point (SAP) and enters SAP
Configuration mode

the range of 1/1/1-1/1/4 and 1/2/11/2/8. This port has to be an
untagged member of the S-VLAN.
agN: (optional) LAG ID. N is in the

range of <1-14>
c-vlan: (optional) Specifies a

customer VLAN (C-VLAN) and enters
C-VLAN Configuration mode
cvlan-id: (optional) in the range

of <1-4094>
all: (optional) tunnels all the

traffic
untagged:(optional) tunnels the

untagged traffic only
Enters 802.1Q service Configuration mode for the

specified SAP C-VLAN, creates a service access
point (SAP), and specifies a customer VLAN (C-
Command
Description
VLAN):

1/1/1-1/1/4, 1/2/1-1/2/8. This port
has to be an untagged member of the
S-VLAN.

<1-14>

traffic only
NOTE

SAP.

versa.

no dot1q [<service-id>] sap
[{UU/SS/PP | agN} c-vlan
{<cvlan-id> | untagged}]
<number>

used without a parameter, removes all configured
802.1Q services:

of <1-4294967294>

the range of 1/1/1-1/1/4, 1/2/11/2/8.

range of <1-14>

traffic only
Specifies the sequential order in which the ACL

rules are processed:
NOTE
Page 27
Command
Description

no access-groups-rule-sequence
[<number>]
ip-access-group-standard {NAME
| <acl-number>} {in | out |
vlan}
no ip-access-group-standard
[NAME | <acl-number>] [in
| out | vlan]
fc <value>
Assigns a IP ACG to a port/s and enters the IP

ACG Configuration mode:
NAME: a string of <110> characters
acl-number: in the range of <1-99>
in: filters the ingress traffic

only
out: filters the egress traffic

only
vlan: redirects the matching

ingress traffic to a VLAN
Removes the specified IP ACG:

<110> characters

of <1-99>
in: (optional) filters the ingress

traffic only
out: (optional) filters the egress

traffic only

Applies forwarding class (FC) mapping on ACG

(only the ingress traffic) and enters the FC
Configuration mode:
no fc [<value>]
monitoring-profile <profileid>
value: (optional) FC value
Specifies the conforming level:
red: the non-conforming drop level
green: the conforming drop level
yellow: the partially conforming

level
Enables fps and bps packet counters per ACL

rules:
Page 28
value: FC value (see Table 18)
Removes FC mapping:
color {red | green |

yellow}

<1-250>
profile-id: any number. Up to 24
Command
Description
profiles can be defined.
no monitoring-profile
[<profile-id>]
Disables fps and bps monitoring:
rate-limit {dual | single}
Applies a rate-limit on the ACG for the specified

port and enters Rate-Limit Configuration mode:
no rate-limit [dual | single]
cbs <value>
profile-id: (optional) any number
dual: the Two Rate Three Color

Marker (RFC 2698)
single: the Single Rate Three Color

Marker (RFC 2697)
Removes the rate limit from the configured ACG:
dual: (optional) the Two Rate Three

Color Marker (RFC 2698)
single: (optional)the Single Rate

Three Color Marker (RFC 2697)
Specifies the Committed Burst Size (CBS):

KB
100 KB
no cbs
Restores to default
cir <value>
Specifies the Committed Information Rate (CIR):
value: in the range of, <11000000>

1000 kbps
no cir
Restores to default
color-aware
Enables the color-aware mode

Color blind
no clor-aware
Restores to default
pbs <value>
(valid only for dual rate) Specifies the Peak Burst

Size (PBS):

KB
100 KB
no pbs
Restores to default
pir <value>
(valid only for dual rate) Specifies the Peak

Information Rate (PIR):

1000 kbps
no pir
Restores to default
ebs <value>
(valid only for single rate) Specifies the Excess

Burst Size (EBS):

KB
100 KB
no ebs
Restores to default
Page 29
Command
Description
exceed-action {drop |
mark-yellow | mark-red}
Specifies the action performed once the packet is

classified as exceeding a particular rate limit:
drop: drops the packet
mark-yellow: marks the packet as

yellow
mark-red: marks the packet as red
Drop
no exceed-action [drop |
mark-yellow | mark-red]
redirect UU/SS/PP
Restores to default
(valid only for ingress ACLs) Redirects matching
traffic to the specified port:
no redirect [UU/SS/PP]
Removes the traffic redirection from the specified

port:
vlan <vlan-id>
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

and 1/2/1-1/2/8
(Only for VLAN Traffic Redirection ACLs)

Redirects matching traffic to the specified VLAN
by changing the VLAN ID in the packet header.
NOTE
The port on which the newlytagged packets arrive must be a
tagged member of vlan on which
the packet arrives before being retagged.
no vlan [<vlan-id>]
add-vlan <vlan-id>

<1-4094>
Changes the DSCP value in the IP header of the

packet:
value: the new DSCP value in the

range of <0-63>
no dscp [<value>]
Changes the VLAN Priority Tag (VPT) in the

inner-VLAN tag header:
Page 30
Removes traffic redirection:
dscp <value>

<1-4094>

by adding a VLAN tag to the untagged frame, or
an additional VLAN tag to the VLAN-tagged
frame:
no add-vlan [<vlan-id>]
priority: the new VPT value in the
Command
Description
range of <07>
Removes the defined VPT:
vpt <priority>

outer-VLAN tag header:
no vpt [<priority>]

of <07>

range of <0-7>

of <07>
copy-inner-vpt-to-outer-vpt
Remarks the outer S-VLAN ID with the inner CVLAN ID

Disabled
no copy-inner-vpt-to-outervpt
Restores to default
ip-access-group-extended {NAME
| <acl-number>} {in | out |
vlan}
no ip-access-group-extended
[NAME | <acl-number>] [in |
out | vlan]
fc <value>
Assigns a IP ACG to a port/s and enters the IP

NAME: a string of
<110> characters

only

only

Removes the specified IP ACG:

110 characters

of <100-199>

traffic only

traffic only


(only the ingress traffic) and enters FC
Configuration mode:
no fc [<value>]
Removes FC mapping:

Page 31
Command
Description
yellow}

level

rules:

Disabled
[<profile-id>]

cbs <value>

Marker (RFC 2698)

Marker (RFC 2697)



KB
100 KB
no cbs
Restores to default
cir <value>

1000 kbps
no cir
Restores to default
color-aware

Color blind
no clor-aware
Restores to default
pbs <value>

Size (PBS):
v value: in the range of <0-262144>

KB
100 KB
no pbs
Restores to default
pir <value>

Page 32

Command
Description
1000 kbps
no pir
Restores to default
ebs <value>

Burst Size (EBS):

KB
100 KB
no ebs
Restores to default
parent <id>
(valid only for ingress ACLs) Applies the

configured parent rate-limiter:
no parent
Removes the applied parent


yellow
Drop
redirect UU/SS/PP
Restores to default
Removes traffic redirection from the specified

port:
vlan <vlan-id>
dscp <value>

<1-4094>

by adding tags to untagged traffic and adding an
additional tag to tagged traffic:
add-vlan <vlan-id>

and 1/2/1-1/2/8

by changing the VLAN ID in the packet header:
no vlan [<vlan-id>]
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-4094>

packet:
Page 33
Command
Description
no dscp [<value>]
(for egress ACLs) Changes the VLAN Priority Tag

vpt <priority>

of <07>
(For VLAN and egress ACLs) Changes the VLAN

Priority Tag (VPT) in the outer-VLAN tag header:
no vpt [<priority>]

range of <07>

range of <0-7>

of <07>
(valid only for ingress ACLs)

Disabled
Restores to default
set-green-to-dscp <value>
(valid only for egress ACLs) Remarks the DSCP

value in the IP header for traffic marked green:
no set-green-to-dscp
set-green-to-vpt <value>
(valid only for egress ACLs) Remarks the CoS

priority value in the IP header for traffic marked
green:
no set-green-to-vpt
set-red-to-dscp <value>

value in the IP header for traffic marked red:
no set-red-to-dscp
set-red-to-vpt <value>

green:
no set-red-to-vpt
set-yellow-to-dscp <value>

no set-yellow-to-dscp
Page 34

range of <0-63>
Command
Description
set-yellow-to-vpt <value>

green:
no set-yellow-to-vpt
set-green-to-fc <value>
(valid only for ingress ACLs) Maps traffic marked

green to a Forwarding Class (FC):
no set-green-to-fc
set-red-to-fc <value>

red to a Forwarding Class (FC):
no set-red-to-fc
set-yellow-to-fc <value>

yellow to a Forwarding Class (FC):
no set-yellow-to-fc
Table 4: IP ACLs Show Commands

Command
Description
show port UU/SS/PP [access-groups-rulesequence <number>] ip-access-groupstandard [NAME | <acl-number>] [in |

out | vlan] [monitoring-profile
<profile-id> [statistics [fbrs-greenbps | fbrs-green-fps | fbrs-matchcounter-bps | fbrs-match-counter-fps |
fbrs-not-green-bps | fbrs-not-green-fps |
fbrs-not-red-bps | fbrs-not-red-fps |
fbrs-red-bps | fbrs-red-fps | fbrsyellow-bps | fbrs-yellow-fps | green-bps
| green-fps | match-counter-bps | matchcounter-fps | not-green-bps | not-greenfps | not-red-bps | not-red-fps | red-bps
| red-fps | yellow-bps | yellow-fps]]]
Displays the standard IP ACGs configured on

ports:
UU/SS/PP: port number
number: the sequence number ,in

the range of <1-250>
NAME: a string of
<110> characters
in: only ingress ACGs
out: only egress ACGs
monitoring-profile statistics:
counts match packets
vlan: only VLAN traffic

redirection ACLs
NOTE
Statistics counters are reset
whenever a new ACL/monitoring
profile is applied on a port/SAP
port.
Page 35
Command
Description
show port UU/SS/PP [access-groups-rulesequence <number>] ip-access-groupextended [NAME | <acl-number>] [in |

out | vlan] [monitoring-profile
<profile-id> [statistics [fbrs-green-bps
| fbrs-green-fps | fbrs-match-counter-bps
| fbrs-match-counter-fps | fbrs-notgreen-bps | fbrs-not-green-fps | fbrsnot-red-bps | fbrs-not-red-fps | fbrsred-bps | fbrs-red-fps | fbrs-yellow-bps
| fbrs-yellow-fps | green-bps | green-fps
| match-counter-bps | match-counter-fps |
not-green-bps | not-green-fps | not-redbps | not-red-fps | red-bps | red-fps |
yellow-bps | yellow-fps]]]
Displays information about the extended IP

ACGs, filtered by the command arguments:

NAME: a string of
<110> characters
acl-number: in the range of

<100-199>

redirection ACLs
NOTE
port.
Page 36
show running-config ip access-list
Displays the configured IP ACLs
show running-config ip access-list standard

[NAME | <1-99>] [description
DESCRIPTION | rule {<1-250> | {action
{deny | permit} | inner-vlan <vlan-id>
[inner-vlan-mask <VLAN mask>] | innervpt <priority> | source-ip A.B.C.D/MASK
| untagged | vlan <vlan-id> [vlan-mask
<vlan-mask>] | vpt <priority>}}]
Displays information about standard IP ACLs,

filtered by command arguments
show running-config ip access-list extended

[NAME | <100-199>] [description
DESCRIPTION | rule {<1-250> | {action
{deny | permit} | destination-ip
A.B.C.D/MASK | established | icmp-code
<value> | icmp-type <value> | innervlan <vlan-id> [inner-vlan-mask <vlanmask>] | inner-vpt <priority> |
precedence TYPE | protocol <type> |
source-ip A.B.C.D/MASK | tcpdestination-port <value> | tcp-sourceport <value> | tos {<0-7> | maxreliability | max-throughput | min-delay
| min-monetary-cost | normal} | udpdestination-port <value> | udp-sourceport <value> | untagged | vlan <vlanid> [vlan-mask <vlan-mask>] | vpt
<priority>}}]
Displays information about extended IP ACLs,

Command
Description
show access-group-statistics {lag agN | port

UU/SS/PP | service {tls <service-id>
UU1/SS1/PP1:<ces-circuit>:{ces | cesoos}}
[rule-sequence-id <number>]
Displays IP ACGs statistics filtered by

command arguments
show access-groups {ip-extended | ipstandard | lag | port | service}
Displays the current ACGs applied on ports,

show access-lists {ip-extended | ipstandard}
Displays all ACLs and their parameters

configured on the device, filtered by command
arguments
NOTE
port.
IPv6 ACL Command Hierarchy

#device-name
+ config terminal
+ system
+ [no] resource-management
- [no] ipv6-access-list
+ [no] ipv6 access-list NAME
+ [no] rule <value>
- destination-ip IPv6-PREFIX/LENGTH
- [no] dscp <value>

+ protocol TYPE
- [no] established
- [no] icmp-code <value>

- [no] icmp-type <value>
- [no] tcp-source-port <value>
- [no] tcp-destination-port <value>

- [no] udp-source-port <value>
- [no] udp-destination-port <value>
- source-ip IPv6-PREFIX/LENGTH
- [no] traffic-class <value>

- [no] untagged
Page 37
port UU/SS/PP
[no] access-groups-rule-sequence <number>

+ [no] ipv6-access-group NAME in
+ [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}

+ [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
Page 38
- [no] service

| all | untagged}

+ [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}

+ [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
Page 39

+ [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
- show access-lists ipv6
- show access-groups ipv6
- show port UU/SS/PP [access-groups-rule-sequence <number>] ipv6access-group NAME [in] [monitoring-profile <profile-id> [statistics
[fbrs-green-bps | fbrs-green-fps | fbrs-match-counter-bps | fbrsmatch-counter-fps | fbrs-not-green-bps | fbrs-not-green-fps | fbrsnot-red-bps | fbrs-not-red-fps | fbrs-red-bps | fbrs-red-fps | fbrsyellow-bps | fbrs-yellow-fps | green-bps | green-fps | matchcounter-bps | match-counter-fps | not-green-bps | not-green-fps |
not-red-bps | not-red-fps | red-bps | red-fps | yellow-bps | yellowfps]]]
- show running-config ipv6 access-list
IPv6 ACL Command Descriptions

Table 5: IPv6 ACLs Configuration Commands
Command
Description
config terminal
system
resource-management
Page 40

Enters the Resource Management Configuration
mode
Command
Description
no resource-management
Removes specific resource management

configurations
ipv6-access-list
Enables the IPv6 ACLs functionality.

The command takes effect only after
performing the commit command and
reloading the device.
Disabled
no ipv6-access-list
Disables the IPv6 ACLs functionality.

The command takes effect only after
performing the commit command and
reloading the device.
ipv6 access-list NAME
Specify an IPv6 ACL and enter IPv6 ACL

Configuration mode:
no ipv6 access-list [NAME]
Removes the selected IPv6 ACL:

<110> characters
Associates a description with IPv6 ACL:
no description
NAME: a string of <110>

characters
<130> characters
rule <value>
Creates an IPv6 ACL rule for filtering traffic and

enters the Rule Configuration mode:
no rule [<value>]
Removes the IPv6 ACL rule:

<1-250>
dscp <value>
permit: permits packets to pass

the configured ACL
Specifies packet filtering by the DSCP value in

the IP header of the packet:
no dscp [<value>]
Removes the defined DSCP value:
inner-vlan <vlan-id> [inner-vlanmask <vlan-mask>]

<0-63>
Defines a specific VLAN ID and mask for the

inner vlan tag. Applying it on TLS SAP is
meaningless. It cannot be used in combination
with the untagged option.
Page 41
Command
Description
meaningless bits (any). The last
12 bits are meaningful.
no inner-vlan <vlan-id> [innervlan-mask <vlan-mask>]

of <1-4094>
Specifies packet filtering by the VLAN Priority

Tag (VPT) in the inner-VLAN tag header:
no inner-vpt <priority>

of <0-7>
destination-ip IPv6-
PREFIX/LENGTH
Specifies the destination IPv6 network or class of

networks for which to set deny or permit
conditions:
IPv6-PREFIX/LENGTH: destination
IPv6 network, in hexadecimal and
using 16-bit values between colons
(documented in RFC 3513). Enter
any as an abbreviation for the
IPv6 prefix ::/0.
protocol TYPE
Specifies the name or a number of an IP

protocol:
established
(valid for TCP protocol only) indicates an

established connection. A match occurs if the
TCP datagram has the ACK or RST bits set.
Packets that do no match are TCP packets sent
to initialize a TCP session.
no established
(valid for TCP protocol only) Removes the

configured match of ACK or RST bits.
icmp-code <value>
( valid for ICMP protocol only) matches ICMP

packets by the ICMP message code:
Page 42
TYPE: tcp, udp, ip, ipinip, igmp,

ospf, pim, icmp or IP protocol
numbers in the range of <0255>,
representing an IP protocol number
(http://www.iana.org/assignments/p
rotocol-numbers (RFC5237)). To
match any Internet protocol, use
the keyword ip. Some protocols
allow further qualifiers, as
described below

a valid literal ICMP message code
(see Table 13)
Command
Description
no icmp-code
Removes the ICMP message code
icmp-type <value>
(valid for ICMP protocol only) matches ICMP

packets by the ICMP message type:

a valid literal ICMP message type
(see Table 11)
no icmp-type
Removes the ICMP message type
tcp-source-port <value>
(valid for TCP protocol only) Specifies the

decimal number or a name of source TCP port.
Use TCP port names when filtering TCP packets
only:

or a TCP port literal value (see
Table 14)
no tcp-source-port
Removes the literal value of the TCP source port
tcp-destination-port <value>
(valid for TCP protocol only) Specifies the

decimal number or a name of destination TCP
port. Use TCP port names when filtering TCP
packets only:

or a TCP port literal value (see
Table 14)
no tcp-destination-port
Removes the literal value of the TCP destination

port
udp-source-port <value>
(valid for UDP protocol only) Specifies the

decimal number or a name of source UDP port.
Use UDP port names when filtering UDP packets
only:

or a UDP port literal value (see
Table 15)
no udp-source-port
Removes the literal value of the UDP source port
udp-destination-port <value>
(valid for UDP protocol only) Specifies the

decimal number or a name of a UDP destination
port. Use UDP port names when filtering UDP
packets only:
no udp-destination-port

or a UDP port literal value (see
Table 15)
Removes the literal value of the UDP destination

port
source-ip IPv6-PREFIX/LENGTH
Specifies the source IPv6 network or class of

networks for which to set deny or permit
conditions:
IPv6-PREFIX/LENGTH: source IPv6

network, in hexadecimal and using
16-bit values between colons
(documented in RFC 3513). Enter
Page 43
Command
Description
any as an abbreviation for the
IPv6 prefix ::/0.
vlan <vlan-id> [vlan-mask <vlanmask>]

[<vlan-mask>]]
vpt <priority>
Specifies a specific VLAN ID and mask for the

outer IP-header:


of <1-4094>

Tag (VPT) in the outer-VLAN tag header:
no vpt [<priority>]
traffic-class <value>

of <0-7>
Specifies the traffic class that matches the traffic

class field in the IPv6 header
no traffic-class [<value>]
Removes the configured value:

<0-255>
untagged

no untagged
Restores to default
port UU/SS/PP
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

Configuration mode:

<1-14>
service

agN} c-vlan {<cvlan-id> | all |
untagged}
Page 44

Configuration mode:

4294967295>
sap: creates a service access

point (SAP) and enters SAP
Command
Description
Configuration mode


untagged}

of 1/1/1-1/1/4 and 1/2/1-1/2/8.

<1-14>

Configuration mode

traffic only

range of <14294967295>

Configuration mode

the range of 1/1/1-1/1/4 and
1/2/1-1/2/8. This port has to be
an untagged member of the S-VLAN.

the range of <1-14>


of <1-4094>

traffic

Enters 802.1Q service Configuration mode for

the specified SAP C-VLAN, creates a service
access point (SAP), and specifies a customer
VLAN (C-VLAN):

of 1/1/1-1/1/4, 1/2/1-1/2/8. This
of the S-VLAN.

<1-14>
Page 45
Command
Description

traffic only
NOTE

SAP.

versa.


agN}[:[igmp] | :[<vlanid>]:[igmp] | UU1/SS1/PP1:<cescircuit>:{ces | ces-oos}}


range of <1-4294967294>

the range of 1/1/1-1/1/4, 1/2/11/2/8.

the range of <1-14>

traffic only

and enters SAP Configuration mode:

4294967295>
UU/SS/PP: the
physical port
port) defined
obtained from
command)
corresponding
(unit, slot and
as SAP.(can be
the show port
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
NOTE


Page 46
Command
Description
<1-14>

of <1-4094>



range of <1-64>

packets

control packets

no vpls <vpls-id> sap {{UU/SS/PP |
agN}[:[igmp] | :[<vlanid>]:[igmp] | UU1/SS1/PP1:<cescircuit>:{ces | ces-oos}}
Removes the SAP:
UU/SS/PP: the
physical port
port) defined
obtained from
command)

<1-14>

of <1-4094>



range of <1-64>

packets

control packets
corresponding
(unit, slot and
as SAP.(can be
the show port

UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
access-groups-rule-sequence <number>
Specifies the sequential order in which the ACL

rules are processed:
Page 47
Command
Description
NOTE
[<number>]

<1-250>
ipv6-access-group NAME in
Assigns a IPv6 ACG to a port/s and enters the

IPv6 ACG Configuration mode:
no ipv6-access-group [NAME] [in]
fc <value>
NAME: a string of <110>

characters

only
Removes the specified IPv6 ACG:

<110> characters

traffic only

(only the ingress traffic) and enters the FC
Configuration mode:
no fc [<value>]
Removes FC mapping:

yellow}

level

rules:
Page 48

[<profile-id>]


Marker (RFC 2698)
single: the Single Rate Three

Command
Description
cbs <value>
dual: (optional) the Two Rate



KB
100 KB
no cbs
Restores to default
cir <value>
value: in the range of, <1

1000000> (depends on the link
capacity) kbps
1000 kbps
no cir
Restores to default
color-aware

Color blind
no clor-aware
Restores to default
pbs <value>

Size (PBS):

KB
100 KB
no pbs
Restores to default
pir <value>


capacity) kbps
1000 kbps
no pir
Restores to default
ebs <value>

Burst Size (EBS):

KB
100 KB
no ebs
Restores to default
exceed-action {drop | markyellow | mark-red}


yellow
Drop
Page 49
Command
Description
Restores to default
no set-green-to-fc

no set-red-to-fc

no set-yellow-to-fc

Disabled
no copy-inner-vpt-to-outer-vpt
Restores to default
redirect UU/SS/PP

UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Removes the traffic redirection from the specified

port:
Page 50

and 1/2/1-1/2/8
show access-lists ipv6
Displays all ACLs and their parameters

configured on the device
show access-groups ipv6
Displays the current ACGs applied on ports
show port UU/SS/PP [access-groupsrule-sequence <number>] ipv6access-group NAME [in] [monitoringprofile <profile-id> [statistics
[fbrs-green-bps | fbrs-green-fps |
fbrs-match-counter-bps | fbrs-matchcounter-fps | fbrs-not-green-bps |
fbrs-not-green-fps | fbrs-not-redbps | fbrs-not-red-fps | fbrs-redbps | fbrs-red-fps | fbrs-yellow-bps
| fbrs-yellow-fps | green-bps |
green-fps | match-counter-bps |
match-counter-fps | not-green-bps |
not-green-fps | not-red-bps | notred-fps | red-bps | red-fps |
Displays the IPv6 ACGs configured on ports:

NAME: a string of
<110> characters
NOTE
profile is applied on a port.
Command
Description
show running-config ipv6 access-list
Displays the configured IPv6 ACLs
MAC ACLs Commands Hierarchy

#device-name
+ config terminal
+ [no] mac access-list {NAME | <acl-number>}

+ [no] rule <value>

- [no] da-type <type>
- destination_mac HH:HH:HH:HH:HH:HH destination_mac_mask

HH:HH:HH:HH:HH:HH

- precedence TYPE
- source_mac HH:HH:HH:HH:HH:HH source_mac_mask

HH:HH:HH:HH:HH:HH
- [no] tos <value>

- [no] untagged

- [no] dscp <value>
+ port UU/SS/PP
+ [no] mac-access-group {NAME | <acl-number>} in

- [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
Page 51

+ [no] mac-access-group {NAME | <acl-number>} vlan

+ [no] mac-access-group {NAME | <acl-number>} out

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- [no] dscp <value>




- [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
Page 52
+ [no] mac-access-group {NAME | <acl-number>} vlan


- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- [no] dscp <value>


- [no] service

<value>}
+ [no] tls <service-id> sap {UU/SS/PP | agN}

id> | all | untagged}
c-vlan {<cvlan-

- [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
Page 53
- [no] pbs <value>
- [no] pir <value>
- [no] parent <id>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>


+ [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- [no] parent <id>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
Page 54


- [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
- [no] parent <id>


- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- show port UU/SS/PP [access-groups-rule-sequence <number>] mac-accessgroup [NAME | <acl-number>] [in | out | vlan] [monitoring-profile
<profile-id> [statistics [fbrs-green-bps | fbrs-green-fps | fbrsmatch-counter-bps | fbrs-match-counter-fps | fbrs-not-green-bps |
fbrs-not-green-fps | fbrs-not-red-bps | fbrs-not-red-fps | fbrs-redbps | fbrs-red-fps | fbrs-yellow-bps | fbrs-yellow-fps | green-bps |
green-fps | match-counter-bps | match-counter-fps | not-green-bps |
not-green-fps | not-red-bps | not-red-fps | red-bps | red-fps |
- show running-config mac access-list
- show running-config mac access-list [NAME | <acl-number>] [description

DESCRIPTION | rule {<rule> | {action {deny | permit} | da-type
<type> | destination_mac HH:HH:HH:HH:HH:HH destination_mac_mask
HH:HH:HH:HH:HH:HH | inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>]
| inner-vpt priority> | precedence TYPE | source_mac
HH:HH:HH:HH:HH:HH source_mac_mask HH:HH:HH:HH:HH:HH | tos <value> |
untagged | vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt <priority>}}]
Page 55
- show access-groups mac

- show access-lists mac
MAC ACL Command Descriptions

Table 6: MAC ACLs Configuration Commands
Command
Description
config terminal
mac access-list {NAME | <aclnumber>}
no mac access-list [NAME | <aclnumber>]
Specifies an MAC ACL and enters MAC ACL

Configuration mode:
NAME: a string of
<110> characters
Removes the selected MAC ACL:

<110> characters
acl-number: (optional) in the

range of <400-499>
Associates a description with MAC ACL:
no description
<130> characters
rule <value>
Creates an MAC ACL rule to filter traffic and

enters Rule Configuration mode:
no rule [<value>]
Removes the MAC ACL rule:

<1-250>
da-type <type>
Specifies traffic type:
no da-type [<type>]
type: see Table 10
Removes traffic type:
type: (optional) see Table 10
destination_mac
HH:HH:HH:HH:HH:HH
destination_mac_mask
HH:HH:HH:HH:HH:HH
Specifies the destination MAC address and mask

the packet is sent to:
Page 56
HH:HH:HH:HH:HH:HH: MAC address and

mask in hexadecimal format. The
any keyword that represents all
Command
Description
MAC addresses
Defines a specific VLAN ID and mask for the

inner vlan tag. Applying it on TLS SAP is
meaningless. It cannot be used in combination
with the untagged option.


of <1-4094>

Tag (VPT) in the inner-VLAN tag header:
precedence TYPE
source_mac HH:HH:HH:HH:HH:HH
source_mac_mask
HH:HH:HH:HH:HH:HH
TYPE: see Table 13
Specifies the source MAC-address of the packet

and the mask:
tos <value>

of <0-7>

precedence values:
no precedence
HH:HH:HH:HH:HH:HH: MAC address and

mask in hexadecimal format. The
any keyword that represents all
MAC addresses
The ACL rule matches packets by the service

level type:

literal ToS value (See Table 12)
no tos
untagged

no untagged
Restores to default

<vlan-mask>]
Denies a specific VLAN ID and mask for the

outer IP-header:

Page 57
Command
Description

[<vlan-mask>]]
vpt <priority>

of <1-4094>

Tag (VPT) in the outer-VLAN tag header:
no vpt [<priority>]
dscp <value>
port UU/SS/PP

of <0-7>
Specifies packet filtering by the DSCP value in

the IP header of the packet:
no dscp [<value>]

Enters Port Configuration mode
Configuration mode:

<1-14>
service


{cbs | cir}
| ces-oos}}
Page 58
Specifies a parent rate-limiter, which allows you

to configure Hierarchical policers on the device.


(depends on the link capacity)
kbps

and enters SAP Configuration mode:

4294967295>
Command
Description
UU/SS/PP: the
physical port
port) defined
obtained from
command)
corresponding
(unit, slot and
as SAP.(can be
the show port
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
NOTE



<1-14>

of <1-4094>



range of <1-64>

packets

control packets

| ces-oos}}
]
Removes the SAP:
UU/SS/PP: the
physical port
port) defined
obtained from
command)
corresponding
(unit, slot and
as SAP.(can be
the show port
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>

of <1-4094>


Page 59
Command
Description

range of <1-64>

packets

control packets

untagged}

Page 60

Configuration mode:

4294967295>

Configuration mode

of 1/1/1-1/1/4 and 1/2/1-1/2/8.

<1-14>

Configuration mode

traffic only

range of <14294967295>

Configuration mode

the range of 1/1/1-1/1/4, 1/2/11/2/8. This port has to be an

the range of <1-14>


of <1-4094>
Command

untagged}
Description

traffic
untagged: (optional) tunnels the

Enters 802.1Q service Configuration mode for

the specified SAP C-VLAN, creates a service
access point (SAP), and specifies a customer
VLAN (C-VLAN):

of 1/1/1-1/1/4, 1/2/1-1/2/8. This
of the S-VLAN.

<1-14>

traffic only
NOTE

SAP.

versa.

<number>


range of <1-4294967294>

the range of 1/1/1-1/1/4, 1/2/11/2/8.

the range of <1-14>

traffic only

are processed:
Page 61
Command
Description
NOTE
[<number>]
mac-access-group {NAME | <aclnumber>} {in | out | vlan}
no mac-access-group [NAME |
<acl-number>] [in | out |
vlan]
fc <value>
Assigns a MAC ACG to a port/s and enters MAC

NAME: a string of
<110> characters

only

only

Removes the specified MAC ACG:

<110> characters
acl-number: (optional) in the

range of <400-499>

traffic only

traffic only


(only the ingress traffic) and enters FC
Configuration mode:
no fc [<value>]
Page 62
Removes FC mapping:

yellow}

<1-250>

level
Command
Description

rules:

[<profile-id>]

cbs <value>

Marker (RFC 2698)
single: the Single Rate Three

dual: (optional) the Two Rate



KB
100 KB
no cbs
Restores to default
cir <value>

capacity) kbps
1000 kbps
no cir
Restores to default
color-aware

Color blind
no clor-aware
Restores to default
pbs <value>

Size (PBS):

KB
100 KB
no pbs
Restores to default
pir <value>


capacity) kbps
1000 kbps
no pir
Restores to default
ebs <value>
Page 63
Command
Description
Burst Size (EBS):

KB
100 KB
no ebs
Restores to default

yellow
Drop
parent <id>
Restores to default
(valid only for ingress ACLs) Applies the
configured parent rate-limiter:
no parent
redirect UU/SS/PP

Page 64

of <1-4094>

packet:
no dscp [<value>]
dscp <value>

of <1-4094>

add-vlan <vlan-id>

and 1/2/1-1/2/8

no vlan [<vlan-id>]
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

port:
vlan <vlan-id>

range of <0-63>
Command
Description

vpt <priority>

of <07>

no vpt [<priority>]

range of <07>

range of <0-7>

of <07>

Disabled
no copy-inner-vpt-to-outer-vpt
Restores to default


green:
no set-green-to-vpt

no set-red-to-dscp

green:
no set-red-to-vpt


green:
Page 65
Command
Description

no set-green-to-fc

no set-red-to-fc

no set-yellow-to-fc
Table 7: MAC ACLs Show Commands

Command
Description
show port UU/SS/PP [access-groups-rulesequence <number>] mac-access-group [NAME

| <acl-number>] [in | out | vlan]
[monitoring-profile <profile-id>
[statistics [fbrs-green-bps | fbrs-greenfps | fbrs-match-counter-bps | fbrsmatch-counter-fps | fbrs-not-green-bps |
fbrs-not-green-fps | fbrs-not-red-bps |
fbrs-not-red-fps | fbrs-red-bps | fbrsred-fps | fbrs-yellow-bps | fbrs-yellowfps | green-bps | green-fps | matchcounter-bps | match-counter-fps | notgreen-bps | not-green-fps | not-red-bps |
not-red-fps | red-bps | red-fps | yellowbps | yellow-fps]]]
Displays the MAC ACGs:
number: the sequence number, in

NAME: a string of
<110> characters
acl-number: in the range of

<400-499>
monitoring-profile: the rate, in

frame per second and bytes per
second, of transmitted packets
that are marked as red, green,
or yellow on a selected port
statistics: counts match packets

redirection ACLs
NOTE
Statistics counters will be reset
port.
show running-config mac access-list
Page 66
Displays information about the extended MAC

ACLs
Command
Description
show running-config mac access-list [NAME |

<acl-number>] [description DESCRIPTION
| rule {<value> | {action {deny |
permit} | da-type <type> |
destination_mac HH:HH:HH:HH:HH:HH
destination_mac_mask HH:HH:HH:HH:HH:HH
| inner-vlan <vlan-id> [inner-vlan-mask
<vlan-mask>] | inner-vpt priority> |
precedence TYPE | source_mac
HH:HH:HH:HH:HH:HH source_mac_mask
HH:HH:HH:HH:HH:HH | tos {<0-7> | maxreliability | max-throughput | min-delay
| min-monetary-cost | normal} | untagged
| vlan <vlan-id> [vlan-mask <vlanmask>] | vpt <priority>}}]
Displays information about the extended MAC

ACLs, filtered by command arguments
show access-groups mac
Displays information about MAC ACGs
show access-lists mac
Displays information about MAC ACLs
Page 67
Ethertype ACLs Commands Hierarchy

#device-name
+ config terminal
+ [no] ether-type access-list {NAME | <acl-number>}

+ [no] rule <rule>
- [no] ether-type <type> [ether-type-mask <mask>]

- [no] precedence TYPE
- [no] tos <value>

- [no] untagged
+
- [no] dscp <value>
port UU/SS/PP
+ [no] ether-type-access-group {NAME | <acl-number>} in

- [no] fc <value>

- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>

mark-red}
+ [no] ether-type-access-group {NAME | <acl-number>} vlan

Page 68

+ [no] ether-type-access-group {NAME | <acl-number>} out

- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- [no] dscp <value>



+ [no] ether-type-access-group {NAME | <acl-number>} in

- [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}

+ [no] ether-type-access-group {NAME | <acl-number>} vlan

Page 69

+ [no] ether-type-access-group {NAME | <acl-number>} out

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- [no] dscp <value>


+ [no] service

<value>}
+ [no] tls <service-id> sap {UU/SS/PP | agN}

id> | all | untagged}
c-vlan {<cvlan-
+ [no] ether-type-access-group {NAME | <acl-number>}

in
- [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
- [no] parent <id>
Page 70

out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>


in
+ [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
- [no] parent <id>

out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
+ [no] vpls <vpls-id> sap{{UU/SS/PP | agN}[:[igmp] | :[<vlanid>]:[igmp] | UU1/SS1/PP1:<ces-circuit>:{ces | ces-oos}}

Page 71

in
- [no] fc <value>

- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
- [no] parent <id>


out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>
- show port UU/SS/PP [access-groups-rule-sequence <number>] ether-typeaccess-group [NAME | <acl-number>] [in | out | vlan] [monitoringprofile <profile-id> [statistics [fbrs-green-bps | fbrs-green-fps |
- show running-config ether-type access-list
- show running-config ether-type access-list [NAME | <acl-number>]

[description DESCRIPTION | rule {<value> | {action {deny | permit} |
ether-type <type> | inner-vlan <vlan-id> [inner-vlan-mask <vlanmask>] | inner-vpt <priority> | precedence TYPE | tos <value> | vlan
<vlan-id> [vlan-mask <vlan-mask>] | vpt <priority>}}]
- show access-groups ether-type

- show access-lists ether-type
Page 72
EtherType ACL Command Descriptions

Table 8: EtherType ACLs Configuration Commands
Command
Description
config terminal
ether-type access-list {NAME | <aclnumber>}
no ether-type access-list {NAME |

<acl-number>}
Specifies an EtherType ACL and enters

EtherType ACL Configuration mode:
NAME: a string of
<110> characters
Removes the selected EtherType ACL:

<110> characters

of <500-599>
Associates a description with EtherType ACL:
no description
<130> characters
rule <value>
Creates an EtherType ACL rule for filtering traffic

and enters Rule Configuration mode:
no rule [<value>]
Removes the EtherType ACL rule:

<1-250>
ether-type <type> [ether-typemask <mask>]
no ether-type [<type>] [ethertype-mask [<mask>]]
Matches the hexadecimal value specifying the

EtherType:
type: see Table 19
ether-type-mask: (Optional) allows

a range of EtherTypes to be
specified together
mask: hexadecimal number in the

range of <0-FFFF>. An EtherType
mask of 0 requires an exact match
of the EtherType.
Removes the specified EtherType:
Page 73
Command
Description
type: (optional) see Table 19
ether-type-mask: (Optional) allows

a range of EtherTypes to be
specified together
mask: (Optional) hexadecimal number

in the range of <0-FFFF>

untagged option.


<1-4094>

precedence TYPE

of <0-7>
Supported only when the value of the

EtherType field of the Ethernet frame is
0x0800.
precedence values.
TYPE: see Table 13
no precedence
tos <value>

0x0800.
The ACL rule matches packets by service level
type:
Page 74

valid literal ToS value (See Table
12)
no tos

<vlan-mask>]
Denies a specific VLAN ID and mask for the outer

IP-header:
Command
Description

[<vlan-mask>]]
vpt <priority>

<1-4094>

0x8100.
no vpt [<priority>]

of <0-7>
untagged

no untagged
Restores to default
dscp <value>

0x0800.
no dscp [<value>]
port UU/SS/PP

Enters Port Configuration mode
Configuration mode:

<1-14>
service

Specifies a parent rate-limiter, which allows you to

configure Hierarchical policers on the device.


Page 75
Command
Description

{cbs | cir}


4294967295>

UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
NOTE



<1-14>

<1-4094>



range of <1-64>

packets

control packets

]
Removes the SAP:

Page 76
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Command
Description
<1-14>

<1-4094>



range of <1-64>

packets

control packets

agN} c-vlan {<cvlan-id> | all
| untagged}


Configuration mode:

4294967295>
sap: creates a service access point

(SAP) and enters SAP Configuration
mode

1/1/1-1/1/4, 1/2/1-1/2/8. This port
S-VLAN.

<1-14>

Configuration mode

traffic only

of <14294967295>

Configuration mode

the range of 1/1/1-1/1/4, 1/2/11/2/8. This port has to be an
Page 77
Command

untagged}
Description

range of <1-14>
c-vlan: (optional) specifies a


of <1-4094>

traffic

Enters 802.1Q service Configuration mode for the

specified SAP C-VLAN, creates a service access
point (SAP), and specifies a customer VLAN (CVLAN):

1/1/1-1/1/4, 1/2/1-1/2/8. This port
S-VLAN.

<1-14>

traffic only
NOTE

SAP.

versa.

Page 78

used without a parameter, removes all configured
802.1Q services:

of <1-4294967294>

the range of 1/1/1-1/1/4, 1/2/11/2/8.

range of <1-14>
Command
Description
<number>

traffic only

are processed:
NOTE
[<number>]
ether-type-access-group {NAME |
<acl-number>} {in | out |
vlan}
no ether-type-access-group
[NAME | <acl-number>] [in
| out | vlan]
fc <value>
Assigns an EtherType ACG to a port/s and enters

EtherType ACG Configuration mode:
NAME: a string of
<110> characters

only

only

Removes the specified EtherType ACG:

<110> characters

of <500-599>

traffic only

traffic only


(only ingress traffic) and enters FC Configuration
mode:
no fc [<value>]
Removes FC mapping:

<1-250>
Page 79
Command
Description
yellow}

level

rules:

[<profile-id>]

port and enters the Rate-Limit Configuration
mode:
cbs <value>

Marker (RFC 2698)

Marker (RFC 2697)



KB
100 KB
no cbs
Restores to default
cir <value>

1000 kbps
no cir
Restores to default
color-aware

Color blind
no clor-aware
Restores to default
pbs <value>

Size (PBS):

KB
100 KB
no pbs
Restores to default
pir <value>

Page 80
Command
Description
1000 kbps
no pir
Restores to default
ebs <value>

Burst Size (EBS):

KB
100 KB
no ebs
Restores to default


yellow
Drop
Restores to default
parent <id>
Applies the configured parent rate-limiter:
no parent
redirect UU/SS/PP


and 1/2/1-1/2/8

no vlan [<vlan-id>]
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

port:
vlan <vlan-id>

<1-4094>

Disabled
Restores to default
add-vlan <vlan-id>

Page 81
Command
Description
dscp <value>

<1-4094>

packet:

range of <0-63>
no dscp [<value>]

vpt <priority>

range of <0-7>

of <07>

no vpt [<priority>]

range of <07>

of <07>


green:
no set-green-to-vpt

no set-red-to-dscp

green:
no set-red-to-vpt

Page 82
Command
Description

green:

no set-green-to-fc

no set-red-to-fc

no set-yellow-to-fc
Page 83
Table 9: EtherType ACLs Show Commands

Command
Description
show port UU/SS/PP [access-groups-rulesequence <number>] ether-type-accessgroup [NAME | <500-599>] [in | out |
vlan] [monitoring-profile <profileid> [statistics [fbrs-green-bps |
fbrs-green-fps | fbrs-match-counterbps | fbrs-match-counter-fps | fbrsnot-green-bps | fbrs-not-green-fps |
fbrs-not-red-bps | fbrs-not-red-fps |
fbrs-red-bps | fbrs-red-fps | fbrsyellow-bps | fbrs-yellow-fps | greenbps | green-fps | match-counter-bps |
match-counter-fps | not-green-bps |
not-green-fps | not-red-bps | notred-fps | red-bps | red-fps | yellowbps | yellow-fps]]]
Displays information about the EtherType ACGs,

filtered by command arguments:
number: the sequence number ,in the

range of <1-250>
NAME: a string of
<110> characters
monitoring-profile: the rate, in

frame per second and bytes per
second, of transmitted packets that
are marked as red, green, or yellow
on a selected port
statistics: counts match packets
vlan: only VLAN traffic redirection

ACLs
NOTE
Statistics counters will be reset
port.
show running-config ether-type accesslist
Displays information about EtherType ACLs
show running-config ether-type accesslist [NAME | <500-599>] [description

DESCRIPTION | rule {<1-250> |
{action {deny | permit} | ether-type
<type> | inner-vlan <vlan-id>
[inner-vlan-mask <vlan-mask>] |
inner-vpt <priority> | precedence
TYPE | tos {<0-7> | max-reliability |
max-throughput | min-delay | minmonetary-cost | normal} | vlan <vlanid> [vlan-mask <vlan-mask>] | vpt
<priority>}}]
Displays information about EtherType ACLs,

show access-groups ether-type
Displays information about EtherType ACGs
show access-lists ether-type
Displays information about EtherType ACLs
Table 10: Traffic Types
Page 84
Traffic Type
Description
unknown-unicast
(Optional, supported for ingress ACLs only)

matches unknown traffic.
Traffic Type
Description
known-unicast

matches known-unicast traffic.
known-multicast

matches already known multicast traffic.
unknown-multicast

matches unknown multicast traffic.
broadcast

matches broadcast traffic.
Table 11: Monitoring Profiles

Profile
Meaning
match-counter-fps
Counter for transmitted packets, in frames
match-counter-bps
Counter for transmitted packets, in bytes
rate-limit-statistics-red-notred-fps
Counter for red and not red packets, in frames
rate-limit-statistics-red-notred-bps
Counter for red and not red packets, in bytes
rate-limit-statistics-green-notgreen-fps
Counter for green and not green packets, in

frames
rate-limit-statistics-green-notgreen-bps
Counter for green and not green packets, in

bytes
rate-limit-statistics-green-red-fps
Counter for green and red packets, in frames
rate-limit-statistics-green-red-bps
Counter for green and red packets, in bytes
rate-limit-statistics-green-yellow-fps
Counter for green and yellow packets, in frames
rate-limit-statistics-green-yellow-bps
Counter for green and yellow packets, in bytes
rate-limit-statistics-red-yellow-fps
Counter for red and yellow packets, in frames
rate-limit-statistics-red-yellow-bps
Counter for red and yellow packets, in bytes
Table 12: Valid ToS Values

Valid Literal Value
Description
Value
max-reliability
Max reliable TOS
max-throughput
Max throughput TOS
min-delay
Min delay TOS
min-monetary-cost
Min monetary cost TOS
normal
Normal TOS
Table 13: Valid Precedence Values

Valid Literal Value
Description
critical
Critical precedence
flash
Flash precedence
Page 85
Valid Literal Value
Description
flash-override
Flash override precedence
immediate
Immediate precedence
internet
Internetwork control precedence
network
Network control precedence
priority
Priority precedence
routine
Routine precedence
Table 14: Valid ICMP Message Type Values
Page 86
Valid Literal Value
Description
Value
alternate-address
Alternate Host Address
conversion-error
Datagram Conversion Error
31
domain name reply
Domain Name Reply
35
domain name request
Domain Name Request
36
echo
Echo (ping)
echo-reply
Echo reply
information-reply
Information replies
16
information-request
Information requests
15
ipv6-i-am-here
IPv6 I-Am-Here
34
ipv6-where-are-you
IPv6 Where-Are-You
33
mask-reply
Address mask replies
17
mask-request
Address mask requests
18
mobile-redirect
Mobile Host Redirect
32
mobile-registration-reply
Mobile Registration Reply
35
mobile-registrationrequest
Mobile Registration Request
36
parameter-problem
Parameter Problem
12
photuris
Photuris
40
redirect
All redirects
router-advertisement
Router Advertisement
router-solicitation
Router Solicitation
10
skip
SKIP
39
source-quench
Source Quench
time-exceeded
Time Exceeded
11
timestamp-reply
Timestamp Reply
14
timestamp-request
Timestamp
13
traceroute
Traceroute
30
unreachable
Destination unreachable
Table 15: Valid ICMP Code Values

Valid Literal Value
Description
Value
administrativelyprohibited
Communication is administratively prohibited
13
dod-host-prohibited
Communication with destination host is

administratively prohibited
10
dod-net-prohibited
Communication with destination network is

administratively prohibited
host-isolated
Source host is isolated
host-precedenceunreachable
Host precedence violation
14
host-tos-unreachable
Destination host ToS is unreachable
12
host-unknown
Destination host is unknown
host-unreachable
Host is unreachable
net-tos-unreachable
Destination network ToS is unreachable
11
net-unreachable
Net is unreachable
network-unknown
Destination network is unknown
packet-too-big
Fragmentation needed but fragmentation is not set
port-unreachable
Port is unreachable
precedence-cutoff
Precedence cutoff is in effect
15
protocol-unreachable
Protocol is unreachable
source-route-failed
Source route failed
Table 16: Valid TCP Port Literal Values

Valid Literal Value
Description
Value
bgp
Border Gateway Protocol
179
chargen
Character generator
19
daytime
Daytime
13
discard
Discard
domain
Domain name service
53
echo
Echo
exec
Exec (rsh)
512
finger
Finger
79
ftp
File Transfer Protocol
21
ftp-data
FTP data connections (used infrequently)
20
gopher
Gopher
70
hostname
NIC hostname server
102
ident
Ident protocol
113
Page 87
Valid Literal Value
Description
Value
irc
Internet Relay Chat
194
klogin
Kerberos login
543
kshell
Kerberos shell
544
login
Login (rlogin)
513
lpd
Printer service
515
nntp
Network News Transport Protocol
119
pim-auto-rp
PIM Auto-RP
496
pop2
Post Office Protocol v2
109
pop3
Post Office Protocol v3
110
smtp
Simple Mail Transport Protocol
25
sunrpc
Sun Remote Procedure Call
111
syslog
Syslog
514
tacacs-ds
TAC Access Control System
49
talk
Talk
517
telnet
Telnet
23
time
Time
37
uucp
Unix-to-Unix Copy Program
540
whois
Nickname
43
www
World Wide Web (HTTP)
80
Table 17: Valid UDP Port Literal Values
Page 88
Valid Literal Value
Description
Value
biff
Biff (mail notification, comsat)
512
bootps
Bootstrap Protocol (BOOTP) server
67
bootpc
Bootstrap Protocol (BOOTP) client
68
discard
Discard
dnsix
DNSIX security protocol auditing
195
domain
Domain name service
53
echo
Echo
isakmp
Internet Security Association and Key Management

Protocol
500
mobile-ip
Mobile IP registration
434
nameserver
IEN116 name service (obsolete)
42
netbios-dgm
NetBios datagram service
138
netbios-ns
NetBios name service
137
netbios-ss
NetBios session service
139
ntp
Network Time Protocol
123
Valid Literal Value
Description
Value
pim-auto-rp
PIM Auto-RP
496
rip
Routing Information Protocol
520
snmp
161
snmptrap
SNMP Traps
162
sunrpc
Sun Remote Procedure Call
111
syslog
Syslog
514
tacacs-ds
TAC Access Control System
49
talk
Talk
517
tftp
Trivial File Transfer Protocol
69
time
Time
37
who
Who service
513
xdmcp
X Display Manager Control Protocol
177
Page 89
Table 18: Valid FC Values

FC
Description
be
The FC to be mapped is the Best-Effort Forwarding Class
l2
The FC to be mapped is the Low-2 Forwarding Class
af
The FC to be mapped is the Assured Forwarding Class
l1
The FC to be mapped is the Low-1 Forwarding Class
h2
The FC to be mapped is the High-2 Forwarding Class
ef
The FC to be mapped is the Expedited Forwarding Class
h1
The FC to be mapped is the High-1 Forwarding Class
nc
The FC to be mapped is the Network Control Forwarding Class
Table 19: Known EtherType Values

Value
Description
0x00000x05DC
IEEE 802.3 length
0x0800
IP (Internet Protocol)
0x0806
ARP (Address Resolution Protocol)
0x8035
DRARP (Dynamic RARP)

RARP (Reverse Address Resolution Protocol)
0x80F3
AARP (AppleTalk Address Resolution Protocol)
0x8137
IPX (Internet Packet Exchange)
0x86DD
IPv6 (Internet Protocol version 6)
0x880B
PPP (Point-to-Point Protocol)
0x880C
GSMP (General Switch Management Protocol)
0x8847
MPLS (Multi-Protocol Label Switching) unicast
0x8848
MPLS (Multi-Protocol Label Switching) multicast
0x8863
PPPoE (PPP Over Ethernet) Discovery Stage
0x8864
PPPoE (PPP Over Ethernet) PPP Session Stage
0x88BB
LWAPP (Light Weight Access Point Protocol)
0x8E88
EAPOL (EAP over LAN)
0xFFFF
Reserved
NOTE
Permitting EtherType code 0x8XXX allows tagged traffic since EtherType 0x8100 is
used.
Page 90
ACLs Configuration Example

Configure Standard ACL
1.
Define a standard IP ACL:

device-name(config)#ip access-list standard 3
device-name(config-standard-3)#
2.
Define the rule for the standard IP ACL:

device-name(config-standard-3)#rule 3 action permit source-ip 1.0.0.3/32
3.
Define the VLAN:

device-name(config-rule-3)#vlan 11 vlan-mask 00:00:00:0F
4.
Define the VPT:

device-name(config-rule-3)#vpt 3
5.

device-name(config-rule-3)#commit
Commit complete.
6.
Define the rate limit on port 1/1/1:

device-name(config-port-1/1/1)#access-groups-rule-sequence 1
device-name(config-access-groups-rule-sequence-1)#ip-access-group-standard
3 in
device-name(config-ip-access-group-standard-3/in)#rate-limit single cir
5000 cbs 300
device-name(config-rate-limit-single)#commit
Commit complete.
7.
Display information about the standard IP ACL:

device-name#show running-config ip access-list standard 3
ip access-list standard 3
rule 3
action
permit
source-ip 1.0.0.3/32
vlan
11
vlan-mask 00:00:00:0f
vpt
3
!
!
8.
Display information about the standard IP ACG per port 1/1/1:

device-name#show running-config port 1/1/1
port 1/1/1
Page 91
duplex
auto
no shutdown
qos-ingress-policy
defInPol
qos-egress-policy
defEgPol
access-groups-rule-sequence 1
ip-access-group-standard 3 in
rate-limit single
cir 5000
cbs 50
!
exit
!
exit
!
!
Configure Extended ACL

1.
Define an extended IP ACL:

device-name(config)#ip access-list extended 110
2.
Define the rule for the extended IP ACL:

device-name(config-extended-110)#rule 5 action permit protocol tcp sourceip 1.0.0.2/32 destination-ip 2.0.0.4/32
3.
Define the TCP-port, ToS, VLAN, VPT and precedence level:

device-name(config-rule-5)#tcp-source-port 33
device-name(config-rule-5)#tos max-throughput
device-name(config-rule-5)#vlan 22 vlan-mask 00:00:00:00
device-name(config-rule-5)#precedence critical
4.

Commit complete.
5.
Define the rate limit on port 1/1/2:

device-name(config-access-groups-rule-sequence-1)#ip-access-group-extended
110 in
device-name(config-ip-access-group-extended-110/in)#rate-limit dual cir
3000 cbs 100 pir 6000 pbs 300
device-name(config-rate-limit-dual)#commit
Commit complete.
6.
Display information about the extended IP ACL:

device-name#show running-config ip access-list extended 110
Page 92
ip access-list extended 110

rule 5
action
permit
protocol
tcp
source-ip
1.0.0.2/32
destination-ip 2.0.0.4/32
tcp-source-port 33
tos
max-throughput
precedence
critical
vlan
22
vlan-mask
00:00:00:00
vpt
2
!
!
7.
Display information about the extended IP ACG per port 1/1/2:

device-name#show running-config port 1/1/2
port 1/1/2
duplex
full
speed
10000
no shutdown
qos-ingress-policy
defInPol
qos-egress-policy
defEgPol
ip-access-group-extended 110 in
rate-limit dual
cir 3000
pir 6000
pbs 300
!
exit
!
exit
!
!
Configure Egress and VLAN ACLs

1.
Define an extended IP ACL:

2.
Define a rule for the extended IP ACL:

device-name(config-extended-100)#rule 1 action permit source-ip 1.0.0.1/32
destination-ip 2.0.0.4/32 protocol tcp
Commit complete.
3.
Apply the configured ACL on port 1/1/1 and redirect the matching traffic to the VLAN 200
Page 93
100 vlan
device-name(config-ip-access-group-extended-100/vlan)#vlan 200
device-name(config-ip-access-group-extended-100/vlan)#commit
Commit complete.
4.
Apply the configured ACL on port 1/1/2 and limit the outgoing traffic to 5M, and remark
dscp value with 44:
device-name(config-port-1/1/2)#
100 out
device-name(config-ip-access-group-extended-100/out)#rate-limit single cir
5000 cbs 16
device-name(config-rate-limit-single)#exit
device-name(config-ip-access-group-extended-100/out)#dscp 44
device-name(config-ip-access-group-extended-100/out)#commit
Commit complete.
Apply ACG on a SAP port with Traffic Rate-limit

1.
Define a monitoring profile and statistics:

device-name(config)#access-group-monitoring-profile 5
device-name(config-access-group-monitoring-profile-5)#enable-statistics
rate-limit-statistics-green-red-bps
device-name(config-enable-statistics-rate-limit-statistics-green-redbps)#access-group-monitoring-profile 10
device-name(config-access-group-monitoring-profile-10)#enable-statistics
rate-limit-statistics-red-notred-fps
device-name(config-enable-statistics-rate-limit-statistics-red-notredfps)#commit
Commit complete.
2.
Create ACLs:
device-name(config-standard-66)#rule 1
device-name(config-rule-1)#action permit
device-name(config-rule-1)#source-ip 1.0.0.1/32
device-name(config-rule-1)#ip access-list standard 67
device-name(config-rule-1)#ip access-list standard 68
Page 94
Commit complete.
3.
Apply ACGs (on the ingress traffic only) on a SAP port with defined traffic rate-limit:
device-name(config-vpls-2)#sap 1/1/1:20:
device-name(config-sap-1/1/1:20:)#access-groups-rule-sequence 1
66 in
device-name(config-ip-access-group-standard-66/in)#monitoring-profile 10
device-name(config-ip-access-group-standard-66/in)#access-groups-rulesequence 2
67 in
device-name(config-ip-access-group-standard-67/in)#access-groups-rulesequence 3
68 in
5000 cbs 16
Commit complete.
Apply ACG on a SAP Port

1.
Apply ACGs (on ingress traffic only) on a SAP port with defined traffic rate-limit::
device-name(config-service)#tls 1
device-name(config-sap-1/1/1)#c-vlan 12
device-name(config-c-vlan-12)#access-groups-rule-sequence 1
100 in
device-name(config-ip-access-group-extended-100/in)#rate-limit dual
device-name(config-rate-limit-dual)#cir 1000
device-name(config-rate-limit-dual)#cbs 16
device-name(config-rate-limit-dual)#pir 2000
device-name(config-rate-limit-dual)#pbs 16
device-name(config-rate-limit-dual)#exceed-action mark-yellow
device-name(config-rate-limit-dual)#color-aware
device-name(config-rate-limit-dual)#monitoring-profile 10
device-name(config-monitoring-profile-10)#sdp s-vlan 10
device-name(config-s-vlan-10)#port 1/1/2
device-name(config-port-1/1/2)#commmit
2.
Display the configuration:

device-name#show running-config service tls 1 sap 1/1/1
Page 95
service
tls 1
sap 1/1/1
c-vlan 12
ip-access-group-extended 100 in
rate-limit dual
cir
1000
cbs
16
pir
2000
pbs
16
exceed-action mark-yellow
color-aware
!
monitoring-profile 10
!
!
!
!
!
!
!
Apply IPv6 ACG on Aggregated SAP Ports

1.
Apply ACGs (on ingress traffic only) on a group of SAP ports:

device-name(config)#ipv6 access-list 1000
device-name(config-access-list-1000)#rule 1
device-name(config-rule-1)#source-ip 2001::1/128
device-name(config-rule-1)#destination-ip 2001::4/126
device-name(config-rule-1)#top
device-name(config-rule-1)#exit
device-name(config-rule-2)#action deny
device-name(config-rule-3)#top
Page 96
device-name(config-rule-1)#destination-ip 2001::a/128
2.
Apply IPv6 ACLs:

device-name(config-port-1/1/4)#top
device-name(config)#service vpls 14
device-name(config-vpls-14)#mode pe-rs
device-name(config-vpls-14)#sap ag1:100
device-name(config-sap-ag1:100:200)#access-groups-rule-sequence 1
device-name(config-access-groups-rule-sequence-1)#ipv6-access-group 1000
in
device-name(config-ipv6-access-group-1000/in)#top
in
device-name(config-ipv6-access-group-2000/in)#top
in
device-name(config-ipv6-access-group-3000/in)#commit
Page 97
Page 98
Feature
Standards
MIBs
RFCs
Access Control
Lists (ACLs)
No standards are
supported by this
feature.
Private MIB,
PRVT-SWITCHACCESS-LISTMIB.mib
RFC 2697, A Single Rate

Three Color Marker
RFC 2698, A Two Rate Three
Color Marker
Quality of Service (QoS)

Table of Contents
Table of Figures 2
List of Tables 2
Port-Based Quality of Service (QoS) 3
Traffic Analysis for QoS Deployment 3
Port-Based QoS Architecture 4
QoS Mechanisms 4
Sorting Packets for QoS Handling 5
Forwarding Class (FC) 6
Profiles 7
Port-Related Policies 7
Relevant Scaling Numbers 8
Order of Configuration 8
Trust Mode for the Port 8
Traffic Scheduling 9
Traffic Shaping 12
QoS Default Configuration 13
Service-Based Quality of Service (QoS) 14
Service QoS Architecture 15
Service-Based QoS Mechanisms 15
Policy-Based QoS Management 16
Profiles 16
Port-Related Policies16
Service-Related Policies 17
Relevant Scaling Numbers 17
Order of Configuration 17
QoS Default Configuration 18
QoS Configuration Flow 19
Quality of Service (QoS) (Rev. 01)
Page 1
QoS Commands 21
Table of Figures
Figure 1: Port-based QoS Architecture ............................................................................................... 4
Figure 2: 802.1p Priority Header Fields .............................................................................................. 5
Figure 3: Type of Service (ToS) Header Fields .................................................................................. 6
Figure 4: Strict Priority Queuing ........................................................................................................ 10
Figure 5: Weighted Round-Robin Queuing ...................................................................................... 11
Figure 5: Service Ingress QoS Architecture ...................................................................................... 15
Figure 6: Combining Service Ingress QoS and Port-based QoS ................................................... 15
Figure 7: QoS Configuration Flow .................................................................................................... 20
List of Tables
Table 1: Modified Deficit Round-Robin Queuing Algorithms...................................................... 12
Table 2: QoS Default Configuration ................................................................................................. 13
Table 3: QoS Default Configuration ................................................................................................. 18
Table 4: QoS Profiles Configuration Commands ............................................................................ 22
Table 5: QoS Policy Configuration Commands .............................................................................. 32
Table 6: QoS Port Configuration Commands.................................................................................. 36
Table 7: QoS Display Configuration Commands ............................................................................ 38
Page 2
T-Marc3208SH
Port-Based Quality of Service (QoS)

Todays networks transmit data streams for various applications using many different protocols.
Different types of traffic sharing a data path through the network can interact in ways that affect
application performance. Traffic prioritization becomes especially important when delay-sensitive,
interactive applications are supported across the network. In many cases a guaranteed level of
throughput is part of contractual obligations between the network operator and customers or thirdparty service providers.
QoS controls congestion by determining the order in which packets are transmitted based on
priorities assigned to those packets. QoS queuing policies can protect bandwidth for important
categories of applications, or specifically limit the bandwidth associated with less critical traffic. For
example, if Voice over IP (VoIP) traffic requires a reserved amount of bandwidth to function
properly, QoS policies can reserve sufficient bandwidth and at the same time, limit bandwidth for
less critical applications.
Basic QoS implementation for BiNOX devices is port-based. During periods of light traffic, QoS
policies have little effect, and packets are transmitted as soon as they arrive. During periods of
congestion, outbound packets accumulating at a port are sorted into eight queues. Packets are
transmitted from the queues according to the scheduling mechanism configured for the port.
Traffic Analysis for QoS Deployment

To effectively configure QoS, the user must analyze traffic types to determine the relative
bandwidth demand of each port. The user should also evaluate sensitivity to latency, jitter, and
packet loss of the supported applications.
General guidelines for each traffic type are given below. Consider them as general guidelines and
not strict recommendations. Once QoS parameters are set, the user can monitor performance to
determine if the actual behavior of the application matches user expectations.
Voice applications demand small amounts of bandwidth. However, the bandwidth must be
constant and predictable because voice applications are typically sensitive to latency (interpacket delay) and jitter (variation in inter-packet delay).
Video applications have similar needs as voice applications with the exception that bandwidth
requirements are somewhat larger depending on encoding.
Some applications can transmit large amounts of data for multiple streams in one spike with
the expectation that the end-stations will buffer significant amounts of video-stream data. This
behavior presents a problem since the network infrastructure must be capable of buffering
transmitted spikes where there are speed differences involved (for example, going from
Gigabit Ethernet to Fast Ethernet).
Database applications such as those associated with ERP, typically do not demand significant
bandwidth and are tolerant of delay. The user can establish a minimum bandwidth using a
lower priority than that needed for delay-sensitive applications.
Web browsing applications cannot be generalized into a single category. Casual and
application-oriented traffic can be distinguished from each other by server source and
destination.
Page 3
Most browser-based applications have an asymmetric data flow (small data flows from
the browser client and large data flows from the server to the browser client). An
exception to this pattern may be created by some Java -based applications.
Web-based applications are generally tolerant of latency, jitter, and some packet loss:
however, small packet-loss may have a large impact on perceived performance due to the
nature of TCP.
File server applications typically pose the greatest demand on bandwidth. File server
applications are very tolerant of latency, jitter, and some packet loss depending on the network
operating system and the use of TCP or UDP.
Port-Based QoS Architecture

Figure 1 shows how QoS affects traffic flow during the switching process.
On ingress, the traffic is:
Classified (mapped) according to policy mapping tables
Policed based on ACLs (optional)
Re-mapped based on ACLs (optional)
On egress, traffic is:
Distributed into eight priority queues based on the classification
Entered into queues after Congestion Avoidance enforcement
Transmitted according to a scheduling algorithm
Shaped on a per queue/egress port basis
Figure 1: Port-based QoS Architecture
QoS Mechanisms
The user can control Quality of Service behavior through the following mechanisms:
Page 4
Mapping inbound packets into eight Forwarding classes that correspond to eight outbound
queues. Existing QoS markers such as VPT and DSCP values can be used for mapping
purposes.
Policing ingress traffic rate using rate-limit ACLs.
Overriding mapping using rate-limit ACLs.
Controlling queue overflow states using the Congestion Avoidance and color-aware
mechanisms.
Scheduling packet trasmissions out of the outbound queues. Several basic scheduling
mechanisms are provided:
Strict Priority (SP)
Weighted Round-Robin (WRR)
Deficit Round-Robin (DRR)
In addition, several hybrid scheduling schemes are available, which combine the
Weighted/Deficit Round-Robin and Strict Priority mechanisms.
Shaping egress traffic rates per queue and per port.
Sorting Packets for QoS Handling

The following methods are available to sort packets:
Packet Sorting by 802.1p Priority Values (see below)
Packet Sorting by DiffServ Values (on page 6)
Packet Sorting by 802.1p Priority Values

The device supports the standard 802.1p priority bits that are part of a tagged Ethernet packet. The
802.1p bits can be used to prioritize the packet. 802.1p priority bits, which are part of a tagged
Ethernet packet, can be used to prioritize incoming packets. The device examines the 802.1p
priority field and assigns the packet to a specific QoS queue for transmission. The 802.1p priority
field is located directly after the 802.1Q type field and before the 802.1Q VLAN ID, as shown in
Figure 2.
Figure 2: 802.1p Priority Header Fields
The device maps ingress traffic containing 802.1p prioritization information, to hardware queues
on the egress port of the device. The transmitting hardware queue determines bandwidth
management and priority characteristics used in packet transmission and exact mapping depends on
the employed trust mode.
By default, 802.1p priority information is not replaced or manipulated. Priority information
observed on ingress is preserved during packet transmission and is not affected by the switching or
routing configuration of the device. The device is capable of using the 802.1p priority information
Page 5
of incoming traffic for internal QoS mapping and handling or ignore it (default untrusted mode)
changing, however in any case the 802.1p priority information is kept during transmission of an
802.1Q tagged frame (unless the device is configured to remark it)
Packet Sorting by DiffServ Values

The device uses the IP Type of Service (ToS) field contained in every IP packet header to
determine the type of service provided to the packet.
The application software can use ToS/DiffServ values to sort packets into QoS queues. Individual
ToS values, or ranges of values, are mapped to 802.1p priority values. Packets are sorted into QoS
queues based on this derived priority value. Figure 3 shows the ToS fields in the IP packet header.
Figure 3: Type of Service (ToS) Header Fields
The device examines the first six of eight ToS bits, known as the Differentiated Services Code
Point (DSCP), for incoming packets arriving on the ingress port. Depending on the trust mode
assigned to the packet and based on the DSCP, the device can assign the QoS priority used to
subsequently transmit the packet. QoS priority:
Controls the hardware queue used to transmit packets out of the device
Determines the forwarding classof a particular DSCP
Advantages to using the DSCP field include:
Class of service information can be carried throughout the network infrastructure without
repeated complex traffic policies at each device location
End stations can perform packet marking on an applicationspecific basis.
Application software can observe and manipulate DSCP information without performance
penality.
Forwarding Class (FC)

VPT and DSCP QoS values are mapped to internal priority values known as Forwarding Classes
(FC). The mapping process might be referred to as Class of Service (CoS) assignment.
Page 6
This classification is performed according to the configured mapping profile and the trust mode for
the port. During this process, a "color" is assigned to each packet in addition to the FC.
The FC value determines the transmission queue and the color will be used for the Congestion
Avoidance mechanism.
There are eight FC values representing eight transmission queues with different priorities (low to
high):
be queue 1
l2 queue 2
af queue 3
l1 queue 4
h2 queue 5
ef queue 6
h1 queue 7
nc queue 8
A single packet can be assigned to one of the eight queues for transmission. The order of packet
transmission out of the queues occurs according to the configured QoS scheduling algorithm (Strict
Priority by default).
For example, a packet received with VPT 2 and classified as the Forwarding Class be (and by
extension, to transmission queue 1), will be served in queue1 but it will egress the device with the
received VPT 2.
By default, the QoS markers (VPT \DSCP) for incoming traffic to a port are ignored (untrusted
mode) and all traffic is mapped to FC "be", assigned with "green" color and transmitted via queue
1.
Profiles
A profile includes a set of configurable values that can be applied within a QoS policy. The device
supports the following QoS Profile types:
Mapping Profile: Maps L2(VPT or L3 (DSCP) marked traffic (or both) to particular
Forwarding Classes (FCs) and traffic colors.
Scheduling Profile: Specifies the queuing/scheduling algorithm to apply to a queue.
Shaper Profile: Specifies the shaping algorithm to apply to a port or a queue.
Remarking profile: Specifies the VPT or DSCP remarking per egress according to FC and
color.
Port-Related Policies
The device supports the following port-related QoS policies:
Port Ingress Policy

Applied per port.
Page 7
Applies mapping of VPT/DSCP values to Forwarding Class (FC) and traffic color
through a mapping profile.
Applies trust mode of the VPT/DSCP values to the ingress traffic.
Port Egress Policy

Applied per port
Applies scheduling algorithms through a scheduling profile.
Applies shaper per port/per queue or both trough a shaper profile.
Relevant Scaling Numbers

Number
Description
Maximum Number of Profiles
Mapping profiles: 64 (including two defaults: global and

defMapProf )
Shaper profiles: 8
Port ingress policies: 64 (including one default policy)
Maximum Number of Policies
Scheduling profiles: 8 (including SP default profile)

Remarking profiles
Port egress policies: 64 (including one default policy)
Order of Configuration
1.
Define and configure the following profiles:

Mapping profiles
Shaper profiles
Scheduling profiles
Remarking profile
2.
Define and configure the ingress/egress policies.

Port Ingress Policy: Map VPT and DSCP bits for incoming traffic to internal Forwarding
Class (FC), color, and trust mode. The FC groups in ingress policies are mapped to
queues.
Port Egress Policy: Define the queueing mechanism (scheduling) and shaper profile.
Apply the configured policies to ports. Once applied, QoS profiles and policies can be
modified. For updating the configuration of any port, the applied policies must first be
first removed from that configuration. You are not able to delete profiles and polices
attached to port.
Trust Mode for the Port

An ingress port can work in several modes which determine the sorting of incoming traffic.
Page 8
Untrusted (default): For incoming traffic, VPT\DSCP fields are ignored and all incoming
traffic is mapped to a single Forwarding Class and color, according to untrust-to-fc command
configuration.
VPT-trusted: Incoming traffic carrying VPT will be mapped according to a "global" or userdefined mapping profile.
DSCP-trusted: Incoming traffic carrying DSCP will be mapped according to a "global" or

user defined mapping profile.
VPT and DSCP trusted: VPT and DSCP incoming traffic will be mapped according to a
"global" or user defined mapping profile.
Traffic Scheduling
Traffic scheduling controls congestion by determining transmission order for packets based on
assigned priorities. Traffic scheduling requires:
Assignment of packets to port queues based on packet mapping
Setting the method for timing the transmission of packet out of the queues
Using scheduling features, packets accumulate at port queues waiting for transmission. Packets are
scheduled for transmission according to their assigned priority and the configured queuing
mechanism. The device determines the order of packet transmission by controlling which packets
are placed in which queue and how those queues are serviced with respect to each other.
Scheduling Methods
The following scheduling methods are available:
Strict Priority Scheduling (SP)
Weighted Round-Robin Scheduling (WRR)
Hybrid Scheduling
Deficit Round Robin Scheduling (DRR)
Modified Deficit Round Robin Scheduling (MDRR)
Strict Priority Scheduling (SP)

With Strict Priority (SP) queue handling, queues are ranked in order. The highest ranking queue,
queue8, is serviced first. When queue8 is empty, the lower queues (specifically, queue7, queue6,
queue5, queue4, queue3, queue2 and queue1 in that order) are serviced in sequence. Strict Priority
Scheduling, which provides absolute preferential treatment to high priority traffic, ensures that
mission-critical traffic, traversing various WAN links, gets priority treatment. In addition, SP
provides a faster response time than other queuing methods.
Use the SP mechanism to guarantee a fixed portion of available bandwidth to one type of
application for example, interactive multimedia applications possibly at the expense of less
critical traffic.
Using SP can mean that lower priority traffic is denied bandwidth in favor of higher priority traffic.
As a result, use of Strict Priority could, in the worst case, result in lower priority traffic never being
transmitted. To avoid inflicting this condition on lower priority traffic, use rate-limit to control the
rate of the higher priority traffic.
Figure 4: illustrates the Strict Priority mechanism in a four-queue architecture.
Page 9
Figure 4: Strict Priority Queuing
Strict Priority Scheduling provides absolute preferential treatment to high priority traffic ensuring
that mission-critical traffic traversing various WAN links gets priority treatment. In addition, SP
provides a faster response time than do other methods of queuing.
Weighted Round-Robin Scheduling (WRR)

In the Weighted Round-Robin Scheduling method, a weighting factor for each queue determines
how many bytes of data the system delivers from the queue before moving on to the next queue.
The WRR mechanism cycles through the queues. For each queue, packets are sent until the number
of bytes transmitted exceeds the bandwidth determined by the queue weighting factor or the queue
is empty. The WRR mechanism moves to the next queue. If a queue is empty, the router will send
packets from the next queue that has packets ready to send.
Note that if packet length exceeds the queue-allowed bandwidth, the packet is still transmitted
during its time slot. The quota, however, is overdrawn so that on the next time slot, the queue
receives a smaller allotment. This mechanism guarantees a minimum bandwidth to each queue but
allows the minimum to be exceeded if one or more of the port other queues are idle). When all of
the queues are loaded, each is limited to its maximum bandwidth according to its assigned weight
no queue achieves more than a predetermined proportion of overall capacity when the line is under
stress.
Weighting factors are defined as relative percentages. The value for all of the queues must be
positive and must add up to ten or 100.
Relative percentages are calculated by byte counts rather than by packets, thus providing a greater
degree of bandwidth fairness. For example, suppose one protocol has 500-byte packets, another
has 300-byte packets, and a third has 100-byte packets. If the user wants to split the bandwidth
evenly across all three protocols, the user might choose to specify byte counts of 200, 200, and 200
for each queue. However, this configuration does not result in a 33/33/33 ratio of bandwidth
usage. When the router services the first queue, it sends a single 500-byte packet; when it services
the second queue, it sends a 300-byte packet; and when it services the third queue, it sends two 100byte packets. The effective ratio is 50/30/20 - setting the byte count too low can result in an
unintended bandwidth allocation.
Figure 5 shows how WRR queuing behaves in a four-queue architecture.
Page 10
Figure 5: Weighted Round-Robin Queuing
Hybrid Scheduling
The Hybrid Scheduling method combines Strict Priority queuing and Weighted Round Robin
scheduling. Queues with higher priority are serviced with SP while the remaining queues are
serviced in accordance with WRR once the higher priority queues are empty.
SP/WRR hybrid scheduling guarantees immediate delivery of packets from high-ranking queues
while avoiding starvation of the lowest-ranking queues.
Table 2 explains the available hybrid scheduling algorithms.
Table 2: Hybrid Scheduling Algorithms
Algorithm Name
Algorithm Description
Hybrid 1
Assigns WRR scheduling to txq1-txq7 and SP scheduling to txq8.
Hybrid 2
Assigns WRR scheduling to txq1-txq6 and SP scheduling to txq7-txq8.
Hybrid 3
Hybrid 4
Hybrid 5
Hybrid 6
Deficit Round Robin Scheduling (DRR)

Deficit Round Robin (DRR) is a modified version of Weighted Round Robin (WRR) scheduling.
WRR allocates bandwidth in terms of packets and works well when the average packet size is
known for each QoS queue flow. However, in most cases, packet size is traffic dependent and can
vary over time. In DRR, where the size of individual packets is not known, the maximum packet
size is subtracted from the packet length. Packets exceeding that number are held back until the
next visit of the scheduler.
With DRR scheduling, you can send frames from non-empty queues one after the other, in roundrobin. Each time frames are sent from a queue, a fixed amount of data is de-queued and the
Page 11
algorithm sends from the next queue. When sending frames from a queue, DRR keeps track of the
number of data bytes de-queued in excess of the configured value.
When sending from the queue again, less data is de-queued to compensate for the excess data
previously sent. As a result, the average amount of data de-queued per queue is close to the
configured value.
Two variables define each DRR/MDRR queue:
Quantum Value: An average number of bytes served in each round. The quantum value is 2
KB.
Deficit Counter:Tracks the number of transmitted bytes per queue in each round. Initially,
the counter holds the quantum value.
For each queue, the mechanism sends packets as long as the deficit counter is greater than zero.
Each sent packet decreases the deficit counter by a value equal to its length in bytes. You cannot
send a queue after the deficit counter drops to zero or moves into negative numbers. DRR serves
more packets at a time if the packet size is less than the quantum value.
Each DRR queue can receive a relative weight with one of the queues from the group defined as a
priority queue. The weights assign relative bandwidth for each queue when the port is congested.
NOTE
DRR scheduling using fixed packet size behaves the same as Weighted Round
Robin.
Modified Deficit Round Robin Scheduling (MDRR)

Modified Deficit Round Robin Scheduling combines Strict Priority queuing and Deficit Round
Robin scheduling. Service one or more queues with strict priority and then service the remaining
queues using the MDRR algorithm. MDRR queuing guarantees immediate delivery of packets from
high-ranking queues while avoiding starvation of lowest-ranking queues.
Table 1 explains the available MDRR scheduling algorithms.
Table 1: Modified Deficit Round-Robin Queuing Algorithms
Algorithm Name
Algorithm Description
MDRR 1
Assigns DRR queuing to txq1-txq7 and SP queuing to txq8.
MDRR 2
Assigns DRR queuing to txq1-txq6 and SP queuing to txq7-txq8.
MDRR 3
MDRR 4
MDRR 5
MDRR 6
Traffic Shaping
When congestion occurs, output or egress traffic is shaped on a per-port, per-service, and perqueue basis. Output traffic monitoring verifies that the traffic conforms to the rate configured for
the device. When excessive traffic is detected on the device, the output port applies traffic shaping
and controls excess traffic. If the device queues overflow, traffic is dropped.
Page 12
The shaping implementation in the device uses CIR to limit the traffic rate and CBS to allow
temporary bursts to breach the CIR as part of the Service Level Agreement.
QoS Default Configuration

Table 6 shows the default QoS configuration.
Table 2: QoS Default Configuration
Feature
Default Value
Default mapping profile
defMapProf
Global
This profile implements the default mapping on device, see Table 8:
Mapping Profile Default Configuration
QoS scheduling
algorithm
Strict Priority
Port trust mode
untrust
Drop level per user

priority
green
User priority
fc=be
DSCP value
Specified in the default mapping profiles
DSCP drop level
Traffic shaping
Disabled
Port policies profiles

configuration
See Table 10: Port Policies Profiles Default Configuration
Table8: Mapping Profile Default Configuration

Profile
defMapProf
Global
Priority
Mapping
VPT
FC
Color
be
green
DSCP
untrust
Page 13
Table 9: Mapping Profile Default Configuration

Profile
global
Priority
Mapping
VPT
DSCP
FC
Color
be
green
l2
green
af
green
l1
green
h2
green
ef
green
h1
green
nc
green
0-7
be
green
8-15
l2
green
16-23
af
green
24-31
l1
green
32-39
h2
green
40-47
ef
green
48-55
h1
green
56-63
nc
green
Table 10: Port Policies Profiles Default Configuration

Policy
Policy Type
Profile Type/Name
Mapping
Scheduling
Trust Mode
defInPol
ingress
defMapProf
untrust
defEgPol
egress
Service-Based Quality of Service (QoS)

Service-based Quality of Service (QoS) provides per customer queuing, scheduling, and shaping for
service ingress (with eight queues per service). A Service Level Agreement (SLA) describes service
levels where multiple customers can be connected to each port and each customer can be
subscribed to multiple services.
Service-based QoS enables enhanced services with flexible SLAs and better bandwidth utilization.
The better bandwidth utilization allows the carrier to sell available bandwidth to more customers
(usually more profitable than selling more bandwidth to each customer) while also allowing each
customer to save on bandwidth expenses.
Page 14
Service QoS Architecture

Figure 1 shows how QoS affects traffic flow during the service ingress process.
On service ingress, the traffic is:
Classified according to policy mapping tables
Policed and reclassified based on ACLs (optional)
Distributed into eight priority queues based on the assigned classification
Entered into the queues after Congestion Avoidance enforcement
Transmitted according to a scheduling algorithm
Shaped on a per queue/per service basis
Figure 5: Service Ingress QoS Architecture
Figure 6: Combining Service Ingress QoS and Port-based QoS
Service-Based QoS Mechanisms

Service-based QoS mechanisms are similar to the Port-based QoS mechanisms except for the fact
that there are eight transmission queues per service SAP (Service Access Point) instead of per port.
The same mechanisms that are applied per port in port-based QoS are applied per service in
service-based QoSfor example, shaping per queue and per service.
Page 15
It is possible to combine Service-based QoS and Port-based QoS on the same device to gain
enhanced and granular Service Level Agreement requirements as in the preceding figure.
Policy-Based QoS Management

In Policy-based QoS, a carrier usually provides a limited number of packages to its customers.
Multiple customers can purchase the same package and most of the Service Level Agreements for
these customers would be based on these packages as templates.
For example, a Premium Business package could be a true VPN and triple-play package that
includes VPN, Voice, Video and Internet with 10Mb/s of overall bandwidth. On the other hand, a
Basic Business package might include VPN and Internet only with lower overall bandwidth
allocation (such as 3Mb/s).
Once a customer subscribes to a package, the network allocates the required resources both for the
service(s) and for the QoS implementation. For QoS implementation, a set of resources (such as
queues, schedulers, buffer space, etc.) will be allocated inside the device. In Telco QoS terminology,
this is called instantiation of a Policy. Once another customer has subscribed to the same package,
the same Policy will be instantiated again, meaning allocation of anadditional, identical set of
resources.
In some cases a Policy instance can be shared between multiple customers, a useful technique that
saves resources. Sharing resources also means that no true per-customer SLA assurance can be
performed (for example, these customers will share the same shapers and eventually the same
allowed bandwidth).
The device supports several types of Policies (described in detail in the following subsections). Each
Policy type includes parameters related to a different set of QoS features.
In addition, some of the features are configured using Profiles. Unlike Policies, Profiles are lowlevel templates, each defining parameters for a single distinctive QoS feature. Profiles are used
not to allocate resources, but rather to configure resources that have already been allocated.
Profiles
A profile includes a set of configurable values that can be applied within a QoS policy. The device
supports the following QoS Profile types:
Mapping Profile: Maps L2(VPT or L3 (DSCP) marked traffic (or both) to particular
Forwarding Classes (FCs) and traffic colors.
Scheduling Profile: Specifies the queuing/scheduling algorithm to apply to a queue.
Shaper Profile: Specifies the shaping algorithm to apply to a port or a queue.
Port-Related Policies
The device supports the following port-related QoS policies:
Page 16
Port Ingress Policy

Applied per port.
Applies mapping of VPT/DSCP values to Forwarding Class (FC) and traffic color
through a mapping profile.
Applies trust mode of the VPT/DSCP values to the ingress traffic.
Port Egress Policy

Applied per port
Applies scheduling algorithms through a scheduling profile.
Applies shaper per port/per queue or both trough a shaper profile.
Service-Related Policies
The device supports the following service-related QoS policies:
Service Ingress Policy

Applies shaper profile per SAP or per queue.
Applies scheduling algorythms through a scheduling profile.
Relevant Scaling Numbers

Number
Description
Maximum Number of Profiles
Mapping profiles: 64 (including two defaults: global and

defMapProf )
Shaper profiles: 8
Port ingress policies: 64 (including one default policy)
Maximum Number of Policies
Scheduling profiles: 8 (including SP default profile)

Remarking profiles
Port egress policies: 64 (including one default policy)
Order of Configuration
3.
Define and configure the following profiles:

Mapping profiles
Shaper profiles
Scheduling profiles
Remarking profile
4.
Define and configure the ingress/egress policies and service ingress policies.
Port Ingress Policy: Map VPT and DSCP bits for incoming traffic to internal Forwarding
Class (FC), color, and trust mode. The FC groups in ingress policies are mapped to
queues.
Port Egress Policy: Define the queueing mechanism (scheduling) and shaper profile.
Service ingress policy includes configuring the shaper and scheduling profiles.
5.
Apply the configured policies to ports/Service SAP. Once applied, QoS profiles and policies
can be modified. For updating the configuration of any service or port, the applied policies
must first be first removed from that configuration. You are not able to delete profiles and
polices attached to port or SAP.
Page 17
QoS Default Configuration

Table 6 shows the default QoS configuration.
Table 3: QoS Default Configuration
Feature
Default Value
Default mapping profile
defMapProf
Global
This profile implements the default mapping on device, see Table 8:
Mapping Profile Default Configuration
QoS scheduling
algorithm
Strict Priority
Port trust mode
untrust
Drop level per user

priority
green
User priority
fc=be
DSCP value
DSCP drop level
Traffic shaping
Disabled
Port policies profiles

configuration
See Table 10: Port Policies Profiles Default Configuration
Table8: Mapping Profile Default Configuration

Profile
defMapProf
Global
Page 18
Priority
Mapping
VPT
FC
Color
be
green
DSCP
untrust
Table 9: Mapping Profile Default Configuration

Profile
global
Priority
Mapping
VPT
DSCP
FC
Color
be
green
l2
green
af
green
l1
green
h2
green
ef
green
h1
green
nc
green
0-7
be
green
8-15
l2
green
16-23
af
green
24-31
l1
green
32-39
h2
green
40-47
ef
green
48-55
h1
green
56-63
nc
green
Table 10: Port Policies Profiles Default Configuration

Policy
Policy Type
Profile Type/Name
Mapping
Scheduling
Trust Mode
defInPol
ingress
defMapProf
untrust
defEgPol
egress
QoS Configuration Flow

The following flow chart shows the process of configuring the QoS parameters.
Page 19
Figure 7: QoS Configuration Flow
Page 20
QoS Commands
QoS Profile Configuration Commands
Commands Hierarchy
+ config terminal
+ qos
- [no] dscp-remarking <value> fc {af | be | ef | h1 | h2 | l1 | l2

| nc}
+ [no] mapping-profile {| PROFILE-NAME}
- [no] any-dscp-to-fc fc {be | l2 | af | l1 | h2 | ef | h1 |

nc}
[no] any-vpt-to-fc color {green | yellow}
- [no] any-vpt-to-fc fc {be | l2 | af | l1 | h2 | ef | h1 |

nc}
+ dscp-to-fc <dscp-marking>
- [no] set-to-fc {be | l2 | af | l1 | h2 | ef | h1 | nc}
+ vpt-to-fc <vpt-marking>
- [no] color {green | yellow}
- [no] set-to-fc {be | l2 | af | l1 | h2 | ef | h1 | nc}
+ [no] remarking-profile PROFILE-NAME

+ [no] fc-to-dscp {be | l2 | af | l1 | h2 | ef | h1 | nc}

{green | yellow}
- dscp <value>
+ [no] fc-to-vpt {be | l2 | af | l1 | h2 | ef | h1 | nc}

{green | yellow}
- vpt <value>
+ [no] scheduling-profile [<profile-id>]
- scheduling-type {hybrid-1 | hybrid-2 | hybrid-3 | hybrid-4 |

hybrid-5 | hybrid-6 | mdrr-1 | mdrr-2 | mdrr-3 | mdrr-4 |
mdrr-5 | mdrr-6 | sp | wrr}
- [no] queue1-weight <value>

Page 21
+ [no] shaper-profile port <profile-id>

- [no] cbs <cbs>
- [no] cir <cir>
+ [no] shaper-profile service <profile-id>

- [no] cbs <cbs>
- [no] cir <cir>
Table 4: QoS Profiles Configuration Commands
Command
Description
qos
Enters QoS Configuration mode
dscp-remarking <value> fc {af | be | ef

| h1 | h2 | l1 | l2 | nc}
Enables the DSCP remarking for a FC to DSCP

priority combination:
value: dscp priority, in the

range of <0-63>
be: assigns be FC to the traffic
l2: assigns l2 FC to the traffic
af: assigns af FC to the traffic
h2: assigns h2 FC to the traffic
ef: assigns ef FC to the traffic
nc: assigns nc FC to the traffic
no dscp-remarking <value> fc {af | be |

ef | h1 | h2 | l1 | l2 | nc}
Disables the DSCP remarking
mapping-profile {| PROFILE-NAME}
Specifies a mapping profile to configure and

enters configuration mode for that profile:
PROFILE-NAME: name of the mapping

profile, a string of <1-32>
characters
Global default mapping profile

no mapping-profile [ | PROFILE-NAME]
Deletes the specified mapping:
Page 22

profile to delete
Command
any-dscp-to-fc fc {be | l2 | af | l1
| h2 | ef | h1 | nc}
Description
Assigns the specified Forwarding Class (FC) to
all DSCP-marked ingress traffic, without
reference to its actual DSCP-marking:
no any-dscp-to-fc fc
Restores to default
any-vpt-to-fc color {green |

yellow}
Assigns the specified color to all VPT-marked

ingress traffic, without reference to its actual
VPT-marking:
green: assigns green color to the

traffic
yellow: assigns yellow color to

the traffic
no any-vpt-to-fc color
Restores to default
any-vpt-to-fc fc {be | l2 | af | l1
| h2 | ef | h1 | nc}
Assigns the specified FC to all VPT-marked

ingress traffic, without reference to its actual
VPT-marking:
no any-vpt-to-fc fc
Restores to default
Assigns a description to the configured profile:

characters
no description
Removes the assigned description
dscp-to-fc <dscp-marking>
Enters the DSCP-to-FC mode for the specified

DSCP marking for configuring the mapping of
the ingress traffic bearing that marking to a
particular color and forwarding class:
dscp-marking: specified DSCP

marking of the ingress traffic,
the valid range is <0-63>
Page 23
Command
no dscp-to-fc [<dscp-marking>]
Description
Deletes from profile the DSCP-to-FC/color
mapping for the specified DSCP marking or,
when used without a parameter, deletes all
configured DSCP-to-FC/color mappings.
set-to-fc {be | l2 | af | l1 | h2
| ef | h1 | nc}
no set-to-fc
vpt-to-fc <vpt-marking>
Maps the traffic with the configured DSCP

marking to the specified FC:
Restores to default
Enters the VPT-to-FC mode for the specified
VPT marking for configuring the mapping of the
ingress traffic bearing that marking to a
particular color and forwarding class:
no vpt-to-fc [<vpt-marking>]
no color
Page 24
vpt-marking: specified VPT

Deletes from profile the VPT-to-FC/color

mapping for the specified VPT marking or, when
used without a parameter, deletes all configured
VPT-to-FC/color mappings.
color {green | yellow}
dscp-marking: specified DSCP

the valid range is <0-63>
vpt-marking: specified VPT

Maps the traffic with the configured VPT

marking to the specified color:

traffic

the traffic
Restores to default
Command
set-to-fc {be | l2 | af | l1 | h2
| ef | h1 | nc}
remarking-profile PROFILE-NAME
Description
Maps the traffic with the configured VPT
marking to the specified FC:
Specifies a remarking profile to configure and

no remarking-profile [PROFILE-NAME]
Deletes the specified remarking profile or, when

used without a parameter, deletes all remarking
profiles.
PROFILE-NAME: name of the

remarking profile, the valid
range is <1-64> characters

remarking profile to delete

characters
no description DESCRIPTION
fc-to-dscp {be | l2 | af | l1 | h2 |
ef | h1 | nc} {green | yellow}
Maps the packets from specific FC and with

specific color to user-defined DSCP precedence
on the egress interface and enters the FC-toDSCP remarking configuration node.
be: specifies be FC
l2: specifies l2 FC
af: specifies af FC
l1: specifies l1 FC
h2: specifies h2 FC
ef: specifies ef FC
h1: specifies h2 FC
nc: specifies nc FC
green: selects the packets

colored in green
yellow: selects the packets

colored in yellow
If queues are not explicitly remarked to userdefined DSCP values, the queues are
remarked with dscp 0.
Page 25
Command
no fc-to-dscp {be | l2 | af | l1 |
h2 | ef | h1 | nc} {green |
yellow}
dscp <value>
Description
Removes the configured FC-to-DSCP
remarking:
be: specifies be FC for the

FC/color combination
l2: specifies l2 FC for the

af: specifies af FC for the


h2: specifies h2 FC for the

ef: specifies ef FC for the


nc: specifies nc FC for the

green: selects green-colored

traffic
yellow: selects yellow-colored

traffic
Enables remarking of the traffic bearing the

configured FC/color combination with the
specified DSCP priority:
no dscp
fc-to-vpt {be | l2 | af | l1 | h2 |
ef | h1 | nc} {green | yellow}
Page 26
Disables the specified DSCP remarking for the

configured FC/color node
Maps the packets from specific FC and with
specific color to user-defined VPT priority on the
egress interface and enters the FC-to-VPT
remarking configuration node.
be: specifies be FC
l2: specifies l2 FC
af: specifies af FC
l1: specifies l1 FC
h2: specifies h2 FC
ef: specifies ef FC
h1: specifies h2 FC
nc: specifies nc FC
green: selects the packets

colored in green
yellow: selects the packets

colored in yellow
Command
no fc-to-vpt {be | l2 | af | l1 | h2
| ef | h1 | nc} {green | yellow}
vpt <value>
Description
Removes the configured FC-to-VPT remarking:
be: specifies be FC for the

remarking to be removed

af: specifies af FC for the



ef: specifies ef FC for the


nc: specifies nc FC for the

green: selects green-colored

traffic
yellow: selects yellow-colored

traffic
Enables remarking of the traffic with the

configured FC/color combination with the
specified VPT priority:
no vpt
scheduling-profile <profile-id>
Disables the specified VPT remarking for the

configured FC/color node
Specifies a scheduling profile to configure and
no scheduling-profile [<profile-id>]
profile-id: ID of the mapping

profile, the valid range is <1-8>
Deletes the specified scheduling profile or,

mapping profiles.
scheduling-type {hybrid-1 | hybrid-2

| hybrid-3 | hybrid-4 | hybrid-5
| hybrid-6 | mdrr-1 | mdrr-2 |
mdrr-3 | mdrr-4 | mdrr-5 | mdrr-6
| sp | wrr}
value: the valid range is <0-7>
profile-id: (optional) ID of the

scheduling profile to delete
Specifies the type of queuing/scheduling to be

employed by the configured profile. For an
explanation of the algorithm behind each
scheduling type, see " Modified Deficit Round
Robin " and "Hybrid Scheduling".
hybrid-1: specifies scheduling

according to the first hybrid
algorithm

according to the second hybrid
algorithm

according to the third hybrid
Page 27
Command
Description
algorithm
queue1-weight <value>

according to the fourth hybrid
algorithm

according to the fifth hybrid
algorithm

according to the sixth hybrid
algorithm
mdrr-1: specifies scheduling

according to the first Modified
Deficit Round-Robin (MDRR)
algorithm

according to the second MDRR
algorithm

according to the third MDRR
algorithm

according to the fourth MDRR
algorithm

according to the fifth MDRR
algorithm

according to the sixth MDRR
algorithm
sp: specifies Strict Priority

(SP) scheduling
wrr: specifies Weighted RoundRobin (WRR) scheduling
Specifies the weighting factor for the queue:
no queue1-weight
Removes the configured weigh
no queue1-weight
no queue1-weight
no queue1-weight
Page 28
Command
Description
no queue1-weight
no queue1-weight
no queue1-weight

shaper-profile port <profile-id>
Specifies a port shaper profile to configure and

profile-id: ID of the port shaper
profile, the valid range is <1-8>
Deletes the specified port shaper profile or,

when used without a parameter, deletes all port
shaper profiles.
cbs <cbs>

characters
no shaper-profile port [<profile-id>]
profile-id: (optional) ID of the

port shaper profile to delete
Specifies the Committed Burst Size (CBS) for

the shaper profile, in kilobytes:

KB
100 KB
no cbs
Restores to default
cir <cir>
Specifies the Committed Information Rate (CIR)

for the shaper profile, in kilobytes per second:
value: in the range of <1

capacity) kbps
1000 kbps
no cir
Restores to default
shaper-profile service <profile-id>

Specifies a service shaper profile to configure
and enters configuration mode for that profile:

characters
profile-id: ID of the service

shaper profile, the valid range
is <1-48>
Page 29
Command
no shaper-profile service [<profileid>]
Description
Deletes the specified service shaper profile or,
service shaper profiles.
cbs <cbs>
profile-id: ID of the service

shaper profile to delete
Specifies the Committed Burst Size (CBS) for

the shaper profile, in kilobytes:

KB
100 KB
no cbs <cbs>
Restores to default
cir <cir>
Specifies the Committed Information Rate (CIR)

for the shaper profile, in kilobytes per second:

capacity) kbps
1000 kbps
no cir <cir>
Restores to default
Page 30

characters
QoS Policy Configuration Commands

Commands Hierarchy
+ config terminal
+ qos
+ [no] port-egress-policy POLICY-NAME

+ [no] queue <queue-id>
[no] shaper-profile <profile-id>
- [no] scheduling-profile <profile-id>
- [no] shaper-profile <profile-id>
- [no] remarking-profile <profile-id>
+ [no] port-ingress-policy POLICY-NAME

- [no] mapping-profile PROFILE-NAME
- [no] trust-mode {trust-dscp | trust-priority | trustpriority-and-dscp | untrust}
- [no] untrust-to-fc fc {be | l2 | af | l1 | h2 | ef | h1 |

nc} color {green | yellow}
+ [no] service-ingress-policy POLICY-NAME

+ [no] queue <queue-id>
- [no] scheduling-profile <profile-id>

Page 31
Table 5: QoS Policy Configuration Commands
Command
Description
qos
Enters QoS Configuration mode
port-egress-policy POLICY-NAME
Specifies a port egress policy to configure and

enters configuration mode for that policy:
POLICY-NAME: name of the

specified policy, a string of <164> characters
defEgPol: name of the default egress

policy
no port-egress-policy POLICY-NAME
Deletes the specified port egress policy:
Assigns a description to the configured policy:

characters
no description
queue <queue-id>
Assigns queue to the configured policy and

enters queue configuration mode for that
queue:
no queue <queue-id>
shaper-profile <profile-id>
queue-id: ID of the queue to

remove from the policy
Specifies shaper profile to apply to the queue.

The profile is selected from the available
shaper profiles:
no shaper-profile
queue-id: ID of the assigned

queue, the valid range is <1-8>
Removes the specified queue from the

configured policy:
profile-id: ID of the specified

profile
Removes from the queue the applied shaper

profile
Assigns scheduling profile to the configured
policy. The profile is selected from the
available scheduling profiles.
profile-id: ID of the assigned

profile
no scheduling-profile
Removes the assigned scheduling profile from

the policy
Assigns a shaper profile to the configured

available shaper profiles.
no shaper-profile
Page 32

specified policy

profile
Removes the shaper profile from the policy
Command
remarking-profile <profile-id>
Description
Assigns a remarking profile to the configured
available remarking profiles.
no remarking-profile
port-ingress-policy POLICY-NAME

profile
Removes the remarking profile from the policy

Specifies a port ingress policy to configure and
enters configuration mode for that policy:

defInPol: name of the default ingress

policy; for details, refer to Default
Settings
no port-ingress-policy POLICY-NAME
Deletes the specified port ingress policy:


characters
mapping-profile PROFILE-NAME
Assigns mapping profile to the configured

available mapping profiles.

assigned profile
no mapping-profile
Removes the mapping profile from the policy
trust-mode {trust-dscp | trustpriority | trust-priority-and-dscp

| untrust}
Specifies the ingress traffic trust mode to be

applied by the configured policy:
trust-dscp: trusts all DSCPmarked ingress traffic
trust-priority: trusts the outer

VPT value in the VLAN tag, in
case of double-tagged ingress
traffic. In case of single-tagged
traffic, the system trusts the
only one existing VPT in the VLAN
tag.
trust-priority-and-dscp: trusts
all DSCP- and VPT-marked ingress
traffic; the DSCP-marked traffic
has higher precedence than the
VPT traffic
untrust: untrusts all ingress

traffic
Untrust (the packets priority for the

ingress traffic (VPT/DSCP) is 0)
no trust-mode
Restores to default
Page 33
Command
untrust-to-fc fc {be | l2 | af | l1 |
h2 | ef | h1 | nc} color {green |
yellow}
no untrust-to-fc fc {be | l2 | af |
l1 | h2 | ef | h1 | nc} color
{green | yellow}
service-ingress-policy POLICY-NAME
Description
Assigns a specific FC and color to all untrusted
ingress traffic:

traffic

the traffic
Removes the configured FC and color
Specifies a service ingress policy to configure

and enters configuration mode for that policy:
no service-ingress-policy POLICY-NAME
Deletes the specified service ingress policy:

specified policy

characters
Removes the assigned description.
queue <queue-id>
Assigns queue to the configured policy and

enters queue configuration mode for that
queue:
no queue <queue-id>
queue-id: ID of the queue to

remove from the policy
Specifies shaper profile to apply to the queue.

The profile is selected from the available
shaper profiles:
no shaper-profile
queue-id: ID of the assigned

queue, the valid range is <1-8>
Removes the specified queue from the

configured policy or, when used without a
parameter, removes queues assigned to the
policy.
Page 34

profile-id: ID of the specified

profile
Removes from the queue the applied shaper

profile.
Command
Description
Assigns scheduling profile to the configured

available scheduling profiles.

profile
no scheduling-profile
Removes the assigned scheduling profile from

the policy
Assigns a shaper profile to the configured

available shaper profiles.
no shaper-profile

profile
Removes the shaper scheduling profile from

the policy
QoS Port and Service Configuration Commands

Commands Hierarchy
device-name#
+ config terminal
+ port UU/SS/PP
- [no] qos-egress-policy POLICY-NAME
- [no] qos-ingress-policy POLICY-NAME
+ service
- [no] qos-ingress-policy POLICY-NAME
+ [no] sap {UU/SS/PP | agN}
- [no] c-vlan {<cvlan-id> | all | untagged}

- [no] apply-qos-policy
Page 35
Table 6: QoS Port Configuration Commands
Command
Description
config terminal
port UU/SS/PP
Specifies a port to configure with port

ingress/egress policies and enters QoS port
configuration mode for that port:
qos-egress-policy POLICY-NAME
Specifies port egress policy to apply to the

configured port. The policy is selected from the
available port egress policies.

no qos-egress-policy
Restores the default port egress policy on the

specified port.
qos-ingress-policy POLICY-NAME
Specifies the port ingress policy to apply to the

configured port. The policy is selected from the
available port ingress policies.
no qos-ingress-policy
service

Removes service ingress policy on the specified

port
Enters Service Configuration Mode
tls <service-id>
Enters TLS Service Configuration mode for the

specified service:
no tls <service-id>
qos-ingress-policy POLICY-NAME
no qos-ingress-service-policy
POLICY-NAME
service-id: service ID to be used

as a reference SAP configuration

Specifies the QoS service ingress policy to
apply to the configured service. The policy is
selected from the available service ingress
policies.
Page 36
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

Restores the default service ingress policy on

the specified service
Command
Description
Creates a service access point (SAP) and

UU/SS/PP: SAP port is in the

range of 1/1/1-1/1/4, 1/2/11/2/8. This port has to be an

<1-14>
NOTE

SAP.

versa.


untagged}
no c-vlan {<cvlan-id> | all |

untagged}
UU/SS/PP: (optional) SAP port is

in the range of 1/1/1-1/1/4,
1/2/1-1/2/8

<1-14>
Specifies a customer VLAN (C-VLAN) and

enters C-VLAN Configuration mode:
cvlan-id: in the range of <14094>

traffic only

traffic only
apply-qos-policy
Applies to the specific sap with C-VLAN the

QoS policy already configured for the service
no apply-qos-policy
Removes the specified QoS service policy from

the specified C-VLAN(s)
Page 37
QoS Configuration Display Commands

Commands Hierarchy
device-name#
- show running-config qos service-ingress-policy POLICY-NAME
- show qos mapping-profile [PROFILE-NAME]
- show qos port-egress-policy [POLICY-NAME]
- show qos port-ingress-policy [POLICY-NAME]
- show qos remarking-profile [PROFILE-NAME]

- show qos shaper-profile [<profile-id>]
- show qos scheduling-profile [<profile-id>]
- show qos service-ingress-policy POLICY-NAME

- show qos port UU/SS/PP [ingress | egress]
Table 7: QoS Display Configuration Commands
Command
Description
show running-config qos service-ingresspolicy POLICY-NAME
Displays the specified service ingress policy or,

when used without a parameter, displays all
configured service ingress policies.
show qos mapping-profile [PROFILE-NAME]
Displays the specified mapping profile or, when

used without a parameter, displays all
configured mapping profiles.
show qos port-egress-policy [POLICY-NAME]
PROFILE-NAME: Name of the

remarking profile to display
Displays all configured shaper profiles:
Page 38
POLICY-NAME: name of the policy

to display
Displays the specified remarking profile or,

configured remarking profiles.
show qos shaper-profile [<profile-id>]
POLICY-NAME: name of the policy

to display
Displays the specified port ingress policy or,

configured port ingress policies.
show qos remarking-profile [PROFILE-NAME]

profile to display
Displays the specified port egress policy or,

configured port egress policies.
show qos port-ingress-policy [POLICYNAME]
POLICY-NAME: name of the service

ingress policy to display
profile-id: ID of the shaper

profile to display
Command
Description
show qos scheduling-profile [<profileid>]
Displays the specified scheduling profile or,

configured scheduling profiles.
show qos service-ingress-policy POLICY-
NAME
Displays the specified service ingress policy or,

configured service ingress policies.
show qos port UU/SS/PP [ingress | egress]
show service
profile-id: ID of the scheduling

profile to display
POLICY-NAME: name of the service

ingress policy to display
Displays the QoS configuration of the specified

port, including the ingress/egress policies
applied to it or, when used without a parameter,
displays the configuration for all ports.
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
ingress, egress: displays

ingress/egress port policies
Displays the currently configured services,

including the policies applied per TLS service
Configuring QoS Shaper per Port
1.
Create port shaper profile:

device-name(config)#qos
device-name(config-qos)#shaper-profile port 1 cir 6000 cbs 16
device-name(config-port-1)#commit
Commit complete.
device-name(config-port-1)#
2.
Apply shaper profile per egress policy:

device-name(config-qos)#port-egress-policy 22
device-name(config-port-egress-policy-22)#shaper-profile 1
device-name(config-port-egress-policy-22)#commit
Commit complete.
device-name(config-port-egress-policy-22)#
3.
Apply egress policy per egress port:

device-name(config-port-1/1/3)#qos-egress-policy 22
Commit complete.
device-name(config-port-1/1/3)#
Page 39
Configuring QoS Shaper per Queue

1.
Create port shaper profile:

device-name(config)# qos
device-name(config-qos)#shaper-profile port 1 cir 6000 cbs 16
2.
Apply shaper profile per queue per egress policy:

device-name(config)# qos
device-name(config-qos)#port-egress-policy 22
device-name(config-port-egress-policy-22)#queue 1
device-name(config-queue-1)#shaper-profile 1
3.
Apply egress policy per egress port:

device-name(config-port-1/1/1)#qos-egress-policy 22
Commit complete.
Creating a Complete QoS Configuration per Service

The following example demonstrates how to create QoS and apply QoS service policy.
1.
Create QoS service policy:

device-name(config-qos)#shaper-profile service 22 cir 5000 cbs 16
device-name(config-service-22)#exit
device-name(config-qos)#service-ingress-policy 22
device-name(config-service-ingress-policy-22)#shaper-profile 22
device-name(config-service-ingress-policy-22)#commit
Commit complete.
2.
Create a TLS service and apply the QoS service policy on one of the SAPs:
device-name(config)#service tls 100
device-name(config-tls-100)#qos-ingress-policy 22
device-name(config-tls-100)#sdp s-vlan 100 interface 1/1/1
device-name(config-interface-1/1/1)#sap 1/1/2 c-vlan 33 apply-qos-policy
device-name(config-c-vlan-33)#sap 1/1/2 c-vlan 44
device-name(config-c-vlan-44)#commit
Commit complete.
3.
Create ACLs to match the SAPs/C-VLAN:

device-name(config)#ip access-list standard 70 rule 1 action permit
source_ip any vlan 100 inner-vlan 33
device-name(config-rule-1)#ip access-list standard 71 rule 1 action permit
source_ip any vlan 100 inner-vlan 44
Commit complete.
4.
Configure both ACLs to match only the traffic from the configured C-VLANs; apply rate limit
on physical port 1/1/2 which is also a SAP in C-VLAN 33:
device-name(config-rule-1)#port 1/1/2
Page 40
device-name(config-port-1/1/2)#access-groups-rule-sequence 1 ip-accessgroup-standard 70 in
device-name(config-ip-access-group-standard-70/in)#commit
Commit complete.
device-name(config-ip-access-group-standard-70/in)#exit
device-name(config-port-1/1/2)#access-groups-rule-sequence2 ip-accessgroup-standard 71 in
7000 cbs 16
Commit complete.
NOTE
On SAP 1/1/2:33:, QoS service policy with shaper 5M has been configured,
and, on sap 1/1/2:44:ACL with rate-limit 7M.
5.
Apply rate limit on physical port 1/1/2 which is also a SAP in C-VLAN 44:
device-name(config-port-1/1/2)#access-groups-rule-sequence 3 ip-accessgroup-standard 70 in
2000 cbs 16
Commit complete.
NOTE
Because the rate limit is lower than the shaper, on SAP 1/1/2:33:, rate-limit of 2M
applied instead of the shaper per ingress of 5M.
Page 41
Page 42
Feature
Standards
MIBs
RFCs
Quality of Service
(QoS)
MEF-10
(Ethernet Services
Attributes Phase I)
Private MIB,
PRVT-QOSMIB.mib
Not supported
Operations, Administration, and

Maintenance (OAM)
Table of Contents
Table of Figures 3
List of Tables 3
802.1ag Connectivity Fault Management (OAM-CFM) 5
CFM-OAM Protocol Functionality 5
CFM Purpose 6
Ethernet 802.1ag OAM Mechanisms 6
Discovery and Connectivity 7
Fault Verification (Loopback Messages) 8
Fault Isolation (Linktrace Messages) 8
Fault Notification and Alarm Suppression (Fault Alarms) 9
CFM Configuration Flow 11
CFM Commands12
802.3ah Ethernet in the First Mile (OAM-EFM)28
EFM-OAM Configuration Flow 35
EFM-OAM Commands 36
ITU-T G.8032v2 Ring Automatic Protection Switching (R-APS) 49
R-APS Mechanism 49
Timing Configuration 50
R-APS Configuration Flow 52
R-APS Commands 53
Operations, Administration, and Maintenance (OAM) (Rev. 01)
Page 1
ITU-T G.8031 Ethernet Protection Switching (EPS) 63

Switchover Options63
EPS Configuration Flow 64
EPS Commands65
ITU-T Y.1564 Next-Generation Carrier-Ethernet Out-of-Service Test70
Overview70
Key Objectives 70
Test Rates 71
Methodology 71
Bidirectional Test 71
Y.1564 Commands 71
ITU-T Y.1731 SAA In-Service Test 83
ITU-T Y.1731 SAA In-Service Configuration Flow 84
ITU-T Y.1731 SAA In-Service Configuration Commands85
RFC 2544 SAA Out-of-Service Throughput Test 95
Overview95
SAA Unidirectional Throughput Test 95
SAA Bi-Directional Throughput Test 96
SAA Out-of-Service Throughput Configuration Flow 97
SAA Out-of-Service Throughput Configuration Commands 98
ITU-T Y.1731-SLM SAA In-Service Test 109
ITU-T Y.1731-SLM SAA In-Service Configuration Commands 110
Example 117
Event Propagation 120
Event Propagation Configuration Flow 121
Event Propagation Command Hierarchy 122
Page 2
Table of Figures
Figure 1: OAM Ethernet Tools ............................................................................................................ 6
Figure 2: MEP1 and MEP3 Send a Multicast CC Frame ................................................................. 7
Figure 3: MEP4 and MEP2 Send a Multicast CC Frame ................................................................. 7
Figure 4: Loopback Operation ............................................................................................................. 8
Figure 5: Link Trace Operation ............................................................................................................ 9
Figure 6: CFM Configuration Flow ................................................................................................... 11
Figure 7: End-to-End OAM Configuration ..................................................................................... 28
Figure 8: Managing Provider Devices Using the EFM 802.3ah Standard ................................... 29
Figure 9: Managing Customer Devices (Passive) Using the EFM 802.3ah Standard ................. 30
Figure 10: EFM-OAM Configuration Flow ..................................................................................... 35
Figure 11: Example Configuring of Two Devices using EFM-OAM .......................................... 45
Figure 12: Network with two R-APS Instances (Traffic flowing in different directions) ......... 50
Figure 13: R-APS Configuration Flow .............................................................................................. 52
Figure 14: Protecting Services Using EPS ........................................................................................ 63
Figure 15: EPS Configuration Flow................................................................................................... 64
Figure 16: ITU-T Y.1731 SAA In-Service Configuration Flow .................................................... 85
Figure 17: Two Devices in SAA In-Service Test Mode.................................................................. 92
Figure 18: Unidirectional Test ............................................................................................................ 95
Figure 19: End-to-End Unicast Loopback Test .............................................................................. 96
Figure 20: SAA Out-of-Service Throughput Configuration Flow ................................................ 97
Figure 21: Two Devices in SAA Out-of-Service Throughput Test Mode ................................. 105
Figure 22: ITU-T Y.1731-SLM In-Service Configuration Flow .................................................. 110
Figure 23: Event Propagation Configuration Flow ....................................................................... 121
Figure 24: Example for Configuring Event Propagation ............................................................. 126
List of Tables
Table 1: Defects and Priorities ........................................................................................................... 10
Table 2: CFM Configuration Commands ......................................................................................... 15
Table 3: CFM Display Commands..................................................................................................... 25
Table 4: EFM Configuration Commands ......................................................................................... 37
Table 5: EFM Display Commands .................................................................................................... 42
Table 6: Log messages employed by the EFM-OAM protocol..................................................... 43
Table 7: R-APS Commands ................................................................................................................ 54
Table 8: EPS Commands .................................................................................................................... 65
Table 9: Y.1564 Test Commands ....................................................................................................... 73
Table 10: ITU-T Y.1731 SAA In-Service Test Commands ........................................................... 86
Table 11: SAA Out-of-Service Throughput Commands ................................................................ 99
Table 12: ITU-T Y.1731-SLM SAA In-Service Test Commands ............................................... 111
Table 13: Event Propagation Commands ....................................................................................... 122
Page 3
T-Marc3208SH

OAM is a family of standards providing reliable, remotely-managed, service-assurance (SA)
mechanisms for both the provider and customer networks as well as automatic, periodic, networkwide, service assurance and quality verification.
This chapter includes the configuration instructions for the following OAM standards:
Page 4
802.1ag Connectivity Fault Management (OAM-CFM)

This standard refers to the ability of a network to monitor the health of an end-to-end
service delivered to customers (as opposed to just links or individual bridges).
802.3ah Ethernet in the First Mile (OAM-EFM)

This standard specifies the protocols and Ethernet interfaces for using Ethernet over
access links as a first-mile technology and transforming it into a highly reliable
technology.
ITU-T G.8032v2 Ring Automatic Protection Switching (R-APS)

The R-APS ring uses a dedicated VLAN for CCM and APS communication within a
dedicated MA, configured as the ring protection. These CCMs can be used also for CFMOAM but not for customer traffic.

EPS is a method of protecting point-to-point Ethernet service connection over VLAN
transport networks, assuring traffic transport between the two service ends.
ITU-T Y.1564 Next-Generation Carrier-Ethernet Out-of-Service Test

The ITU-T Y.1564 methodology is a new test standard, which goal is to verify the
configuration and performance of Ethernet-based services.
ITU-T Y.1731 SAA In-Service Test and RFC 2544 SAA Out-of-Service Throughput Test
SAA tests provider automate pro-active testing of all service elements.

The Y1731-SLM is used to periodically measure Frame Loss Ratio and Delay.
Measurements are made between 2 MEPs belonging to the same ME using synthetic
measurements.
Event Propagation
The Event Propagation feature allows you to configure automatic actions executed upon
the occurrence of specific events.
802.1ag Connectivity Fault Management (OAMCFM)

The pre-standard IEEE 802.1ag CFM feature, called MAC ping/trace route, defines the end-to-end
OAM capabilities that are intrinsic to Ethernet technology, enabling service providers to monitor
the Ethernet service that the customer receives.
IEEE 802.1ag Connectivity Fault Management (802.1ag CFM) supports monitoring by the
network of the health of an end-to-end service delivered to customers as opposed to links or
individual bridges. 802.1ag CFM specifies the protocols, procedures, and managed objects used to
support transport fault management:
Discovery and verification of the frame path addressed to and from specified network users
Detection and isolation of a connectivity fault to a specific bridge or LAN
Ethernet CFM defines proactive and diagnostic fault localization procedures for point-to-point and
multipoint Ethernet Virtual Connections (EVC) that span one or more links.
CFM-OAM Protocol Functionality

CFM-OAM supports the following basis functionalities:
Discovery and Connectivity: Discovery of other CFM-OAM enabled devices and

verification of connectivity to these devices
Fault Verification: Verification and quality testing of the service delivered
Fault Isolation: Identification and isolation of the fault point within the service path
Page 5
CFM Purpose
Bridges are used increasingly in networks operated by multiple, independent organizations. In such
networks, each organization maintains restricted access to its equipment. CFM assists in detection,
verification, and isolation of connectivity failures in networks where multiple organizations are
involved in the provision and use of Ethernet services such as customers, service providers, and
operations.
Customers purchase Ethernet service from service providers who in turn may utilize their own
network or the network of other operators to provide connectivity for the requested service.
Customers themselves may be service providers. For example, a customer may be an Internet
service provider that sells Internet connectivity.
Figure 1: OAM Ethernet Tools
Operators need minimal Ethernet OAM as opposed to providers that need more comprehensive
Ethernet OAM for themselves as well as the ability to provide their customers with better
monitoring functionality.
In order to validate service quality and perform fault verification on Maintenance End Points
(MEP) and Maintenance Intermediate Points (MIPs) belonging to the organization, each
organization defines its own maintenance domain. MEPs and MIPs are then linked to the relevant
domain creating a Maintenance Association (MA).
Ethernet 802.1ag OAM Mechanisms

The mechanisms supported by CFM include Connectivity Check Messages (CCM), Loopback,
Link Trace and Alarm Indication Signal (AIS).
CFM allows for end-to-end fault management that is generally reactive (through Loopback, Link
Trace messages, and Alarm Indication Signals) as well as connectivity verification that is proactive
(through Connectivity Check messages).
Page 6
Discovery and Connectivity

To discover the devices in a domain, each MEP transmits a periodical CCM to the MIPs and
MEPs through the entire domain.
A CCM is a periodic hello message multicast by a MEP within the MA at a defined rate. The
receiving MEPs build a MEP database that catalogs a list of the various MAs, including their MEPs
and MIPs (indicating the MAC Address for each entity) as functional points.
The database includes MEP Destination MAC Address (DA) and port (format: MEP DA, Port)
entities.
Figure 2: MEP1 and MEP3 Send a Multicast CC Frame
Figure 3: MEP4 and MEP2 Send a Multicast CC Frame
A CCM timeout is used to detect connectivity faults (such as a software failure, memory corruption,
or problems with configuration). A CCM loss is assumed when a MEP does not receive the next
CCM from a remote MEP within the CCM timeout.
If a MEP on a local bridge (local MEP) stops receiving periodic CCMs from a peer MEP on a
remote bridge (remote MEP), the receiving MEP assumes that a failure in the remote bridge or in
the continuity of the path has occurred. If the MEP does not receive three consecutive CCMs, the
MEP declares a connectivity loss.
Page 7
In this case, the bridge can notify the network management application about the failure and initiate
fault verification and fault isolation either automatically or by operator command.
Since a short CCM interval rate is a key point in ensuring fast connection-failure detection, the
systems administrator can define a CCM interval rate of down to 3.3 milliseconds.
In cases where a MEP is deliberately taken out of commission, status indication for the MEP is sent
to other peer MEPs to avoid triggering false fault detections.
CFM also provides an alarm suppression mechanism in cases where a network fault affects more
than one VLAN and where different MEPs generate an alarm for the same common fault.
Fault Verification (Loopback Messages)

To verify connectivity between a MEP and its peer MEP or MIP, a unicast Loopback Message
(LBM) is initiated by the MEP using the destination address of either a peer MEP or MIP. The
receiving MEP/MIP responds to the LBM with a Loopback Reply (LBR).
To identify the precise fault location along an MA, a Loopback message is issued by a MEP to a
given MIP. The appropriate MIP before the fault responds with a Loopback Replay; however, the
MIP after the fault does not. For Loopback to work, the MEP must know the MAC address of the
MIP to ping.
Figure 4: Loopback Operation
In the Figure 4 two maintenance entities are shown: one comprising the yellow MEPs and MIPs, the
other comprising orange MEPs and MIPs.
Fault Isolation (Linktrace Messages)

To isolate the exact fault point, a MEP initiates Linktrace, a mechanism used to isolate faults at the
Ethernet MAC layer.
The originating MEP sends a Linktrace Message (LTM) using one of the multicast MAC Addresses
reserved by the domain, that traverses hop-by-hop along the domain trace path. Each Maintenance
Point (MP), whether a MEP or MIP, along the trace path intercepts, processes and forwards this
LTM on to the next hop until the LTM reaches the destination MEP.
Page 8
Each MP along the path returns a unicast Linktrace Reply (LTR) back to the originating MEP. The
MEP then sends a single LTM to the next hop along the trace path. In this way, the MEP
determines the MAC Address and location, in relation to the originating MEP, for all MIPs along
the MA.
Figure 5: Link Trace Operation
For the Ethernet, fault isolation is more challenging since MAC addresses age and erase the
information needed to locate the fault. Possible ways to address this issue are:
Carry out Linktrace within the age-out time frame
Maintain information about the destination MEP at the MIPs along the path using CCMs
Maintaining the path visibility at the source MEPs through periodic LTMs (in intervals larger
than the CCM rate interval)
You can also use Linktrace to:
Discover normal data paths through the network when the network is fault-free. Path
discovery can prove helpful when Linktrace cannot provide the information needed to isolate
a fault.
Issue LBMs to MPs along normal data paths to retrieve additional information.
Fault Notification and Alarm Suppression (Fault Alarms)

With Fault Alarm enabled, when a MEP detects a defect that exceeds a predefined time threshold,
Fault Alarm generates and sends SNMP notification to a designated address. The MEP cannot
transmit further Fault Alarms until a defined time period has passed during without further
indications of a defect.
A MEP maintains a number of separate defects, such as accidental cross-connection between two
different MAs or defects confined to a single MA, and ranks those defects by priority. After
transmitting a Fault Alarm for a lower priority defect, if a higher priority defect occurs, the MEP
can transmit another Fault Alarm.
With this mechanism, the operator can reliably prioritize Fault Alarms. For example, cross-connect
errors are typically of greater concern in a Service Provider environment than connectivity loss
errors. Only the highest-priority defect is reported in the Fault Alarm. In order of priority, the
defects are:
Page 9
DefRDICCM: Last CCM received by the MEP from a remote MEP contained the RDI bit
DefMACstatus: Last CCM received by the MEP from a remote MEP indicating that the
MAC Address associated with the transmitting MEP is reporting an error status
DefRemoteCCM: The MEP is not receiving CCMs from one of the MEPs in its configured
list
DefErrorCCM: The MEP is receiving invalid CCMs
DefXconCCM: The MEP is receiving CCMs from a different MA
The following table shows the relationship between variables:
Variable: The name of the variable as defined by the 802.1ag standard
HighestDefect: Represents the highest priority defect currently detected by the MEP
HighestDefectPri: Represents the priority of the defect, expressed as an integer, named in the
HighestDefect variable
Importance: Describes the severity of the defect
Table 1: Defects and Priorities

Defect
Page 10
Priority
Variable
HighestDefect
HighestDefectPri
Disable
Disable
xconCCMdefect
DefXconCCM
errorCCMdefect
DefErrorCCM
someRMEPCCMdefect
DefRemoteCCM
someMACstatusDefect
DefMACstatus
someRDIdefect
DefRDICCM
Importance
most
least
CFM Configuration Flow
Figure 6: CFM Configuration Flow
Page 11
CFM Commands
Commands Hierarchy
device-name#
+ config terminal
+ [no] oam
+ [no] cfm
+ [no] shutdown
+ [no] domain DOMAIN-NAME

- level <level>
+ ma MA-NAME
- [no] ais-lck-receive
+ [no] ais-lck-transmit
- [no] ais-lck-interval {1min | 1sec}

- [no] ais-lck-level <level>
- [no] ais-lck-priority <priority>
- [no] ais-lck-vlan <vlan-id>
- format {icc | ieee | primaryVid}

- [no] hello-interval <value>
+ [no] mep <id>
- bind-to {UU/SS/PP:[<svlan-id>]:[<cvlanid>]: | UU/SS/PP:[<cvlan-id>]: |

{UU/SS/PP | agN}[:[igmp] | :[<vlanid>]:[igmp] | UU1/SS1/PP1:<cescircuit>:{ces | ces-oos}}
- [no] shutdown
- direction {up | down}

- [no] ccm-enabled
- [no] ccm-priority <priority>
- [no] fault-notification-delay <value>
- [no] fault-notification-minimal-defect
{all-defects | broken-ccm | crossconnect | mac-status | none | remotefailure}
- [no] fault-notification-reset-delay
<value>
- [no] mip-policy {default | defer | explicit |

none}
- [no] sender-id-content {hostname | defer |
all | management-address | none}
- [no] service <id>
Page 12
- format {none | string}
- [no] mip-policy {default | explicit | none}
- [no] sender-id-content {hostname | defer | all |

management-address | none}
- [no] service <id>
+ [no] threshold-profile <id>
- [no] one-way-jitter-error <value>
- [no] one-way-jitter-warning <value>
- [no] one-way-jitter-monitoring <true | false>
- [no] frame-loss-error <threshold>
- [no] frame-loss-warning <threshold>

- [no] frame-loss-monitoring
- [no] round-trip-jitter-error <value>
- [no] round-trip-jitter-error-period <value>

- [no] round-trip-jitter-warning <value>
- [no] round-trip-jitter-warning-period <value>
- [no] round-trip-jitter-monitoring
- [no] round-trip-latency-error <value>
- [no] round-trip-latency-error-period <value>

- [no] round-trip-latency-warning <value>
- [no] round-trip-latency-warning-period <value>
- [no] round-trip-latency-monitoring
- [no] results-bucket-size <size>

- [no] rate <rate>
- [no] description <string>
- [no] payload-size <value>

- [no] description <string>
- [no] update-interval <value>
- [no] test <id> DOMAIN-NAME MA-NAME
- [no] threshold-profile-id <id>

- [no] repeat-interval <value>
- [no] shutdown
- oam cfm linktrace domain DOMAIN-NAME ma MA-NAME mep <id> {target-mep

<target-mep-id> | target-mip HH:HH:HH:HH:HH:HH} {timeout <value> | ttl
<value>}
- oam cfm loopback domain DOMAIN-NAME ma MA-NAME mep <id> {target-mep

<target-mep-id> | target-mip HH:HH:HH:HH:HH:HH} [timeout <value> |
payload <value> | delay <value> | number <value>]
- clear oam cfm remote-mep-table domain-name NAME ma NAME [remote-mep

<id>]
Page 13
- show oam cfm
- show oam cfm connectivity [domain-name DOMAIN-NAME] [ma MA-NAME]
- show oam cfm connectivity [extended]

- show oam cfm domain level <level>
- show oam cfm update-interval
- show oam cfm {interface UU/SS/PP | interfaces}

- show oam cfm test [id <id>]
- show oam cfm threshold-profile [id <id>]
- show oam cfm linktrace-results domain-name DOMAIN-NAME [ma MA-NAME]
Page 14
Table 2: CFM Configuration Commands
Command
Description
config terminal
oam
Enters OAM Protocol Configuration mode
no oam
Removes the OAM configurations
cfm
Enters CFM Protocol Configuration mode
no cfm
Removes all CFM configurations
shutdown
Disables CFM
no shutdown
Enables CFM
domain DOMAIN-NAME
Creates a Maintenance Domain (MD) and

enters a specific MD mode:
no domain DOMAIN-NAME
DOMAIN-NAME: a string of <1-22>

characters
Removes the maintenance domain
level <level>
Specifies a MD level:
The MD levels are:
Operator Maintenance Association (MA)

levels: 02
Provider MA levels: 34
Customer MA levels: 57
ma MA-NAME
Creates a Maintenance Association (MA) and

enters a Specific MA configuration mode:
MA-NAME: a string of <1-22>

characters
service <id>
Specifies a unique service identifier:
no service [<id>]
id: in the range of

<14294967295>
Removes the defined service identifier
vlan <vlan-id>
Specifies a unique VLAN identifier:
no vlan [<vlan-id>]
vlan-id: in the range of

<14094>
Removes the defined VLAN identifier
Page 15
Command
Description
ais-lck-receive
Enables Alarm Indication Signal (AIS) and Lock

Signal (LCK) functions of Y.1731. MEPs send
AIS packets during signal failure detection and
LCK packets during tests.
no ais-lck-receive
Disables AIS and LCK functions of Y.1731
ais-lsk-transmit
Enters AIS-LCK Configuration mode
no ais-lsk-transmit
Removes the AIS-LCK configuration details
ais-lck-interval {1min |
1sec}
Specifies a time interval between two

successively sent AIS or LCK packets:
1min: 1 minute interval
1sec: 1 second interval
1sec
no ais-lck-interval
Restores to default
ais-lck-level <level>
Specifies a domain level for sending AIS and

LCK packets (AIS-LCK level). This level must
be higher than the CFM domain level:
no ais-lck-level
Removes the configured AIS-LCK level
ais-lck-priority
<priority>
Specifies the priority for sending AIS packets:
6
no ais-lck-priority
Restores to default
ais-lck-vlan <vlan-id>
Specifies a VLAN to which the AIS signal is

sent in case of an AIS condition:
no ais-lck-vlan
format {icc | ieee |
primaryVid}
Removes the configured VLAN

Specifies the MA format:
icc: domain name format complying

to ITU-T Y.1731 standard
specifications
ieee: domain name format

complying to IEEE 802.1ag
standard specifications
primaryVid: primary VLAN ID
ieee
hello-interval <value>
Specifies the time interval between two

successive CCMs sent by a MEP that is a
member of the MA:
value: 1m, 1s, 10m, 10ms, 10s,

100ms, and 300Hz
1 second
no hello-interval
Restores to default
mep <id> UU/SS/PP
Specifies the maintenance end point (MEP) ID:
Page 16
id: in the range of <08191>
Command
Description
no mep <id>
bind-to
{UU/SS/PP:[<svlanid>]:[<cvlan-id>]: |
UU/SS/PP:[<cvlanid>]:
| {UU/SS/PP |
agN}[:[igmp] |
UU1/SS1/PP1:<cescircuit>:{ces | cesoos}}
Removes the configured MEP from the MA
Adds a local port, member of 802.1Q, TLS, or

VPLS service, as MEP to a specific MA:
UU/SS/PP: a local MEP port (unit,

slot and port)
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>
cvlan-id: (optional) specifies a

customer VLAN (C-VLAN), in the
range of <1-4094
svlan-id: (optional) service VLAN

ID, in the range of <1-4094>

of <1-4094>



range of <1-64>

packets

control packets

shutdown
Disables the MEP

Disabled
no shutdown
Enables the MEP
direction {up | down}
Specifies the direction the MEP faces the

bridge port:
up, down: direction
ccm-enabled
Enables CCM message generation by the MEP
no ccm-enabled
Restores to default
Disabled
ccm-priority
Specifies the VLAN priority assigned to all CCM

and LTM packets for a particular MEP:
6
no ccm-priority
Restores to default
Page 17
Command
Description
fault-notification-delay
<value>
Specifies the length of time defects must be

present before a local MEP generates a Fault
Alarm:

in hundredths of a seconds
250 hundredths of a second

no fault-notificationdelay
Restores to default
fault-notificationreset-delay <value>
Specifies the length of time that defects must

be absent before enabling a Fault Alarm again:

hundredths of a second
1000 hundredths of a second

no fault-notificationreset-delay
Restores to default
fault-notificationminimal-defect {alldefects | broken-ccm

| cross-connect | macstatus | none |
remote-failure}
Specifies defect priority for generating Fault

Alarms. Defects can be either loss of CCMs or
reception of cross connected CCMs:
all-defects: Fault alarms are

generated when any of the bellow
defects occur
broken-ccm: Fault alarms are

generated when the MEP is
receiving invalid CCMs
cross-connect: Fault alarms are

generated when the MEP is
receiving CCMs from a different
MA
mac-status: Fault alarms are

generated when the last CCM
received by this MEP from a
remote MEP indicated that the
transmitting MEPs associated MAC
is reporting an error status
none: no Fault alarms are

generated when
remote-failure: Fault alarms are

generated when the MEP is not
receiving CCMs from one of the
MEPs in its configured list
Defect priority is all-defects and alarms

are generated for all defect conditions
no fault-notificationminimal-defect
Restores to default
mip-policy {default | defer

| explicit | none}
Page 18
Specifies the conditions under which MIPs are

automatically created on ports:
default: always creates MIPs
defer: adopts the setting of the

enclosing domain
explicit: creates MIPs only if a
Command
Description
MEP exists on a lower MD Level
none: does not create any MIPs

for the specified MA
defer
no mip-policy
Restores the default MIP policy setting
sender-id-content {hostname
| defer | all |
management-address |
none}
Specifies the content of the Type Length Value

(TLV) of the Sender ID included in most of the
CFM packets sent by MEPs:
hostname: the Sender IDs TLV

includes only the device
hostname: the local hostname is
visible to all remote sites on
the MA but the local management
address is hidden

enclosing domain
all: the Sender IDs TLV includes

both the hostname and the
management address of the device
management-address: the Sender ID

TLVs includes only the devices
management address: the local
management mechanism and
management address are visible to
all remote sites on the MA, but
the local hostname is hidden
none: does not send the Sender

IDs TLV to remote MEPs: the
chassis ID and management
information are hidden from all
remote sites
defer
no sender-id-content
format {none | string}
mip-policy {default | explicit

| none}
Restores to default
Specifies the format of the domain name:
none: the name will not appear in

the MA ID
string: the name will appear in

the MA ID as string
Specifies the conditions in which MIPs are

automatically created on ports:
default: always creates MIPs
explicit: creates MIPs only if a

MEP exists on a lower MD Level
none: does not create any MIPs

for the specified MA
none
no mip-policy
Restores to default
Page 19
Command
Description
sender-id-content {hostname
| defer | all |
management-address |
none}
Specifies the content of the Type Length Value

(TLV) of the Sender ID included in most of the
CFM packets sent by MEPs:
hostname: the Sender IDs TLV

includes only the device
hostname: the local hostname is
visible to all remote sites on
the MA but the local management
address is hidden

enclosing domain
all: the Sender IDs TLV includes

both the hostname and the
management address of the device
management-address: the Sender ID

TLVs includes only the devices
management address: the local
management mechanism and
management address are visible to
all remote sites on the MA, but
the local hostname is hidden
none: does not send the Sender

IDs TLV to remote MEPs: the
chassis ID and management
information are hidden from all
remote sites
defer
no sender-id-content
Restores to default
threshold-profile <threshold-
Creates a CFM profile with a specified name

and enters Monitoring Profile Configuration
mode:
profile id>
threshold-profile id: in the

range of <1-64>
When the CFM protocol is enabled, a

default profile is created automatically
no threshold-profile [thresholdprofile id]
one-way-jitter-error <value>
Restores to default
Specifies one-way jitter error monitoring:

milliseconds
350 milliseconds
no one-way-jitter-error
Restores to default
one-way-jitter-warning <value>
Specifies the one-way jitter warning monitoring:

milliseconds
300 milliseconds
Page 20
no one-way-jitter-warning
Restores to default
one-way-jitter-monitoring
Enables the one-way jitter monitoring
Command
Description
no one-way-jitter-monitoring
Disables the one-way jitter monitoring
frame-loss-error <error
Specifies the threshold for two-way frame loss

error monitoring:
threshold>
errorthreshold: in the range of

<1-99>, in percent
10% frame loss

no frame-loss-error
frame-loss-warning <warning
Specifies the threshold for two-way frame loss

warning monitoring:
threshold>
warningthreshold: in the range

of <0-99>, in percent. If you
specify a value that is higher
than the frame-loss-error value,
the frame-loss-warning will be
disabled
8% frame loss
no frame-loss-warning
Restores to default
frame-loss-monitoring
Enables frame loss monitoring

Enabled
no frame-loss-monitoring
Disables frame loss monitoring
round-trip-jitter-error
Specifies error value of two-way jitter error

monitoring:
<value>

milliseconds
700 milliseconds
no round-trip-jitter-error
Restores to default
round-trip-jitter-error-period
Specifies the duration of a two-way jitter error:
<value>

seconds
90 seconds
no round-trip-jitter-errorperiod
Restores to default
round-trip-jitter-warning
Specifies the warning value for two-way jitter

warning monitoring:
<value>

milliseconds
600 milliseconds
no round-trip-jitter-warning
Restores to default
round-trip-jitter-warningperiod <value>
Specifies the duration of a two-way jitter

warning:

seconds
180 seconds
no round-trip-jitter-warningperiod
Restores to default
round-trip-jitter-monitoring
Enables round-trip jitter monitoring
Page 21
Command
Description
<true | false>
True
no round-trip-jitter-monitoring
round-trip-latency-error
Specifies the threshold for two-way latency

error monitoring:
<value>

milliseconds
2000 milliseconds
no round-trip-latency-error
Restores to default
round-trip-latency-error-period
Specifies the duration of a latency error

increase:
<value>

seconds
90 seconds
no round-trip-latency-errorperiod
Restores to default
round-trip-latency-warning
Specifies the threshold for a two-way latency

warning:
<value>

milliseconds
1600 milliseconds
no round-trip-latency-warning
Restores to default
round-trip-latency-warningperiod <value>
Specifies the duration of a latency warning

increase:

seconds
180 seconds
no round-trip-latency-warningperiod
Restores to default
round-trip-latency-monitoring
Enables round-trip latency monitoring
no round-trip-latencymonitoring
Disables round-trip latency monitoring
results-bucket-size <size>
Specifies the number of results to be stored for

jitter calculation:
size: in the range of <2-255>
20 results
no results-bucket-size
Restores to default
priority <priority>
Specifies the 802.1p class-of-service:
0
no priority
Restores to default
rate <rate>
Specifies the number of Loopback Request

packets:
rate: in the range of <1-3>
1 packet
Page 22
Command
Description
no rate
Restores to default
payload-size <value>
Specifies the loopback request packets size:

bytes
0
no payload-size
Restores to default
description <string>
Specifies CFM profile name
no description
update-interval <value>
string: in the range of <1-255>
Removes the specified description

Specifies the time interval for updating
monitoring parameters (one-way jitter, two-way
jitter, latency, and frame loss):

seconds. A value 0 suspends the
monitoring task and a value
different from 0 resumes it
20 seconds
no update-interval
test <id> DOMAIN-NAME MA-
NAME
Restores to default
Tests connectivity:
DOMAIN-NAME:
characters

characters
a string of <1-22>
no test DOMAIN-NAME MA-NAME
Stops the testing
threshold-profile-id <id>
Specifies CFM monitoring profile ID:
no threshold-profile-id
Removes the configured profile
repeat-interval <value>
Specifies CFM monitoring process repetition

interval:
no repeat-interval number
Removes the configured interval
shutdown
Stops the test
no shutdown
Starts the test
oam cfm linktrace domain DOMAIN-NAME ma

MA-NAME mep <id> {target-mep <targetmep-id> | target-mip
HH:HH:HH:HH:HH:HH} [timeout <value> |
ttl <value>]
Sends a linktrace message to a specified MEP

or MIP in the domain:

characters

characters
mep <id>: the source MEP ID, in

target-mep <target-mep-id>: the
Page 23
Command
Description
linktrace destination MEP ID, in
target-mip HH:HH:HH:HH:HH:HH: the

MAC address of the linktrace
destination MIP
timeout <value>: (optional) the

linktrace reply (LTR) timeout, in
the range of <160> seconds
2 seconds
oam cfm loopback domain DOMAIN-NAME ma

MA-NAME mep <id> {target-mep <targetmep-id> | target-mip
HH:HH:HH:HH:HH:HH} [timeout <value> |
payload <value> | delay <value> |
number <value>]
ttl <value>: (optional) the

initial TTL field value, in the
range of <1255>
Sends a loopback message to a specific MEP

or MIP in a specified domain:

characters

characters
mep <id>: the source MEP ID, in

target-mep <target-mep-id>: the

loopback destination MEP ID, in
target-mip HH:HH:HH:HH:HH:HH: the

MAC address of the loopback
destination MIP
timeout <value>: (optional) the

loopback reply (LBR) timeout, in
the range of <160> seconds
2 seconds
payload <value>: (optional) the

loopback message PDU size, in the
range of <01462> bytes
0 bytes
delay <value>: (optional) the

delay between 2 consecutive
loopback messages, in the range
of <060> seconds
5 seconds
number <value>: (optional)

specifies the number of loopback
messages sent, in the range of
<11024>
3 messages
clear oam cfm remote-mep-table domain-name
NAME ma NAME remote-mep <id>
Page 24
Clears a remote MEP connectivity table:
DOMAIN-NAME: clears table for a

domain name string, in the range
ma NAME: clears table for a MA

name string, in the range of <145> characters
Command
Description
remote-mep <id>: clears table for

a specific MEP, in the range of
<08191>. A value of 0 clears all
remote MEPs
Table 3: CFM Display Commands

Command
Description
show oam cfm
Displays the current CFM configuration and

CFM status
show oam cfm connectivity [domain-name

DOMAIN-NAME] [ma MA-NAME]
Displays connectivity statistics for all configured

domains:
show oam cfm connectivity [extended]
DOMAIN-NAME: displays
connectivity statistics for the
specified domain
MA-NAME: displays connectivity

statistics for the specified MA
Displays information extracted from the TLV of

the Port ID in CCMs:
show oam cfm domain level <level>
extended: (optional) displays

additional information, as remote
device management address and
name
Displays information for MD:
show oam cfm update-interval
Displays the update interval value, in seconds
show oam cfm {interface UU/SS/PP |

interfaces}
Displays the CFM configuration per interface
show oam cfm test [id <id>]
Displays information about performed test(s):
show oam cfm threshold-profile [id <id>]
Displays information about CFM profile(s):
show oam cfm linktrace-results domain-name

DOMAIN-NAME [ma MA-NAME]

Displays linktrace results for a management

domain and maintenance association:
domain-name DOMAIN-NAME: a
string of <1-22> characters
ma MA-NAME: (optional) a string

1.
Enable CFM:
device-name(config)#oam cfm
device-name(config-cfm)#no shutdown
Page 25
2.
Create a maintenance domain with a specified name d7 and level 7 and create a MA ma7 within
a specified domain:
device-name(config-cfm)#domain d1 level 1
device-name(config-domain-d7)#ma ma1 vlan 501
3.
Specify the identification data sent to the remote MEPs creation policy on the specified MA:
device-name(config-ma-ma7)#sender-id-content all
device-name(config-ma-ma7)#mip-policy explicit
4.
Add port 1/1/1 as MEP with an ID
10 to a specified MA and specify the CCM flow direction:
device-name(config-ma-ma1)#mep 601
device-name(config-mep-601)#bind-to 1/1/2
device-name(config-mep-601)#ccm-enabled
device-name(config-mep-601)#no shutdown
device-name(config-mep-601)#exit
device-name(config-ma-ma1)#exit
device-name(config-domain-d1)#exit
5.
Create a profile with ID 4 and configure the profile priority, rate, round-trip jitter, frame loss,
and latency errors monitoring:
device-name(config-cfm)#threshold-profile 4
device-name(config-threshold-profile-4)#priority 2
device-name(config-threshold-profile-4)#rate 2
device-name(config-threshold-profile-4)#round-trip-jitter-error 100
device-name(config-threshold-profile-4)#frame-loss-error 20
device-name(config-threshold-profile-4)#no frame-loss-monitoring
device-name(config-threshold-profile-4)#round-trip-latency-error 200
device-name(config-cfm)#commit
Commit complete.
device-name(config-cfm)#end
6.
Display the current CFM configuration and status:

device-name#show oam cfm
Domain: d1
Domain Name Format: string
Level: 1
Mip Policy: none
Sender ID Content: none
Maintenance association: ma1
MA Name Format: string
VLAN ID: 501
CCM Priority: 6
Hello interval (ms): 1000
Mip Policy: defer
Sender ID Content: all
Local MEPs
=======================================================
| MEP |
Port
| Adm
|CCM| Oper | Alarm | CCM
|
|
|
| State |En | State | Level |Priority|
|-----+----------+-------+---+-------+-------+--------+
Page 26

| 601|
1/1/2|
Up |Yes|
Up |
1
|
6
|
=======================================================
device-name#show oam cfm connectivity
Domain: d1
Level: 1
Maintenance association: ma1
VLAN ID: 501
Hello interval (ms): 1000
Remote MEPs discovered by local MEP 10
=================================================================
| MEP |
MAC-address
| Adm
| Oper |
Last State
|RDI|
|
|
| State | State |
Change
|Bit|
|-----+-------------------+-------+-------+-----------------+---|
| 561| 00:E0:0C:11:95:02 |
Up|
Up |
1days 01:00:10| 0|
=================================================================
device-name#show oam cfm threshold-profile id 4
Profile ID/name: 4/none
Priority: 2; Rate: 2; Payload size: 0; Bucket size: 20;
Thresholds (value<ms>/duration<s>):
1W Jitter error:
350
1W Jitter warning:
300
2W Jitter error:
100/90
2W Jitter warning: 600/180
Latency error:
200/90
Latency warning:
1600/180
Frame loss error[disabled]: 20%
Frame loss warning[disabled]: 8%
Page 27
T-Marc3208SH
802.3ah Ethernet in the First Mile (OAM-EFM)

The IEEE 802.3ah Ethernet in the First Mile (EFM) standard specifies the protocols and Ethernet
interfaces for using Ethernet over access links as a first-mile technology and transforming it into a
highly reliable technology.
By using the Ethernet in the First Mile solution, you gain broadcast Internet access in addition to
services (such as Layer 2 transparent LAN services, Voice services over Ethernet Access networks,
Video, and multicast applications) reinforced by security and Quality of Service (QoS) control to
build a scalable network.
The in-band management specified by this standard defines the operations, administration, and
maintenance (OAM) mechanisms needed for the advanced monitoring and maintenance of
Ethernet links in the first mile. OAM capabilities facilitate network operation and troubleshooting
for both the provider and the customer networks.
Basic 802.3 packets convey OAM data between two ends of a physical link. The 802.3ah (Clause
57) provides the single-link OAM capabilities.
When enabled, two connected OAM devices exchange Protocol Data Units (OAMPDUs).
OAMPDUs are standard-size frames, including information such as the destination MAC address,
EtherType and subtype, sent at a predefined rate (a limitation necessary for reducing the impact on
the usable bandwidth).
EFM OAM is optional and can be enabled or disabled per physical port.
Figure 7: End-to-End OAM Configuration
Page 28
Potential Applications
Service providers use the link layer EFM for demarcation point OAM services.
Using the Ethernet demarcation service, providers can manage remote devices (defined as passive
devices) without utilizing an IP layer. Instead, they can utilize link-layer SNMP counter request and
reply, loopback testing, and other techniques that are controlled remotely.
Installation Configurations
The following configuration shows how to manage the provider device (CPE passive device) using
the 802.3ah standard.
Figure 8: Managing Provider Devices Using the EFM 802.3ah Standard
Page 29
The configuration below illustrates how to manage customer devices using EFM 802.3ah.
Figure 9: Managing Customer Devices (Passive) Using the EFM 802.3ah Standard
EFM-OAM Protocol Functionality

EFM-OAM supports the following basic functionality:
Page 30
Discovery: Ability of the local Data Terminating Entity (DTE) to discover other EFM-OAM
enabled DTEs and exchange information about OAM entities, capabilities, and configuration
Link Monitoring: Process used to detect and indicate link faults to a peer
Remote Failure Detection: Used by the OAM device to convey error conditions to its peer via
a flag in the OAMPDUs
Response to MIB Variable Retrieval: Retrieves information for a management information

base
Organizing Specific Enhancements: Provides vendor-specific enhancements to the protocol
Discovery
In the first phase, EFM-OAM enabled DTEs identify other DTEs along with their OAM
capabilities using Information OAMPDUs, advertising the following information:
OAM configuration (capabilities): OAM capabilities of the local DTE. Using this
information, a peer can determine what functions are supported and accessible (for example,
loopback capability).
OAM mode: OAM mode of the DTE, also used to determine DTE functionality:
Active Mode: The DTE instigates OAM communications and issues queries and
commands to the remote device.
Passive Mode: The DTE generally waits for the peer DTE to instigate OAM
communications and then responds. The DTE does not instigate commands and queries.
For more information about the rules for active and passive mode DTEs, refer to Rules
for Active Mode and Rules for Passive Mode below.
The mode combinations are:
One active and one passive OAM DTE
Two active OAM DTEs
OAMPDU Configuration: Includes the maximum size of OAMPDUs delivered. This

information, in combination with a limited rate of ten frames per second, is used to limit the
bandwidth allocated to OAM traffic.
Platform Identity: Platform identity is a combination of an Organization Unique Identifier

(OUI), the first three bytes of the MAC address, and 32-bits of vendor-specific information.
IEEE controls OUI allocation.
Once OAM support is detected and OAM expectations are met, both ends of the link exchange
the above information and enable OAM on the link. However, the link loss or failure to receive
OAMPDUs for a predefined interval causes the discovery process to start again.
Timers
Two configurable timers control the protocol:
Hello Timer: Determines the rate at which OAMPDUs are sent
Keep-Alive Timer: Determines the time interval during which OAMPDUs are expected from
the peer
An additional one-second, non-configurable timer is used for error aggregation. This timer is
necessary for the Link Monitoring Process to generate link quality events.
Page 31
Flags
Each OAMPDU includes a Flags field that describes the discovery process status. There are three
possible status values:
Discovering: Discovery is in progress
Stable: Discovery is complete. The remote device can start sending any type of OAMPDU.
Unsatisfied: Mismatches in OAM configuration prevented OAM from completing the

discovery process
Process Overview
The discovery process allows a local Data Terminating Entity (DTE) to detect OAM on a remote
DTE. Once OAM support is detected, both ends of the link exchange state and configuration
information (such as mode, PDU size, loopback support, etc.). If both DTEs are satisfied with the
settings, OAM is enabled on the link. However, link loss or failure to receive OAMPDUs during
the defined, keep alive time interval (for example, 5 seconds) may cause the discovery process to
restart.
DTEs may either be in active or passive mode:
Active mode DTEs instigate OAM communications and can issue queries and commands to a
remote device.
Passive mode DTEs generally wait for the peer device to instigate OAM communications and
respond to, but do not instigate, commands and queries.
Rules of what DTEs in active or passive mode can do are discussed in the following sections.
Rules for Active Mode

The Active mode DTE:
Page 32
Initiates the OAM Discovery process
Sends Information PDUs
Sends Event Notification PDUs
Sends Variable Request/Response PDUs
Sends Loopback Control PDUs
Responds to Variable Request PDUs (does not respond to Variable Request PDUs from devices
in Passive mode)
Reacts to Loopback Control (does not react to Loopback Control PDUs from devices in Passive
mode)
Rules for Passive Mode

The Passive mode DTE:
Waits for the remote device to initiate the Discovery process
Sends Information PDUs
Sends Event Notification PDUs
Responds to Variable Request PDUs
Reacts to received Loopback Control PDUs
Cannot send Variable Request or Loopback Control OAMPDUs
Link Monitoring Process

The Link Monitoring process is used to detect occurrences where defined thresholds are crossed
and send an Event Notification OAMPDU to notify the remote device.
Events detected by the Link Monitoring process:
Errored Symbol per second: The number of coding symbol errors, such as a violoation of
4B/5B coding, occurring during a specific period exceeds the defined threshold.
Errored Frame per second: The number of frame errors detected during a specific period
exceeds the defined threshold.
802.3ah OAM does not guarantee delivery of OAMPDUs. As a result, to reduce the probability of
losing a notification, the Event Notification OAMPDU can be sent multiple times. The Event
Notification OAMPDU has a sequence number so that duplicate events can be recognized. .
The Link Monitoring process operates on all enabled EFM OAM links.
Remote Failure Indication

Ethernet faults, caused by slow deterioration of quality, are more difficult to detect than a
completely disconnected link. A flat in the OAMPDU allows an OAM entity to send failure
conditions to its peer. Failure conditions are defined as follows:
Link Fault: Link Fault condition is detected when the receiver loses the signal. This condition
is sent once per second in the Information OAMPDU.
Dying Gasp: Detected when the receiver goes down. The Dying Gasp condition is considered
as unrecoverable. Conditions for dying gasp:
Management of the reload command
Device power down (incidental / deliberate)
Critical Event: When a critical event occurs, the device is unavailable, resulting from a
malfunction, and must be restarted by you. Critical events can be sent immediately and
continually. Conditions for critical events:
Fatal error mess any task on the device (suspend)
When a link receives no signal from its peer at the physical layer (for example, if the laser
is malfunctioning), the local entity sets this flag to let the peer know that the transmit path
is inoperable.
Page 33
Since these conditions are severe, OAMPDUs updated with these flags are not subject to normal
rate limiting policy.
Storm Loopback
Employs hardware-created frames at wire-speed to test the link under extreme, high-load
conditions. Upon return from the remote peer, hardware-created frames are discarded on the active
device. Storm Loopback tests and displays counters for both the local and remote peer.
CAUTION
Starting EFM-OAM loopback on a xSTP Ring topology with traffic forwarding
enabled, can cause serious problems.
Page 34
EFM-OAM Configuration Flow
Figure 10: EFM-OAM Configuration Flow
Page 35
EFM-OAM Commands
Command Hierarchy
device-name#
+ config terminal
+ [no] oam
+ [no] efm
+ [no] shutdown
- [no] event-config UU/SS/PP
- [no] critical-event-enable
- [no] dying-gasp-enable
- [no] error-frame-event-notification-enable
- [no] error-frame-threshold <framethreshold>
- [no] error-frame-window <value>
- [no] error-symbol-period-event-notification-enable
- [no] error-symbol-period-threshold <period
threshold>
- [no] error-symbol-period-window <value>
- [no] hello-interval <value>
- [no] history-limit <value>
- [no] keep-alive-interval <value>
- [no] log-events
- [no] multiple-pdu-count <pdu-count>

- [no] priority <priority-level>
- [no] remote-event
- oam efm ping port UU/SS/PP [delay-time <value> | echo-number

<value> | timeout <value>]
- oam efm loopback port UU/SS/PP storm [count <value> | delay-time

<value> | packet-size <value> | timeout <value>]
+ port UU/SS/PP
- [no] efm mode [basic | enhanced]
- [no] efm accept-loopback-commands
- [no] efm event-forward-status UU/SS/PP
- [no] efm event-forward-shutdown UU/SS/PP
- [no] efm event-return-shutdown <number-of-attempts>
- [no] efm role [active | passive]

- [no] efm shutdown
- show oam efm [details]

- show oam efm event-log
Page 36
- show oam efm peer
- show oam efm statistics
- show port UU/SS/PP efm statistics
Table 4: EFM Configuration Commands
Command
Description
config terminal
oam
no oam
Removes OAM configurations
efm
Enters EFM Protocol Configuration mode
no efm
Restores to default the configuration set in

OAM-EFM Configuration mode. The command
does not affect configurations made per port,
that is, in EFM Interface Configuration mode.
shutdown
Disables EFM
no shutdown
Enables EFM. By default, EFM is enabled on

the device
event-config
To configure thresholds and manage event

notifications, accesses Event Configuration
Mode for a specific interface:
no event-config
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Removes configured thresholds and event

notifications for all interfaces
critical-event-enable
Enables the local OAM entity to send critical

events notifications to its OAM peer
no critical-event-enable
Disables sending critical events notifications
dying-gasp-enable
Enables the local OAM entity to send dying

gasps notifications to its OAM peer
no dying-gasp-enable
Disables sending dying gasps notifications
error-frame-event-notificationenable
Enables the OAM entity to send an event

notification OAMPDU whenever an Errored
Frame Event occurs
no error-frame-eventnotification-enable
Disables sending event notifications
error-frame-threshold <frame
Specifies the Errored Frame Event threshold.

Threshold used for frame error testing and
reporting on a specific interface. Provided the
error-frame-event-notification-enable
option has been configured, once the threshold
is reached, the device generates an Errored
Frame Event message that is sent to the
remote peer. The message is written both to the
threshold>
Page 37
Command
Description
system log and to the feature history.
Additionally, the event counters are updated.
framethreshold: the valid range

is <1-1488000>
256
no error-frame-threshold
error-frame-window value>
Monitoring interval for frame errors, in seconds:
20
no error-frame-window
Restores to default
error-symbol-period-eventnotification-enable
Enables the OAM entity to send an event

notification OAMPDU whenever an error
symbol period event occurs
no error-symbol-period-eventnotification-enable
Restores to default
error-symbol-period-threshold
Specifies the symbol errors threshold within a

given window. Once the threshold is reached, a
notification is triggered if the error-symbolperiod-event-notification-enable
option has been configured.
<periodthreshold>
periodthreshold: the valid range

is <1-1488000>
256
no error-symbol-periodthreshold
Restores to default
error-symbol-period-window
Monitoring interval for symbol errors, in

seconds:
<value>

seconds
20 seconds
no error-symbol-period-window
hello-interval <value>
Restores to default
Specifies the hello interval.
The hello interval is the time interval between
two PDUs, expressed in milliseconds. This
mechanism is used to inform the neighboring
device that the local device is operative. When
the local device receives no PDU within the
defined keep-alive interval, the neighboring
device is considered inoperative.
value: the valid range is <1005000> milliseconds
1000 milliseconds
Page 38
Command
Description
NOTE
The standard hello interval is 1000
milliseconds. However, to reduce
overload, in some cases, it is possible
to set the range to up to 5000
milliseconds even though doing so
violates the standard.
NOTE
The keep-alive interval (keepalive-interval) must be twice as
long as the hello-interval.
no hello-interval
Restores to default
history-limit <value>
Specifies the maximum number of entries in the

efm-oam history log:
value: the valid range is <100010000>
5000
no history-limit
keep-alive-interval <value>
Specifies keep-alive interval.

The keep-alive interval is the aging interval for
the neighboring device that last sent packets. If
the neighboring device does not send a PDU
within the defined keep-alive interval, it is
considered inoperative.
value: the valid range is <10015000> milliseconds
5000 milliseconds
no keep-alive-interval
Restores to default
log-events
Enables sending threshold notification

messages to the local system log
no log-events
Disables sending threshold notification

messages to the local system log
multiple-pdu-count <pdu-count>
Specifies number of identical PDUs to send

when local event occurs:
pdu-count: the valid range is <110>
5
no multiple-pdu-count
Restores to default
priority <priority-level>
Specifies EFM-OAM PDU priority. Priority is

effective only if the port is a tagged member of
the default VLAN.
priority-level: the valid range

is <0-7> (The highest the number,
the highest the priority)
0
no priority
Restores to default
Page 39
Command
Description
remote-event
Enables sending local event notifications to the

remote peer
no remote-event
Disables sending local event notifications to the

remote peer
oam efm ping port UU/SS/PP [delay-time

<value> | echo-number <value> |
timeout <value>]
oam efm loopback port UU/SS/PP storm

[count <value> | delay-time <value> |
packet-size <value> | timeout <value>]
Pings an EFM port:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
delay-time <value>: (optional)

the delay between packets, in the
range of <0600> seconds
echo-number <value>: the number

of echo packets sent, in the
range of <110>
timeout <value>: the timeout for

receiving a response, in the
range of <1600> seconds
Enables the EFM-OAM monitoring on a port, by

setting the remote device into a loopback mode
and generating test traffic:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
storm: sets the remote peer port

into a loopback mode, stops the
local data flow to this port, and
the local CPU generates a packet
burst. When the remote peer sends
the burst back, the local device
validates it and displays the
burst statistics.
count <value>: (Optional)

specifies the number of packets
sent in the Storm loopback, in
the range of <12147483646>.
100 packets
delay-time <value>: (Optional)

specifies the delay between
packets, in the range of <1600>
seconds
there is no delay
packet-size <value>: (Optional)

specifies the test-packets size,
in the range of <641512> bytes
64 bytes
timeout <value>: (Optional) the

reply timeout, in the range of
<1600> seconds
2 seconds
Page 40
duration <value>: (optional)

specifies the burst loopback
duration, in the range of <1600>
seconds
Command
Description
10 seconds
port UU/SS/PP
Accesses Interface Configuration Mode for the

specified port:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
efm accept-loopback-commands
Enables the processing of OAM loopback

control PDUs from peers
Disabled
no efm accept-loopback-commands
Restores to default
efm mode [basic | enhanced]
Enables/disables the organization-specific

EFM-OAM enhancements on a specific
interface or interface range. Depending on the
required variable used, this command specifies
one of the following two alternative EFM
modes:
Basic: Does not employ organizationspecific extensions
Enhanced: Allows definition and retrieval

of all SNMP variables on the remote
device.
If the remote device is not an organization
device, Basic mode is used, even when
Enhanced mode is configured; configure both
devices with Enhanced mode for the devices to
exchange their hostname.
basic: enables Basic mode
enhanced: enables Enhanced mode
Enhanced
no efm mode
Returns the default EFM mode configuration
efm event-forward-status UU/SS/PP
Enables sending a Link Event Notification from

a target port to its EFM peer whenever the link
status changes on the source port:
UU/SS/PP: the target port in the

range of 1/1/1-1/1/4 and 1/2/11/2/8
no efm event-forward-status
Disable sending a Link Event Notification
efm event-forward-shutdown UU/SS/PP
Enables shutting down a target port whenever

the link status changes on the source port.
In order to restore the UP state of the target
port, previously disabled by the efm eventforward-shutdown command, perform the
following procedure:
Step 1. Disable the target port by the shutdown
command.
Step 2. Enable the target port by the no shutdown
command.
UU/SS/PP: the target port in the

range of 1/1/1-1/1/4 and 1/2/1-
Page 41
Command
Description
1/2/8
no efm event-forward-shutdown
Disables shutting down a target port
efm event-return-shutdown <number-
Enables the Event Return feature. This feature

determines the number of discovery attempts
prior to administratively shutting down the port.
of-attempts>
number-of-attempts: number of
discovery attempts before
shutting down the port; the valid
range is <010> (0 disables the
feature)
0
no efm event-return-shutdown
Disables shutting down a target interface
efm role [active | passive]
Enables EFM-OAM on a specific interface and

specifies one of the following two alternative
modes:
Active: Device sends Hello packets over

this interface to initiate EFM-OAM
discovery process.
Passive: Device cannot use this interface

to initiate EFM-OAM discovery process.
The valid mode combinations are either
one active and one passive OAM interface
active: specifies the devices

role as Active for uplinks and
user interfaces.
passive: enables Enhanced mode.
two active OAM interfaces

When both peer interfaces are in Passive
mode, Remote Status information is not
updated and might be inaccurate.
passive
no efm role
Restores to default
efm shutdown
Disables the EFM-OAM protocol for the

configured interface. Though disabled, the
EFM-OAM configuration for the interface is
preserved and can be restored with the no efm
shutdown command.
no efm shutdown
Enables the EFM-OAM protocol for the

configured interface. This command restores
the EFM-OAM configuration, previously
disabled with the efm shutdown command, for
the interface.
Table 5: EFM Display Commands

Command
Description
show oam efm [details]
Displays the current EFM configuration and

EFM status:
Page 42
details: displays EFM details
Command
Description
show oam efm event-log
Displays the EFM-OAM event log
show oam efm peer
Displays the EFM-OAM peer
show oam efm statistics
Displays local and remote counters and all

EFM-OAM statistics for all interfaces
show port UU/SS/PP efm statistics
Displays EFM-OAM statistics for a specific

interface:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Table 6: Log messages employed by the EFM-OAM protocol

Message
Severity
Description
EFM-OAM-RemoteCriticalEvent
Error
An event generated on interface UU/SS/PP.
EFM-OAM-RemoteDyingGasp
Error
A Dying Gasp event generated on interface

UU/SS/PP.
EFM-OAM-RemoteLinkFault
Warning
A fault event generated on interface

UU/SS/PP.
EFM-OAM-RemoteSpecificEvent
Notification
An organization specific event generated on

interface UU/SS/PP.
EFM-OAM-RemoteRateExceeded
Warning
The PDU quantity exceeded the allowed rate

on interface UU/SS/PP.
EFM-OAM-RemoteErrored-Symbol-Event
Warning
Port UU/SS/PP:
EFM-OAM-RemoteErrored-Frame-Event
NOTE
This error requires special
attention
Warning
Remote, Errored Frame, Symbol Period,

Event Received
Date: Thu Jan 1 01:09:57 2009

Window: 45.1 seconds
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
Port UU/SS/PP:
Remote, Errored Frame, Frame Event

Received
Date: Thu Jan 1 01:09:57 2009

Window: 45.1 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
Page 43
Message
Severity
Description
EFM-OAM-RemoteErrored-Period-Event
Warning
Port UU/SS/PP:
EFM-OAM-RemoteErrored-Seconds-Event
Warning
Remote, Errored Frame, Period Event

Received
Date: Thu Jan 1 01:09:57 2009

Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
Port UU/SS/PP:
Remote, Errored Frame, Seconds Event

Received
Date: Thu Jan 1 01:09:57 2009

Window: 45.1 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
EFM-OAM-LocalDyingGasp
Fatal
EFM-OAM detected a local Dying Gasp event.
EFM-OAM-Local-LinkFault
Error
Link Fault occurred on the local device, on

interface UU/SS/PP.
EFM-OAM-Local-ErroredSymbol-Event
Warning
Port UU/SS/PPLocal Errored Frame Symbol

Period Event sent:
EFM-OAM-Local-ErroredFrame-Event
Warning
Date: Thu Jan 1 01:09:57 2009

Window: 45 seconds
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
Port UU/SS/PPLocal Errored Frame Frame

Event sent:
Page 44
Window: 45.1 seconds
Date: Thu Jan 1 01:09:57 2009

Window: 45 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
Message
Severity
Description
EFM-OAM-RemoteErrored-Seconds-Event
Warning
Port UU/SS/PPLocal Errored Frame

Seconds Event sent:
Date: Thu Jan 1 01:09:57 2009

Window: 45 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
The following example, based on Figure 11, demonstrates how to configure an Ethernet network
using the EFM-OAM protocol.
Figure 11: Example Configuring of Two Devices using EFM-OAM
Configuring Device1:
1.
Verify if the EFM-OAM protocol is enabled on the device (default):

Device1#show oam efm
===========================================================================
EFM-OAM
===========================================================================
Administrative Status : Enabled
Local MAC
: 00:a0:12:27:0d:e1
History Count
: 0
Hello Interval
: 1000 milliseconds
Page 45
Keep-alive Interval
: 5000 milliseconds
Remote Event
: True
Log Events
: True
Packets Counter
: Sent = 0, Received = 0
===========================================================================
Device1#
2.
Access EFM Configuration Mode:

Device1#configure terminal
Device1(config)#oam
Device1(config)#efm
Device1(config-efm)#
3.
Specify the number of OAMPDUs:

Device1(config-efm)#multiple-pdu-count 3
4.
Enable sending local event notifications to the remote device:

Device1(config-efm)#remote-event
5.
Define OAMPDU priority:

Device1(config-efm)#priority 3
6.
Define the aging interval in seconds for the neighboring device that last sent packets:
Device1(config-efm)#keep-alive-interval 3000
Device1(config-efm)#exit
Device1(config-oam)#exit
7.
Enable EFM-OAM on the specified interface and set its mode to active:
Device1(config-port-1/1/1)#efm role active
Configuring Device2:
1.
Verify if the EFM-OAM protocol is enabled on the device (default):
2.
Access EFM Configuration Mode:
3.
Specify the number of OAMPDUs:

Device2(config-efm)#multiple-pdu-count 3
4.
Enable sending local event notifications to the remote device:

Device2(config-efm)#remote-event
5.
Define OAMPDU priority:

Device2(config-efm)#priority 3
6.
Define the aging interval in seconds for the neighboring device that last sent packets:
Device2(config-efm)#keep-alive-interval 3000
Device2(config-efm)#exit
Device2(config-oam)#exit
Device2(config)#
7.
Page 46
Enable EFM-OAM on the specified interface and set its mode to active:
Device2(config-port-1/1/1)#efm role active
Device2(config-port-1/1/1)#
Displaying Interface Statistics on Device1:
Device1#show port 1/1/1 efm statistics

===============================================================================
EFM-OAM Statistics
===============================================================================
Port 1/1/1
Counter Name
Counter Value
------------------------------------------------------------------------------information-tx
73
information-rx
60
unique-event-notification-tx
0
unique-event-notification-rx
0
duplicate-event-notification-tx
0
duplicate-event-notification-rx
0
loopback-control-tx
0
loopback-control-rx
0
variable-request-tx
0
variable-request-rx
5
variable-response-tx
5
variable-response-rx
0
organization-specific-tx
2
organization-specific-rx
2
unsupported-codes-tx
0
unsupported-codes-rx
0
frames-lost-due-to-oam
0
===============================================================================
Displaying EFM details on Device1:
Device1#show oam efm details

===============================================================================
EFM-OAM Details
===============================================================================
Port 1/1/1
------------------------------------------------------------------------------Local Role
: Passive
Local Status
: Unknown
Remote Port
: N/A
Remote Mac
: 00:00:00:00:00:00
Remote Role
: Unknown
Remote Status
: Unknown
Remote Hostname
: Unknown
------------------------------------------------------------------------------Port 1/1/2
------------------------------------------------------------------------------Local Role
: Passive
Local Status
: LinkFault
Page 47
Remote Port
: N/A
Remote Mac
: 00:00:00:00:00:00
Remote Role
: Unknown
Remote Status
: Unknown
Remote Hostname
: Unknown
------------------------------------------------------------------------------Port 1/1/3
------------------------------------------------------------------------------Local Role
: Active
Local Status
: Stable
Remote Port
: 1/2/8
Remote Mac
: 00:a0:12:9a:1d:ad
Remote Role
: Active
Remote Status
: Stable
Remote Hostname
: device-name
-------------------------------------------------------------------------------
Page 48
T-Marc3208SH
ITU-T G.8032v2 Ring Automatic Protection

Switching (R-APS)
G.8032, Ring Automatic Protection Switching (R-APS), creates a fault tolerant ring topology by
configuring a primary and secondary path for each VLAN. Upon failure of the primary path traffic
is forwarded via the secondary path.
You can connect up to 10 sub-ring instances to each main R-APS instance. Each sub-ring instance
inherits the control and monitored VLANs as well as the CFM level from the main R-APS
instance. The sub-ring instance has only one port.
To minimize management overhead, R-APS utilizes existing CFM-OAM CCMs. These CCMs can
be used also for CFM-OAM but not for customer traffic.
G.8032 currently does not support ladder and mesh topologies.
NOTE
You must disable xSTP protocols on all the ports in the ring to use this feature.
R-APS Mechanism
Definitions
Ring Protection Link: one ring link is configured as the Ring Protection Link (RPL). To
prevent loops, this link is disabled under normal conditions. The RPL is disabled as long as the
primary path is active.
RPL Owner: A node adjacent to the RPL responsible for blocking its end of the ring under
normal conditions (when the ring is established and no requests are present in the ring). The
RPL Owner is also responsible for reverting the ring from the protected path to the primary.
RPL Neighbor: A node adjacent to the RPL that is responsible for blocking its end of the
ring under normal conditions like the RPL Owner. However, this node is not responsible for
reverting the ring.
Simple Node: all other nodes that participate only in the R-APS ring.
Ring Protection
A dedicated maintenance association (MA) is configured as the ring protection.
The R-APS ring uses a dedicated VLAN for Continuity Check Message (CCM) and Automatic
Protection Switching (APS) communication within this MA.
Each device in the MA must be configured with two Maintenance Association End Point (MEP)s,
both MEPs must be assigned to the dedicated VLAN.
Operation
Upon a failure detection, a signal-fail status bit is enabled in the APS messages sent
throughout the ring Upon receipt of an APS signal-fail message, the RPL Owner sends a
Page 49
switchover command to all the devices in the ring and enables RPL. Traffic is now sent via the
secondary path.
Figure 12: Network with two R-APS Instances (Traffic flowing in different directions)
Behavior of the system following recovery of the primary path is configurable. There are two
options:
Revertive Operation: When the primary path recovers, traffic is switched over to the primary
path and the RPL is blocked again. This mode is used in scenarios in which the primary path is
an optimized path, at the expense of an additional traffic interruption for switching back to this
path.
Non-Revertive Operation: Traffic continues to use the RPL, even when the primary path
recovers. This mode is used when there is no advantage in reverting to the primary path and
avoids a second traffic interruption.
Timing Configuration
The following configurable timers control aspects of R-APS behavior:
Guard Timer: To reduce the possibility of receiving outdated R-APS packets, R-APS packets
are blocked for a specified length of time after receiving a signal failure or clear message.
Wait-to-Restore Timer: Used in Revertive Mode, the Wait-To_Restore Timer defines the
length of time to wait after recovery of the primary path before reverting traffic. This timer
prevents flapping in case of frequent failures.
Hold-Off Timer: The amount of time to wait while attempting fault recovery before
declaring a signal-fail condition. This timer prevents flapping in case of short failures.
NOTE
Configuring timer values is optional. If not configured, the default values are
used.
Page 50
Page 51
R-APS Configuration Flow
Figure 13: R-APS Configuration Flow
Page 52
R-APS Commands
Commands Hierarchies
device-name#
+ config-terminal
+ ethernet
+ [no] ring-aps
+ [no] instance <value>
- cfm-domain-level <value>
- control-vlan <vlan-id>
- disable-virtual-channel
- [no] description
- [no] guard-timer <value>
- [no] hold-off-timer <value>
- [no] mode {version1 | version2}

+ [no] monitor-vlan <vlan-range>
+ [no] port <id>
- [no] mep <value>
- [no] port-id UU/SS/PP
- [no] rpl-port
- [no] revertive-mode
- [no] ring-id <id>
- [no] role {rpl-neighbor | rpl-owner | simple-node}

- [no] shutdown
+ [no] subring <id>
- [no] control-vlan
- [no] description
- [no] guard-timer <value>
- [no] hold-off-timer <value>
- [no] propagate-topology-changes
- [no] revertive-mode
- [no] ring-id <id>
- [no] role {rpl-neighbor | rpl-owner | simplenode}

- [no] shutdown
- [no] subring-port UU/SS/PP

- [no] mep <value>
- [no] rpl-port
Page 53
- [no] virtual-channel-vlan
- [no] wait-to-restore-timer <value>
- [no] wait-to-restore-timer <value>
- ethernet ring-aps instance <value> clear
- ethernet ring-aps instance <value> port <id> manual-switch

- ethernet ring-aps instance <value> port <id> forced-switch
- ethernet ring-aps instance <value> subring <id> clear
- ethernet ring-aps instance <value> subring <id> manual-switch

- ethernet ring-aps instance <value> subring <id> forced-switch
- show ethernet ring-aps [instance <value>]
- show service ring-aps [detailed [instance <value> [subring <value>]]]

- show running-config ethernet ring-aps
Table 7: R-APS Commands
Command
Description
config terminal
ethernet
ring-aps
Enters Ring Automatic Protection Switching (RAPS) Configuration mode
no ring-aps
Removes R-APS configuration
instance <value>
Specifies an R-APS instance and enters R-APS

Configuration mode:
no instance [<value>]
Removes R-APS instances:
cfm-domain-level <value>

<1-10>
Specifies a CFM domain, identified by the

domain level:
The domain's levels are:
description STRING
Operators Maintenance Association (MA)

levels: 02
Providers MA levels: 34
Specifies the R-APS instance ring description:
no description
Page 54
Customers MA levels: 57
STRING: string of up to 256
characters
Command
Description
control-vlan <vlan-id>
Specifies a control VLAN used for the CCM

traffic. You should not direct any other traffic
through this VLAN.
disable-virtual-channel
Specifies a virtual channel for an R-APS ring. RAPS packets are forwarded through the blocked
ports ensuring that R-APS packets reach all
nodes in the ring. Otherwise, the ring becomes
segmented because R-APS packets cannot
reach all nodes in the ring.
no disable-virtual-channel
Removes the defined virtual channel
guard-timer <value>
Specifies the length of time to block R-APS

packets after receiving a signal-failure or clear
message.
NOTE
Configure this timer to a value
bigger than the maximum delay
an R-APS packet can have in
order to traverse the entire
sunring.

milliseconds, in increments of 10
milliseconds
500 milliseconds
no guard-timer
Restores to default
hold-off-timer <value>
Specifies the length of time needed to attempt

fault recovery before declaring a signal-fail
condition:

milliseconds
0 milliseconds
no hold-off-timer
Restores to default
mode {version1 | version2}
Specifies the version of G.8032 standard used:
version1: G.8032v1 (compatibility) mode

only
version2: G.8032v2 (this version supports

revertive mode)
version2
no mode
Restores to default
monitor-vlan <vlan-range>
Selects a list of customer VLANs monitored by

R-APS:
no monitor-vlan [<vlanrange>]
vlan-range: VLANs should be

defined with space. VLAN IDs are
in the range of <14094>.
Removes the specified VLAN ranges:
vlan-range: (optional) VLANs

should be defined with space.
Page 55
Command
Description
port <id>
Specifies a port that participates in R-APS and

enters the R-APS Port Configuration mode. The
configured port generates signal-failure
messages towards the R-APS Owner in case of
a connectivity failure.
no port [<id>]
Removes the configured port:
mep <value>
id: R-APS port ID in the range of

<0-1>
id: (optional) R-APS port ID in
the range of <0-1>
Specifies the MED ID for port monitoring:
no mep [<value>]
Removes the configured MEP ID
port-id UU/SS/PP
Selects a port:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
No ports are selected

no port-id [UU/SS/PP]
Restores to default:

and 1/2/1-1/2/8
rpl-port
Specifies the selected port as a Ring Protection

Link (RPL).
Valid only for the RPL Owner or RPL Neighbor.
You can designate only one port as RPL.
no rpl-port
Removes the RPL role from the port
revertive-mode
Specifies whether the R-APS should revert to

the primary path after recovering from a failure
no revertive-mode
Configure a non-revertive R-APS
ring-id <id>
Specifies the Ring ID used to separate rings.

The Ring ID is reflected in the multicast
destination MAC, used for sending R-APS
packets (01-19-A7-00-00-[Ring ID]).
1
no-ring-id [<id>]
Restores to default
role {rpl-neighbor | rpl-owner

| simple-node}
Specifies the role of the device within the R-APS

ring:
rpl-neighbor: devices role (see

R-APS Mechanism)
rpl-owner: devices role (see RAPS Mechanism)
simple-node: devices role (see RAPS Mechanism)
simple node
Page 56
Command
Description
no role [rpl-neighbor | rplowner | simple-node]
rpl-neighbor: optional
rpl-owner: optional
simple-node: optional
shutdown
Disables the configured R-APS instance. A

disabled instance does not send R-APS packets
and does not respond to R-APS packets
received
no shutdown
Enables an R-APS instance
subring <id>
Specifies an R-APS Subring Instance ID and

enters R-APS Subring Configuration mode:
no subring [<id>]
Removes subring instances:
guard-timer <value>

id: (optional) in the range of <110>
Specifies the amount of time to block R-APS

packets after receiving a signal-failure or clear
message. The timer value has to be bigger than
the maximum delay of an R-APS packet in order
to traverse the entire sunring.

milliseconds
500 milliseconds
no guard-timer
Restores to default
Specifies the length of time needed to attempt

recovery from a fault before declaring a signalfail condition:

milliseconds
0 milliseconds
no hold-off-timer
Restores to default
propagate-topology-changes
Propagates flushing to the main ring when a

topology change notification happens in the
subring
no propagate-topologychanges
Disable propagation
revertive-mode
Specifies whether the R-APS subring should

revert to the primary path after recovering from a
failure
no revertive-mode
Configure a non-revertive R-APS
Page 57
Command
Description
ring-id <id>
Specifies the Ring ID used to separate rings.

The Ring ID is reflected in the multicast
destination MAC used to send R-APS packets
(01-19-A7-00-00-[Ring ID]).
1
no-ring-id [<id>]
Restores to default
role {rpl-neighbor | rplowner | simple-node}
Specifies the role of the device within the R-APS

subring:
rpl-neighbor: devices role (see

R-APS Mechanism)
rpl-owner: devices role (see RAPS Mechanism)
simple-node: devices role (see RAPS Mechanism)
simple node
no role [rpl-neighbor |
rpl-owner | simple-node]
rpl-neighbor: optional
rpl-owner: optional
simple-node: optional
shutdown
Disables the configured R-APS subring instance.
no shutdown
Enables an R-APS subring instance
subring-port UU/SS/PP
Selects a port to participate in R-APS and enters

R-APS Subring Port Configuration mode. The
ports generate and send signal-failure messages
to the R-APS Owner in case of a connectivity
failure.
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
No ports are selected

no subring-port [UU/SS/PP]
mep
Specifies the MED ID of the neighboring device:
Page 58
UU/SS/PP: (optional) removes only

the specified port from the R-APS
subring
no mep
Removes the configured MEP ID
rpl-port
Specifies the selected port as Ring Protection

Link (RPL).
Valid only for the RPL Owner or RPL Neighbor.
You can designate only one port as RPL.
no rpl-port
Removes the RPL role from the port
Command
Description
virtual-channel-vlan <vlan-
id>
Uses the R-APS virtual channel over the main

ring.
In order to transmit RAPS packets from one
interconnection node to other, the R-APS
packets of the subring are encapsulated with
virtual channel VLAN tag in order to be
forwarded through the main ring. The R-APS
packets reach the other interconnection node
where the virtual channel VLAN tag is stripped
and the packets are transmitted in the subring
with the control VLAN tag.
no virtual-channel-vlan
[<vlan-id>]
Removes the configured virtual channel:
wait-to-restore-timer
<value>
Specifies the length of time to wait after recovery

before reverting to the primary path:

of <14094>

minutes
5 minutes
no wait-to-restore-timer
wait-to-restore-time <value>
Restores to default
Specifies the length of time to wait after recovery
before reverting to the primary path:

minutes
5 minutes
no-wait-to-restore-timer
[<value>]
Restores to default
ethernet ring-aps instance <value> clear
Triggers a revertive behavior, in case revertive

mode is not used or in case the wait-to-restore
timer is active
ethernet ring-aps instance <value> port

<id> manual-switch
Enables the manual switch option for R-APS

ring.
In the absence of a failure, block one of the ring
ports in a ring node to perform maintenance on
that link.
(The command is reverted by the clear
command.)

<0-1>
Page 59
Command
Description
ethernet ring-aps instance <value> port

<id> forced-switch
Enables the forced switch option for R-APS ring.

that link.
command.)

<0-1>
ethernet ring-aps instance <value> subring

<id> clear
Triggers revertive behavior, in case revertive

mode is not used or in case the wait-to-restore
timer is active in sub ring.

<id> manual-switch
Enables the manual switch option for R-APS

subring.
that link.
command.)

<id> forced-switch
show ethernet ring-aps [instance <value>]
Enables the forced switch option for R-APS

subring.
that link.
command.)
Displays R-APS status information:

<1-10>
show service ring-aps [detailed [instance

<value> [subring <value>]]]
Displays detailed R-APS status information,

filtered by the commands arguments
show running-config ethernet ring-aps
Displays R-APS configuration.
1.
Enable R-APS:
device-name(config-ethernet)#ring-aps
2.
Specify an instance to configure (instance 1):

device-name(config-ring-aps)#instance 1
3.
Page 60
Specify the CFM domain level for this instance (level 1):
device-name(config-instance-1)#cfm-domain-level 1
4.
Specify the control VLAN ID for this instance (10):

device-name(config-instance-1)#control-vlan 10
5.
Specify the monitored VLAN ID. You can configure single VLAN, several VLAN or range of
VLAN:
device-name(config-instance-1)#monitor-vlan 23
device-name(config-instance-1)#exit
6.
Specify the role of the device (simple-node configured):

device-name(config-instance-1)#role simple-node
7.
Configure the hold-off timer value (50 milliseconds configured):

device-name(config-instance-1)#hold-off-timer 50
8.
Configure the wait-torestore timer (3 minutes configured):

device-name(config-instance-1)#wait-to-restore-timer 3
9.
Configure the guard timer value (30 milliseconds configured):

device-name(config-instance-1)#guard-timer 30
10. Specify the ring-ID that the instance belongs to (100 configured):
device-name(config-instance-1)#ring-id 100
11. Enable the virtual channel:

device-name(config-instance-1)no disable-virtual-channel
12. Configure Port 0 as a port (configured as port 1/1/2, MEP 200, and as the rpl-port):
device-name(config-instance-1)#port 0
device-name(config-port-0)#port-id 1/1/2
device-name(config-port-0)#mep 200
device-name(config-port-0)#rpl-port
device-name(config-port-0)#exit
13. Configure Port 1 as a port (configured as port 1/1/1, MEP 300):

device-name(config-instance-1)#port 1
device-name(config-port-1)#port-id 1/1/1
device-name(config-port-1)#mep 300
14. Specify no shutdown to enable this R-APS instance:

Device-name(config-instance-1)#no shutdown
15. Commit current configuration (You may commit when R-APS instance (without Sub ring) is
configured or R-APS instance and Sub ring are configured):
Device-name(config-instance-1)#commit
16. Configure the device as a member of a sub-ring (configured as sub-ring 2).

device-name(config-instance-1)#subring 2
17. Configure the port of the subring (port 1/2/3 ) NOTE only one sub ring port per sub-ring:
Page 61
device-name(config-subring-2)#subring-port 1/2/3
device-name(config-subring-port-1/2/3)#mep 500
18. Enter exit to exit the port configuration:

19. Specify the role of the device in the sub-ring:

device-name(config-subring-2)#role rpl-neighbor
20. Specify the ring-id:

device-name(config-subring-2)#ring-id 99
21. Specify the virtual channel VLAN. Virtual Channel VLAN must be a monitored VLAN of the
main ring instance:
device-name(config-subring-2)#virtual-channel-vlan 23
22. Configure the timers:

device-name(config-instance-1)#guard-timer 20
device-name(config-instance-1)#wait-to-restore-timer 6
device-name(config-instance-1)#hold-off-timer 500
23. Select to set device in revertive-mode:

device-name(config-subring-2)#no revertive-mode
24. Select propagate topology changes:

Device-name(config-subring-2)#propagate-topology-changes
25. Specify no shutdown to enable this R-APS subring:

Device-name(config-subring-2)#no shutdown
26. Commit the current configuration:

Device-name(config-subring-2)#commit
Page 62

EPS protects point-to-point Ethernet service connection over VLAN transport networks, assuring
traffic transport between the two service ends. This method is based on the ITU-T G.8031
standard.
The EPS method defines two transport paths (entities) based on existing CFM-OAM MEPs:
Primary (normally active) path through which traffic is sent
Backup (protection) path used by the EPS in case the primary path fails
Figure 14: Protecting Services Using EPS
Once these paths are determined, EPS periodically sends CFM-OAM CCMs (for more
information, see CFM-OAM Protocol Functionality).
Switchover Options
EPS switches the traffic over from one path to another in the following cases:
When there is a signal failure (SF) in the active path
On user request
A request from the remote device
System administrators can lock the switchover, preventing traffic from switching over to the
backup path in any of the above cases.
In order to minimize unnecessary traffic, switchovers administrators can define a Hold off timer: This
timer postpones the switchover for a specified time. If the transport path does not recuperate by
the end of this time period, traffic is switched over.
Page 63
EPS Configuration Flow
Figure 15: EPS Configuration Flow
Page 64
EPS Commands
EPS Commands Hierarchy
device-name#
+ config terminal
+ service

- [no] eps
- [no] admin-freeze
- [no] cfm-domain-level <level>
- [no] hold-off-timer <timer>
- [no] primary-path {local-mep <mep-id> | remote-mep

<mep-id>}
- [no] revertive
- [no] secondary-path {local-mep <mep-id> | remotemep <mep-id>}
- [no] shutdown
- [no] signal-degrade-cfm-test-id <id>
- [no] wait-to-restore-timer {0 | <timer>}
- show eps service <service-id> [detailed]
EPS Command Descriptions

Table 8: EPS Commands
Command
Description
config terminal
service
Enters Service mode
tls <service-id>

Configuration mode:
no tls <service-id>

4294967295>
eps
Enables EPS on the specified service and

enters EPS Configuration mode
Disabled
no eps
Restores to default
admin-freeze
Blocks the service protection. In admin-freeze

mode, no commands are accepted.
no admin-freeze
Unblocks the state-change requests
Page 65
Command
Description
cfm-domain-level <value>
Specifies the CFM domain level used by EPS:
no cfm-domain-level
Removes the configured level
Specifies the hold off timeout. The timer

postpones the switchover for a specified time. If
the transport path does not recuperate by the
end of this time period, traffic is switched over.

milliseconds, in increments of
100 milliseconds
0 seconds
no hold-off-timer
Restores to default
primary-path {local-mep
<value> | remote-mep
<value>}
Specifies the CFM pair of MEPs used to monitor

the primary path:
no primary-path {local-mep |
remote-mep}
local-mep <value>: the service

MEP ID of the local device, in
remote-mep <value>: the

discovered service MEP ID of the
remote device, in the range of
<1-8191>
Removes the configured MEPs:
local-mep: MEP of the local

device
remote-mep: MEP of the remote

device
revertive
Enables the revertive mode for the protection. In

case of a signal failure when the primary
transport is repaired, the traffic is automatically
moved to the primary transport after the wait-torestore timer expired.
no revertive
Disables the revertive mode
secondary-path {local-mep
<value> | remote-mep
<value>}
Specifies the CFM pair of MEPs used to monitor

the secondary path:
no secondary-path {local-mep |
remote-mep}
Page 66
local-mep <value>: the service

MEP ID of the local device, in
remote-mep <value>: the

discovered service MEP ID of the
remote device, in the range of
<1-8191>
Removes the configured MEPs:
local-mep: MEP of the local

device
remote-mep: MEP of the remote

device
shutdown
Deactivates EPS for the configured service
no shutdown
Activates EPS for the configured service
Command
Description
signal-degrade-cfm-test-id
<value>
Specifies the signal degrade test for EPS:
no signal-degrade-cfm-test-id
Removes the configured test
wait-to-restore-timer <value>
Specifies the wait-to-restore timeout. The timer

is disabled when the revertive mode is disabled.
value: CFM monitoring process, in

value: in the range of <512>, or

value 0, in minutes. Value of 0
reverts immediately, without
waiting the wait-to-restore
timerto expire.
5 minutes
no wait-to-restore-timer
show eps service <service-id> [detailed]
Restores to default
Displays the status of the EPS service for all
configured TLS services:
service-id: TLS service instance,

detailed: additional information

displayed
device-name (config-tls-1024)#sdp s-vlan 2048 port 1/1/1 precedence primary
device-name(config-s-vlan-2048)#exit
device-name(config-tls-1024)#sdp s-vlan 4000 port 1/1/2 precedence backup
device-name(config-tls-1024)#sap 1/1/24 c-vlan 3000
Commit complete.
device-name(config-c-vlan-3000)#top
device-name(config)#no shutdown
device-name(config-cfm)#domain d4
device-name(config-domain-d4)#level 4
device-name(config-domain-d4)#ma ma4
device-name(config-domain-d4)#service 1024
device-name(config-ma-ma4)#mep 1000 bind-to 1/1/24:3000: direction up ccmenabled
device-name(config-mep-1000)#commit
Commit complete.
Page 67
device-name(config-mep-1000)#top
device-name(config-tls-1024)#eps
device-name(config-eps)#cfm-domain-level 4
device-name(config-eps)#hold-off-timer 100
device-name(config-eps)#primary-path local-mep 1000 remote-mep 2000
device-name(config-eps)#secondary-path local-mep 1000 remote-mep 2000
device-name(config-eps)#revertive
device-name(config-eps)#wait-to-restore-timer 0
device-name(config-eps)#no shutdown
device-name(config-eps)#commit
Commit complete.
device-name(config-eps)#end
device-name#show eps detailed
===============================================================================
Ethernet Protection Switching Detailed Information
===============================================================================
-----------------------------------------------------------------------------Service ID 1024
-----------------------------------------------------------------------------Admin Status: Enabled
Operational Status: Down
CFM Level: 4
SD CFM test ID: N/A
Hold off timer (ms): 100
Wait to restore timer (minutes): 0
Protection counter: 0
State changes: Allowed
Defects present: None
Last Event: unknown
Primary link - Local Mep: 1000, Remote Mep: 2000 - Status: Failed
Backup link - Local Mep: 1000, Remote Mep: 2000 - Status: Failed
APS data
LOCAL
REMOTE
Active state:
NoRequest
None
Active transport:
working
N/A
APS channel requested: Yes
N/A
APS connection type:
bidirectional
N/A
Protection Type:
1To1
N/A
Revertive mode:
Yes
N/A
===============================================================================
device-name(config-tls-1024)#sdp s-vlan 2048 port 1/1/1 precedence primary
device-name(config-tls-1024)#sdp s-vlan 4000 port 1/1/2 precedence backup
Page 68
Commit complete.
device-name(config-c-vlan-3000)#top
device-name(config)#no shutdown
device-name(config-domain-d4)#service 1024
device-name(config-ma-ma4)#mep 2000 bind-to 1/1/2:3000: direction up ccmenabled
device-name(config-mep-2000)#commit
commit complete.
device-name(config-mep-2000)#top
device-name(config-tls-1024)#eps
device-name(config-eps)#cfm-domain-level 4
device-name(config-eps)#hold-off-timer 100
device-name(config-eps)#primary-path local-mep 2000 remote-mep 1000
device-name(config-eps)#secondary-path local-mep 2000 remote-mep 1000
device-name(config-eps)#revertive
device-name(config-eps)#wait-to-restore-timer 0
device-name(config-eps)#no shutdown
device-name(config-eps)#commit
Commit complete.
device-name(config-eps)#end
device-name#show eps detailed
===============================================================================
Ethernet Protection Switching Detailed Information
===============================================================================
-----------------------------------------------------------------------------Service ID 1024
-----------------------------------------------------------------------------Admin Status: Enabled
Operational Status: Up
CFM Level: 4
SD CFM test ID: N/A
Hold off timer (ms): 100
Wait to restore timer (minutes): 0
Protection counter: 0
State changes: Allowed
Defects present: None
Last Event: unknown
Primary link - Local Mep: 2000, Remote Mep: 1000 - Status: Ok
Backup link - Local Mep: 2000, Remote Mep: 1000 - Status: Ok
APS data
LOCAL
REMOTE
Active state:
NoRequest
NoRequest
Active transport:
working
working
APS channel requested: Yes
Yes
APS connection type:
bidirectional
bidirectional
Protection Type:
1To1
1To1
Revertive mode:
Yes
Yes
Page 69
T-Marc3208SH
ITU-T Y.1564 Next-Generation Carrier-Ethernet

Out-of-Service Test
Overview
The ITU-T Y.1564 defines an out-of-service test methodology as a new test standard, which goal is
to verify the configuration and performance of Ethernet-based services. Services are traffic streams
with specific attributes identified by different classifiers, such as 802.1q VLAN, 802.1ad and class of
service (CoS) profiles. These services are defined at the user-to-network interface (UNI) level with
different frame and bandwidth profiles, such as the services maximum transmission unit (MTU) or
frame size, committed information rate (CIR) and excess information rate (EIR).
Y.1564 focuses on the following indicators for service quality:
Bandwidth - this is a bit rate measure of the available or consumed data communication
resources expressed in bits/second or multiples of it (kilobits/s, megabits/s, etc.).
Frame transfer delay (FTD) (latency) - this is a measurement of the time delay between the
transmission and the reception of a frame. Typically this is a round-trip measurement, meaning
that the calculation measures both the near-end to far-end and far-end to near-end directions
simultaneously.
Frame delay variations (packet jitter) - this is a measurement of the variations in the time delay
between packet deliveries. As packets travel through a network to their destination, they are
often queued and sent in bursts to the next hop. There may be prioritization at random
moments, also resulting in packets being sent at random rates. Packets are therefore received at
irregular intervals. The direct consequence of this jitter is stress on the receiving buffers of the
end nodes where buffers can be overused or underused when there are large swings of jitter.
Frame loss - this is a measurement of the number of packets lost over the total number of
packets sent. Frame loss can be due to a number of issues such as network congestion or
errors during transmissions.
Key Objectives
The ITU-T Y.1564 methodology has the following main objectives:
Page 70
To serve as a network service-level-agreement (SLA) validation tool, ensuring that a service

meets its guaranteed performance settings in a controlled test time.
To ensure that all services carried by the network meet their SLA objectives at their maximum
committed rate, proving that under maximum load, network devices and paths can support all
the traffic as designed.
To perform medium- and long-term service testing, to validate that network elements can
properly carry all services while under stress during a soaking period.
Test Rates
ITU Y.1564 defines three test rates based on the MEF service attributes for Ethernet virtual circuit
(EVC) and UNI bandwidth profiles.
CIR denes the maximum transmission rate for a service where it is guaranteed certain
performance objectives; these objectives are typically defined and enforced via SLAs.
EIR denes the maximum transmission rate above the committed information rate
considered as excess traffic. This excess traffic is forwarded as the capacity allows and is not
subject to meeting any guaranteed performance objectives (best effort forwarding)
Overshoot rate denes a testing transmission rate above CIR or EIR and is used to ensure
that the DUT or network under test does not forward more traffic than specified by the CIR
or EIR of the service.
Methodology
The ITU-T Y.1564 is built around two key subtests, the service-configuration test and the serviceperformance test, which are performed in order:
Service configuration test-the test is designed to measure the ability of the device or the
network under test to properly forward in three different states:
In the CIR phase, where performance metrics for the service are measured and compared
to the SLA performance objectives
In the EIR phase, where performance is not guaranteed and the services transfer rate is
measured to ensure that CIR is the minimum bandwidth
In the discard phase, where the service is generated at the overshoot rate and the expected
forwarded rate is not greater than the committed information rate or excess rate
Service performance test-the test measures the ability of the device or network under test to
forward multiple services, while maintaining SLA conformance for each service. Services are
generated at the CIR, where performance is guaranteed, and pass/fail assessment is performed
on the key performance indicators (KPI) values for each service according to its SLA.
Bidirectional Test
The user can perform round-trip measurements with a loopback device. In this case, the results
reflect the average of both test directions, from the test set to the loopback point and back to the
test set. In this scenario, the loopback functionality can be performed by another test instrument in
Loopback mode or by a network interface device in Loopback mode.
Y.1564 Commands
Commands Hierarchy
device-name#
+ config terminal
+ [no] saa
Page 71
+ [no] profile PROFILE-NAME

- type y1564
+ [no] y1564
- [no] frame-delay <value>
- [no] frame-loss-ratio <value>
+ [no] test TEST-NAME TEST-OWNER

- profile PROFILE-NAME
- type y1564
- [no] shutdown
+ [no] y1564
- [no] domain DOMAIN-NAME
- [no] ma MA-NAME
- [no] mep <value>
- mode bi-test-loopback
- mode bi-test-head
- [no] c-vlan <vlan-id>
- [no] c-vlan-drop-eligible
- [no] c-vlan-priority <value>
- [no] cir <value>
- [no] cir-steps <value>
- [no] configuration-step-duration <value>

- [no] custom-data-size <value>
- [no] data-size <value>
- [no] domain DOMAIN-NAME

- [no] eir <value>
- [no] function {both | configuration | performance}

- [no] loopback-type {mac-swap | oam}
- [no] ma MA-NAME
- [no] mep <value>
- [no] pattern {none | null | null-crc | prbs |

prbs-crc}
- [no] performance-test-duration <value>
- [no] s-vlan-drop-eligible
- [no] s-vlan-priority <value>
- [no] target-type {mac | mep}

- [no] target-mep <value>
- [no] target-mac HH:HH:HH:HH:HH:HH

- [no] traffic-policing
- show profile name [NAME]
Page 72
- show test name [NAME] owner [NAME]
Table 9: Y.1564 Test Commands
Command
Description
config terminal
saa
Enters SAA Configuration mode
no saa
Removes SAA configurations such as profiles

and tests
profile PROFILE-NAME
Creates a SAA monitoring profile (up to 64

profiles) and enters SAA Profile mode:
no profile PROFILE-NAME
PROFILE-NAME: up to 32
characters, numbers and/or
letters
Removes the configured SAA profile
NOTE
You cannot remove a profile
associated with a running test.
type y1564
Selects the Y.1564 test.

The Y.1564 test measures performance
monitoring parameters:
Frame Delay and Frame Delay Variation

Frame Loss Ratio
y1564
Enters SAA Y1564 Profile Configuration mode
no y1564
Exits SAA Y1564 Profile Configuration mode
frame-delay <value>
Specifies the frame-loss ratio threshold for the

Y.1564 test:
value: in the range of <160000000> microseconds
1000000us
no frame-delay
Restores to default
frame-loss-ratio <value>
Specifies the frame-loss ratio threshold for the

Y.1564 test:
value: in the range <0-100> %,

with resolution of 0.001%
8.000%
no frame-loss-ratio
Restores to default
Page 73
Command
Description
test TEST-NAME TEST-OWNER
Specifies a SAA test and enters SAA Test

mode:
no test TEST-NAME TEST-OMNER
TEST-NAME: up to 32 characters
TEST-OWNER: the test-owner's

name
Removes the configured SAA test
type y1564
Selects the Y.1564 test.

The Y.1564 test measures performance
monitoring parameters:
Frame Delay and Frame Delay Variation

Frame Loss Ratio
Applies a profile to the specified Y.1564 test.
letters
y1564
Enters SAA Y1564 Configuration mode
no y1564
Exits SAA Y1564 Configuration mode
mode bi-test-loopback
Enters Y.1564 Test Loopback mode and

initiates the test Loopback (bidirectional).
mode bi-test-head
Enters Y.1564 Test Head mode and initiates

the test Head.
c-vlan <cvlan-id>
Specifies the C-VLAN ID in the generated test

packets:
c-vlan-id: in the range of <14094>
no c-vlan
Removes the configured C-VLAN ID
c-vlan-drop-eligible
Specifies the eligibility of the packets to be

discarded when congestion conditions are
encountered.
Packets are marked as drop ineligible
no c-vlan-drop-eligible
Restores to default
c-vlan-priority <value>
Specifies the C-VLAN priority of the packets:
6
no c-vlan-priority
Page 74
Restores to default
Command
Description
cir <value>
Specifies the maximum Committed

Information Rate (CIR) of the test packets:
value: in the range of <641000000> kbps
500000 kbps
no cir
Restores to default
cir-steps <value>
Specifies the number of steps in the CIR test:
4
no cir-step
Restores to default
configuration-step-duration
<value>
Specifies the Y.1564 test duration:

seconds
1 second
no configuration-step-duration
Restores to default
data-size <value>
Selects a pre-defined PDU size for which the

test is executed:
value: 64, 128, 256, 512, 1024,

1280, 1518, 1522, 1526, 1530,
1534, 2000, and 9000 bytes.
Use the below format to specify
more than one value:
Example:
data-size [ 64 128 1530]
no data-size <value>
Removes some of the selected values.
custom-data-size <value>
Specifies the size of the data packets:
no custom-data-size <value>
Removes some of the configured values.
domain DOMAIN-NAME
Selects a Maintenance Domain (MD) for the

test to operate on:
eir <value>
DOMAIN-NAME: up to 22
letters
Specifies the EIR value of test packets. This

value must be smaller than CIR value.

1000000> Kbps
0 Mbps
no eir
Restores to default
Page 75
Command
Description
function {both | configuration |
performance}
Specifies the test function:
configuration: performs cir

measurements with cir variations
specified by command cir-steps
for period 1 second to 1 minute
performance: performs cir

measurements with duration
specified by command
performance-test-duration.
The test is performed with a
single cir value.
both: performs both measurements
Both
no function
Restores to default
loopback-type {mac-swap | oam}
Specifies the type of the loopback testing:
mac-swap: swaps MAC source and

destination addresses of the
packet before looping it back.
The OpCode field remains the
same.
oam: swaps MAC source and

The OpCode field is changed from
LoopBack Message (LBM) to
LoopBack Reply (LBR).
The OpCode is a 1-octet field that identifies

the OAM PDU type.
OAM
no loopback-type
Restores to default
ma MA-NAME
Selects a Maintenance Association (MA) for

the test:
MA-NAME: up to 22 characters,
numbers and/or letters
mep <value>
Specifies the MEP ID of the test-head device:
Page 76
Command
Description
pattern {none | null | null-crc
| prbs | prbs-crc}
Specifies the test packet's pattern type:
none: arbitrary pattern
null: null signal without Cyclic

Redundancy Check (CRC)-32
null-crc: null signal with

Cyclic Redundancy Check (CRC)-32
prbs: Pseudo-Random Byte

Sequence (PRBS) without Cyclic
prbs-crc: Pseudo-Random Byte

Sequence (PRBS)with Cyclic
PRBS
no pattern
Restores to default
performance-test-duration
<value>
Specifies the duration of a test:
value: the valid values are 15

and 30 minutes
15 minutes
no performance-test-duration
Restores to default
s-vlan-drop-eligible

encountered.
NOTE
The throughput test priority
must be lower than the CCM
priority.
no s-vlan-drop-eligible
Restores to default
s-vlan-priority <value>
Specifies the S-VLAN priority of the packets:
6
no s-vlan-priority
Restores to default
target-type {mac | mep}
Specifies the target type of the remote device:
target-mep <value>
mac: the destination is MAC

address
mep: the destination is MEP ID
Specifies the remote devices MEP ID:
no target-mep
Removes the configured MEP
target-mac HH:HH:HH:HH:HH:HH
Specifies the MAC address of the remote

device:
HH:HH:HH:HH:HH:HH: the MAC

address in a hexadecimal format
Page 77
Command
Description
no target-mac
Removes the configured MAC address
timeout <value>
Specifies the maximum timeout of the Y.1564

test packets:
value: In the range of <0-10000>

msec
1000 msec
no timeout
Restores to default
traffic-policing
Allows you to specify the test information rate

above CIR and EIR
Disabled
no traffic-policing
Restores to default
show profile name [NAME]
Displays information about the configured

Y.1564 test profiles:
show test name [NAME] owner [NAME]
profile name NAME: specific

profile
Displays results of Y.1564 tests:
test name NAME: specific test
owner NAME: specific owner
The following example demonstrates how to configure Y.1564 test.
1.
Configure theY.1564 head device:
Configure the packet size of the selected port:

Configure VLAN 300 on which the Y.1564 test is configured:

device-name(config)#vlan 300
device-name(config-vlan-300)#name v300
device-name(config-vlan-300)#no management
device-name(config-vlan-300)#tagged 1/1/1
device-name(config-tagged-1/1/1)#exit
device-name(config-vlan-300)#exit
Configure CFM:
device-name(config)#oam
device-name(config-oam)#cfm
Configure CFM domain:

Page 78
Configure MA:
device-name(config-ma-ma6)#vlan 300
Configure CFM:
Configure Y.1564 test profile thresholds:

device-name(config)#saa
device-name(config-saa)#profile 4
device-name(config-profile-4)#type y1564
device-name(config-profile-4)#y1564
device-name(config-y1564)#frame-loss-ratio 100000
device-name(config-y1564)#exit
device-name(config-profile-4)#exit
Configure Y.1564 test and apply Y.1564 test profile:

device-name(config-saa)#test LAB_TEST John
device-name(config-test-LAB_TEST/John)#type y1564
device-name(config-test-LAB_TEST/John)#profile 4
Configure Y.1564 test parameters:

device-name(config-test-LAB_TEST/John)#y1564
device-name(config-y1564)#mode bi-test-head
device-name(config-y1564)#domain d6
device-name(config-y1564)#ma ma6
device-name(config-y1564)#mep 3209
device-name(config-y1564)#target-type mep
device-name(config-y1564)#target-mep 3208
device-name(config-y1564)#cir 1000000
device-name(config-y1564)#cir-steps 1
device-name(config-y1564)#data-size [ 64 128 256 512 1024 1280 1518 1522
1526 1530 1534 2000 9000 ]
device-name(config-y1564)#custom-data-size 2500
2.
Configure theY.1564 loopback device:

Configure the packet size of the selected port:
Configure VLAN 300 on which the Y.1564 test is configured:

device-name(config-vlan-300)#name v300
device-name(config-vlan-300)#no management
Page 79
Configure CFM:
Configure CFM domain:

Configure MA:
Configure CFM:
Configure Y.1564 test parameters:

device-name(config-saa)#test LAB_TEST John
device-name(config-test-LAB_TEST/John)#type y1564
device-name(config-test-LAB_TEST/John)#y1564
device-name(config-y1564)#mode bi-test-loopback
Display configuration results:

device-name#show saa profile
=======================
Name
|Type
--------------+-------1
|y1731
2
|rfc2544
3
|rfc2544
4
|y1564
device-name#show saa profile name 4
Profile name
: 4
Profile type
: y1564
FrameLoss
:
FrameDelay
:
FrameDelayVariation :
100.000 %
1000000 us
300000 us
device-name#show saa test

==============================================================================
Name
|Owner
|Profile
|Type
|State
|Status
----------------+----------------+----------------+--------+---------+--------
Page 80
2
3
20
Y1
RFC_John
LAB_TEST
device-name#show
Test name
Test owner
Test type
Test mode
State
Status
Function
Profile name
Cfm domain
Cfm ma
Source mep
Target mep
CIR
CIR steps
EIR
Traffic Policing
Pattern
Priority
DE flag
C-vlan Id
C-vlan Priority
C-vlan DE flag
Config duration
Perform duration
Timeout
Loopback type
Datasize
2000, 9000
Custom Datasize
|2
|3
|20
|1
|John
|John
|2
|2
|N/A
|1
|3
|4
|rfc2544
|rfc2544
|rfc2544
|y1731
|rfc2544
|y1564
|Shutdown
|Shutdown
|Shutdown
|Shutdown
|Shutdown
|Enabled
|N/A
|N/A
|N/A
|N/A
|Stopped
|Finished
saa test name LAB_TEST owner John

: LAB_TEST
: John
: y1564
: bi-test-head
: Enabled
: Finished
: Configuration
: 4
: d6
: ma6
: 3209
: 3208
: 1000000
: 2
: 0
: Not set
: prbs
: 5
: Not set
: Not set
: 0
: Not set
: 1 seconds
: 15 min
: 1.0 seconds
: oam
: 64, 128, 256, 512, 1024, 1280, 1518, 1522, 1526, 1530, 1534,
: 2500
-----------------------------------------------------------------------| Step 1
CIR: 50000Kbps
Status: Pass
|
-----------------------------------------------------------------------| Size |
IR
|
FLR
|
FTD
|
FDV
|
+--------+-------------+-----------+-----------------+-----------------+
|
64 | 500000Kbps |
0.000 % |
17.354 us |
2.560 us |
+--------+-------------+-----------+-----------------+-----------------+
|
128 | 500000Kbps |
0.000 % |
21.335 us |
1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
|
256 | 500000Kbps |
0.000 % |
29.798 us |
1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
|
512 | 500000Kbps |
0.001 % |
46.169 us |
1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1024 | 500000Kbps |
0.003 % |
78.985 us |
1.024 us |
Page 81
+--------+-------------+-----------+-----------------+-----------------+
| 1280 | 500000Kbps |
0.004 % |
95.378 us |
1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1518 | 500000Kbps |
0.004 % |
110.517 us |
1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1522 | 500000Kbps |
0.004 % |
111.008 us |
2.048 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1526 | 500000Kbps |
0.004 % |
111.168 us |
1.536 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1530 | 500000Kbps |
0.004 % |
111.547 us |
1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1534 | 500000Kbps |
0.004 % |
111.692 us |
1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 2000 | 500000Kbps |
0.006 % |
141.074 us |
0.512 us |
+--------+-------------+-----------+-----------------+-----------------+
| 2500 | 500000Kbps |
0.008 % |
174.080 us |
0.000 us |
+--------+-------------+-----------+-----------------+-----------------+
| 9000 | 500000Kbps |
0.043 % |
446.637 us |
1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
Result: Pass
-----------------------------------------------------------------------| Step 2
CIR: 50000Kbps
Status: Pass
|
-----------------------------------------------------------------------| Size |
IR
|
FLR
|
FTD
|
FDV
|
+--------+-------------+-----------+-----------------+-----------------+
|
64 | 1000000Kbps | 99.646 % |
127.395 us |
786.944 us |
+--------+-------------+-----------+-----------------+-----------------+
Result: Pass
Page 82
ITU-T Y.1731 SAA In-Service Test

Service Assurance Application (SAA) in-service tests monitor and analyze network performance
and service quality.
Following are the performance monitoring parameters:
Frame Delay and Frame Delay Variation Measurement (ETH-DM)

One-way ETH-DM (using 1DM PDU)
Two-way ETH-DM (using DMM and DMR PDUs)
Frame Loss (ETH-LM)

Based on in-profile service frame counters
Dual-ended ETH-LM (using CCM PDU)
Single-ended ETH-LM (using LMM and LMR PDUs)
An SAA includes measurements are specified by the ITU-T Y-1731 standard and interpreted by the
Metro Ethernet Forum (MEF) standards group.
SAA compares test results to predefined SLA thresholds and sends notification when the threshold
is crossed.
In case of simultaneously working SAA tests, it is recommended to use one second
interval. Otherwise high CPU use occurs.
Frame Loss (ETH-LM)

Frame Loss Measurement function (ETH-LM) maintains counters of received and transmitted
service frames between a pair of MEPs. These counters are used to calculate frame loss ratio, which
is a ratio of the number of service frames not delivered, divided by the total number of service
frames during a time interval. The number of service frames not delivered is the difference between
the number of service frames arriving at the ingress Ethernet flow point and the number of service
frames delivered at the egress Ethernet flow point in a point-to-point Ethernet connection.
Dual-ended LM and single-ended LM are two ways ETH-LM can be performed. To perform dualended LM, each MEP proactively sends periodic CCM frames to its peer MEP. Each peer MEP
terminates the CCM frames and performs near-end and far-end loss measurements using local
counters and counter values in the received CCM frames.
To perform single-ended LM, a MEP sends LM request (LMM) frames to its peer MEP upon an
on-demand administrative trigger. The peer MEP responds with LM reply (LMR) frames. Using
counter values in LMR frames and its local counter value, a MEP performs near-end and far-end
loss measurements. The following are the dual-ended and single-ended frame loss formulas.
Page 83
ETH-DM Frame Delay and Frame Delay Variation Measurement

(ETH-DM)
When a MEP is enabled to perform the frame delay and frame delay variation measurement
function (ETH-DM), it periodically sends frames with ETH-DM information to its peer MEP. It
receives frames with ETH-DM information from its peer MEP. MEPs can use one of two
methods to perform ETH-DM, one-way ETH-DM or two-way ETH-DM.
For one-way ETH-DM to work properly, clocks on the peer MEPs must be synchronized. The
sending MEP sends 1DM frames including timestamp at transmission time. The receiving MEP
calculates the frame delay using the timestamp at the reception of the 1DM frame and the
timestamp in the 1DM frame. For one-way frame delay variation measurement, clock
synchronization on the peer MEPs is not required. The out-of-phase period can be removed by the
difference of subsequent frame delay variation measurements. If clocks on peer MEPs are not
synchronized, a MEP can measure frame delay using two-way ETH-DM. When two-way DM is
enabled, a MEP sends ETH-DM request (DMM) frames including timestamp at transmission time.
The receiving MEP copies the timestamp into ETH-DM Reply (DMR) and sends that DMR back
to the sending MEP. The sending MEP receives the DMR and calculates the two-way frame delay
using the timestamp in the DMR and the timestamp at reception of the DMR. Frame delay
variation measurement is done by calculating the difference between two subsequent two-way
frame delay measurements.
ITU-T Y.1731 SAA In-Service Configuration Flow
Page 84
Figure 16: ITU-T Y.1731 SAA In-Service Configuration Flow
ITU-T Y.1731 SAA In-Service Configuration Commands

This section defines the command hierarchy for the SAA In-Service test and provides a list of
Command Hierarchy
device-name#
+ config terminal
+ [no] saa
- type {y1731 | y1731-slm}

+ [no] y1731
- [no] delay-far-end <value>
- [no] delay-near-end <value>
- [no] frameloss-far-end <value>
- [no] frameloss-near-end <value>

- [no] jitter-far-end <value>
- [no] jitter-near-end <value>

- type y1731
+ [no] y1731
- mode {loopback | test}
- [no] delay-method {average | ppercentile}

- [no] delay-p-value <value>
- [no] frequency <value>
- [no] function {both | delay-measurement

| loss-measurement}
- [no] history <value>
- [no] interval <value>
- [no] jitter-method {p-percentile | peakto-peak | variance}

- [no] jitter-p-value <value>
- domain DOMAIN-NAME
- mep <value>
- [no] mode {loopback | test}

- [no] period <value>
Page 85

- target-type {mac | mep}

- [no] ma MA-NAME
- [no] shutdown
- show saa test [name TEST-NAME owner TEST-OWNER]
- show saa profile [name PROFILE-NAME]
Table 10: ITU-T Y.1731 SAA In-Service Test Commands
Command
Description
config terminal
saa
no saa

and tests

letters
NOTE
type y1731
Selects SAA Y1731 test

y1731
no y1731
delay-far-end <value>
Specifies the one-way delay threshold from

the test-loopback to the test-head device:

60000000> microseconds
1000000 microsecond
no delay-far-end
Restores to default
delay-near-end <value>

the test-head to the test-loopback device:

1000000 microsecond
no delay-near-end
Page 86
Restores to default
Command
Description
frameloss-far-end <value>
Specifies the one-way frame loss ratio from


100000>. The resolution is
0.001%.
8%
no frameloss-far-end
Restores to default
frameloss-near-end <value>


0.001%.
8%
no frameloss-near-end
Restores to default
jitter-far-end <value>
Specifies the one-way jitter threshold from the

test-loopback to the test-head device:

300000 microseconds
no jitter-far-end
Restores to default
jitter-near-end <value>

test-head to the test-loopback device:

300000 microseconds
no jitter-near-end
Restores to default

mode:

name
type y1731
Selects SAA Y1731 test

letters
y1731
no y1731
Page 87
Command
Description
mode {loopback | test}
Specifies type of test:
loopback: enters Loopback mode

and initiates the test Tail,
which is the passive part of the
SAA test.
The test Tail receives delay measurement

messages (DMM) and loss measurement
messages (LMM) and replies to them by
sending delay measurement replies (DMR)
and loss measurement replies (LMR).
test: enters Test mode and

initiates the test Head, which
is the active part of the SAA
test.
The test Head sends DMM and LMM packets

to the Tail, and gathers statistics for near-end
(NE) and far-end (FE) frame loss, one-way
and two-way delay and jitter.
The test Head replies to DMM and LMM
packets sent by another test Head.
function {both | delaymeasurement | lossmeasurement}
Supported only for Loopback mode and

Test mode.
Specifies the test function:
delay-measurement: performs only

delay measurements
loss-measurement: performs only

loss measurements
both: performs loss and delay

measurements
Both loss and delay measurements are

calculated
no function
Restores to default
domain DOMAIN-NAME
Specifies a Maintenance Domain (MD) for the

test.
letters
mep <value>
Specifies the test's source MEP ID:
ma MA-NAME

the test to operate on:
Page 88
Command
Description
delay-method {average | ppercentile}
Supported only for Test mode.

Specifies the delay calculation method:
average: selects a delay

average, measured by all packets
p-percentile: selects the OAM ppercentile method
Average
no delay-method
Restores to default
delay-p-value <value>
Supported only for Test mode and when

the OAM p-percentile method is used.
Specifies the OAM p-percentile method:
value: in the range of <1100>,

in percent
50%
no delay-p-value
Restores to default
frequency <value>

Specifies the time interval for repeating the
SAA test:

seconds
1 second
no frequency
Restores to default
history <value>

Specifies the number of test results kept in the
history database:
96
no history
Restores to default
interval <value>

Specifies the time interval used by the SAA
test to collect data before calculating results.
The results are stored in the history database.

seconds
900 seconds
no interval
Restores to default
Page 89
Command
Description
jitter-method {ppercentile | peak-topeak | variance}
Specifies the jitter threshold calculation

method:
p-percentile: specifies the OAM

p-percentile method
variance: specifies a simple

variance of all packets' delays
peak-to-peak: specifies the

difference between the maximum
and minimum frame delay
Variance
no jitter-method
Restores to default
jitter-p-value <value>
Supported only for Test mode and when

the OAM p-percentile method is used.
Specifies the OAM p-percentile method:
value: in the range of <1100>,

in percent
50%
no jitter-p-value
Restores to default
mode {loopback | test}
Switches between modes.
period <value>

Specifies the time interval between packets,
sent by the SAA test:
value: in the range of <10010000> milliseconds
1000 millisecond
no period
Restores to default
priority <value>

Specifies the packets priority, sent by the test:
NOTE
To measure configured priority
correctly, change QoS traffic trust
mode from untrust to trust-priority on
the test-head devices, test-tail devices,
and all devices between.
no priority
Restores to default
target-mep <value>

no target-mep
Page 90
Command
Description
target-mac
HH:HH:HH:HH:HH:HH

device:
no target-mac


timeout <value>

address

Specifies the timeout interval for each packet.
If a reply is not received within the timeout
period, the packet is assumed to be lost.

seconds
3 seconds
no timeout
Restores to default
shutdown
Disables a SAA test

All tests are in disabled state
no shutdown
Enables a SAA test
NOTE
Before enabling the SAA test,
use the commit command to
save the unapplied SAA test
configuration. After enabling
the SAA test, use again the
commit command to confirm
the change.
show saa test [name TEST-NAME owner TESTOWNER]
show saa profile [name PROFILE-NAME]
Displays the SAA test configurations:
name TEST-NAME: (optional)

displays a specific test
configuration and results if the
mode is set to test
owner TEST-OWNER: (optional)

displays SAA text configuration
and results if the mode is set
to test for the selected tests
owner
Displays the SAA profile configuration:
name PROFILE-NAME: (optional)

displays a specific profile
configuration
Note: You cannot change configuration for an enabled test.
Page 91
The following example shows how to configure the SAA In-Service test on two devices.
Figure 17: Two Devices in SAA In-Service Test Mode
Configuring the Test-Head Device
1.
Configure the SAA In-Service test profile:

device-name(config-saa)#profile prof1
device-name(config-profile-prof1)#type y1731
device-name(config-profile-prof1)#y1731
device-name(config-y1731)#delay-near-end 1000
device-name(config-y1731)#delay-far-end 1000
device-name(config-y1731)#jitter-near-end 1200
device-name(config-y1731)#jitter-far-end 1500
device-name(config-y1731)#frameloss-near-end 9999
device-name(config-y1731)#frameloss-far-end 9999
device-name(config-y1731)#commit
Commit complete.
device-name(config-profile-prof1)#exit
2.
Enable the SAA In-Service test:

device-name(config-saa)#test test1 user
device-name(config-test-test1/user)#type y1731
device-name(config-test-test1/user)#profile prof1
device-name(config-test-test1/user)#y1731
device-name(config-y1731)#mode test
device-name(config-y1731)#delay-method average
device-name(config-y1731)#frequency 60
device-name(config-y1731)#function both
Page 92
device-name(config-y1731)#history 50
device-name(config-y1731)#interval 60
device-name(config-y1731)#jitter-method variance
device-name(config-y1731)#period 1000
device-name(config-y1731)#priority 6
device-name(config-y1731)#target-type mep
device-name(config-y1731)#target-mep 7124
device-name(config-y1731)#timeout 5
Commit complete.
device-name(config-test-test1/user)#no shutdown
device-nameconfig-test-test1/user)#commit
Commit complete.
device-name(config-test-test1/user)#end
3.
Display SAA In-Service test results:

device-name#show
Test name
Test owner
Test type
Test mode
State
Status
Profile name
Cfm domain
Cfm ma
Source mep
Target mep
Frequency
Timeout
History
Clocks in sync
Interval
Period
Priority
Functions
Delay method
Jitter method
saa test name test1 owner user

: test1
: user
: y1731
: test
: Enabled
: Started
: prof1
: d6
: ma6
: 3208
: 7124
: 60
: 5 seconds
: 50
: No
: 60 sec
: 1000 msec
: 6
: both
: average
: variance
Interval Id: 2
Results
Timeouts: 0
Errors: 0
Delay
(NE):
Jitter
(NE):
FrameLoss (NE):
Sent Pkts (NE):
Rcvd Pkts (NE):
gathered: 120
Sent Pkts: 120
1.234 us
Delay
0.050 us
Jitter
0.001 %
FrameLoss
1000000
Sent Pkts
200000
Rcvd Pkts
(FE):
(FE):
(FE):
(FE):
(FE):
1.234 us
0.020 us
0.000 %
200000
999999
Configuring the Test-Loopback Device
Page 93
4.
Configure the SAA In-Service test:

device-name(config)#saa profile prof1
device-name(config-profile-prof1)#type y1731
device-name(config-profile-prof1)#y1731
device-name(config-y1731)#delay-far-end 1000
device-name(config-y1731)#delay-near-end 1000
device-name(config-y1731)#frameloss-far-end 9999
device-name(config-y1731)#frameloss-near-end 9999
device-name(config-y1731)#jitter-far-end 1500
device-name(config-y1731)#jitter-near-end 1200
Commit complete.
device-name(config-profile-prof1)#exit
5.
Enable the SAA In-Service test:

device-name(config-saa)#test test1 user
device-name(config-test-test1/user)#type y1731
device-name(config-test-test1/user)#profile prof1
device-name(config-test-test1/user)#y1731
device-name(config-y1731)#mode loopback
device-name(config-y1731)#function both
Commit complete.
device-name(config-test-test1/user)#no shutdown
device-name(config-test-test1/user)#commit
Commit complete.
device-name(config-test-test1/user)#end
6.
Display SAA In-Service test results:

device-name#show
Test name
Test owner
Test type
Test mode
State
Status
Cfm domain
Cfm ma
Source mep
Functions
Page 94
saa test name test1 owner user

: test1
: user
: y1731
: loopback
: Enabled
: Started
: d6
: ma6
: 7124
: both
RFC 2544 SAA Out-of-Service Throughput Test

Overview
Service Assurance Application (SAA) out-of-service throughput tests use RFC 2544 methodologies
to measure and evaluate the performance of a device connection. These tests determine the
maximum bandwidth in which the device receives and forwards packets with frame loss lower than
a specified threshold.
To perform throughput measurement, a MEP sends test frames at increasing rate until frames start
getting dropped. The rate at which the frames start getting dropped is reported. Frame size is
configurable.
Two types of SAA Out-of-Service Throughput tests are supported:
Unidirectional type
Bi-directional type
CAUTION
Initiating these tests stops all traffic for evaluated services on test devices.
NOTE
Due to the heavy traffic flow, only one SAA throughput test can run on a test device at a
time.
SAA Unidirectional Throughput Test

The SAA unidirectional throughput test provides measurements of different rates (duration,
maximum rate of test packets, maximum timeout, and list of data sizes) for egress traffic (see the
following figure). This test measures the frame loss ratio between the test packets sent by the testhead and the ones received by the test-tail. The results are compared with a predefined threshold.
Figure 18: Unidirectional Test
Page 95
To perform the SAA Unidirectional Throughput test, define the following parameters:
Test-head (source) and test-tail (target) within an existing domain
PDU sizes for the selected test: the test calculates performance for each PDU size (64, 128,
256, 512, 1024, 1280, 1518, 2000, 9000 bytes), and displays the results per PDU size.
Maximum traffic rate and the ratio between constant and burst traffic: the test sends two
traffic streams from the test-head simultaneously:
Stream 1: The constant traffic rate (simulating the Committed Information Rate (CIR)).
The stream uses 90% of the maximum traffic rate by default.
Stream 2: The burst traffic rate (simulating the Committed Burst Size [CBS]). The stream
uses the remaining ten percent of the maximum traffic rate by default.
Burst size (in kbps) for Stream 2, the CBS size
Test duration per selected PDU size
When performing a Unidirectional Throughput test:
The test-tail calculates the packet count for each test sequence and sends the results to the testhead. The test-head reduces the test rate or continues to the next PDU size.
To ensure notification delivery, the test-tail keeps sending results until the test-head sends a
reply to the test-tail or until it reaches the configured timeout.
The test ends if the test-head does not receive the message.
SAA Bi-Directional Throughput Test

The SAA Bi-Directional Throughput test is based on the end-to-end unicast loopback test (see the
following figure). This test measures the frame loss ratio between test packets sent by the test-head
and ones received by the test-loopback. The results are compared with a predefined threshold.
Figure 19: End-to-End Unicast Loopback Test
The bi-directional throughput test generates test frames using 802.1ag LBM/LBR format.
To perform the SAA Bi-Directional throughput test, define the following parameters:
Page 96
Test-head (source) and test loopback (target) within an existing domain
PDU sizes for the selected test. The test calculates performance for each PDU size (64, 128,
256, 512, 1024, 1280, 1518, 1530, 2000, 9000 bytes), and displays test results per PDU size.
Committed Information Rate (CIR), expressed in Mbps
The test duration per selected PDU size

Select one of the following loopback types:

MAC-Swap: Swaps the MAC source and destination addresses of the packet before
looping the packet back. The OpCode field remains the same.
OAM: Swaps the MAC source and destination addresses of the packet before looping the
packet back. The OpCode field is changed from LoopBack Message (LBM) to LoopBack
Reply (LBR).
When performing a Bi-Directional Throughput test:
The test transmits PDUs at the defined CIR rate for the test duration to determine whether
the frame loss differs from the threshold.
After completing packet transmission, the test is suspended for a length of time equal to the
maximum latency at which all packets arrive.
Transmitted PDU has an ID (sequence number) and timestamp used for statistics calculation.
If frame loss is higher than the maximum frame loss percentage, the test-head repeats the test
at a lower rate until frame loss is within the configured SLA range.
SAA Out-of-Service Throughput Configuration Flow
Figure 20: SAA Out-of-Service Throughput Configuration Flow
Page 97
SAA Out-of-Service Throughput Configuration Commands

This section defines the command hierarchy for the SAA Out-of-Service Throughput test and
provides a list of available commands. Included also, is a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ [no] saa

- type rfc2544
+ [no] rfc2544
[no] frameloss <value>

- type rfc2544
- [no] shutdown
+ [no] rfc2544
- mode bi-test-head
- mode bi-test-loopback
- mode uni-test-head
- mode uni-test-tail
- [no] burst-percentage <value>
- [no] c-vlan <cvlan-id>
- [no] c-vlan-drop-eligible
- [no] c-vlan-priority <value>
- [no] cir <value>
- [no] cbs <value>
- [no] data-size <value>
- [no] custom-data-size <value>
- [no] duration <value>
- [no] loopback-type {mac-swap | oam}

- ma MA-NAME
- mep <value>
- mode {bi-test-head | bi-test-loopback | uni-testhead | uni-test-tail}

- [no] pattern {none | null | null-crc | prbs |
prbs-crc}
- [no] result-ack-timeout <value>
- [no] s-vlan-drop-eligible
Page 98
- [no] s-vlan-priority <value>


Table 11: SAA Out-of-Service Throughput Commands
Command
Description
config terminal
saa
no saa
Removes SAA configuration details such as

profiles and tests
Creates a monitoring SAA profile (up to 64

characters
NOTE
type rfc2544
Selects the RFC2544 test.

The RFC2544 test measures throughput,
delay and variation across Ethernet networks.
rfc2544
Enters SAA RFC2544 Profile Configuration

mode
no rfc2544
Exits SAA RFC2544 Profile Configuration

mode
frameloss <value>
Supported only for unidirectional and bidirectional test-heads.

Specifies the allowed frame loss ratio
threshold in hundredths of the percent:
0
no frameloss
Restores to default
Page 99
Command
Description

mode:

name
type rfc2544
Selects the RFC2544 test.

The RFC2544 test measures throughput,
delay and variation across Ethernet networks.
Applies a profile to the specified RFC2544

test:
letters
rfc2544
Enters SAA RFC2544 Test Configuration

mode
no rfc2544
Exits SAA RFC2544 Test Configuration mode
mode {bi-test-head | bi-testloopback | uni-test-head |

uni-test-tail}
burst-persentage <value>
Specifies the type of the SAA RFC2544 test:
bi-test-head: bi-directional
throughput test
bi-test-loopback: test-loopback
functionality during a bidirectional test
uni-test-head: unidirectional
throughput test
uni-test-tail: test-tail
functionality during a
unidirectional throughput test
Supported only for the unidirectional testhead.

Specifies the amount of bursty traffic:
value: in the range of <0-100>,

in percent
10%
no burst-persentage
Restores to default
c-vlan <cvlan-id>
Specifies the C-VLAN ID in the generated test

packets:
no c-vlan
Page 100
c-vlan-id: in the range of <14094>
Removes the configured C-VLAN ID
Command
Description
c-vlan-drop-eligible

encountered.
no c-vlan-drop-eligible
Restores to default
c-vlan-priority <value>

Specifies the C-VLAN priority of the packets:
6
no c-vlan-priority
Restores to default
cbs <value>
Supported only for the unidirectional testhead.


KB
1 MB
no cbs
Restores to default
cir <value>

Specifies the maximum Committed
Information Rate (CIR) of the test packets:
value: in the range of <641000000> kbps
500000 kbps
no cir
Restores to default
data-size <value>

Selects a pre-defined PDU size for which the
test is executed:
value: 64, 128, 256, 512, 1024,

1280, 1518, 1522, 1526, 1530,
1534, 2000, and 9000 bytes.
Use the below format to specify
more than one value:
Example:
data-size [ 64 128 1530]
no data-size <value>
Removes some of the selected values.
custom-data-size <value>
Specifies the size of the data packets:
no custom-data-size <value>
Removes some of the configured values.
Page 101
Command
Description
domain DOMAIN-NAME
Selects a Maintenance Domain (MD) for the

test to operate on:
duration <value>
letters

Specifies the test duration:

seconds
5 seconds
no duration
Restores to default
loopback-type {mac-swap | oam}
Supported only for bi-directional testheads.

Specifies the type of the loopback testing:
mac-swap: swaps MAC source and

The OpCode field remains the
same.
oam: swaps MAC source and

The OpCode field is changed from
LoopBack Message (LBM) to
LoopBack Reply (LBR).
The OpCode is a 1-octet field that identifies

the OAM PDU type (see the ITU-T
Recommendation Y.1731).
OAM
no loopback-type
Restores to default
ma MA-NAME

the test:
mep <value>
Specifies the MEP ID of the test-head device:
Page 102
Command
Description
uni-test-tail}
pattern {none | null | null-crc

| prbs | prbs-crc}
Specifies the type of the SAA RFC2544 test:
throughput test
throughput test
unidirectional throughput test

Specifies the test packet's pattern type:
none: arbitrary pattern
null: null signal without Cyclic

null-crc: null signal with

Cyclic Redundancy Check (CRC)-32
prbs: Pseudo-Random Byte

Sequence (PRBS) without Cyclic
prbs-crc: Pseudo-Random Byte

Sequence (PRBS)with Cyclic
PRBS
no pattern
Restores to default
result-ack-timeout <value>
Supported only for unidirectional testhead.

Specifies the time the test-head waits for an
inform acknowledgment from the test-tail. If no
acknowledgment is received within the
timeout period, the test-head stops the test.

seconds
5 seconds
no result-ack-timeout
Restores to default
Page 103
Command
Description
s-vlan-drop-eligible

encountered.
NOTE
The throughput test priority
must be lower than the CCM
priority.
no s-vlan-drop-eligible
Restores to default
s-vlan-priority <value>

Specifies the S-VLAN priority of the packets:
6
no s-vlan-priority
Restores to default
target-mep <value>
no target-mep
target-mac HH:HH:HH:HH:HH:HH

device:
no target-mac


timeout <value>

address
Specifies the timeout interval for the test

packet. If a reply is not received within the
timeout period, the packet is assumed to be
lost.

x100 milliseconds
1 seconds
no timeout
Page 104
Restores to default
Command
Description
shutdown
Disables a SAA test

all tests are in a disabled state
no shutdown
Enables a SAA test
NOTE
Before enabling the SAA test, use
the commit command to save the
unapplied SAA test configuration.
After enabling the SAA test, use
again the commit command to
confirm the change.
Displays the SAA test configuration:

mode is set to test

owner

configuration
Note: You cannot change configuration for an enabled test.
The following example shows how to configure the SAA Out-of-Service Throughput test on two
devices.
Figure 21: Two Devices in SAA Out-of-Service Throughput Test Mode
Page 105
Configuring the Test-Head Device
1.
Configure a profile for SAA Out-of-Service test:

device-name(config-profile-1)#type rfc2544
device-name(config-profile-1)#rfc2544
device-name(config-rfc2544)#frameloss 10000
device-name(config-rfc2544)#commit
Commit complete.
device-name(config-rfc2544)#exit
2.
Enable the SAA Out-of-Service test:

device-name(config-saa)#test 2 2
device-name(config-test-2/2)#type rfc2544
device-name(config-test-2/2)#profile 1
device-name(config-test-2/2)#shutdown
device-name(config-test-2/2)#rfc2544
device-name(config-rfc2544)#mode bi-test-head
device-name(config-rfc2544)#domain d6
device-name(config-rfc2544)#ma ma6
device-name(config-rfc2544)#mep 3208
device-name(config-rfc2544)#target-type mep
device-name(config-rfc2544)#target-mep 7124
device-name(config-rfc2544)#cir 1000000
device-name(config-rfc2544)#data-size 64
device-name (config-rfc2544)#data-size 9000
device-name(onfig-rfc2544)#commit
Commit complete.
device-name(config-test-2/2)#no shutdown
ddevice-name(config-test-2/2)#commit
Commit complete.
device-name(config-test-2/2)#end
3.
Display SAA Out-of-Service test results:

device-name#show
Test name
Test owner
Test type
Test mode
State
Status
Page 106
saa test name 2 owner 2

: 2
: 2
: rfc2544
: bi-test-head
: Enabled
: Finished
Profile name
Cfm domain
Cfm ma
Source mep
Target mep
CIR
Pattern
Priority
DE flag
Duration
Timeout
Datasize
Loopback type
:
:
:
:
:
:
:
:
:
:
:
:
:
1
d6
ma6
3208
7124
1000000
prbs
6
0
5 seconds
10 seconds
64, 128, 256, 512, 1024, 1280, 1518, 2000, 9000
oam
---------------------------------------------------------------| Size | Successful rate | Net Successful rate | Frame-loss |

+--------+-----------------+---------------------+-------------+
|
64 |
1000000Kbps
|
761904Kbps
|
1.576 % |
|
128 |
1000000Kbps
|
864864Kbps
|
0.513 % |
|
256 |
1000000Kbps
|
927536Kbps
|
0.015 % |
|
512 |
1000000Kbps
|
962406Kbps
|
0.004 % |
| 1024 |
1000000Kbps
|
980842Kbps
|
0.000 % |
| 1280 |
1000000Kbps
|
984615Kbps
|
0.473 % |
| 1518 |
1000000Kbps
|
986996Kbps
|
0.008 % |
| 2000 |
1000000Kbps
|
990099Kbps
|
0.000 % |
| 9000 |
1000000Kbps
|
997782Kbps
|
0.000 % |
+--------+-----------------+---------------------+-------------+
---------------------------------------------------------------| Size |
Min Delay
|
Avg Delay
|
Max Delay
|
+--------+-----------------+-----------------+-----------------+
|
64 |
14.336 us |
47.807 us |
53.760 us |
|
128 |
16.384 us |
66.643 us |
78.336 us |
|
256 |
19.456 us |
95.708 us |
125.440 us |
|
512 |
28.160 us |
133.010 us |
221.184 us |
| 1024 |
44.544 us |
151.638 us |
258.048 us |
| 1280 |
51.712 us |
158.837 us |
264.704 us |
| 1518 |
59.904 us |
167.333 us |
273.408 us |
| 2000 |
74.240 us |
181.933 us |
287.744 us |
| 9000 |
294.400 us |
400.991 us |
506.880 us |
+--------+-----------------+-----------------+-----------------+
The Successful traffic rate is the total number of physically transferred bits per second over the
communication link, including useful data as well as protocol overhead.
The Net Successful rate is the capacity excluding the physical layer protocol overhead; it is
calculated by the following formula:
NetSuccRate = SuccRate*PDUSIZE/(PDUSIZE+160),
where SuccRate is the measured Successful traffic rate, PDUSIZE is the packets size, and the 160
bytes includes 96 interframe gap (IFG) bites, and 64 preamble bytes.
Page 107
Configuring the Test-Loopback Device
1.
Configure a profile for SAA Out-of-Service test:

device-name(config-profile-1)#type rfc2544
device-name(config-rfc2544)#frameloss 10000
2.
Enable the SAA Out-of-Service test:

device-name(config-saa)# test 2 2
device-name(config-test-2/2)#type rfc2544
device-name(config-test-2/2)#profile 1
device-name(config-test-2/2)#shutdown
device-name(config-test-2/2)#rfc2544
device-name(config-rfc2544)#mode bi-test-loopback
device-name(config-rfc2544)#domain d6
device-name(config-rfc2544)#ma ma6
device-name(config-rfc2544)#mep 3208
Commit complete.
device-name(config-test-2/2)#no shutdown
device-name(config-test-2/2)#commit
Commit complete.
device-name(config-test-2/2)#end
3.
Display SAA Out-of-Service test configuration:

device-name#show
Test name
Test owner
Test type
Test mode
State
Status
Cfm domain
Cfm ma
Source mep
Page 108

: 2
: 2
: rfc2544
: bi-test-loopback
: Enabled
: Running
: d6
: ma6
: 3208

Synthetic Frame Loss Measurement (ETH-SLM)
Synthetic Loss Measurement (SLM) is an extension of the existing Y.1731 feature, and makes use
of an additional functionality defined in the latest version of the ITU-T Y.1731 (2011) standard.
SLM measures frame loss and delay using synthetic frames instead of data traffic.
Ethernet Synthetic Loss Measurement (ETH-SLM) collects counter values applicable for ingress
and egress synthetic frames where the counters maintain a count of transmitted and received
synthetic frames between a pair of MEPs. ETH-SLM transmits synthetic frames with ETH-SLM
information to a peer MEP and similarly receives synthetic frames with ETH-SLM information
from the peer MEP.
Single-ended ETH-SLM
Each MEP transmits periodic dual-ended synthetic frames with ETH-SLM information to its peer
MEP in a point-to-point ME and facilitates frame loss measurements at the peer MEP.
Dual-ended ETH-SLM
The MEP sends frames with the ETH-SLM request information to its peer MEPs and receives
frames with ETH-SLM reply information from its peer MEPs to measure synthetic loss and delay.
Page 109
ITU-T Y.1731-SLM SAA Configuration Flow
Figure 22: ITU-T Y.1731-SLM In-Service Configuration Flow
ITU-T Y.1731-SLM SAA In-Service Configuration

Commands
This section defines the command hierarchy for the SAA In-Service test and provides a list of
Command Hierarchy
device-name#
+ config terminal
+ [no] saa

- type y1731-slm
Page 110
+ [no] y1731-slm
- [no] delay-far-end <value>
- [no] delay-near-end <value>
- [no] frameloss-far-end <value>
- [no] frameloss-near-end <value>

- [no] jitter-far-end <value>
- [no] jitter-near-end <value>

- type y1731-slm
+ [no] y1731-slm
- [no] mode {bi-test-head | bi-test-loopback |

uni-test-head | uni-test-tail}

- mep <value>
- ma MA-NAME
- [no] mode {bi-test-head | bi-testloopback | uni-test-head | uni-testtail}


- [no] interval <value>
- [no] drop-eligible
- [no] history <value>
- [no] pdu-size <value>
- [no] test-id <value>
- [no] gathering-interval <value>

- [no] include-delay-measurement
- [no] shutdown
Table 12: ITU-T Y.1731-SLM SAA In-Service Test Commands
Command
Description
config terminal
Page 111
Command
Description
saa
no saa

and tests

letters
NOTE
type y1731-slm
Selects SAA Y1731-SLM test

y1731-slm
Enters SAA Y1731-SLM Profile Configuration

mode
no y1731-slm
Exits SAA Y1731-SLM Profile Configuration

mode
delay-far-end <value>


1000000 microsecond
no delay-far-end
Restores to default
delay-near-end <value>


1000000 microsecond
no delay-near-end
Restores to default
frameloss-far-end <value>


0.001%.
8%
no frameloss-far-end
Restores to default
frameloss-near-end <value>


0.001%.
8%
Page 112
Command
Description
no frameloss-near-end
Restores to default
jitter-far-end <value>

test-loopback to the test-head device:

300000 microseconds
no jitter-far-end
Restores to default
jitter-near-end <value>

test-head to the test-loopback device:

300000 microseconds
no jitter-near-end
Restores to default

mode:

name
type y1731-slm
Selects SAA Y1731-SLM test

letters
y1731-slm
Enters SAA Y1731-SLM Profile Configuration

mode
no y1731-slm
Exits SAA Y1731-SLM Profile Configuration

mode

uni-test-tail}
Specifies the type of the SAA Y1731-SLM

test:
Y1731-SLM test
Y1731-SLM test
unidirectional Y1731-SLM test
Page 113
Command
Description
domain DOMAIN-NAME
Specifies a Maintenance Domain (MD) for the

test.
letters
mep <value>
Specifies the test's source MEP ID:
ma MA-NAME

the test to operate on:
frequency <value>
Supported only for Uni-test-tail mode and

Bi-test-head mode.
Specifies the time interval for repeating the
SAA test:

seconds
1 second
no frequency
Restores to default
history <value>
Supported only for Bi-test-head mode and

Uni-test-tail mode.
Specifies the number of test results kept in the
history database:
96
no history
Restores to default
interval <value>

Uni-test-tail mode.
Specifies the time interval used by the SAA
test to collect data before calculating results.
The results are stored in the history database.

seconds
900 seconds
no interval
Restores to default
period <value>

Uni-test-head mode.
Specifies the time interval between packets,
sent by the SAA test:
value: in the range of <10010000> milliseconds
1000 millisecond
Page 114
Command
Description
no period
Restores to default
priority <value>

Uni-test-head mode.
Specifies the packets priority, sent by the test:
NOTE
To measure configured priority
correctly, change QoS traffic trust
mode from untrust to trust-priority on
the test-head devices, test-tail devices,
and all devices between.
no priority
Restores to default
target-mep <value>
Supported only for Bi-test-head mode.

no target-mep
target-mac

Uni-test-head mode.
device:
HH:HH:HH:HH:HH:HH
no target-mac


Uni-test-head mode.

address
drop-eligible

Uni-test-head mode.
Specifies the eligibility of the synthetic packets
to be discarded when congestion conditions
are encountered.
no drop-eligible
Restores to default
pdu-size <value>

Uni-test-head mode.
Specifies the synthetic packets size:
value: in the range of <64-9000> bytes
128 bytes
Page 115
Command
Description
no pdu-size
Restores to default
test-id <value>

Uni-test-tail mode.
Specifies Y1831-SLM test ID:
no test-id
Removes the configured test ID
gathering-interval <value>
Supported only for Bi-test-head mode, Bitest-loopback mode, Uni-test-tail mode,

and Uni-test-head mode.
Specifies a time period at which the SAA
application gets refreshed counters from the
hardware.
value: 1sec,
2sec or
3sec
no gathering-interval
Removes the configured interval
mode {bi-test-head | bitest-loopback | unitest-head | uni-testtail}
Supported only for Bi-test-head mode, Bitest-loopback mode, Uni-test-head mode,

and Uni-test-tail mode.
Switches between modes.
include-delay-measurement
Supported only for Bi-test-head mode

(Y1731-SLM).
Includes delay measurement in the Y1731SLM test
Not included
no include-delaymeasurement
Restores to default
shutdown
Disables a SAA test

All tests are in disabled state
no shutdown
Enables a SAA test
NOTE
Before enabling the SAA test,
use the commit command to
save the unapplied SAA test
configuration. After enabling
the SAA test, use again the
commit command to confirm
the change.
Page 116
Displays the SAA test configurations:

mode is set to test

owner
Command
Description

configuration
Example
The following example demonstrates how to configure bi-directional Y1731-SLM test:
1.
Configure the Test-head device:

Device-name#config terminal
Device-name(config)#service tls 111
Device-name(config-tls-111)#no shutdown
Device-name(config-tls-111)#sap 1/1/1 c-vlan 1111
Device-name(config-c-vlan-1111)#sdp s-vlan 111 port 1/1/2
Device-name(config-port-1/1/2)#top
Device-name(config)#oam cfm
Device-name(config-cfm)#no shutdown
Device-name(config-cfm)#domain SLM level 1
Device-name(config-domain-SLM)#ma 11 service 111
Device-name(config-ma-11)#hello-interval 1s
Device-name(config-ma-11)#mep 1 bind-to 1/1/1:1111: direction up ccmenabled
Device-name(config-mep-1)#no shutdown
Device-name(config-mep-1)#top
Device-name(config)#saa profile SLM
Device-name(config-profile-SLM)#type y1731-slm
Device-name(config-profile-SLM)#top
Device-name(config)#saa test 111 111
Device-name(config-test-111/111)#type y1731-slm
Device-name(config-test-111/111)#profile SLM
Device-name(config-test-111/111)#y1731-slm
Device-name(config-y1731-slm)#mode bi-test-head
Device-name(config-y1731-slm)#include-delay-measurement
Device-name(config-y1731-slm)#domain SLM
Device-name(config-y1731-slm)#interval 60
Device-name(config-y1731-slm)#period 1sec
Device-name(config-y1731-slm)#gathering-interval 1sec
Device-name(config-y1731-slm)#history 1
Device-name(config-y1731-slm)#mep 1
Device-name(config-y1731-slm)#ma 11
Device-name(config-y1731-slm)#priority 6
Device-name(config-y1731-slm)#target-type mep
Device-name(config-y1731-slm)#target-mep 2
Device-name(config-y1731-slm)#pdu-size 1024
Device-name(config-y1731-slm)#test-id 111
Device-name(config-y1731-slm)#exit
Device-name(config-test-111/111)#no shutdown
Device-name(config-test-111/111)#commit
Page 117
Commit complete.
Device-name(config-test-111/111)#
2.
Configure the Test-loopback device:

Device-name(config)#service tls 111
Device-name(config-tls-111)#no shutdown
Device-name(config-tls-111)#sap 1/1/3 c-vlan 1111
Device-name(config-c-vlan-1111)#sdp s-vlan 111 port 1/1/4
Device-name(config)#oam cfm
Device-name(config-cfm)#no shutdown
Device-name(config-cfm)#domain SLM level 1
Device-name(config-domain-SLM)#ma 11 service 111
Device-name(config-ma-11)#hello-interval 1s
Device-name(config-ma-11)#mep 2 bind-to 1/1/3:1111: direction up ccmenabled
Device-name(config-mep-2)#no shutdown
Device-name(config-mep-2)#top
Device-name(config)#saa profile SLM
Device-name(config-profile-SLM)#type y1731-slm
Device-name(config-profile-SLM)#top
Device-name(config)#saa test 111 111
Device-name(config-test-111/111)#type y1731-slm
Device-name(config-test-111/111)#profile SLM
Device-name(config-test-111/111)#y1731-slm
Device-name(config-y1731-slm)#mode bi-test-loopback
Device-name(config-y1731-slm)#domain SLM
Device-name(config-y1731-slm)#mep 2
Device-name(config-y1731-slm)#ma 11
Device-name(config-y1731-slm)#test-id 111
Device-name(config-y1731-slm)#exit
Device-name(config-test-111/111)#no shutdown
Device-name(config-test-111/111)#commit
Commit complete.
3.
Display the Y1731-SLM configuration:

Device-name#show
Test name
Test owner
Test type
Test mode
State
Status
Profile name
Cfm domain
Cfm ma
Cfm mep
Target mep
Frequency
History
Clocks in sync
Page 118

: 111
: 111
: y1731-slm
: bi-test-head
: Enabled
: Running
: SLM
: SLM
: 1
: 11
: 2
: 1
: 1
: No
Interval
Period
Priority
Test-id
Pdu-size
DE flag
Gathering-int
Include-delay
Delay method
Jitter method
:
:
:
:
:
:
:
:
:
:
60 sec
1000 msec
6
111
1024
Unset
1 seconds
Yes
average
variance
Interval Id: 2
Delay
(NE):
Jitter
(NE):
FrameLoss (NE):
Sent Pkts (NE):
Rcvd Pkts (NE):
Results gathered: Thu Oct 1 14:29:07 2009

15.360 us
Delay
(FE):
0.181 us
Jitter
(FE):
0.000 %
FrameLoss (FE):
59
Sent Pkts (FE):
59
Rcvd Pkts (FE):
15.360 us
0.181 us
0.000 %
59
59
Page 119
T-Marc3208SH
Event Propagation
The Event Propagation feature allows you to configure automatic actions executed upon the
occurrence of specific events.
The feature acts upon receiving events from the events provider. It matches the received events
with pre-configured pairs of event-action and then forwards the matched action to the related
action performer.
To configure this feature, you have to define profiles grouping the event-action pairs. Profiles are
applied to various targets, such as SAPs or physical ports.
By enabling event propagation, the device:
detects a remote link failure or a local ports down status
disconnects a link to a peer device
restores the link to the peer device in case the event is reversed
To avoid flapping events, you can configure two timers per profile:
Event timer (hold-off): the interval from the time the event starts before the event propagation
disconnects a link or sends LDP MAC address withdraw message.
Revertive timer (wait-to-restore): the interval from the time the event is reversed before reversing the
Event Propagation action.
This feature is based on TLS and the CFM-OAM functionality. Therefore, it can function only on
devices where these features are enabled.
Page 120
Event Propagation Configuration Flow
Figure 23: Event Propagation Configuration Flow
Page 121
Event Propagation Command Hierarchy

device-name#
+ config terminal
+ [no] event-propagation profile <id>
- action {link-drop | mac-withdraw | none}
- event {ais-lck | con-lost | none | rcvd-tc-bpdu |

down}
status-
- [no] reverse {link-restore | none}
- [no] source {local-mep <id> | local-port {UU/SS/PP | agN} |

rem-mep <id>}
- [no] timer {hold-off <value> | wait-to-restore <value>}

- [no] threshold <value>
+ port {UU/SS/PP | agN}
- [no] event-propagation-profile <id>
+ service

| all | untagged}
- [no] event-propagation-profile <id>
- show event-propagation [profile <id> | session]
Table 13: Event Propagation Commands

Command
Description
config terminal
event propagation profile <id>
Specifies an event propagation profile and

enters Event Propagation Profile Configuration
mode:
no event propagation profile [<id>]
Removes the configured profiles:
action {link-drop | mac-withdraw |

none}
event {ais-lck | con-lost | none |

rcvd-tc-bpdu | status-down}
Page 122
id: a string of up to 32
letters
id: (optional) removes a specific
event-propagation profile
Specifies an action, the event-propagation

profile performs upon the configured event:
link-drop: drops the link
mac-withdraw: sends LDP MAC

address withdraw message
none: no action is performed
Specifies the expected event type:
Command
reverse {link-restore | none}
Description
ais-lck: the AIS (Alarm

Indication Signal) bit is
received
con-lost: the connectivity is

lost
none: no expected event
rcvd-tc-bpdu: xSTP-topologychange BPDU is received
status-down: the port is in down

state
Specifies the reverse action to be performed

when the configured event stops processing:
link-restore: restores the link
none: no action is performed
None
no reverse [link-restore | none]
source {local-mep <id> | local-port

{UU/SS/PP | agN} | rem-mep <id>}
Specifies the source from which the eventpropagation profile receives the configured
event:
Removes the configured action
local-mep <id>: receives events

from a local MEP with ID, in the
range of <18191>
local-port UU/SS/PP or agN:

receives events from a local port
or a group of ports
rem-mep <id>: receives events

from a remote MEP with ID, in the
range of<18191>
no source [local-mep | local-port |

rem-mep]
timer {hold-off <value> | wait-torestore <value>}
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>
Removes the configured event source:
local-mep: receives events from a

local MEP
local-port: receives events from

a local port
rem-mep: receives events from a

remote MEP
Specifies profile timers:
hold-off <value>: defines the

hold off timeout, in the range of
<0600000> milliseconds, in 100millisecond increments. The timer
postpones the switchover for a
specified time. If the transport
path does not recuperate by the
end of this time period, the link
Page 123
Command
Description
is dropped or LDP MAC address
withdraw message is sent.
0 milliseconds
wait-to-restore <value>: defines

the wait-to-restore timeout, in
the range of <0-600> seconds. If
the revertive mode is disabled,
this timer is also disabled.
0 seconds
no timer {hold-off | wait-torestore}
Restores to defaults
threshold <value>
Supported only for source port.

Specifies a threshold for a given source port.
Once the threshold is reached, the event action
is triggered.
1
no threshold
event-propagation-profile
<id>
Restores to default
Enters Configuration Mode for a specific port:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>
Applies the selected event-propagation profile

on a port:
no event-propagationprofile
service
untagged}
Page 124
id: id: a string of up to 32

letters
Removes the event-propagation profile from the

port

Configuration mode:

4294967295>

Configuration mode:

of 1/1/1-1/1/4 and 1/2/1-1/2/8.

<1-14>

Command
Description
Configuration mode


traffic only

range of <14294967295>

Configuration mode:
UU/SS/PP: (optional) SAP port in

the range of 1/1/1-1/1/4 and
1/2/1-1/2/8. This port has to be
an untagged member of the S-VLAN.

<1-14>
c-vlan: (optional) specifies a


of <1-4094>

traffic

event-propagation-profile <id>
Applies the selected event-propagation profile

on a SAP port:
no event-propagation-profile
show event-propagation [profile <id> |
session]
id: id: a string of up to 32

letters
Removes the event-propagation profile from the

SAP port
Displays event-propagation information:
profile <id>: displays the

configured parameters for the
specified profile with ID in the
range of <1-32>
session: displays the source each

profile is allocated to and its
parameters
Page 125
The following example shows how to configure event propagation on two devices (Device 1 and
Device 4).
Provider side is in domain 5 level 5 VLAN 10.
Customer side is in domain 6 level 6 VLAN 10.
In case of problem on level 5, you will receive ais-lck event on level 6. So if you receive such issue
an automatic action can be triggered in Device1 or Device2 based on above mentioned event.
Figure 24: Example for Configuring Event Propagation
Configure Device 1:
Configure CFM:
Commit complete.
device-name(config-ma-ma6)#ais-lck-receive
device-name(config-ma-ma6)#ais-lck-transmit
device-name(config-ais-lck-transmit)#ais-lck-level 7
device-name(config-ais-lck-transmit)#ais-lck-priority 3
device-name(config-ais-lck-transmit)#ais-lck-vlan 10
device-name(config-ais-lck-transmit)#mep 602
device-name(config-mep-602)#direction up
device-name(config-mep-602)#ccm-priority 5
Page 126
Configure an event-propagation profile and apply it on a port:

device-name(config)#event-propagation profile 1
device-name(config-profile-1)#source local-mep 602
device-name(config-profile-1)#event ais-lck
device-name(config-profile-1)#action link-drop
device-name(config-profile-1)#reverse link-restore
device-name(config-profile-1)#commit
device-name(config-port-1/1/4)#event-propagation-profile 1
Configure Device 2:
Configure CFM:
Commit complete.
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-level 6
device-name(config-ais-lck-transmit)#exit
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-priority 7
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-vlan 10
device-name(config-ma-ma5)#mep 1 bind-to 1/1/2 direction up
Configure Device 3:
Configure CFM:
Page 127
Commit complete.
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-level 6
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-priority 7
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-vlan 10
device-name(config-ma-ma5)#mep 2 bind-to 1/1/2 direction up
Configure Device 4:
Configure CFM:
device-name(config-tagged-1/1/1)#ex
Commit complete.
device-name(config-ma-ma6)#ais-lck-transmit
device-name(config-ais-lck-transmit)#ais-lck-level 7
device-name(config-ais-lck-transmit)#ais-lck-priority 3
device-name(config-ais-lck-transmit)#ais-lck-vlan 10
device-name(config-ais-lck-transmit)#mep 601
Page 128
device-name(config-mep-601)#direction up
Configure an event-propagation profile and apply it on a port:

device-name(config)#event-propagation profile 1
device-name(config-profile-1)#source local-mep 601
device-name(config-profile-1)#event ais-lck
device-name(config-profile-1)#action link-drop
device-name(config-profile-1)#reverse link-restore
device-name(config-profile-1)#commit
device-name(config-port-1/1/4)#event-propagation-profile 1
Page 129
Page 130
Features
Standards
MIBs
RFCs
802.1ag
Connectivity Fault
Management (CFM)
IEEE 802.1ag-2007
(draft 8.1)Virtual
Bridged Local Area
Networks (Amendment
5: Connectivity Fault
Management).
Connectivity Fault
ManagementAn
Update on Bridging
Technologies (IEEE
Tutorial, July 18, 2005).
Public MIB,
IEEE8021-CFM-MIB
Private MIB,
PRVT-CFM-MIB.mib
These MIBs are used
for the Connectivity
Fault Management
(CFM) module for
managing IEEE
802.1ag.
RFC 2544,
Benchmarking
Methodology for
Network Interconnect
Devices
Intermediate
802.3ah EFM-OAM
IEEE Std 802.3ah-2004
Public MIB: DOT3OAM-MIB.mib

Private MIB: PRVTSWITCH-EFM-OAMMIB.mib
Not supported
ITU-T G.8032v2
Ring Automatic
Protection
Switching (R-APS)
ITU-T G.8032 standard
Private MIB: PRVTRAPS-MIB.mib
Not supported
ITU-T G.8031
Ethernet Protection
Switching (EPS)
ITU-T G.8031 standard
Private MIB, PRVTEPS-MIB.mib
Not supported RFCs
ITU-T Y.1564 NextGeneration CarrierEthernet Testing
ITU-T Y.1564 standard
Not supported
Not supported
SAA tests
SOAM (Service OAM)

based on the IEEE
802.1ag-2007 (draft
8.1)
ITU-T
Recommendation
Y.1731
Public MIB,
ping.mib
Private MIB,
PRVT-SAA-MIB.mib
RFC 2544
RFC 2925 allows
functionality for
creating of ping and
traceroute tests that
can be carried out
periodically on the
remote host.
Event Propagation
IEEE 802.1ag-2007
(Connectivity Fault
Management)
Not supported
Not supported
Synchronous Ethernet (SyncE)

Table of Contents
Table of Figures 1
List of Tables 2
Synchronization in SDH/SONET and Ethernet Networks 3
Quality Levels in Synchronization 3
Physical Structure of Network Synchronization 5
Clock Synchronization in Traditional Ethernet 6
Clock Synchronization in Synchronous Ethernet 6
Ethernet Synchronization Messaging Channel (ESMC) Protocol 7
How Synchronization Works on the Individual Device Level 9
Synchronization on the T-Marc 3208SH Device 10
DPLLs 10
Clock Sources 10
Selecting a Clock Reference11
Output Clocks 11
SyncE Commands 11
Table of Figures
Figure 1: SDH/SONET Network Synchronization Hierarchy ....................................................... 3
Figure 2: Clock Transmission over Traditional Ethernet ................................................................. 6
Figure 3: Clock Transmission over Synchronized Ethernet ............................................................ 7
Figure 4: Schematic Presentation of the System Synchronization Concept ................................ 10
Synchronous Ethernet (SyncE) (Rev. 01)
Page 1
List of Tables
Table 1: Hierarchy of Quality Levels in Option I Synchronization Networks ............................. 5
Table 2: Hierarchy of Quality Levels in Option II Synchronization Networks ............................ 5
Table 3: ESMC PDU Format ............................................................................................................... 8
Table 4: General Structure of the TLV Field ..................................................................................... 9
Table 5: Structure and Content of TLV Field Containing an SSM ................................................. 9
Table 6: SyncE Commands ................................................................................................................. 13
Page 2
T-Marc3208SH
Synchronization in SDH/SONET and Ethernet

Networks
Synchronous Ethernet (SyncE) refers to a set of technologies and protocols for Ethernet networks
used to transport services that rely on precise frequency synchronization such as Mobile
Backhauling. Using SyncE, the device transmits a precise timing signal to synchronize the reference
frequency at network endpoints (such as Mobile Base Stations) without the necessity of dedicated
TDM lines.
SyncE uses the physical interface to pass timing signals from node to node in the same way that
timing passes in SONET/SDH or T1/E1 networks. SyncE-based networks deliver cost effective,
time-critical services as reliably as SONET-/SDH- and T1-/E1-based networks.
Quality Levels in Synchronization

Synchronous Ethernet (SyncE), based on the principles of Synchronous Digital Hierarchy (SDH)
and Synchronous Optical Network (SONET), depends on clock hierarchy or quality levels (QL).
SyncE utilizes a timing-source signal either provided by special synchronization equipment, with a
cesium clock, or received from a cesium clock-controlled system such as Global Positioning
Systems (GPSs). GPS emits a high quality, stable signal used to create the first synchronization
input in the clock hierarchy, an output clock known as the Primary Reference Clock (PRC).
The PRC passes to devices that can maintain secondary synchronization, filter the clock, and
provide holdover capability Synchronization Supply Units (SSUs) and Building Integrated
Timing Supplies (BITS). Holdover capability ensures continued generation of an accurate clock, of
satisfactory quality, in the event of PRC failure and subsequent synchronization loss for a period of
at least twenty-four hours.
Each SDH network element contains an SDH Equipment Clock (SEC) with a holdover capability
of 15 seconds after source clock failure. The lowest quality level used in synchronization is the SDH
Equipment Clock (SEC) or SONET Minimum Clock (SMC) called EEC in Synchronous
Ethernet networks.
The following figure illustrates the QL clock hierarchy with the most accurate clock at the top:
Figure 1: SDH/SONET Network Synchronization Hierarchy
While PRC/PRS and SSU/BITS are usually implemented as standalone products with timing
functionality only (no data transmission), SEC/SMC/EEC are almost exclusively embedded in
networking products.
Page 3
ITU-T Recommendation G.781 specifies the following clock source quality levels corresponding to
4 base levels of synchronization quality for SDH networks or Synchronous Ethernet networks that
connect to or replace SDH (option I):
QL-PRC: A synchronization trail transporting timing quality generated by a Primary

Reference Clock as defined in Recommendation G.811
QL-SSU-A: A synchronization trail transporting timing quality generated by a transit slave

clock as defined in Recommendation G.812, Types I and V
QL-SSU-B: A synchronization trail transporting a timing quality generated by a local slave

clock as defined in Recommendation G.812, Type VI
QL-SEC: A synchronization trail transporting a timing quality generated by an SDH

Equipment Clock (SEC) as defined in Recommendation G.813, Option I, or Ethernet
Equipment Clock (EEC) as defined in Recommendation G.8262, Option I.
QL-DNU: While not used for synchronization, this signal is used when clock quality of the
source is either unknown, too low, or when use of the source risks formation of a
synchronization loop.
QL-INVx, -FAILED, -UNC, -NSUPP: Internal QLs inside the network equipment that are
never generated at an output port.
The following clock-source quality-levels are defined in the synchronization selection process of an
option II network corresponding to second generation quality levels.
QL-PRS: PRS-traceable ([ITU-T G.811])
QL-STU: synchronizedtraceability unknown
QL-ST2: traceable to stratum 2 ([ITU-T G.812], type II)
QL-TNC: traceable to transit node clock ([ITU-T G.812], type V)
QL-ST3E: traceable to stratum 3E ([ITU-T G.812], type III)
QL-ST3: traceable to stratum 3 ([ITU-T G.812], type IV)
QL-SMC: traceable to SONET clock self timed ([ITU-T G.813] or [ITU-T G.8262], option
II)
QL-ST4: traceable to stratum 4 freerun (only applicable to 1.5 Mbit/s signals)
QL-PROV: provisionable by the network operator
QL-DUS: not used for synchronization

NOTE
First generation quality levels do not define QL-ST3E and QL-TNC as separate
quality levels and QL-PROV was identified as QL-RES.
Table 1 and Table 2 show the clock source quality levels for SDH networks and for Synchronous
Ethernet networks that connect to or replace SONET, as specified by ITU-T Recommendation
G.781 (as option I and option II networks, respectively).
Page 4
Table 1: Hierarchy of Quality Levels in Option I Synchronization Networks

Quality Level
QL-PRC
Relative Quality
highest
QL-SSU-A
QL-SSU-B
QL-SEC
QL-DNU
QL-INVx, -FAILED, -UNC, -NSUPP
lowest
Table 2: Hierarchy of Quality Levels in Option II Synchronization Networks

Quality Level
QL-PRS
Relative Quality
highest
QL-STU
QL-ST2
QL-TNC
QL-ST3
QL-ST3E
QL-SMC
QL-ST4
QL-PROV (default position)
QL-DUS
QL-DNU
QL-INVx, -FAILED, -UNC, -NSUPP
lowest
Physical Structure of Network Synchronization

SONET/SDH/SyncE networks are synchronized by phase-locking SECs/EECs to one or more
PRCs (usually serving as backup). The timing signal, which is transmitted from one SEC/EEC to
another, achieves synchronization over the entire network. Some higher order SEC/EECs act as
masters to lower-order SECs/EECs.
Because SEC/EEC signals tend to degrade in quality with each hop, SSUs are placed at certain
nodes in the network topology to stabilize and recover clock quality. SSUs, utilizing a GPS
reference, provide a PRC-quality clock that effectively splits the synchronization network into
several, smaller networks. As a result, synchronization chains are shortened and overall clock quality
along the chain remains as high as possible.
The clock-source selection process may be controlled by external commands. When no overriding
external commands are active, the algorithm selects the reference according to the following
guidelines:
Input with the highest quality level not experiencing a signal fail condition
Page 5
When multiple inputs have the same high quality level, the device selects the input with the
highest priority
When multiple inputs have the same high priority and quality level, the existing reference is
maintained when that reference belongs to the same group
Otherwise, the reference with the lowest Index in the group is selected.
If no clock source could be selected, the local clock oscillator is selected as reference.
Clock Synchronization in Traditional Ethernet

Transmission of asynchronous data traffic does not require a synchronization signal to pass from
the source to the destination. The requirement to synchronize data packet flow is relatively new.
The older 10 Mbps (10 Base-T) Ethernet is not capable of synchronized signal transmission over
the physical layer interface.
Faster Ethernets (100 Mbps, 1 Gbps, and 10 Gbps), which have the means to synchronize traffic
between two devices, make good use of idle periods through continuous pulse transitions that are
utilized for continuous, high-quality, clock recovery at the receiving end. In an older, 10 Mbps
Ethernet, the pulse signal transmits every 16 milliseconds. Because 16 milliseconds is too infrequent
for clock recovery at the receiving end, utilization of the idle pulse signal impossible.
Figure 2 shows how physical layer synchronization operates on traditional Ethernet: First, the master
and slave are determined through an auto-negotiation process. (The master is randomly assigned
through a seed value, however, the master can also be set manually.) Once the roles are established,
the master generates a transmit clock locally using its own free-running crystal oscillator (that is,
internally generating clock). The slave recovers the master clock from the received data stream and
uses that clock for data transmission. As a result, synchronization occurs during a hop between two
adjacent nodes but does not pass from hop to hop.
Figure 2: Clock Transmission over Traditional Ethernet
Clock Synchronization in Synchronous Ethernet

Synchronization in traditional Ethernet exists only between adjacent devices. Synchronous
Ethernet, however, can transmit the received clock between hops and make possible travel across
remote devices and interconnected networks. A synchronization chain forms when the clock
recovered from the node receiving synchronization feeds all nodes capable of transmitting
synchronization signals. The chain uses a primary reference clock source that mimics the
Page 6
hierarchical synchronization mode employed by SONET/SDH or T1/E1 networks. A Phase

Locked Loop (PLL) mechanism removes jitter and wander generated by the clock recovery circuit
before the recovered SyncE clock is fed to the transmitting device (see Figure 3).
Figure 3: Clock Transmission over Synchronized Ethernet
For 1000Base-T networks, manually configure ports to alternate the master and slave function
(in the clock path).
On 1000Base-X (fiber) and 10GBASE-X (10 gigabit) networks, where there is no bidirectional transmission on a single fiber, one fiber is always used for transmission and the
other for reception.
Gigabit or 10-Gigabit Ethernet Physical Layer Devices (PHYs) devices, which are capable of
providing recovered clock on one of their output pins, support SyncE. The recovered clock is
cleaned by the PLL and fed to the 25MHz crystal oscillator input pin on the PHY device. Newer
Ethernet PHY devices provide a dedicated pin for synchronization input. The advantage of this
approach is that frequency input can be higher than 25MHz resulting in lower jitter and avoidance
of potential timing loop problems within the PHY device.
Ethernet Synchronization Messaging Channel

(ESMC) Protocol
The Ethernet Synchronization Messaging Channel (ESMC) protocol communicates the current
reference clock quality over Ethernet networks. ESMC serves as a communication channel for
Synchronization Status Messages (SSMs) and makes possible interworking with existing
SONET/SDH infrastructure by allowing SyncE links to convey SSM quality level as defined in
ITU-T G.707, G.781, Telcordia GR-253-CORE, and ANSI T1.101. ESMC is based on an
Ethernet protocol called Organization Specific Slow Protocol (OSSP) and uses its Protocol Data
Unit (PDU).
The ESMC protocol is event-driven and has two message types:
Event Messages: An event message is sent whenever the clock quality level changes.
Information Messages. An information message is sent every second to signal that the
system is alive and working properly.
Page 7
Despite the fact that the average message rate is about one message/second, this messaging
arrangement ensures a short reaction time. If an information message (alive signal) is not received
within a five-second period, the clock considers the incoming ESMC protocol as having failed.
The ESMC protocol payload uses Type-Length-Values (TLVs) for content format. The clock
quality level is transmitted in a TLV containing the standard 4-bit, SSM quality level values defined
by ITU- T, ANSI and Telcordia.
The ESMC protocol is a unidirectional transmission channel. The Tx phase provides the necessary
information and clock states; the Rx phase always receives that information and states, but the
device may choose whether to use or ignore the information depending upon configuration.
ESMC contains:
the standard Ethernet header for OSSP
the ITU-T Organization Unique Identifier (OUI)
a specific ITU-T subtype
an ESMC-specific header
a flag field
a Type-Length-Value (TLV) field.
The use of flags and TLVs is aimed at improving SyncE link management and the associated
timing change. Table 3 presents the ESMC PDU format. Note that in the TLV field, padding
bits are added to ensure that the field length is an integer number of bytes and covers the
required minimum of 64 bytes.
Table 3: ESMC PDU Format
Page 8
Octet Number
Field
Size
Content (HEX)
1-6
Destination Address
6 octets
Destination Address
=01-80-C2-00-00-02
(hex)
7-12
Source Address
6 octets
Ports MAC address
13-14
Slow Protocol
Ethertype
2 octets
Slow Protocol
Ethertype = 88-09
(hex)
15
Slow Protocol Subtype
1 octet
Slow Protocol Subtype

=0A (hex)
16-18
ITU OUI
3 octets
ITU-OUI = 00-19-A7
(hex)
19-20
ITU Subtype
2 octets
01
21
Version
4 bits
01
Event Flag
1 bit
0 for Information PDU

1 for Event PDU
Reserved
3 bits
Reserved
22-24
Reserved
3 octets
Reserved
25-1532
TLV (data and

padding)
36-1490 octets
See Table
Octet Number
Field
Size
Content (HEX)
Last 4
Frame Check
Sequence (FCS)
4 octets
FCS
Table 4 and Table 5 show the structure of the TLV field, respectively its general structure and the
structure and content when containing an SSM. The ability to use TLV fields keeps the ESMC
protocol open to accommodating future extensions.
Table 4: General Structure of the TLV Field
Field
Size
Type
1 octet
Length
2 octets
Data and padding
up to 1387 octets
Table 5: Structure and Content of TLV Field Containing an SSM

Field
Size
Content (HEX)
Type
1 octet
01
Length
2 octets
04
Unused
4 bits
SSM
4 bits
SSM code
How Synchronization Works on the Individual

Device Level
A synchronous network uses a Digital Phase Locked Loop (DPLL) mechanism to:
Select and clean-up jitter/wander in the incoming reference clock
Generate a proper output frequency
Implement smooth fail-over between reference clocks
Implement stable holdover when all references fail
System synchronization consists mainly of locking a DPLL onto one of its clock references. There
can be multiple DPLLs in a device and there can be multiple clock sources connected to the
system. Potentially, any clock source can be configured as a clock reference for one or both DPLLs.
Each DPLL generates various internal/external output clocks that may have different frequencies
but are all locked onto a selected reference (see Figure 4).
In the process, the DPLL also cleans up any accumulated jitter/wander. If no acceptable reference
is currently available, the DPLL may go into holdover mode. In holdover mode, the DPLL trying
to preserve the lock on the last available clock reference based on collected history and use of a
clock oscillator (TCXO) available with the device. Before locking onto the first reference after
startup, the DPLL runs in Freerun mode, locked onto the internal TCXO generated clock.
Page 9
Figure 4: Schematic Presentation of the System Synchronization Concept
Synchronization on the T-Marc 3208SH Device

DPLLs
T-Marc 3208SHEach physical DPLL is represented by a logical DPLL entity. Both DPLLs can
receive all reference clocks but differ in output generation capabilities:
DPLL 0: Generates all output clocks
DPLL 1: Generates only BITS.
Clock Sources
The clock source is a logical entity corresponding to a physical input clock (Ethernet, BITS, etc.).
Specifics and configuration options depend on the input clock type. The T-Marc 3208SH supports
the following clock source types:
SyncE Clock Source
BITS Clock Source
SyncE Clock Source

The SyncE clock source can be received on any uplink (SFP-only) Ethernet port. The clock source
is identified by port number (UU/SS/PP). The SyncE clock source supports both static and
dynamic QLs (via ESMC).
BITS Clock Source

The device has two coaxial ports for receiving a Building Integrated Timing Supply (BITS) clock
source. Only static QLs can be received on a BITS port with frequencies up to 19.44MHz
(SONET). The frequency can be set manually or can be auto-detected by the device. The autodetection option is supported for E1/T1/SONET frequencies.
Page 10
Selecting a Clock Reference

The clock reference is a logical association between a DPLL and a clock source. There can be only
one reference per clock source per DPLL while a clock source may be associated with either one or
both of the device DPLLs. The clock reference identifier contains the name of the appropriate
clock source concatenated with the DPLL ID. The QL provided by the clock reference is inherited
from the clock source. Each clock reference can have a static priority configured by the user.
There are three DPLL reference selection modes:
Freerun: Uses internal oscillator as the only clock source
QL-Disabled: Reference selection based on priority only
QL-Enabled: Reference selection based on both priority and QL
There are also some special cases in which the reference is selected in a different manner:
Equal Reference: When the top-rated references have the same QL and priority, the
reference with lowest IfIndex (interface index) is selected.
Reference Lock-out: Reference cannot be selected temporarily.
Manual Switch: Used only to override the configured priority.
Forced Switch: Applied to any Reference that is enabled and not locked-out.
Output Clocks
The T-Marc 3208SH supports the following types of output clocks:
SyncE Output Clock
BITS Output Clock
SyncE Output Clock

The SyncE output clock is always generated by DPLL 0, can be transmitted through any Ethernet
port (1GE or 10GE), and supports ESMC generation.
BITS Output Clock

The device has one coaxial port for transmitting BITS clock (BITS-out port) with supported
frequencies up to 19.44MHz in 8kHz increments. The BITS output clock can be generated by both
DPLLs (0 and 1).
SyncE Commands
This section describes the command hierarchy for SyncE, lists available commands, and provides a
configuration example.
Page 11
Command Hierarchy
NOTE
SyncE is supported only on Gigabit Ethernet SFP ports (100 Mbps and 1 Gbps);
the valid range is <1/1/1-1/1/4.
device-name#
system sync-timing clear-timer clock-source-name UU/SS/PP timer-type

{hold-off | wait-to-restore}
system sync-timing reset module-id <id> reference-clock-name {UU/SS/PP

| bits-in<value>}
system sync-timing switch {module-id <id> | reference-clock-name

{UU/SS/PP | bits-in<value>} | mode {forced | clear | manual}}
+ config terminal
system
+ [no] sync-timing
- [no] ql-prov-position {before | after} {ql-dnu | ql-dus

| ql-inv | ql-prc | ql-prov | ql-prs | ql-sec | qlsmc | ql-ssu-a | ql-ssu-b | ql-st2 | ql-st3 | ql-st3e
| ql-stu | ql-tnc}
+ [no] clock-output {UU/SS/PP | bits-outout1}
- [no] dpll <module-id>
- [no] esmc
+ [no] clock-source {UU/SS/PP | bits-in<value>}

- [no] esmc
- [no] frequency {<value> | auto}
- [no] quality {ql-dnu | ql-dus | ql-inv | ql-prc |

ql-prov | ql-prs | ql-sec | ql-smc | ql-ssu-a |
ql-ssu-b | ql-st2 | ql-st3 | ql-st3e | ql-stu |
ql-tnc}
- [no] quality-change-notify
- [no] shutdown
- [no] debug {{assert | drv | management | selection}

{true | false}| packet {event {recv | send} |
informational {recv | send}}}
+ [no] dpll <module-id>
- [no] reference-change-notify
+ [no] reference-clock {UU/SS/PP | bits-in<1-2>}

- [no] lock-out
- [no] reference-selection {freerun | q781}

- quality-level {enable | disable}
- [no] status-change-notify
Page 12
- [no] shutdown
- [no] g781-option {I | II}

- [no] hold-off <value>
- [no] wait-to-restore <value>
- show system sync-timing [displaylevel <value>]
- show system sync-timing clock-source [displaylevel <value>]
- show system sync-timing clock-source {UU/SS/PP | bits-in<value>}

- show system sync-timing clo ck-source system-info
- show system sync-timing clock-output [displaylevel <value>]
- show system sync-timing clock-output {UU/SS/PP | bits-outout1}

- show system sy nc-timing clock-output system-info
- show system sync-timing dpll reference-clock {UU/SS/PP | bits-in<1-2>}
- show system sync-timing dpll reference-clock clock-reference-systeminfo [status-fail | displaylevel <value>]
- show system sync-timing dpll reference-clock [displaylevel <value>]

- show system sync-timing dpll <module-id>
- show system sync-timing dpll system-info
- show system sync-timing dpll [displaylevel <value>]
Table 6: SyncE Commands
Command
Description
config terminal
system sync-timing reset module-id <id>

reference-clock-name {UU/SS/PP | bitsin<value>}
For the selected DPLL, resets the enabled

reference clock for the port:
system sync-timing switch {module-id <id>

| reference-clock-name {UU/SS/PP |
bits-in<value>} | mode {forced | clear
| manual}}
module-id <id>: in the range of

<0-1>
UU/SS/PP: 1/1/1-1/1/4
bits-in<value>: bits-in port

number; the valid range is <1-2>
For the selected DPLL, manually reconfigures

the reference clock for the port:
mode: specifies the mode in which

the reference clock operates
forced: overrides the currently

selected reference clock
manual: selects the reference

clock
clear: clears the forced and

manual operations
module-id <id>: in the range of

<0-1>
Page 13
Command
Description
system sync-timing clear-timer clocksource-name UU/SS/PP timer-type {holdoff | wait-to-restore}
system
UU/SS/PP: 1/1/1-1/1/4

For the selected clock source on the specified

port, clears the hold-off timer or the wait-torestore timer:
hold-off: hold-off timer
wait-to-restore: wait-to-restore
timer
sync-timing
Enters SyncE Configuration mode
no sync-timing
Removes SyncE configuration
ql-prov-position {before | after}

{ql-dnu | ql-dus | ql-inv |
ql-prc | ql-prov | ql-prs |
ql-sec | ql-smc | ql-ssu-a |
ql-ssu-b | ql-st2 | ql-st3 |
ql-st3e | ql-stu | ql-tnc}
Specifies the position of the quality of the clock

source:
before: before the selected

quality level
after: after the selected quality

level
ql-dnu, ql-dus, ql-inv, ql-prc,

ql-prov, ql-prs, ql-sec, ql-smc,
ql-ssu-a, ql-ssu-b, ql-st2, qlst3, ql-st3e, ql-stu, ql-tnc: see
Table 2
ql-prov
no ql-prov-position [before |
after] [ql-dnu | ql-dus | qlinv | ql-prc | ql-prov | qlprs | ql-sec | ql-smc | qlssu-a | ql-ssu-b | ql-st2 |
ql-st3 | ql-st3e | ql-stu |
ql-tnc]
Restores to default
clock-output {UU/SS/PP |
out1}
Enables clock output through the configured

port and enters SyncE clock output
configuration node for the interface:
bits-
no clock-output [UU/SS/PP |
bits-out1]
dpll <module-id>
UU/SS/PP: 1/1/1-1/1/4
(automatically assigned to DPLL
0)
bits-out1: bits-out port number;

the valid value is 1
Disables clock output:
UU/SS/PP: 1/1/1-1/1/4
bits-out1: (optional) bits-out

port number; the valid value is 1
Assigns output clock to the specified DPLL (Bits

ports only.):
no dpll
Page 14
module-id: in the range of <0-1>
Removes the assigned output clock to the

specified DPLL (Bits ports only.):
Command
Description
esmc
Enables the ESMC protocol for clock output on

the configured port. (Ethernet ports only.) When
the ESMC protocol is enabled, Synchronization
Status Messages can be transmitted through
the port.
no esmc
Disables the ESMC protocol for clock output on

the ESMC protocol is disabled, no SSMs can be
transmitted through the port.
frequency {<value> | 0}
Configures the frequency of the transmitted

clock signal (Bits ports only.):

MHz
0: enables automatic
configuration of the clock
frequency
0
no frequency
clock-source {UU/SS/PP | bitsin<value>}
no clock-source [UU/SS/PP |
bits-in
<value>]
Restores to default
Enables clock source on the specified port:
UU/SS/PP: 1/1/1-1/1/4

Disables clock source:
UU/SS/PP: 1/1/1-1/1/4
bits-in<value>: (optional) bits-in

port number; the valid range is
<1-2>
esmc
Enables the ESMC protocol for clock input on

the ESMC protocol is enabled, SSMs can be
received on the port.
no esmc
Disables the ESMC protocol for clock input on

the configured port. (Ethernet ports only.) All
SSMs received on the port will be dropped.
frequency {<value> | 0}
Specifies the frequency of the clock source

signal (Bits ports only.):

MHz
0: enables automatic
configuration of the clock source
frequency
0
no frequency
Restores to default
quality {ql-dnu | ql-dus | qlinv | ql-prc | ql-prov |

ql-prs | ql-sec | ql-smc |
ql-ssu-a | ql-ssu-b | qlst2 | ql-st3 | ql-st3e |
Specifies a particular quality for the selected

clock source if ESMC is disabled. The variables
below are listed in the order of preference in
which they are used by the system (not counting
Page 15
Command
Description
ql-stu | ql-tnc}
Page 16
dnu):
ql-dnu: the signal should not be

used for synchronization. This
parameter is specific for Option
I.
ql-dus: the signal should not be

used for synchronization. This
II.
ql-inv: internal quality level.

This quality level cannot be set
on clock-source. It indicates
that an invalid ESMC message is
received on the clock-source.
ql-prc: the signal is traceable

to a primary reference clock.
This parameter is specific for
Option I.
ql-prov: provided at the

discretion of the network
operator and may take different
order positions. This parameter
is specific for Option II.
ql-prs: the signal is traceable

to a primary reference source.
This parameter is specific for
Option II.
ql-sec: the signal is traceable

to the SDH equipment clock. This
I.
ql-smc: the signal is traceable

to the SONET minimum clock
ql-ssu-a: THIS synchronization

trail transports a timing quality
generated by Types I or V slave
clock. This parameter is specific
for Option I.
ql-ssu-b: this synchronization

trail transports a timing quality
generated by a Type VI slave
clock. This parameter is specific
for Option I.
ql-st2: the signal is traceable

to the stratum 2 level. This
II.
ql-st3: the signal is traceable

to the stratum 3 level. This
II.
ql-st3e: the signal is traceable

to the stratum 3E level. This
Command
Description
II.
ql-stu: the signal is traceable

to unknown stratum level. This
II.
ql-tnc: the signal is traceable

to transit node clock. This
II.
dus
no quality
shutdown
no shutdown
debug {{assert | drv | management
| selection} {true | false}|
packet {event {recv | send} |
informational {recv | send}}}
no debug {{assert | drv |

management | selection} {true
| false}| packet {event {recv
| send} | informational {recv
| send}}}
Restores to default
Enables the clock source
Disables the clock source
Enables displaying of additional log messages
related to:
assert: critical events related

to memory space, hardware
problems with chips
drv: interactions with drivers
management: interactions with the

management interface
selection: clock-selection
mechanism
packet event,informational (recv,

send): sent/received packets
Disables displaying of additional log messages
quality-change-notify
Enables notification whenever clock quality

changes on the specified port
no quality-change-notify
Disables notification whenever clock quality

changes on the specified port
dpll <module-id>
Enters SyncE feature configuration mode for the

selected DPLL module:
no dpll <module-id>
Switches the configured DPLL module to

Freerun mode:
reference-change-notify
Enables notification whenever the selected

clock reference changes
no reference-change-notify
Disables notification whenever the selected

clock reference changes
reference-clock {UU/SS/PP |
bits-in<value>}
Enables reference clock on the specified port

and enters clock-reference configuration mode
for that port:
UU/SS/PP: 1/1/1-1/1/4
Page 17
Command
Description
no reference-clock [UU/SS/PP
| bits-in<value>]
priority <value>

Disables reference clock:
UU/SS/PP: 1/1/1-1/1/4
bits-in<value>: (optional) bits-in

port number; the valid range is
<1-2>
Specifies the priority of the configured DPLL

module for reference clock selection:
0
no priority [<value>]
Restores to default
lock-out
Locks the configured DPPL module. Once the

locking is committed, no further configuring of
the module is possible until the module is
explicitly unlocked.
no lock-out
Unlocks the configured DPPL module (if it has

been previously locked). Once the unlocking is
committed, configuring of the module is allowed
again.
reference-selection {freerun |
q781}
Specifies the operational mode of the DPLL

module:
freerun: configures the DPLL

module to operate in freerun
mode.
q781: configures automatic clock

source selection through the ESMC
protocol
freerun
no reference-selection
Restores to default
quality-level {enable |
disable}
Specifies if quality level should be used when

selecting the reference clock:
enable: enables using quality

level
disable: disables using quality

level
status-change-notify
Enables notification whenever the DPLL status

changes
no status-change-notify
Disables notification whenever the DPLL status

changes
g781-option {I | II}
Specifies the g781 option:
I: Configures g781 option 1
II: Configures g781 option 2
Page 18
no g781-option
Restores to default
hold-off <value>
Specifies the hold-off timer (in milliseconds):
Command
Description
value: the valid range is <3001800>
500
no hold-off
Restores to default
wait-to-restore <value>
Specifies the wait-to-restore timer (in minutes):
4
[no] wait-to-restore
show system sync-timing [displaylevel
<value>]
Restores to default
Displays current configuration for the SyncE
feature:
displaylevel <value>: (optional)

displays current SyncE
configuration up to a specified
level, in the range of <1-64>
show system sync-timing clock-source

[displaylevel <value>]
Displays current clock-source configuration:

{UU/SS/PP | bits-in<value>}
Displays current clock-source configuration

filtered by the command arguments

system-info
Displays current clock-source configuration in a

table format
show system sync-timing clock-output

[displaylevel <value>]
Displays current clock-output configuration:

{UU/SS/PP | bits-outout1}
Displays current clock-output configuration


system-info
Displays current clock-output configuration in a

table format
show system sync-timing dpll referenceclock {UU/SS/PP | bits-in<1-2>}
Displays currently configured clock-reference

show system sync-timing dpll referenceclock clock-reference-system-info

[status-fail | displaylevel <value>]
Displays current clock-reference configuration in

a table format
show system sync-timing dpll referenceclock [displaylevel <value>]
Displays current clock-reference configuration:
show system sync-timing dpll <module-id>
Displays currently configured DPLLs filtered by

the command arguments
show system sync-timing dpll system-info
Displays current DPLLs configuration in a table

format

displays current clock-source

displays current clock-output

displays current clock-reference
Page 19
Command
Description
show system sync-timing dpll [displaylevel

<value>]
Displays current DPLLs configuration:

displays current clock-source
DPLLs configuration up to a
specified level, in the range of
<1-64>
In the following example, multiple clock sources, Ethernet ports using ESMC for dynamic Quality
Level and BITS port with static Quality level, are configured and assigned to both DPLLs.
Output clocks (SyncE and BITS) are generated by the DPLLs.
1.
Enter SyncE Configuration mode:

device-name(config)#system sync-timing
2.
Enable clock source and ESMC protocol for clock input on port 1/1/2:
device-name(config-sync-timing)#clock-source 1/1/2
device-name(config-clock-source-1/1/2)#esmc
device-name(config-clock-source-1/1/2)#commit
Commit complete.
device-name(config-clock-source-1/1/2)#no shutdown
Commit complete.
3.
Enable clock source and ESMC protocol for clock input on port 1/1/3:
device-name(config-clock-source-1/1/2)#clock-source 1/1/3
Commit complete.
Commit complete.
4.
Enable clock source and ESMC protocol for clock input on port 1/1/4. Send notifications
whenever clock quality changes:
device-name(config-clock-source-1/1/3)#clock-source 1/1/4
Commit complete.
device-name(config-clock-source-1/1/4)#quality-change-notify
Commit complete.
5.
Configure bits-in ports and specify a particular quality for the selected clock source:
device-name(config-clock-source-1/1/4)#clock-source bits-in1
device-name(config-clock-source-bits-in1)#quality ql-ssu-
Page 20
device-name(config-clock-source-bits-in1)#commit
Commit complete.
device-name(config-clock-source-bits-in1)#no shutdown
device-name(config-clock-source-bits-in1)#clock-source bits-in2
device-name(config-clock-source-bits-in2)#quality ql-ssu-b
Commit complete.
device-name(config-clock-source-bits-in2)#no shutdown
Commit complete.
6.
Configure the DPLL 0 module:

device-name(config-clock-source-bits-in2)#exit
device-name(config-sync-timing)#dpll 0
device-name(config-dpll-0)#reference-clock 1/1/2
device-name(config-reference-clock-1/1/2)#reference-clock 1/1/3
device-name(config-reference-clock-1/1/4)#reference-clock bits-in1
device-name(config-reference-clock-bits-in1)#exit
device-name(config-dpll-0)#commit
Commit complete.
device-name(config-dpll-0)#reference-selection g781
Commit complete.
device-name(config-dpll-0)#no shutdown
device-name(config-dpll-0)#quality-level enable
device-name(config-dpll-0)#status-change-notify
Commit complete.
7.
Configure the DPLL
module:
device-name(config-dpll-0)#exit
device-name(config-sync-timing)#dpll 1
device-name(config-dpll-1)#reference-clock 1/1/2
device-name(config-reference-clock-1/1/2)#priority 10
device-name(config-reference-clock-1/1/4)#reference-clock bits-in2
device-name(config-reference-clock-bits-in2)#priority 25
device-name(config-reference-clock-bits-in2)#exit
device-name(config-dpll-1)#reference-selection g781
Commit complete.
device-name(config-dpll-1)#no shutdown
Commit complete.
8.
Configure clock output through ports 1/1/2 and 1/1/3:

device-name(config-dpll-1)#exit
device-name(config-sync-timing)#clock-output 1/1/2
Page 21
device-name(config-clock-output-1/1/2)#esmc
device-name(config-clock-output-1/1/2)#clock-output 1/1/3
device-name(config-clock-output-1/1/3)#esmc
device-name(config-clock-output-1/1/3)#clock-output bits-out1
device-name(config-clock-output-bits-out1)#dpll 1
device-name(config-clock-output-bits-out1)#exit
device-name(config-sync-timing)#commit
Commit complete.
9.
(Optional) Display the configuration to verify settings:

device-name(config-sync-timing)#show full
sync-timing
clock-source 1/1/3
no shutdown
esmc
!
clock-source 1/1/4
no shutdown
esmc
quality-change-notify
!
clock-source 1/1/2
no shutdown
esmc
!
clock-source bits-in1
no shutdown
frequency 256
quality ql-ssu-a
!
clock-source bits-in2
no shutdown
frequency 256
quality ql-ssu-b
!
clock-output 1/1/3
esmc
!
clock-output 1/1/2
esmc
!
clock-output bits-out1
dpll 1
!
dpll 0
no shutdown
reference-selection g781
quality-level enable
status-change-notify
reference-clock 1/1/3
!
Page 22
!
!
reference-clock bits-in1
!
!
dpll 1
no shutdown
reference-selection g781
quality-level disable
priority 20
!
priority 30
!
priority 10
!
reference-clock bits-in2
priority 25
!
!
!
Page 23

Feature
Standards
MIBs
RFCs
SyncE
The following ITU-T standards

are supported:
No private MIBs are

supported by this
feature.
No RFCs are
supported by this
feature
Page 24
G.8261
G.8262
G.8264
G.781
Routing Information and Protocols

Table of Contents
Table of Figures 2
List of Tables 2
IP Unicast Routing 4
Populating the Routing Table (FIB) 4
Special IP Interfaces 5
Route-Maps 5
Prefix-List 6
The IP Unicast Routing Default Configuration 6
IP Configuration Commands 7
Open Shortest Path First (OSPF) 12
Area types 12
Link State Advertisement 14
OSPF Neighbors 14
OSPF Network Types 15
Virtual Links 15
OSPF Configuration Flow 17
OSPF Commands18
Traffic Engineering (TE) 30
TE Commands 30
Bidirectional Forwarding Detection (BFD)34
BFD Mechanism 34
BFD Commands 36
Intermediate System-to-Intermediate System (IS-IS) 38
IS-IS Routers Types 38
Routing Information and Protocols (Rev. 01)
Page 1
Network Types 40
IS-IS Packet Types 40
IS-IS Configuration Flow 42
IS-IS Commands 43
Table of Figures
Figure 1: OSPF Topology ................................................................................................................... 13
Figure 2: Virtual Link Providing Redundancy.................................................................................. 16
Figure 3: OSPF Configuration Flow.................................................................................................. 17
Figure 4: OSPF Configuration Example ........................................................................................... 27
Figure 5: BFD session establishment ................................................................................................ 34
Figure 6: BFD fault detection ............................................................................................................. 35
Figure 7: Level 1, Level 2, and Level 1-2 Routers in an IS-IS Network Topology..................... 39
Figure 8: IS-IS Configuration Flow ................................................................................................... 42
List of Tables
Table 1: IP Unicast Routing Default Configuration.......................................................................... 6
Table 2: Default Administrative Distances of the Dynamic Routing Protocols ........................... 6
Table 3: Static Routes Commands ....................................................................................................... 7
Table 4: LSA Type Names and Numbers ......................................................................................... 14
Table 5: OSPF Commands ................................................................................................................. 19
Table 6: TE Commands ...................................................................................................................... 31
Table 7: BFD Commands ................................................................................................................... 36
Table 8: IS-IS Packet Types ................................................................................................................ 40
Table 9: IS-IS Hello PDU Fields ........................................................................................................ 41
Table 10: IS-IS Commands ................................................................................................................. 45
Page 2
T-Marc3208SH

This chapter focuses on the following routing protocols:
IP Unicast Routing
The section provides a technical overview of the principles of unicast routing.
Open Shortest Path First (OSPF)

OSPF protocol is an Interior Gateway (IG) protocol used to distribute routing
information within a single Autonomous System (AS).
Traffic Engineering (TE)

Traffic engineering (TE) brings traffic management capabilities into IP networks, which
still rely on OSPF.
Bidirectional Forwarding Detection (BFD)

BFD is a UDP-based layer-3 protocol that provides very fast routing protocol independent
detection of layer-3 next hop failures.
Intermediate System-to-Intermediate System (IS-IS)

ISIS is a link-state IGP similar to OSPF, in which routers exchange routing information
based on a single metric to determine the network topology.
Page 3
IP Unicast Routing
Populating the Routing Table (FIB)
The routing table is a database that stores and updates the locations (addresses) of other network
devices and the most efficient routes to them. It is used to directing routing.
The table is populated from the following sources:
Dynamic routes, typically learned from routing protocol packets (see Dynamic Routes)
Static routes, manually entered by the network administrator (see Static Routes). They include:
Default routes, configured by the network administrator
Local routes, of IP interface addresses assigned to the system
Other static routes, configured by the network administrator
Dynamic Routes
Dynamic routes are typically learned by the routing protocols (OSPF, IS-IS). Routers that use the
routing protocols exchange information in their routing tables by advertising. Using dynamic
routes, the routing table only contains accessible networks. Dynamic routes are deleted from the
table when either of the following occurs:
Page 4
An update for the network is not received for a period of time that is determined by the
routing protocol (i.e., the dynamic route is aged out of the table)
A neighbor sends a command to delete the dynamic routes advertised by the routing protocol
OSPF (by setting the route aging time to the maximum and flooding the Link-State
Advertisement (LSA) to the advertiser neighbors)
Static Routes
Static routes are manually entered into the routing table. Static routes are important in the following
cases:
When the router cannot build a route to a particular destination automatically
When, for security reasons, you need to make changes to the routing table of the router
When it is necessary to specify a gateway of last resort to which all unroutable packets will be
sent
Static routes are never aged out of the routing table.

A static route must be associated with a valid IP subnet and next hop IP address. When the IP
interface goes down, next hop IP address is not resolved. The static route using the next hop will
become inactive, although it will remain in the routing table.
The device remembers the static routes until they are manually removed. However, the static routes
decisions can be overridden by the dynamic routing information through prudent assignment of
administrative distance values. Each dynamic routing protocol has a default administrative distance,
as indicated in Table 2.
NOTE
If you want to override a static route by information received from a dynamic routing
protocol, simply ensure that the administrative distance of the static route is higher
than that of the dynamic protocol.
Special IP Interfaces
A permanent Layer 3 interface (sw0) is attached to the default VLAN. All available ports in the
system are attached to the default VLAN as untagged. For the device to be able to route between
the VLANs, the Layer 3 interfaces must be configured with an IP address.
The lo1-lo9 Layer 3 interfaces are not directly related to a VLAN. These interfaces can never be in
a down state. The packets sent through them are looped back to the IP stack and are then routed
on a destination-IP-address basis.
The outBand0 Layer 3 IP interface (OutBand interface) is destined for debugging purposes and
cannot be used to pass data.
Route-Maps
A route map provides an advanced filtering mechanism used to control and modify routing
information, and to specify the criteria for permitting or denying redistribution of routes between
routing devices. Route maps consist of a list of match and set clauses that specify the required
criteria and the actions to perform if these criteria are met.
Page 5
Prefix-List
Prefix-lists work like access lists for route advertisements (prefixes). Prefix-lists are used to match
routes as opposed to traffic. Two things are matched:
The prefix (the network itself)
The prefix-length (the length of the subnet mask). Two optional keywords (ge and le) can be
used to designate a range of prefix lengths to be matched.
Prefix lists work very similarly to access lists; a prefix list contains one or more ordered entries
which are processed sequentially. As with access lists, the evaluation of a prefix against a prefix list
ends as soon as a match is found.
An empty prefix list permits all prefixes. A prefix that does not match any entries of a prefix list is
denied.
The IP Unicast Routing Default Configuration

Table 1: IP Unicast Routing Default Configuration
Parameter
Default Value
Default IP address for sw0 IP interface
Not defined
The Default Administrative Distances of the

Dynamic Routing Protocols
See Table 2
IP Forwarding
Enabled
Table 2: Default Administrative Distances of the Dynamic Routing Protocols
Page 6
Route Source
Default Distance
Connected IP interface
OSPF
110
IS-IS
115
Unknown
255
IP Configuration Commands
Commands Hierarchy
device-name#
+ config terminal
+ router
- [no] static-route A.B.C.D/M A1.B1.C1.D1 <distance-value>

- [no] prefix-list NAME
- [no] rule ID
- [no] ge <value>
- [no] ip-prefix A.B.C.D/M
- [no] le <value>
- [no] type {deny | permit}
- [no] route-map NAME

- [no] rule ID
- [no] match {interface {outBand0 | loN | swN} | ipaddress-prefixlist NAME | ip-nexthop-prefixlist

NAME | metric <value> | tag <value>}
- [no] next-rule <value>
- [no] on-match {exit | goto | next}
- [no] set {metric-type {type-1 | type-2} | metric

<value> | tag <value>}
- [no] type {deny | permit}
- show routes [RouteEntry {flags {blackhole changed | deleted | ibgp |

internal | mpls_egress | mpls_ingress | outband | selected | self_ip
| selfroute | static | staticarp | vrrp_ip} | ifname NAME | metrics
<metric value> | NextHopFlags {active | fib | fibsetoutband |
notready | outband | recursive} | nexthoptype {ifindex | ifname |
ipv4 | ipv4_ifindex | ipv4_ifname ipv6 | ipv6_ifindex | ipv6_ifname}
| uptime <duration> | A.B.C.D/M}]
Table 3: Static Routes Commands
Command
Description
config terminal
router
no router
Page 7
router static-route A.B.C.D/M

A1.B1.C1.D1 <distance-value>
Specifies a static route
A.B.C.D/M: the destination IP

address and mask in dotted-decimal
(Ipv4) format
A1.B1.C1.D1: the gateway IP

address
distance-value: in the range of

<1-255>
Disabled
no router static-route [A.B.C.D/M
A1.B1.C1.D1 <distance-value>]
prefix-list NAME
Removes a specific static route or all configured

static routes
A.B.C.D/M: (optional) the

destination IP address and mask in
A1.B1.C1.D1: (optional)the gateway

IP address
distance-value: (optional)in the

range of <1-255>
Creates a prefix-list to filter the routing

information and enters Prefix-list Configuration
mode:
no prefix-list
rule ID
Removes the configured prefix-list

Creates a prefix-list rule ID and enters Prefix-list
Rule Configuration mode:
no rule
ge <value>
ID: in the range of <1-2147483647>
Removes the configured route-map rule

Specifies range limits on the prefix length used
for matching prefixes that are more specific than
the exact prefix length.
If only the ge attribute is specified, the range is
assumed to be from the ge value to 32:
no ge
ip-prefix A.B.C.D/M
Specifies the network address, and the length of

the network mask:
A.B.C.D/M: in dotted-decimal
format
no ip-prefix
Removes the configured address
le <value>
Specifies range limits on the prefix length used

for matching prefixes that are more specific than
the exact prefix length.
If only the le attribute is specified, the range is
assumed to be from the exact prefix length to the
le value.
If neither ge <value> nor le <value> is specified,
the matching criteria require an exact match of
the prefix length.
Page 8
NAME: prefix-list name of <1-20>

characters
no le
type {deny | permit}
Specifies the type of the action to be performed

on routes that match the route map criteria:
no type
route-map NAME
deny: rejects access to routes

with prefixes that match the
criteria
permit: permits access to routes

with prefixes that match the
criteria
Removes the configured rule type

Creates a route-map and enters Route-map
Configuration mode:
no route-map
rule ID
NAME: route-map name of <1-20>

characters
Removes the configured route-map

Creates a route-map rule and enters Route-map
Rule Configuration mode:
ID: in the range of <1-2147483647>
The ID indicates the position of the current rule in

the route map. Routes, tested by a route-map
with multiple rules pass in succession through
the sequence of instances until a match criterion
is met. If a match is found, the routing protocol
permits or denies the action specified in the
configuration of the instance that is matched. If
no match is found in any instance, the route is
rejected.
no rule
Removes the configured route-map rule
Page 9
match {interface {outBand0 |

loN | swN} | ip-addressprefixlist NAME | ipnexthop-prefixlist NAME |
metric <value> | tag
<value>}
Specify the criteria for matching route entries:
interface: IP interface type

A route-map entry is created to match routes
first-hop IP interface to the specified IP interface.
Valid interfaces are:
outBand0: an Ethernet network interface
swN: an IP interface number in the range of

<09999>
ip-address-prefixlist NAME:
specifies a prefix list used to
match against the IP address of
the route entries
ip-nexthop-prefixlist NAME:
specifies a prefix list used to
match against nexthop of the route
entries
metric <value>: matches the

specified metric, in the range of
<1-16777215>
tag <value>: matches the specified

tag
no match
Removes the configured criteria
next-rule <value>
Specifies the next rule to be applied:
no next-rule
Removes the configured next rule
on-match {exit | goto | next}
Specifies the action to be performed on the

current matching rule of the specified route map:
exit: exits the route map
goto: moves to rule specified by

next-rule
next: moves to next rule
no on-match
Removes the configured action on matching rule
set {metric {type-1 | type-2}

| metric <value> | tag
<value>}
Specifies which attribute of the route entry to be

set:
no set
Page 10
loN: an internal logical loopback IPinterface. N is in the range of <09>
metric (type-1 or type-2):

specifies the OSPF external type
metrics for redistributed routes
metric <value>: specifies metric

value for match routes, in the
range of <1-16777215>
tag <value>: in the range of <14294967295>
Removes the configured set operation
type {deny | permit}
Specifies the type of the action to be performed

on routes that match the route map criteria:
no type
show routes [RouteEntry {flags {blackhole
| changed | deleted | ibgp | internal
| mpls_egress | mpls_ingress | outband
| selected | self_ip | selfroute |
static | staticarp | vrrp_ip} | ifname
NAME | metrics <metric value> |
NextHopFlags {active | fib |
fibsetoutband | notready | outband |
recursive} | nexthoptype {ifindex |
ifname | ipv4 | ipv4_ifindex |
ipv4_ifname ipv6 | ipv6_ifindex |
ipv6_ifname} | uptime <duration> |
A.B.C.D/M}]
deny: rejects the routes that

match the route map criteria
permit: permits the routes that

match the route map criteria
Removes the configured rule type of action

Displays the static and directly connected (via
configured IP interfaces) routes.
Page 11
Open Shortest Path First (OSPF)

OSPF is an interior gateway protocol that routes (IP) packets solely within a single routing domain
(autonomous system (AS)). It gathers link state information from available routers and constructs a
topology map of the domain network.
Upon initialization, each device transmits a Link State Advertisement (LSA) on each of its IP
interfaces. OSPF exchanges the status of networks and links with every router in the network. Each
router collects the LSAs of all the routers within a common area, synchronizing their topological
databases, and updating their Link-State Database (LSDB). Using OSPF, all the routers within the
area maintain identical LSDBs.
Each router constructs a tree of shortest paths to each destination in the autonomous system (AS),
based on the LSDB. The cost of a route is described by a single metric (path cost). When several
equal-cost routes to a destination exist, traffic can be distributed among them.
The OSPF protocol uses the following algorithms:
Shortest Path First (SPF) algorithmcalculates configurable cost metrics and exchanging
routing information between routers in large networks.
Constrained Shortest Path First (CSPF) algorithm(optional) calculates a path that

meets, not only the, topology of the network but also the attributes of the Label Switched Path
LSP (refer to chapter MPLS Protocols and Services of this User Guide) and the links. It
minimizes congestion by intelligently balancing the network load. CSPF relies on a Traffic
Engineering Database (see Traffic Engineering (TE)) to do the calculations.
Area types
OSPF requires dividing the network into a logical star of areas.
Backbone area
Stub area
Normal Area
Not So Stubby area (NSSA)
The topology within an area is hidden from the rest of the AS. Hiding this information significantly
reduces LSA traffic and the calculations needed to maintain the LSDB. Routing within the area is
determined only by the topology.
Backbone Area
This area (also called Area 0) connects all other OSPF areas to each other. Any traffic
between areas must go through the backbone area. Due to its role, this area has to be
robust and stable. It should have internal redundancy and efficient bandwidth to handle
the traffic between areas.
Network areas should be contiguous (all in one connected piece). OSPF has a mechanism
for handling disconnections between network areas (other than Area 0) due to link
failures.
Page 12
The figure below shows a simple OSPF topology.
Figure 1: OSPF Topology
OSPF defines the following router types:

Internal Routers (IR)routers that all their IP interfaces are within the same area
Area Border Routers (ABR)routers that their IP interfaces are within in multiple areas. An
ABR is responsible for exchanging summary advertisements with other ABRs
Autonomous System Border Routers (ASBR)routers acting as gateways between OSPF and
other routing protocols or other ASs
The backbone allows ABRs to exchange summary information. Each ABR receives area
summaries from all other ABRs. Each ABR then adds the backbone distance to each
advertising router and forms a picture of the distance to all networks outside its area.
Stub Area
A stub area is connected to other areas; one of them may be the backbone area. External route
information is not distributed into stub areas. Stub areas are used to reduce memory consumption
and computation requirements on OSPF routers.
Normal Area
An area which is not Area 0 or a Stub area.
Not-So-Stubby-Area (NSSA)
NSSA is an optional area that does not flood all LSAs from the core into the area, but can import
and redistribute AS-external routes within the area.
Page 13
Link State Advertisement

LSA is a data unit describing the local state of a router or network. There are several types of LSAs,
designated by names and numbers, as described below:
Table 4: LSA Type Names and Numbers
LSA Number
LSA Name
LSA Description
Router-LSAs
Originated by all routers, a router-LSA describes the

collected states of the router IP interfaces to an area
Network-LSAs
Contains the list of routers connected to the network
3, 4
Summary-LSAs
A summary-LSA describes a route to a destination outside

the area, yet still inside the AS (an inter-area route).
It is originated by ABRs and flooded throughout the LSAs
associated area.
Type 3 summary-LSAs describe routes to networks
Type 4 summary-LSAs describe routes to ASBR
AS-externalLSAs
Originated by ASBR and flooded throughout the AS, each

AS-external-LSA describes a route to a destination in
another AS.
Default routes for the AS can also be described by ASexternal-LSAs.
OSPF Neighbors
Upon initialization, routers running OSPF attempt to locate neighboring routers to exchange LSAs.
Routers form adjacencies with neighboring routers before exchanging routing information. The
routers check details, such as subnet address, OSPF area number, network type, and authentication
passwords before forming an adjacency.
Page 14
On broadcast or point-to-point segments, the routers dynamically discover neighbors through

the OSPF multicast, 224.0.0.5, using the OSPF Hello protocol.
On Non-Broadcast Multiple Access (NBMA) networks the system administrators have to

configure neighbors manually before the Hello protocol initializes in a unicast fashion,
beginning the adjacency forming process.
OSPF Network Types

OSPF has defined standards for communicating across a diverse set of network media:
Broadcast
The Broadcast OSPF network type typically runs on multi-access broadcast IP interfaces such as
Ethernet, Token Ring, or FDDI.
Each Broadcast OSPF area includes one Designated Router (DR) and one Backup Designated
Router (BDR) elected dynamically on a broadcast segment with which all other routers form
adjacencies. The election criteria include router ID, loopback IP interface presence, and router IP
interface priority values.
The system administrators can manually configure these criteria to influence the selection process.
The DR and BDR are responsible for collecting link state information from all routers on the
broadcast segment, compiling, and distributing the resulting area map back to each router. This
prevents all routers on a common segment from exchanging link state information with every other
router on a segment, thus reducing the amount of traffic on a broadcast segment.
Point-to-Point
The point-to-point OSPF network type is typically implemented across dedicated WAN circuits,
such as T-1 links or on frame relay point-to-point sub-interfaces.
This network type does not have a designated router since each segment includes only two routers.
These routers exchange link state information and routes as peers across a common subnet.
Virtual Links
You can configure virtual links between any two backbone routers that have an IP interface to a
common non-backbone area. The protocol treats two routers joined by a virtual link as if they were
connected by a point-to-point connection in the backbone.
If you cannot physically connect an area to the backbone area, you can use a virtual link to connect
to the backbone through a non-backbone area, known as a transit area. The transit area must have
full routing information; therefore it cannot be a stub area.
In the image below if the connection between ABR1 and the backbone fails, the connection via
ABR2 provides redundancy, ensuring communication between ABR1 and the backbone using the
virtual link.
Page 15
Figure 2: Virtual Link Providing Redundancy
Page 16
OSPF Configuration Flow
Figure 3: OSPF Configuration Flow
Page 17
OSPF Commands
Commands Hierarchy
device-name#
+ config terminal
+ [no] router
+ [no] ospf
+ [no] area <id>
- [no] area-range <range-id> [advertise nssaexternal-link | do-not-advertise]

- [no] shortcut-configuration
+ [no] interface A.B.C.D
- [no] auth-key-md5 entry <value> word STRING
- [no] auth-key-simple STRING
- [no] auth-type {md5 | simple}

- [no] dead-interval <interval>
- [no] hello-interval <interval>
- [no] interface-type {broadcast | point-topoint}

- [no] metric <value>
- [no] passive
- [no] transit-delay <delay>
+ [no] nssa
- [no] summaries
+ [no] stub
- [no] default-metric <metric>
- [no] summaries
+ [no] virtual-link A.B.C.D
- [no] auth-key-md5 entry <value> word STRING
- [no] auth-key-simple STRING
- [no] auth-type {md5 | simple}

- [no] dead-interval <interval>
- [no] transit-delay <interval>
- [no] compatible-rfc-1583
+ [no] redistribute {connect | static}

- [no] metric-type1 <metric>
Page 18
- [no] route-map NAME
- [no] router-id A.B.C.D

+ [no] timers
- [no] spf-wait <delay>
- [no] lsa-generate <interval>

- [no] lsa-arrival <interval>
- [no] traffic-engineering
- [no] external-link-state-DB-size <size>
- [no] external-link-state-overflow-timer <timer>
- show router ospf database [area <area-id> | asbr-summary | external |

max-age | network | nssa-external | opaque | router | self-originate
| summary]
- show router ospf interface [name NAME]
- show router ospf neighbor [all [detail] | detail | id A.B.C.D |

interface swN [detail]]
- show router ospf opaque-database
- show router ospf route
- clear router ospf neighbour id A.B.C.D

- clear router ospf process
Table 5: OSPF Commands
Command
Description
config terminal
router
no router
ospf
Enables the OSPF routing and enters the

OSPF Router Configuration mode
Enabled
no ospf
Disables OSPF
area <id>
Specifies an OSPF area and enters the OSPF

Area Configuration mode:
id: OSPF areas ID, in dotted

decimal format (A.B.C.D) or in
decimal format, in the range of
<0-4294967295>
Not defined
no area [<id>]
Deletes OSPF areas:
id: (optional) deletes specific

OSPF area
Page 19
Command
Description
area-range <range-id>
[advertise nssa-external-link
| do-not-advertise]
Define ranges of addresses on the Area

Border Router (ABR) for the purpose of route
summarization or suppression, and enters the
OSPF Area-range Configuration mode:
range ID: the OSPF area range

ID. The OSPD area ID may be
expressed either as a decimal
number (<0-4294967295>) or in
dotted decimal (<0.0.0.0255.255.255.255>).
advertise nssa-external-link:
configures NSSA external linkstate advertisement (Type-7)
which can be flooded throughout
the NSSA area
do-not-advertise: prevents
advertisement of configured
networks
Advertise
no area-range [<range-id>]
Deletes OSPF area ranges:
range ID: (optional) deletes a

specific area range
shortcut-configuration
Allows OSPF to pass traffic from a backbone

area to a non-backbone area
Disabled
no shortcut-configuration
Restores to default
interface A.B.C.D
Specifies an OSPF interface:
A.B.C.D: OSPF interfaces IP

address
Not activated
no interface [A.B.C.D]
Deletes the OSPF interface configuration:
auth-key-md5 entry <value>

word STRING
Specifies a password for md5 authentication:
STRING: a string of <1-16>

characters
no auth-key-md5 entry
Removes the password
auth-key-simple STRING
Specifies a password for simple

authentication (RFC 2328):
no auth-key-simple
Page 20
A.B.C.D: (optional) deletes the

OSPF interface configuration for
a specific IP address

characters
Command
Description
auth-type {md5 | simple}
Specifies the authentication type:
md5: configured in accordance

with RFC 2328
simple: simple password (RFC

2328)
Simple
no auth-type
Restores to default
dead-interval <interval>
Specifies the time that a device must wait

before it declares a neighbor OSPF router
down. The minimum interval must be two
times the hello interval

65535> seconds
40 seconds
no dead-interval
Restores to default
hello-interval <interval>
Specifies the time between the hello packets

that the router sends on an IP interface:

65535> seconds
10 seconds
no hello-interval
Restores to default
interface-type {broadcast |
point-to-point}
Specifies the OSPF network type:
broadcast
point-to-point
Broadcast
no interface-type
Restores to default
metric <value>
Specifies the cost of sending a packet on the

OSPF IP interface:
10
no metric
Restores to default
passive
Sets the passive working mode
no passive
Exits the passive working mode
priority <priority>
Specifies the router priority for the configured

IP interface to help determine the OSPF
designated router for the network:
1
no priority
Restores to default
Page 21
Command
Description
transit-delay <delay>
Specifies the estimated number of seconds

taken to transmit a link state update packet on
an IP interface:
delay: in the range of <1-65535>

seconds
1 seconds
no transit-delay
Restores to default
nssa
Sets the OSPF not-so-stubby area (NSSA)

area type and enters the OSPF NSSA
Configuration mode
no nssa
Removes the defined type and exits the

OSPF NSSA Configuration mode
summaries
Enables sending summary (type 3)

advertisements into a Not So Stubby Area
(NSSA) on an Area Border Router (ABR)
no summaries
Disables sending summary route

advertisements. Only the default route is
advertised by the ABR
stub
Sets the OSPF Stub area type and enters the

OSPF Stub Configuration mode
no stub
Removes the defined type and exits the Stub

Configuration mode
summaries
Enables sending summary (type 3)

advertisements into a stub area on an Area
Border Router (ABR)
no summaries
Disables sending summary route

advertisements. Only the default route is
advertised by the ABR
default-metric <metric>
Specifies a default metric value for

redistributed routes:
metric: in the range of <0

16777215>
1
no default-metric
virtual-link A.B.C.D
Restores to default
Specifies a virtual link to connect the area
border routers to the backbone via a virtual
link and enters the OSPF Virtual Link
Configuration mode:
A.B.C.D: neighbor ID, in a

Not configured
no virtual-link
auth-key-md5 entry <value>
word STRING
Page 22
Removes the virtual link definitions

Specifies a password for md5 authentication:

characters
Command
Description
no auth-key-md5 entry
<value>
auth-key-simple STRING
Specifies a password for simple

authentication (RFC 2328):

characters
no auth-key-simple
auth-type {md5 | simple}
md5: configured in accordance

with RFC 2328
simple: simple password (RFC

2328)
Simple
no auth-type
Restores to default
dead-interval <interval>
Specifies the time that a device must wait

before it declares a neighbor OSPF router
down. The minimum interval must be two
times the hello interval.

65535> seconds
40 seconds
no dead-interval
Restores to default
Specifies the time between the hello packets

that the router sends on an IP interface:

65535> seconds
10 seconds
no hello-interval
Restores to default
transit-delay <delay>
Specifies the link state transmit delay:
delay: in the range of <0-3600>

seconds
1 second
no transit-delay
redistribute {connect | static}
Restores to default
Redistributes OSPF routes from one routing
domain into another routing domain and
enters the OSPF Redistribute Configuration
mode:
connect: interface routes of the

router
static: static routes
Disabled
no redistribute
Restores to default
Page 23
Command
Description
metric-type1 <metric>
Specifies the external link type 1 associated

with the default route advertised into the
OSPF routing domain. It can be:
metric: in the range of <016777215>
0
no metric-type1
Restores to default
route-map NAME
Specifies a configured route-map to apply on

redistributed routes in the OSPF area:
no route-map
router-id A.B.C.D
NAME: route-map name of <1-20>

characters
Removes the specified route-map

Specifies the OSPF fixed-router ID:
A.B.C.D: fixed-router ID in a
No OSPF routing process is defined

no router-id
Resets the OSPF fixed-router ID to the

highest IP address on any of its interfaces
timers
Enters the OSPF Timer Configuration mode
no timers
Exits the OSPF Timer Configuration mode
spf-wait <delay>
Specifies the delay time between when OSPF

receives a topology change and when it starts
an SPF calculation:
delay: in the range of <04294967295> seconds
5 seconds
no spf-wait
Restores to default
lsa-generate <interval>
Specifies the minimum interval between two

consecutive SPF calculations:
10 seconds
no lsa-generate
Restores to default
lsa-arrival <interval>
Specifies the maximum interval between two

consecutive SPF calculations:
10 seconds
no lsa-arrival
Page 24
Restores to default
compatible-rfc-1583
Enables OSPF summary and external route

calculations in compliance with RFC1583
Enabled
no compatible-rfc-1583
Disables the RFC 1583 compatibility and

returns to the default method of calculation
that is according to RFC 2328
Command
Description
Specifies a DSCP priority of the OSPF
packets:
no dscp-mapping
traffic-engineering
Enabling the Traffic Engineering (TE)
no traffic-engineering
Disables the Traffic Engineering (TE)
external-link-state-DB-size <size>
Assigns the upper limit to the number of nondefault AS-external-LSAs allowed in the
routers Link-State Database (LSDB). The
router enters Overflow state when the number
of non-default AS-external-LSAs in the
database reaches their maximum.
size: in the size of <02147483647>
10000
no external-link-state-DB-size
Restores to default
external-link-state-overflow-timer
<timer>
Specifies the time countdown, starting when

the router enters Overflow state, after which
the router attempts to resume transmitting
non-default AS-external-LSAs.
timer: in the range of <02147483647>, in seconds
0 seconds- the router does not leave

OverflowState until restarted.
no external-link-state-overflowtimer
show router ospf database [area <area-id> |
asbr-summary | external | max-age |
network | nssa-external | opaque | router
| self-originate | summary]
Restores to default
Displays the OSPF database:
area-id: in the range of

<0.0.0.0-255.255.255.255>
asbr-summary: the ASBR summary

link states
external: the external link

states
max-age: the LSAs in the MaxAge

list
network: the network link states
nssa-external : the NSSA

database content per area
opaque: the information about TE

opaque LSAs
router: the router link states
self-originate: the selforiginated link states
summary: the network summary

link states
Page 25
Command
Description
show router ospf interface name {outBand0 |

loN | swN}
Displays OSPF interfaces related information:
show router ospf neighbor [all [detail] |

detail | id A.B.C.D | interface swN
[detail]]

interface
loN: an internal logical

loopback IP-interface. N is in
the range of <09>
swN: an IP interface number in

Displays information on OSPF neighbors on a

per-interface basis:
all: (optional) information for

all neighbors that are in a down
state (neighbors not in full or
2-way state)
detail: (optional) detailed

information for all neighbors
id A.B.C.D: the neighbors IP

address
interface swN: an IP interface

number in the range of <09999>
show router ospf opaque-database
Display lists of information about the TE

opaque LSAs
show router ospf route
Displays all routes received through the OSPF

router
clear router ospf neighbour id A.B.C.D
Clears the established OSPF database

between two OSPF neighbors:
clear router ospf process
Page 26
id A.B.C.D: the neighbors IP

address
Resets the entire OSPF process, forcing

OSPF to re-create neighbors, database, and
routing table.
Figure 4 shows an example of a network that uses OSPF routing. The diagram is followed by
commands that create this network.
Figure 4: OSPF Configuration Example
RSW1 Configuration:
1.
Enable OSPF and set the OSPF Router ID:

RSW1#configure terminal
RSW1(config)#router ospf router-id 192.168.1.1
2.
Enable OSPF for the network 192.168.1.0/24 and assign the area 1 for the network:
RSW1(config)#router ospf area 0.0.0.1 interface 192.168.1.1
RSW1(config)#commit
RSW2 Configuration:
1.
Enable OSPF and Set the OSPF Router ID:

2.
RSW2(config)#commit
Page 27
RSW3 Configuration:
1.

2.
3.
Enable OSPF for the network 20.0.0.0/8 and assign the area 2.2.2.2 for the network:
4.
RSW3(config)#commit
RSW4 Configuration:
1.

2.
RSW4(config)#router ospf area 0.0.0.3 stub
RSW4 (config-area-0.0.0.3)# interface 192.168.0.1
3.
4.
RSW4(config)#commit
RSW5 Configuration:
1.

2.
3.
RSW5(config)#commit
RSW6 Configuration:
Page 28
1.

2.
RSW6(config)#router ospf area 0.0.0.3 stub
RSW6 (config-area-0.0.0.3)#interface 192.168.0.2
RSW6(config)#commit
Page 29
Traffic Engineering (TE)

OSPF propagates TE information in order CSPF to calculate network paths.
The OSPF traffic engineering (TE) feature currently deployed in IP networks is based on routing
metrics (cost metrics) which optimize system-wide measures of performance such as average
response time, delay, etc., discounting the diversity of QoS requirements from the mixture of
narrow- and broad-band applications carried by the new multi-service Internet.
The Traffic Engineering (TE) database stores network topology with detailed link information,
including total and reserved bandwidths. This database is filled in and kept up-to-date.
TE Commands
Commands Hierarchy
device-name#
- tool traffic-engineering admin-group {exclude <value> | include-any

<value> | include-all <value>}
- tool traffic-engineering clear-query
- tool traffic-engineering destination ip A.B.C.D
- tool traffic-engineering excluded-link start-ip A.B.C.D end-ip A.B.C.D
- tool traffic-engineering excluded-node ip A.B.C.D
- tool traffic-engineering intermediate-hop address A.B.C.D maximumbackup-hops <unsignedInt> maximum-hops <unsignedInt>

- tool traffic-engineering maximum-bandwidth value <value>
- tool traffic-engineering maximum-reserved-bandwidth value <value>
- tool traffic-engineering minimum-mtu value <unsignedInt>

- tool traffic-engineering originating ip A.B.C.D
- tool traffic-engineering relax-maximum-bandwidth value <unsignedInt>
- tool traffic-engineering unreserved-bandwidth-0 value <unsignedInt>

- tool traffic-engineering run
- tool traffic-engineering show
Page 30
Table 6: TE Commands
Command
Description
tool traffic-engineering admin-group

{exclude <value> | include-any <value>
| include-all <value>}
Excludes/includes an administrative group

unique value:
tool traffic-engineering clear-query
exclude <value>: excludes any

admin groups the link selects.
include-any <value>: includes

any admin groups the link
selects
include-all <value>: includes

all admin groups the link
selects
Clears the previously built CSPF query
tool traffic-engineering destination ip
A.B.C.D
Specifies the IP address of the destination

point (for example, system node, interfaces IP
address of this node, or network segment):
tool traffic-engineering excluded-link

start-ip A.B.C.D end-ip A.B.C.D
tool traffic-engineering excluded-node ip
A.B.C.D
Excludes the selected link from the queried

path:
start-ip A.B.C.D: the IP address

of the links start
end-ip A.B.C.D: the IP address

of the links end
Excludes the selected node from the queried

path:
tool traffic-engineering intermediate-hop

address A.B.C.D maximum-backup-hops
<unsignedInt> maximum-hops
<unsignedInt>
tool traffic-engineering maximum-bandwidth

value <string>
A.B.C.D: the nodes IP address
Specifies the intermediate hop through which

a packet mandatory passes to reach the
destination point:
A.B.C.D: the intermediate hops

IP address
maximum-backup-hops
<unsignedInt>: in range of <11000> for the backup route.
Value 0unlimited number of
hops
maximum-hops <unsignedInt>: in
range of <1-1000> for the path.
Value 0unlimited number of
hops
Specifies the maximum amount of bandwidth

required per an outgoing link:
A.B.C.D: destination points IP

address
string: in the range of

<0x00000000-0xffffffff>
Page 31
Command
Description
tool traffic-engineering maximum-reservedbandwidth value <string>
Specifies the minimum level of the maximum

reserved bandwidth required per all links:
tool traffic-engineering minimum-mtu value

<unsignedInt>
string: in the range of

<0x00000000-0xffffffff>
Specifies the maximum transmission unit

(MTU) size per an outgoing link:
tool traffic-engineering originating ip
A.B.C.D
Specifies the IP address of the starting point

(originator) of the queried path:
tool traffic-engineering relax-maximumbandwidth value <unsignedInt>
Specifies the maximum bandwidth deviation:
tool traffic-engineering unreservedbandwidth-0 value <unsignedInt>
Specifies the minimum level of the unreserved

bandwidth of priority level 0, required per all
links:

links:

links:

links:

links:
unsignedInt: in the range of <0100> %

links:
Page 32
A.B.C.D: originator points IP

address

links:
Command
Description

links:
tool traffic-engineering run
Executes the specified CSPF query
tool traffic-engineering show
Displays the current CSPF query configuration
Page 33
Bidirectional Forwarding Detection (BFD)

The Bidirectional Forward Detection (BFD) protocol provides a fast failure detection mechanism.
It has the following benefits:
Detects failures on any bidirectional forwarding paths, such as direct physical link, virtual link,
tunnel, MPLS LSP, multi-hop path, and unidirectional link, between network devices.
Provides consistent fast fault detection time for upper-layer applications.
Provides a failure detection time of less than one second for faster network convergence, short
application interruptions, and enhanced network reliability.
BFD Mechanism
BFD establishes a session between two network devices to detect failures on the bidirectional
forwarding paths between the devices and provide services for other protocols.
After a session is established, if no BFD control packet is received from the peer within the
specified interval, BFD notifies the protocol that a failure has occurred, and the protocol takes
appropriate measures.
Figure 5: BFD session establishment
Page 34
Figure 6: BFD fault detection
Page 35
BFD Commands
Commands Hierarchy
device-name#
+ config terminal
+ [no] router
+ [no] ospf
+ [no] area <id>
+ [no] interface A.B.C.D

+ [no] bfd
- [no] receive-interval <interval>
- [no] multiplier <value>
- [no] send-interval <interval>
- show bfd-session
- [no] shutdown
Table 7: BFD Commands
Command
Description
config terminal
router
no router
ospf
Enables OSPF and enters the OSPF Router

Configuration mode
Enabled
no ospf
Disables OSPF
area <id>
Specifies an OSPF area and enters the OSPF

Area Configuration mode:
id: OSPF areas ID, in dotted

decimal format (A.B.C.D) or
decimal format, in the range of
<0-4294967295>
Not defined
no area [<id>]
Deletes OSPF areas:
interface A.B.C.D
id: (optional) deletes specific

OSPF area
Specifies an OSPF interface:

address
Not activated
Page 36
Command
Description
no interface [A.B.C.D]
Deletes the OSPF interface configuration:

address
bfd
Enables BFD
no bfd
receive-interval
<interval>
Disabled BFD
Specifies the minimum time-interval at which
BFD peers receive BFD packets:
<interval>: in the range of <55000> milliseconds
100 milliseconds
no receive-interval
Restores to default
multiplier <value>
Specifies the number of BFD packets that

BFD peer miss before declaring that peer
unavailable:
3
no multiplier
Restores to default
send-interval <interval>
Specifies the time-interval at which BFD peers

send BFD packets:
interval: in the range of <55000> milliseconds
100 milliseconds
no send-interval
Restores to default
shutdown
Stops the BFD session
no shutdown
Starts the BFD session
show bfd-session
Displays BFD sessions information
Page 37
Intermediate System-to-Intermediate System (IS-IS)

Intermediate system to intermediate system (IS-IS) is an Interior Gateway Protocol (IGP) used in
an administrative domain or network. When IS-IS routers exchange topology information with the
nearest neighbors, a topological representation of the network is built. The created map indicates
the IP subnets which each IS-IS router can reach, and IP traffic is forwarded to the lowest cost
(shortest) path to an IP subnet.
The IS-IS network consists of:
End Systems (user devices)
Intermediate Systems (routers)
Areas (group of routers)
Domains (group of areas)
IS-IS routing uses a two-level hierarchical routing:
Level 1 routingrouting within an area (intra routing)
Level 2 routingrouting between areas (inter routing)
NOTE
ISIS protocol supports only broadcast type of interfaces.
IS-IS Routers Types

Three types of routers exist:
Page 38
Level 1 routerit is part of the Level 1 routing. This router locates the destination host within
the area, known as the intra-area router. The Level 1 router has a link-state database containing
all the routing information for the area. For routers to communicate, neighbors must be in the
same area.
Level 2 routerit routes traffic between areas (so called inter-area routing). The link-state
database is identical on all Level 2 routers, although the database contains prefixes of addresses
in other areas as opposed to internal area addresses.
Level 1-2 routerit has neighbors in different areas. This router holds both a Level 1 database
for the Level 1 area to which it is connected, and a Level 2 database with all the information
for inter-area routing.
Figure 7: Level 1, Level 2, and Level 1-2 Routers in an IS-IS Network Topology
Page 39
Network Types
Broadcast networksconnect more than two devices. When one router sends a packet, all
connected routers receive it. One IS elects the DIS itself. The DIS is responsible for flooding;
it creates and floods a new pseudo-node LSP for each routing level in which it participates
(Level 1 or Level 2) and for each LAN to which it is connected.
LSPs on broadcast media (LANs) are sent to a multicast address.
No configuration is needed to inform IS-IS as to what the network type is.
How Adjacencies Are Built

Routers become IS-IS neighbors when they share a common data link and their hello packets
contain information that matches the criteria for forming an adjacency - authentication, IS-type and
MTU size. The criteria depend on the type of used network, point-to-point or broadcast.
Two routers are adjacent if the following parameters match:
Level 1the two routers sharing a common network should have their IP interfaces
configured to be in the same area if they are to have a Level 1 adjacency.
Level 2the two routers sharing a common network should be configured as Level 2 if they
are in different areas and want to become neighbors.
AuthenticationIS-IS allows to configure a password for a specified link, for an area, or for
an entire domain.
IS-IS Packet Types

Table 8: IS-IS Packet Types
Packet Type
Description
Intermediate System-to-Intermediate
System Hello (IIH)
IS-IS uses hello packets to establish and maintain

connections to neighbors.
Link-state packet (LSP)
LSPs distribute routing information between IS-IS

nodes.
There are four types of LSPs:
Page 40
Level 1 pseudonode
Level 1 nonpseudonode
Level 2 pseudonode
Level 2 nonpseudonode
Complete sequence number PDU (CSNP)
CSNPs contain a list of all LSPs from the current

database. CSNPs inform other routers of LSPs
that may be outdated or missing from their own
database.
Partial sequence number PDU (PSNP)
PSNPs request an LSP (or LSPs) and

acknowledge receipt of an LSP (or LSPs).
Table 9: IS-IS Hello PDU Fields

Field
Description
PDU type
The type of IS-IS packet: a point-to-point (WAN)

PDU or a LAN PDU.
Source ID
System ID of the sending router.
Holding time
Time period to wait to hear a hello before

declaring the neighbor unavailability.
Circuit type
Indicates whether the IP interface on which the

PDU is sent is Level 1, Level 2, or Level 1/Level 2.
PDU length
Length of entire PDU including the header, in

bytes.
Local circuit ID
A unique ID is assigned to a circuit at the time of

its creation. This circuit ID is only present in the
point-to-point hello PDUs.
LAN ID
System ID of the DIS plus the pseudonode ID

(circuit ID) to differentiate LAN IDs on the same
DIS.
Priority
Used in DIS election, with preference to higher

values.
Page 41
IS-IS Configuration Flow
Figure 8: IS-IS Configuration Flow
Page 42
IS-IS Commands
Commands Hierarchy
+ config terminal
+ [no] router
+ [no] isis
- [no] authentication-check
- [no] authentication-key-simple STRING
- [no] authentication-key-md5 STRING
- [no] authentication-type {none | simple | md5}

- [no] area-address FF:FF:FF:FF:FF:FF
- [no] level {level1 | level1L2 | level2}

+ [no] level-1
- [no] csnp-interval <interval>
- [no] hello-multiplier <value>
- [no] lsp-interval <delay>
- [no] metric <metric>
- [no] retransmit-interval <interval>

+ [no] level-2
- [no] csnp-interval <interval>
- [no] hello-multiplier <value>
- [no] lsp-interval <interval>

- [no] retransmit-interval <interval>
- [no] passive-interface
Page 43
- [no] shutdown
+ [no] level-1
- [no] lsp-gen-interval <interval>
- [no] metric-style {both | narrow | wide}

- [no] set-overload-bit
- [no] te-enable
+ [no] level-2
- [no] lsp-gen-interval <interval>
- [no] metric-style {both | narrow | wide}

- [no] set-overload-bit
- [no] lsp-refresh-interval <1interval>
- [no] max-lsp-lifetime <interval>
- [no] router-id [FF:FF:FF:FF:FF:FF]

- [no] route-leak A.B.C.D/M
- [no] spf-interval <interval>
- [no] summary-address A.B.C.D/M
- [no] type {level1IS | level1L2IS | level2IS}
- [no] shutdown
- [no] te-router-id A.B.C.D
- [no] redistribute connect

- [no] level {level1 | level2}
- [no] redistribute default

- [no] redistribute static
- show router isis database [level {level-1 | level-2}] [details]

- show router isis
- show router isis interfaces [interface {outBand0 | loN | swN}] [details]
Page 44
- show router isis neighbor
Table 10: IS-IS Commands
Command
Description
config terminal
router
no router
isis
Enables IS-IS and enters the IS-IS Router

Configuration mode
Disabled
no isis
Disables IS-IS
authentication-check
Enables the global authentication check of

ISIS incoming packets
Enabled
no authentication-check
Disables the authentication check
authentication-key-simple STRING
Specifies a global password for simple

authentication:
STRING: plain-text string of <1255> characters
no authentication-key-simple
authentication-key-md5 STRING
Specifies a global password for md5

authentication:

characters
no authentication-key-md5
authentication-type {none | simple

| md5}
md5: configures HMAC-MD5

authentication type
simple: configures plain-text

password
none: disables the

authentication of ISIS packets
None
no authentication-type
Restores to default
area-address FF:FF:FF:FF:FF:FF
Specifies the area ID:
no area-address FF:FF:FF:FF:FF:FF
FF:FF:FF:FF:FF:FF: area ID in
hexadecimal format
Removes the defined area ID
Page 45
Command
Description
Enable IS-IS on an already configured

interface (for more information on configuring
interfaces, refer to the Physical Ports and
Logical Interfaces chapter of this user guide):

interface

loopback IP-interface.
N: in the range of <09>

sw0
swN}
level {level1 | level1L2 |

level2}
Disables IS-IS on an already configured

interface:

interface

loopback IP-interface.

Specifies an adjacency level for a specified

interface:
level1: level 1 adjacency
level1L2: level 1 and Level 2

adjacency
level2: level 2 adjacency
Level 1 and Level 2 adjacency

no level
Restores to default
level-1
Enters the Level-1 adjacency Interface

Configuration mode
no level-1
Removes the Level-1 configurations
level-2
Enters the Level-2 adjacency Interface

Configuration mode
no level-2
Enables the level-2 authentication check of

ISIS incoming hello packets
Enabled
authentication-key-simple
Specifies level-2 simple authentication

password of Hello packets:
STRING
Page 46
Command
Description
authentication-key-md5
STRING
Specify level-2 MD5 authentication password

of Hello packets:

characters
authentication-type {none |
simple | md5}

authentication type

password
none: disables the

None
Restores to default
csnp-interval <interval>
Specifies the time between transmission of

CSNP packets:
10 seconds
no csnp-interval
Restores to default
Specifies the time between transmission of

hello packets:
3 seconds
no hello-interval
Restores to default
hello-multiplier <value>
Specifies the number of hello packets a

neighbor must miss before the router declares
the adjacency unavailability:
10
no hello-multiplier
Restores to default
lsp-interval <interval>
Specifies the time delay between successive

ILSP transmissions:
interval: in the range of <165535> milliseconds
10 milliseconds
no lsp-interval
Restores to default
metric <metric>
Specifies the cost of a specified interface.

The metric is a relative cost for sending
information over the specified interface.
metric: in the range of <0-63>
10
no metric
Restores to default
Page 47
Command
Description
priority <priority>
Specifies the priority of designated routers:
64
no priority
Restores to default
retransmit-interval
<interval>
Specifies the time between retransmissions of

LSP packets:
5 seconds
no retransmit-interval
Restores to default
passive-interface
Enables the passive mode on a specified

interface. In passive mode, transmission and
interpretation of PDUs on the specified
interface are suppressed. However these
interfaces are still included in LSPs and are
advertised to neighbors.
no passive-interface
Disables the passive mode
shutdown
Disables the specified interface
no shutdown
Enables the specified interface
level-1
Enters the Level-1 adjacency Global

Configuration mode
no level-1
level-2
Enters the Level-2 Global Configuration mode
no level-2
Enables the authentication check of ISIS

xSNP and LSP incoming packets
Enabled
authentication-key-simple
Specifies level-2 simple authentication

password of xSNP and LSP packets:
STRING
authentication-key-md5 STRING
Specifies level-2 MD5 authentication

password of xSNP and LSP packets:
Page 48

characters
Command
Description
authentication-type {none |
simple | md5}

authentication type

password
none: disables the

None
Restores to default
lsp-gen-interval <interval>
Specifies the minimum interval rate that LSPs

are generated:
30 seconds
no lsp-gen-interval
Restores to default
metric-style {both | narrow |

wide}
Specifies a metric style, advertised when

sending LSPs:
both: advertises narrow and wide

metric-style links
narrow: advertises links using

traditional metric-style (6
bits)
wide: advertises links using

wide metric-style (24 bits)
Narrow
no metric-style
Restores to default
set-overload-bit
Sets the overload bit in the header of its

nonpseudonode LSPs. When the overload bit
is set, other routers in the domain do not
include this router in their shortest-path-first
(SPF) calculations. Consequently, the other
routers do not detect any paths through this
router and do not forward traffic through this
router.
no set-overload-bit
Removes the overload bit
lsp-refresh-interval <interval>
Specifies the rate at which locally generated

LSPs are periodically transmitted:
900 seconds
no lsp-refresh-interval
Restores to default
max-lsp-lifetime <interval>
Specifies the maximum time that LSPs persist

without being refreshed:
interval: in the range of <165535>
1200 seconds
Page 49
Command
Description
no max-lsp-lifetime
Restores to default
router-id [FF:FF:FF:FF:FF:FF]
Specifies the IS-IS router ID:
FF:FF:FF:FF:FF:FF: (optional)
router ID in hexadecimal format
The IP address of loopback interface

with the lowest index, converted in
hexadecimal format
no router-id
Removes the defined IS-IS router ID
route-leak A.B.C.D/M
Redistributes L2 routes in the L1 routing

domain:
A.B.C.D/M: address and IP subnet

mask of the L2 route
no route-leak
Removes the specified route
spf-interval <interval>
Specifies the SPF Interval:

120000> milliseconds
5000 milliseconds
no spf-interval
Restores to default
summary-address A.B.C.D/M
Specifies a summary of addresses for a given

routing level:
A.B.C.D/M: address and IP subnet

mask
no summary-address
Removes the address
type {level1IS | level1L2IS |

level2IS}
Specifies the routing level:
level1IS: intra-area routing
level1L2IS: intra and inter area

routing
level2IS: inter-area routing
Level 1 and level 2

no type
level1IS: intra-area routing
level1L2IS: intra and inter area

routing
level2IS: inter-area routing
shutdown
Disables the IS-IS protocol
no shutdown
Enables the IS-IS protocol
te-router-id <id>
Enables the traffic engineering and specifies

the router ID for the traffic engineering
application:
Page 50
id: in format A.B.C.D
no te-router-id
Disables the traffic engineering
redistribute connect
Configures connected routes to be

redistributed
Command
Description
no redistribute connect
Removes the redistribution
redistribute default
Configures default routes to be redistributed
no redistribute default
redistribute static
Configures static routes to be redistributed
no redistribute static
metric <metric>
Specifies metric assigned to the link:
metric: in the range of <1-63>
10
no metric
Restores to default
level {level1 | level2}
Specifies the area routing:
level 1: intra-area routing
level 2: intra and inter area

routing
Level 2
no level
Restores to default
show router isis
Displays the state of the IS-IS protocol
show router isis database [level {level-1 |

level-2}] [details]
Displays the internal routing database:
show router isis interfaces [interface {

outBand0 | loN | swN}] [details]
show router isis neighbor
details: (optional) detailed

information
level-1: (optional) level1

related information
level-2: (optional) level2

related information
Displays IS-IS interfaces related information:
outBand0: (optional) an Ethernet

network interface
loN: (optional) an internal

logical loopback IP-interface. N
is in the range of <09>
swN: (optional) an IP interface

number in the range of <09999>
details: detailed information
Displays information for IS-IS neighbors
1.
The following example enables IS-IS as a Level1-2 router on interfaces sw10 and sw20:
device-name(config-isis)#router-id 11:11:11:11:11:11
device-name(config-isis)#interface sw10
device-name(config-interface-sw10)#level level1L2
device-name(config-interface-sw10)#exit
device-name(config-interface)#exit
Page 51
device-name(config-isis)#interface sw20
device-name(config-interface-sw20)#level level1L2
device-name(config-interface)#exit
device-name(config-isis)#area-address 11:22:33:44
device-name(config-area-address-11:22:33:44)#commit
2.
Display the state of IS-IS:

device-name#show router isis
Router is adminstratively up
Oper status: 1
Router ID: 11.11.11.11.11.11
ISIS type: L1-L2
SPF schedule delay 5000 msecs
LSP maximum lifetime 1200 secs,
LSP refresh interval 900 secs
Global authentication type: None
Suppress globally incoming packets authentication: Disabled
Level 1 setup:
LSP generation interval 30 secs,
metric style is NARROW
overload state: ON; set overload: FALSE
L1 authentication type: None
Suppress L1 incoming packets authentication: Disabled
Level 2 setup:
LSP generation interval 30 secs,
metric style is NARROW
overload state: ON; set overload: FALSE
L2 authentication type: None
Suppress L1 incoming packets authentication: Disabled
3.
Display the IS-IS neighbor information:

device-name#show router isis neighbours
00.00.96.01.01.02, state UP, Interface sw10
System type L1-L2, Adjacency type L1, Priority
SNPA: 02.00.00.00.04.8F
Holdtime 16 secs, Uptime 12m,16s,637ms,447us
SNPA: 02.00.00.00.04.8F
SNPA: 02.00.00.00.04.90
SNPA: 02.00.00.00.04.90
Page 52

Features
Standards
MIBs
RFCs
IP Unicast
Routing
No standards are
supported by this
feature.
Private MIB,
PRVT-SWITCHIPVLAN-MIB.mib.
RFC 791, Internet Protocol DARPA

Internet Program Protocol
Specifications
RFC 919, Broadcasting Internet
Datagrams
RFC 922, Broadcasting Internet
Datagrams in the Presence of Subnets
RFC 1042, A Standard for the
Transmission of IP Datagrams over
IEEE 802 Networks
RFC 1122, Requirements for Internet
Hosts -- Communication Layers
RFC 1812, Requirements for IP
Version 4 Routers
Open Shortest
Path First
(OSPF)
STD 54, OSPF

Version 2
RFC 1850, OSPF

Version 2
Management
Information Base
Private MIB,
PRVT-OSPFMIB.mib
RFC 1370, Applicability Statement for

OSPF
RFC 1587, The OSPF NSSA Option
RFC 1765, OSPF Database Overflow
RFC 2328, OSPF Version 2
Bidirectional
Forwarding
Detection
(BFD)
No standards are
supported by this
feature.
No MIBs are
supported by this
feature.
No RFCs are supported by this

feature.
IS-IS
ISO 10589
Information
Technology
Telecommunicati
on and
information
exchange
between
systems
Intermediate
system to
Intermediate
system intradomain routing
information
exchange
protocol for use
in conjunction
with the protocol
for providing the
connectionlessmode Network
Service (ISO
8473), 1992.
Private MIB,
PRVT-ISISMIB.mib
RFC 1195, Use of OSI IS-IS for

Routing in TCP/IP and Dual
Environments
RFC 2966, Domain-wide Prefix
Distribution with Two-Level IS-IS
RFC 3373, Three-way handshake
RFC 3567, IS-IS Cryptographic
Authentication
Page 53
Page 54
MPLS Protocols and Services

Table of Contents
Table of Figures 2
List of Tables 2
Multiprotocol Label Switching (MPLS) 3
Architecture 3
Pseudowires and Virtual Circuits 4
Virtual Private Wire Service (VPWS) 4
Virtual Private LAN Services (VPLS) 5
PW RedundancyService Protection 8
A Spoke PW Failure in a Hub and Spoke Topology 8
A Mesh PW Failure in a Hub and Spoke Topology 9
MPLS Transport and Service 10
Resource Reservation Protocol And Traffic Engineering 10
RSVP-TE Extensions for MPLS 10
RSVP-TE Fast Reroute (FRR) Transport Protection 11
The FRR Advantage 11
Fast Reroute Terms 11
Local Repair Technique: One-to-One Method 12
Local Repair Technique: Facility Method 13
Secondary LSP 14
Penultimate Hop Popping (PHP) 14
Traffic-Engineering Tool 15
MPLS and VPLS/VPWS Configuration Flow 15
MPLS and VPLS Configuration Commands 17
RSVP-TE Tunnels Configuration Examples 52
MPLS Protocols and Services (Rev. 01)
Page 1
LDP Tunnels Configuration Example54

VPLS Configuration Examples55
SAP Options on Services 56
Triangle Topology Configuration Example 57
Traffic-Engineering Tool Example 65
Table of Figures
Figure 1: MPLS Cloud ........................................................................................................................... 4
Figure 12: VPWS .................................................................................................................................... 4
Figure 2: VPLS Cloud ............................................................................................................................ 5
Figure 3: Packets at Different Points of the VPLS............................................................................ 6
Figure 4: H-VPLS Topology ................................................................................................................. 7
Figure 5: Two-tiered Hierarchical VPLS Model ................................................................................ 7
Figure 6: A Spoke PW Failure in a Hub and Spoke Topology ........................................................ 8
Figure 7: Recovery from a Spoke PW Failure .................................................................................... 9
Figure 8: A Mesh PW Failure in a Hub and Spoke Topology ......................................................... 9
Figure 9: Recovery from A Mesh PW Failure .................................................................................... 9
Figure 10: Establishing a TE-tunnel .................................................................................................. 11
Figure 11: One-to-One Backup Method ........................................................................................... 12
Figure 12: Facility Backup Method .................................................................................................... 13
Figure 13: Penultimate Hop Popping ................................................................................................ 15
Figure 14: MPLS and VPLS Configuration Flow ............................................................................ 16
Figure 15: A Triangle Topology Configuration Example............................................................... 57
List of Tables
Table 1: Term Definitions and Acronyms ........................................................................................ 11
Table 2: MPLS Configuration Commands ....................................................................................... 17
Table 3: LDP Configuration Commands .......................................................................................... 20
Table 4: RSVP and TE Entity Configuration Commands ............................................................. 26
Table 5: VPLS Commands .................................................................................................................. 36
Table 6: Show Commands .................................................................................................................. 45
Table 7: Fields Displayed by show mpls tunnel command................................................ 48
Page 2
T-Marc3208SH
Multiprotocol Label Switching (MPLS)

Multiprotocol Label Switching (MPLS), used mainly for service-provider core networks and large
enterprise networks, is a data-carrying mechanism that overcomes many of the shortcomings of IPbased networks. MPLS provides an easy way to engineer traffic, manage bandwidth, and bring
Quality of Service (QoS) to IP networks.
This mechanism provides a unified, multi-protocol, data-carrying service by building Virtual
Circuits (VCs) across IP networks that tunnel these packets through the MPLS network.
MPLS is based on prefixing data packets with an MPLS header that contains one or more label(s)
(label stacking) and switching these packets through the MPLS network solely according to their
MPLS labels. Using the labeling method, MPLS tunnels all packets through the network without
regard to their protocols.
MPLS supports traffic engineering to provide traffic prioritization and QoS.
Using MPLS, you can also define multiple paths to two endpoints to achieve load balancing and
ensure backup in case of a line failure.
Architecture
An MPLS network is typically a large group of core devices distributed over a wide geographic area.
MPLS can also be used in metropolitan area networks.
The MPLS network is built by unidirectional Label Switched Paths (LSPs) that are created by a
signaling protocol prior to data transmission. LSPs include:
Label Edge Routers (LER): Devices at the LSP ingress and egress points connected to the
non-MPLS networks.
Label Switching Routers (LSR): Devices within the MPLS network core.
Upon data transmission, data packets are routed to the LER (at the MPLS ingress point). Based on
packet details, the LER determines which LSP to tunnel the packet through and prefixes the packet
with an appropriate label. Each LSR along the LSP switches the packet label to another label and
then forwards the packet to the next LSR along the path. The LER at the MPLS network egress
removes the label from the packet and forwards the packet to the external network.
For further details refer to Multiprotocol Label Switching Architecture RFC 3031.
Page 3
Figure 1: MPLS Cloud
Pseudowires and Virtual Circuits

Pseudowire (PW) describes a connection oriented, service transport over packet switched network,
such as MPLS network. Each pseudowire contains two unidirectional Virtual Circuits (VCs) which
defines a connection between service end-points in the MPLS topology. A VC is usually referred to
as a Service Distribution Point (SDP).
According to its connection oriented nature, traffic starts flowing via the PW only after the
connection setup is signaled between PW end points and the connection is up.
PW delivers two types of services to end users:
VPWS
VPLS
Virtual Private Wire Service (VPWS)

VPWS is a point-to-point circuit (link) connecting two devices, a logical link through a packet
switched network. Frames transmitted by a device on such a virtual circuit are received by the
device at the other end-point of the virtual circuit.
An example of VPWS application is a customer network where CE (Customer Edge) devices are
connected to each other via a PW, which is either a physical or logical circuit, between PE (Provider
Edge) devices in the provider network.
Figure 12: VPWS
Page 4
Virtual Private LAN Services (VPLS)

VPLS, one of the most common VC applications, is a technology for transparently connecting
geographically-dispersed, corporate sites over an MPLS network so that the sites appear and behave
like a single bridged Ethernet LAN.
Combining the simplicity of Ethernet backbone LAN technology with the scalability and security
of the MPLS core, VPLS is a viable alternative for enterprises seeking a cost-effective Layer 2 VPN
solution. VPLS functionality is usually required for Provider Edge (PE) routers.
A PE router, located at the edge of the MPLS core, is administered only by the Service Provider
without customer management access. In case of VPLS, PE routers and LERs coincide since labels
are attached once packets arrive at PEs from a non-MPLS network. Each PE connects to
Customer Edge equipment administered solely by the customer.
Figure 2: VPLS Cloud
Pseudowire (PW) describes the connection between the end-points. A full mesh of PWs must exist
among PEs within the same VPLS instance. In order to prevent loops, a PE must not forward
traffic from one pseudowire to another in the same VPLS instance. Note that this does not apply to
traffic received on a PE user port that is considered an access port for the VPLS service. If a packet
with an unknown destination MAC address arrives at such a port, the PE must flood this packet to
all pseudowires and users ports (if any) pertaining to the VPLS instance.
While traveling along a PW, packets contain a stack of two labels. Both labels are added by PEs at
the time the packets enter the MPLS core. The core routers (LSRs) use the outer, transport label to
switch the packet through to the far-end PE. LSRs do not know that the packet belongs to a given
VPLS instance as they only take into account the outer label. This feature provides an additional
level of security for user traffic.
The other, inner, Virtual Circuit label, is put to use at the far-end PE. The Virtual Circuit label
identifies the VPLS instance to which the packet belongs (for example, it is used as a service
delimiter). Once the PE becomes aware of the VPLS, the packet is switched based on the
destination MAC address.
VPLS Packet Formats and VC Types

To traverse the MPLS network, MPLS packets contain encapsulated Ethernet packets.
Page 5
Figure 3: Packets at Different Points of the VPLS
On receipt, the far-end PE strips the Ethernet header and labels used within the MPLS cloud off
the packet. Depending on the VC label, the PE sends the packet to a respective access port.
When the PE receives an Ethernet frame carrying a VLAN tag intended to go into the MPLS
cloud, the PE can operate using two encapsulation modes (VC types):
Ethernet-VLAN: The PE regards tags placed in the packet by customer equipment as

service-delimiting. The service provider uses that tag to segment traffic. For example, LANs
from different customers may be attached to the same service provider device which, in turn,
applies VLAN tags to distinguish between customer traffic and forwards the frames to the PE.
In this case, it is important to make sure the tag is kept while traveling in the MPLS cloud.
When pseudowire is operating in this mode, every packet sent on the pseudowire must
have a service-delimiting VLAN tag. If the frame is received by the PE from the user
without a VLAN tag, the PE prepends the frame with a dummy VLAN tag of 1 before
sending the frame on the pseudowire.
ETHERNET: The PE regards tags placed in the packet by customer equipment as not
service-delimiting. In this mode, the tag has no meaning to the PE. Service-delimiting tags
are never sent over the pseudowire. If a service-delimiting tag is present when the packet is
received from a user by the PE, the tag must be removed from the packet before the packet is
sent to the pseudowire.
When this mode is used, the remote PE receives an untagged frame from the pseudowire
after the original tag was stripped off by the transmitting PE. Depending on the VPLS
instance SAP (Service Access Point) configuration, the PE may add a different tag, on
frame reception, to achieve VLAN translation across the PW, or the PE may leave the
frame untagged.
In both modes, when a single Ethernet packet contains more than one tag, the PE device inspects
the outermost tag to adapt the Ethernet packet to the pseudowire, and encapsulates the stacked tags
in VC type VLAN mode or removes the outer tag before encapsulation in VC type Ethernet mode.
NOTE
The VC type should match on the PW endpoint device.
Page 6
Hierarchical VPLS (H-VPLS)

The VPLS model described in the previous sections relies on a full mesh of pseudowires which
implement any-to-any connectivity in the provider core network. The pseudowires within the core
network are known as hub pseudowires. When large VPLSs are deployed, setting up the full
mesh of pseudowires may result in high signaling overhead. Hierarchical VPLS helps reduce the
overall number of pseudowires and relieves the overhead burdens of the PEs.
To accomplish this, H-VPLS uses MTU (Multi-Tenant Unit) devices. As a rule, MTU devices are
located in multi-tenant unit buildings and aggregate customer traffic before sending it to the PEs.
Figure 4: H-VPLS Topology
MTU and PE devices connect to each other via a single spoke pseudowire. There is no need
for a full mesh of pseudowires between an MTU and all the PEs of a particular VPLS instance
as in a classic VPLS application. This is achieved by introducing a slight change in PE
operation, specifically, PE devices treating spoke pseudowires as user access ports. As a result,
PEs flood packets received from spoke pseudowires to other spoke pseudowires and mesh
pseudowires associated with the same customer. The PE will flood packets received from
mesh pseudowires only to spoke pseudowires and not to other mesh pseudowires in order to
prevent loops and achieve Split-Horizon functionality.
Figure 5: Two-tiered Hierarchical VPLS Model
Page 7
According to its position in the H-VPLS topology, the device operates in two modes:
MTU-S mode single-active-spoke and backup-spoke pseudowires are allowed per VPLS
instance.
NOTE
In H-VPLS terminology, spoke pseudowires are referred to as spoke-SDPs (service
distribution points), and mesh/hub pseudowire are referred to as mesh-SDPs.
NOTE
The VPT preservation is enabled by default.
NOTE
You cannot use the same service ID for all MPLS L2 services.
You cannot use the same physical port as a MPLS and TLS SAP.
PW RedundancyService Protection
In H-VPLS topology, VPLS core PWs (mesh) are augmented with access PWs (spokes) to form a
two-tier hierarchical VPLS. The use of Dual-Homing, Active and Backup PWs terminating on
different PEs provides protection against the failure of the spoke or the failure of the PE.
In certain applications, there is a need for a different mechanism to protect the target PE node or
the MTU Service Access Point failure. PW redundancy overcomes such failures by signaling the
preferred PW used for forwarding data traffic between the local and remote peers of the PW. This
mechanism becomes operational once multiple PWs (SDPs) are configured for the same service.
The status of a spoke-PW/SDP (Active/Backup) determines the order of precedence for the PW.
In an MTU VPLS service instance with two PWs, the PW with the lower value will be the Active
one. If both PWs are the same, with respect to precedence, the Active PW would be the first one
signaled to the PEs.
Mechanism behavior s defined per service using the redundancy-mode parameter. By default, the
parameter is set to independent mode in which the PW state is defined both by PW precedence and
remote requests.
A Spoke PW Failure in a Hub and Spoke Topology

In case of a spoke PW failure, MTU notifies its remote PW peer on the preferred spoke PW used
to forward data traffic by clearing the preferential forwarding bit of the standby spoke PW. This
causes a switchover between the active and standby spoke PWs as illustrated in the following figure:
switchover between
Active and Standby
Active PW-spoke
1
PE
VPLS
Mesh
3
PE
Active PW-sp
oke
MTU
Backup
PW-sp
oke
2
PE
4
PE
MTU
oke
PW-sp
Backup
switchover request
(by clearing preferential forwarding bit)
Figure 6: A Spoke PW Failure in a Hub and Spoke Topology
Page 8
Once the standby spoke PW is active and a new path is used, the MTU for the activated, standby
PW sends a MAC-Address Withdrawal to the PE, which in turn distributes the MAC-Address
Withdrawal to all other PE devices, allowing faster convergence:
1
PE
Backup PW-spoke
3
PE
VPLS
Mesh
Active PW-sp
oke
MTU
Active
2
PE
PW-sp
oke
4
PE
MTU
oke
PW-sp
Backup
MAC Address
Withdrawal
Figure 7: Recovery from a Spoke PW Failure
A Mesh PW Failure in a Hub and Spoke Topology

In case of a mesh failure, the PE device notifies the relevant MTU devices by setting the
preferential forwarding bit of the corresponding spoke PWs, allowing the MTU devices to
switchover between active and standby spoke PWs as illustrated in the following figure:
switchover request
(by setting preferential forwarding bit)
switchover between
Active and Standby
1
Active PW-spoke
switchover between
Active and Standby
PE
Active PW-sp
oke
PE
VPLS
Mesh
MTU
Backup
PW-sp
oke
PE
MTU
poke
p PW-s
Backu
PE
switchover request
switchover request
Figure 8: A Mesh PW Failure in a Hub and Spoke Topology
With the backup spoke PW active, using a new path, the MTU for the standby PW, sends a MACAddress Withdrawal to the PE. To achieve faster convergence, the PE, in turn, distributes the
MAC-Address Withdrawal to all other PE devices.
1
Backup PW-spoke
PE
VPLS
Mesh
PE
Backup PW-sp
oke
MTU
Active
PW-sp
oke
PE
Active
MTU
oke
PW-sp
PE
MAC Address
Withdrawal
Figure 9: Recovery from A Mesh PW Failure
Page 9
MPLS Transport and Service

You can signal MPLS transport LSPs (tunnels) using two types of protocols, specifically LDP and
RSVP-TE, which are responsible for the exchange and distribution of transport labels. Note that
the LDP protocol, which must be used for signaling service VC labels, requires routing adjacency
between PW end-points to exchange labels.
Resource Reservation Protocol And Traffic Engineering

Use traffic engineering to:
Route traffic around congested and failed network points
Maximize throughput
Minimize delay
MPLS directs a flow of IP packets along unidirectional LSPs. The physical path of the LSP is not
constrained to the shortest path, to reach the destination IP address, chosen by the IGP.
A host uses the Resource Reservation Protocol (RSVP) network protocol to request specific
qualities of service from the network for particular application data streams or flows. Routers also
use RSVP to deliver Quality of Service (QoS) to all nodes along the path of the flow and to
establish and maintain the state needed to provide the requested service. MPLS leverages RSVP to
set up traffic-engineered LSPs.
RSVP requests generally result in reservation of resources in each node along the data path. Hosts
and routers that support both MPLS and RSVP can associate labels with RSVP flows. When MPLS
and RSVP are combined, the definition of a flow can be made more flexible. Once an LSP is
established, the traffic through the path is defined by the label applied at the ingress node of the
LSP.
RSVP-TE Extensions for MPLS

RSVP-TE, an extension of RSVP, enables label-switched paths in MPLS. RSVP-TE defines a
session as a data flow with a particular destination and transport-layer protocol. The ingress node of
an LSP uses a number of methods to determine which packets are assigned a particular label. Once
a label is assigned to a set of packets, the label effectively defines the flow through the LSP.
Since flow along an LSP is completely identified by the label applied at the ingress node of the path,
these paths may be treated as LSP tunnels (refer to RFC 2702.)
Use RSVP-TE to establish explicitly routed, label-switched paths that use RSVP as a signaling
protocol. The result is the instantiation of label-switched tunnels that can be automatically routed
away from network failures, congestion, and bottlenecks.
RSVP, extended for MPLS, supports automatic signaling of LSPs. To enhance scalability, latency,
and reliability of RSVP signaling, several extensions have been defined. Refresh messages are still
transmitted; traffic volume, CPU utilization, and response latency are all substantially reduced while
maintaining reliability support.
In addition, RSVP-TE uses CSPF infrastructure to engineer constraint-based LSPs (forcing the
LPS to use a certain path or preventing the LSP from using a specific path).
Page 10
Figure 10: Establishing a TE-tunnel
RSVP-TE Fast Reroute (FRR) Transport Protection

Use the Fast Reroute mechanism to facilitate fast, local repair of LSPs when a link or node fails. An
extension of RSVP, Fast Reroute, requests link or node protection by appending a Fast Reroute
object to the Path message. The Fast Reroute object indicates to the downstream LSRs that a
locally generated backup LSP should be set up as backup for the Protected LSP in case the
downstream link or node fails.
The FRR Advantage

Another extension of RSVP, FRR establishes backup label-switched path (LSP) tunnels used in
local repair of LSP tunnels. The extension attempts to reach the needs of real-time applications,
such as voice over IP, to redirect user traffic into backup LSP tunnels in tens of milliseconds. To
satisfy this timing requirement, FRR computes and signals backup LSP tunnels in advance of failure
and redirects traffic as close to the failure point as possible. In this way, the time need to redirect
user traffic includes no path computation and no signaling delays (including delays to propagate
failure notification between label-switched routers (LSRs)).
Speed of repair is the primary advantage to the methods and extensions described here. The term
local repair is used when referring to techniques that re-direct traffic to a backup LSP tunnel in
response to a local failure.
An FRR-enabled LSP is an RSVP tunnel in which the user configures the fast-reroute mode. The
fast-reroute model specifies the repair techniques described in the following section.
Fast Reroute Terms

Table 1: Term Definitions and Acronyms
Term
Meaning
Local Repair
Techniques used to repair LSP tunnels quickly when a node or link

along the LSP fails.
Merge Point (MP)
The LSR where one or more backup tunnels rejoin the path of the
protected LSP downstream of the potential failure. The same LSR may
Page 11
be both an MP and a PLR simultaneously.

Point of Local Repair
(PLR)
The head-end LSR of a backup tunnel or a detour LSP.
Facility Backup
Bypass tunnel used to protect one or more protected LSPs that

traverse the following (in the order shown):
Guarded-Destination
Hop
The PLR
The protected resource
The Merge Point
Signal the primary tunnel through the ingress IP address of the Merge
Point. To protect a group of primary tunnels traversing the hop, the
guarded-destination hop is defined on PLR as a for manual bypass
tunnel.
NOTE
For further details regarding protection establishment and the roles of devices in a
protected RSVP-TE based environment, refer to RFC 3209.
Local Repair Technique: One-to-One Method

In the traditional MPLS/VPN network architecture, each customer site was associated with a single
VPN with a one-to-one correspondence between customer sites and VPNs. In this architecture,
users can implement the FRR one-to-one method in which the PLR maintains a separate backup
path for each LSP. In the following figure, the protected LSP runs from R1 to R5. The example
shows the detour paths necessary to fully protect this LSP.
Figure 11: One-to-One Backup Method
R2 can provide user traffic protection by creating a partial backup LSP that merges with the
protected LSP at R4. The partial one-to-one backup LSP [R2->R7->R8->R4] is a detour.
To protect an LSP that traverses N nodes, there could be as many as (N - 1) detours.
To minimize the number of LSPs in the network, it is recommended to merge a detour back to its
protected LSP, whenever possible. Merger occurs when a detour LSP intersects its protected LSP at
an LSR with the same outgoing interface.
When a failure occurs along the protected LSP, the PLR redirects traffic onto the local detour. For
instance, if the [R2->R3] link fails, R2 switches traffic received from R1 onto the protected LSP
along link [R2->R7], using the label received when R2 created the detour.
When R4 receives traffic with the label provided for R2's detour, R4 switches this traffic onto link
[R4-R5], using the label received from R5 for the protected LSP.
Page 12
At no point does the depth of the label stack increase as a result of the detour.
While R2 uses its detour, traffic uses the path [R1->R2->R7->R8->R4->R5].
Local Repair Technique: Facility Method

The Facility Backup method takes advantage of the MPLS label stack. Instead of creating a separate
LSP for every backed-up LSP, a single LSP serves as back up to a set of LSPs. This type of LSP
tunnel is called a bypass tunnel.
The bypass tunnel must intersect the path of the original LSP(s) somewhere downstream of the
PLR. As a result, the set of LSPs being back up via that bypass tunnel are constrained to those that
pass through some common downstream node. Candidates for this set of LSPs must:
Pass through the local repair point
Pass through this common node
Not use the facilities involved in the bypass tunnel
Figure 12: Facility Backup Method
In the above example, R2 has built a bypass tunnel to protect against link failure [R2->R3] and
node [R3]. The doubled lines represent this tunnel. This technique provides scalability improvement
in that the same bypass tunnel can also be used to protect LSPs from any of R1, R2, or R8 to any of
R4, R5, or R9. Example 2 describes three different protected LSPs that are using the same bypass
tunnel for protection.
There could be as many as (N-1) bypass tunnels to fully protect an LSP that traverses N nodes.
However, each of those bypass tunnels could protect a set of LSPs.
When a failure occurs along a protected LSP, the PLR redirects traffic into the appropriate bypass
tunnel. For instance, if link [R2->R3] fails in Example 2, R2 will switch traffic received from R1 on
the protected LSP onto link [R2->R6]. The label will be switched for one which will be understood
by R4 to indicate the protected LSP, and the bypass tunnel label will then be pushed onto the labelstack of the redirected packets.
If penultimate-hop-popping is used, the merge point in Example 2, R4, will receive the redirected
packet with a label indicating the protected LSP that the packet is to follow. If penultimate-hoppopping is not used, R4 will pop the bypass tunnel label and examine the label underneath to
determine the protected LSP that the packet is to follow. When R2 is using the bypass tunnel for
protected LSP 1, the traffic takes the path [R1->R2->R6->R7->R4->R5]; the bypass tunnel is the
connection between R2 and R4.
Page 13
Secondary LSP
In addition to LSP FRR protection, which can be established dynamically (based on CSPF) or
defined explicitly to bypass a local failure, you can use a secondary pre-defined LSP, a redundant
path to the same end point of the protected LSP, to protect RSVP LSP. Same as an FRR bypass
LSP, the secondary LSP can be established dynamically (based on CSPF) or defined explicitly.
RSVP LSP can be protected by FRR, a secondary LSP, or both.
When both protection methods are applied on LSP, FRR will be the first to protect on failure; the
secondary LSP will be second. After an FRR event occurs, the bypass tunnel will be used until
expiration of the configured timeout. After expiration of the MBB timer, the bypass tunnel will be
torn down.
A secondary LSP will be used if it has been configured and established. In order to keep service
functional when the primary LSP fails to recover, the user must have configured a secondary
instance or the MBB timer must be disabled.
Penultimate Hop Popping (PHP)

In an MPLS-enabled network, PHP is a function performed by a Label Switch Router (LSR) before
passing the packet to an adjacent Label Edge Router (LER). In this process, the outermost label of
an MPLS process is removed thereby reducing the load on the LER. Without this process, the LER
would have to perform at least two label lookups:
Look up the outer label that identifies the packet should have its Transport label stripped on
this router.
Look up the inner label, that identifies which Virtual Routing/Forwarding (VRF in IP MPLS)
or Virtual Circuit (VC in MPLS VPLS) instance to use.
In a large network, two lookups can cause the CPU load on the LER to reach unacceptable levels.
By having PHP for an LER done on the connected LSRs, the load is effectively distributed among
neighboring routers.
PHP functionality is achieved by the LER advertising a label with a value of 3 to its neighbors. This
label is defined as implicit-null and informs the neighboring LSR(s) to perform PHP.
LSR receives implicit-null label from LER 2 to use for prefix 172.16.
Outer label is popped by LSR performing PHP before sending 172.16 to LER 2.
Page 14
Figure 13: Penultimate Hop Popping
Traffic-Engineering Tool
When CSPF is used for automatic RSVP-TE based LSP management, you can determine the path
hops used between two endpoints in the MPLS topology using a CLI, Traffic Engineering tool that
queries the CSPF database and tracks all hops between the endpoints.
Since the CSPF database is used by RSVP-TE to establish an LSP, the path indicated by this tool
will represent the LSP to be established by RSVP-TE protocol. The tool can be used for advanced
troubleshooting; usage requires specifying the head and tail ends of a desired path as shown in the
following example (see Traffic-Engineering Tool Example).
NOTE
In addition, two more mpls connectivity tools are available: mpls-ping and mplstrace.
MPLS and VPLS/VPWS Configuration Flow
Page 15
Figure 14: MPLS and VPLS Configuration Flow
Page 16
MPLS and VPLS Configuration Commands

MPLS Configuration Commands Hierarchy
#device-name
+ config terminal
mpls tunnels rebuild-now <value>
no mpls-te automatic-bypass TunnelIndex <value>

+ [no] router
+ [no] mpls
- [no] lsr-id A.B.C.D
- [no] label-range-egress <lowest-value>-<highest-value>
- [no] label-range-ingress <lowest-value>-<highest-value>
+ mpls lsp-ping {lsp LSP_NAME | prefix A.B.C.D/M}

- count <count>
- size <octets>
- timeout <timeout>
- ttl <ttl>
+ mpls lsp-trace {lsp LSP_NAME | prefix A.B.C.D/M}

- size <octets>
- timeout <timeout>
- ttl <ttl>
MPLS Configuration Commands Description

Table 2: MPLS Configuration Commands
Command
Description
config terminal
mpls tunnels rebuild-now <value>
Specifies index for the RSVP-TE tunnel to be

re-signaled manually:
no mpls-te automatic-bypass TunnelIndex

<value>
Specifies index of the dynamic bypass tunnel to

be deleted:
router
Enters Router Configuration mode
no router
mpls
Enables MPLS and enters MPLS Configuration

mode
Page 17
Command
no mpls
lsr-id A.B.C.D
Description
Disables MPLS
Specifies the unique LSR ID of the device. This
address is used by all MPLS protocols :
A.B.C.D: a logical loopback IP

address (loN) in a dotted format
NOTE
To change the LSR ID, remove the
entire MPLS configuration.
no lsr-id A.B.C.D
Removes the configured LSR ID:
label-range-egress <lowestvalue>-<highest-value>
A.B.C.D: a logical loopback IP

address (loN) in a dotted format
Specifies a range within labels for a neighboring

MPLS router are distributed.
lowest-value: in the range of

<28672-1048575>
28672
highest-value: in the range of

<28672-1048575>
1048575
no label-range-egress
Restores to default
label-range-ingress <lowestvalue>-<highest-value>
Specifies a range within labels from a

neighboring MPLS router are accepted.
The device must be rebooted for the changes to
take effect.
lowest-value: in the range of

<16-1048575>
16
highest-value: in the range of

<16-1048575>
1048575
no label-range-ingress
mpls lsp-ping {lsp LSP_NAME | prefix
A.B.C.D/M}
count <count>
Restores to default
Starts an LSP connectivity-test by sending inband MPLS echo packets to the egress LSR:
LSP_NAME: the LSP name
A.B.C.D/M: the FECs prefix
The number of messages the test sends:
count: in the range of

<1100>
1
size <octets>
The minimum packet size:
octets: in the range of

<84-1300> octets
No pad TLV added
Page 18
Command
timeout <timeout>
Description
The number of seconds to wait for a
connectivity test reply:
timeout in the range of

<1-120> seconds
2
ttl <label-ttl>
The maximum number of hops to reach the

specified IP address/LSP:
label-ttl: in the range of

<1255>
255
mpls lsp-trace {lsp LSP_NAME | prefix
A.B.C.D/M}
size <octets>
Verifies the packets hop-by-hop path by

sending in-band MPLS echo packets:
LSP_NAME: the LSP name
A.B.C.D/M: the FECs prefix
The minimum packet size:
octets: in the range of

<84-1300> octets
No pad TLV added

timeout <timeout>
The number of seconds to wait for a

connectivity test reply:
timeout: in the range of

<1-120> seconds
2
ttl <ttl>
The maximum number of hops to reach the

specified IP address/LSP:
ttl: in the range of

<1255>
255
Page 19
LDP Configuration Commands Hierarchy

#device-name
+ config terminal
+ [no] router
+ [no] ldp
+ [no] targeted-peer A.B.C.D
- [no] hello-hold-time <value>
- [no] keepalive-hold-time <value>

- [no] shutdown
+ [no] distribute
- [no] ingress {isis | ospf | static | ip A.B.C.D/M}
- [no] egress {connected | static | ospf | ip

A.B.C.D/M}

- [no] hello-hold-timer <value>
- [no] keepalive-hold-timer <value>
- [no] label-advertising-mode {explicit-null |

global-label-range | implicit-null}
- [no] shutdown
LDP Configuration Commands Description

Table 3: LDP Configuration Commands
Command
Description
config terminal
router
no router
ldp
Enables the LDP protocol and accesses LDP

Protocol Configuration mode
no ldp
Removes the LDP configurations
targeted-peer A.B.C.D
Specifies the targeted LDP peer IP address:
no targeted-peer A.B.C.D
Removes the targeted LDP peer:
Page 20
A.B.C.D: the remote LDP peer IP

address
A.B.C.D: the remote LDP peer IP
address
Command
Description
hello-hold-time <value>
Specifies the LDP targeted session hello hold

time:

seconds. Shutdown the peer to
change this value
0 seconds
LDP hello messages are sent hello-hold-time/3
seconds.
no hello-hold-time
Restores to default
keepalive-hold-time <value>
Specifies the LDP targeted session keep-alive

hold time:

seconds
40 seconds
no keepalive-hold-time
Restores to default
shutdown
Disables the targeted peer
no shutdown
Enables the targeted peer
distribute
ingress {isis | ospf | static
| ip A.B.C.D/M}
Specifies the distribution policy

Specifies the ingress (remote router) distribution
policy:
isis: marks the routes learned

from the IS-IS for usage of
ingress LDP LSPs
ospf: marks the routes learned

from the OSPF for usage of ingress
LDP LSPs
static: marks the static routes

for usage of ingress LDP LSPs
ip A.B.C.D: marks specific IP

address or network for usage for
ingress LDP LSPs
Distribution is disabled
no ingress {isis | ospf
static | ip A.B.C.D/M}
Removes the ingress distribution policy:
isis: marks the routes learned

from the IS-IS for usage of
ingress LDP LSPs

from the OSPF for usage of ingress
LDP LSPs

for usage of ingress LDP LSPs
ip A.B.C.D: marks specific IP

address or network for usage for
ingress LDP LSPs
Page 21
Command
Description
egress {connected | static |
ospf | ip A.B.C.D/M}
Specifies the egress (local router) distribution

policy:
connected: distributes all the

local interfaces

for usage of egress LDP LSPs

from the OSPF for usage of egress
LDP LSPs
ip A.B.C.D: distributes to a
specific IP route
Distribution is disabled
no egress {connected | static
| ospf | ip A.B.C.D/M}
Removes the egress distribution policy:
connected: distributes all the

local interfaces

for usage of egress LDP LSPs

from the OSPF for usage of egress
LDP LSPs
ip A.B.C.D: distributes to a
specific IP route
Specifies LDP values for an already configured

IP interface:

interface
NOTE
LDP protocol is not supported on
the Eth interface.

swN}

IP-interface.

range of <09999>
Disables MPLS on an already configured IP

interface:

interface
NOTE
LDP protocol is not supported on
the Eth interface.
Page 22

IP-interface.

range of <09999>
Command
Description
hello-hold-timer <value>
Specifies the LDP link session hello-hold time:

seconds
15 seconds
LDP hello messages are sent hello-hold-time/3
seconds.
NOTE
Shutdown the peer to change this
value
no hello-hold-timer
Restores to default
keepalive-hold-timer <value>
Specifies the LDP link session keep-alive hold

time.

seconds
40 seconds
no keepalive-hold-timer
Restores to default
label-advertising-mode
{explicit-null | globallabel-range | implicitnull}
Specifies the label value advertised on the

egress router of an LSP:
explicit-null: this label is

assigned to preserve the TC
(traffic class) value of the top
label of an incoming packet. The
top label is swapped with a label
value of 0 (20 bit label field)
and forwarded as an MPLS packet to
the next-hop downstream router.
global-label-range: uses dynamic

MPLS labels, specified by commands
label-range-egress and labelrange-ingress in MPLS
configuration mode
implicit-null: this label is

assigned when the top label of the
incoming MPLS packet is removed
and the resulting MPLS or IP
packet is forwarded to the nexthop downstream router. The value
for this label is 3 (20 bit label
field).
NOTE
When LDP and RSVP use the
same interface, changing label
advertising mode requires
recreation of the interface with a
new value. As a result, short period
of traffic loss can be expected.
Implicit-null label (label 3)
no label-advertising-mode
shutdown
Restores to default
Disables LDP
Disabled
Page 23
Command
Description
no shutdown
Enables LDP
RSVP and TE Configuration Commands Hierarchy

#device-name
+ config terminal
+ [no] router
+ [no] rsvp-te
- [no] ignore-ingress-interface-affinities
+ [no] admin-group <admin_group_id>
- name ADMIN_GROUP_NAME
- [no] admin-group <admin_group_id>
- [no] label-advertising-mode {explicit-null |

global-label-range | implicit-null}
- [no] te-metric <metric>
- [no] maximum-interface-bandwidth [speed <speed> |

unit {bps | gbps | kbps | mbps}]
- [no] maximum-reservable-bandwidth [speed <speed> |

unit {bps | gbps | kbps | mbps}]
- [no] maximum-diffserv-class-bandwidth [speed

<speed> | unit {bps | gbps | kbps | mbps}]
- [no] bypass-fast-reroute
- [no] detour-fast-reroute
- [no] dynamic-bypass
- [no] lsp-hold-timer <value>
+ [no] path <path>
+ [no] hop <id>
- [no] hop-type {strict | loose}
- [no] ip-address A.B.C.D {include | exclude}
- [no] shutdown
+ [no] lsp <lsp_id>
- [no] name LSP_NAME
- [no] backup-setup-priority <priority>
- [no] backup-holding-priority <priority>

- [no] far-end A.B.C.D
- [no] fast-reroute-mode {facility | one-to-one |

no-preference}
- [no] admin-group include-all <tunnel_affinity_id>
- [no] admin-group include-any <tunnel_affinity_id>
Page 24
- [no] admin-group exclude-any <tunnel_affinity_id>

- [no] backup-admin-group exclude-any
<tunnel_affinity_id>
- [no] backup-admin-group include-all

- [no] backup-admin-group include-any

- [no] guarded-destination A.B.C.D

- [no] holding-priority <priority>
- [no] max-backup-hops <hops>
- [no] mbb-timeout <value>
- [no] mtu <mtu>
- [no] rebuild-timer <value>
- [no] setup-priority <priority>
- [no] cspf
- [no] path <path>
- [no] exclude-resource-affinity
+ [no] secondary
- [no] admin-group include-all

- [no] admin-group include-any

- [no] admin-group exclude-any


- [no] cspf
- [no] holding-priority <priority>
- [no] mbb-timeout <value>
- [no] rebuild-timer <value>

- [no] mtu <mtu>
- name LSP_NAME
- [no] setup-priority <priority>
- [no] path <path>
- [no] exclude-resource-affinity
- [no] shutdown
- [no] shutdown
Page 25
RSVP and TE Configuration Commands Description

Table 4: RSVP and TE Entity Configuration Commands
Command
Description
config terminal
router
no router
rsvp-te
Enters the RSVP-TE Configuration mode
no rsvp-te
Removes the RSVP-TE configurations
ignore-ingress-interfaceaffinities
Specifies that the admin-groups defined on the

ingress interfaces are ignored
Admin-groups are not ignored
no ignore-ingress-interfaceaffinities
The admin-groups defined on ingress interfaces

are not ignored
admin-group <admin_group_id>
Creates a TE admin-group group or a range of

TE admin groups:
no admin-group <admin_group_id>
admin_group_id: in the range of

<132>
Removes the TE admin-group:

<132>
name ADMIN_GROUP_
NAME
The TE admin groups name:
ADMIN_GROUP_NAME: a string of <1

15> characters
Enable RSVP on an already configured IP

interface (for more information on configuring IP
interfaces, refer to the Physical Ports and Logical
Interfaces chapter of this user guide):

interface
NOTE
RSVP protocol is not supported on
the Eth interface.
Page 26

IP-interface.

range of <09999>
Command
Description

swN}
Disables RSVP on an already configured IP

interface:

interface
NOTE
RSVP protocol is not supported on
the Eth interface.
admin-group
<admin_group_id>

IP-interface.

range of <09999>
Selects an existing TE admin group or a range of

TE admin groups:

<132>
no admin-group
Removes the TE admin-group
label-advertising-mode
{explicit-null | globallabel-range | implicitnull}
Specifies the label value advertised on the

egress router of an LSP:
<admin_group_id>
explicit-null: this label is

assigned to preserve the TC
(traffic class) value of the top
label of an incoming packet. The
top label is swapped with a label
value of 0 (20 bit label field)
and forwarded as an MPLS packet to
the next-hop downstream router.
global-label-range: uses dynamic

MPLS labels, specified by commands
label-range-egress and labelrange-ingress in MPLS
configuration mode
implicit-null: this label is

assigned when the top label of the
incoming MPLS packet is removed
and the resulting MPLS or IP
packet is forwarded to the nexthop downstream router. The value
for this label is 3 (20 bit label
field).
NOTE
When LDP and RSVP use the
same interface, changing label
advertising mode requires
recreation of the interface with a
new value. As a result, short period
of traffic loss can be expected.
Implicit-null label (label 3)
no label-advertising-mode
Restores to default
Page 27
Command
Description
maximum-interface-bandwidth
[speed <speed> | unit {bps
| gbps | kbps | mbps}]
Specifies the maximum available amount of

bandwidth per interface:
speed: in the range of <1-1000>
unit: bps, gbps, kbps, or
mbps
no maximum-interfacebandwidth
Removes the defined bandwidth
maximum-reservable-bandwidth
[speed <speed> | unit {bps
| gbps | kbps | mbps}]
Specifies the maximum bandwidth that is

reserved per interface:
mbps
no maximum-reservablebandwidth
maximum-diffserv-classbandwidth [speed <speed> |

unit {bps | gbps | kbps |
mbps}]
Specifies the bandwidth allocation for DiffServ

classes:
mbps
no maximum-diffserv-classbandwidth
te-metric <metric>
Assigns a fixed metric value to an interface:
metric: in the range of <04294967294>
10
no te-metric
Restores to default
bypass-fast-reroute
Enables FRR facility extensions. Mandatory if

1:N FRR is used.
Disabled
no bypass-fast-reroute
Disables the FRR facility extensions
detour-fast-reroute
Enables FRR detour extensions. Mandatory if 1:1

FRR is used
Disabled
no detour-fast-reroute
Disables the FRR detour extensions
dynamic-bypass
Enables the creation of dynamic bypass tunnels

when FRR facility method is selected for
protection
Enabled
no dynamic-bypass
Disables the dynamic bypass tunnels
lsp-hold-timer <value>
Specifies the time the device waits before

switching from active to MBB signaled instance:
<value>: in the range of <0-10>

seconds
0 seconds
no lsp-hold-timer
Page 28
Restores to default
Command
Description
path <path>
The RSVP-TE unique path ID. Each path can

include multiple hops:
no path [<path>]
Removes the path (only if the path is not used):
hop <id>
id: any positive number
Removes the defined hop:
hop-type {strict | loose}
path: (optional) in the range of

<04294967294>
The hop used along the path:
no hop [<id>]
path: in the range of <0

4294967294>
id: (optional) any positive number
Specifies the hop type:
strict: only directly connected

hops are used between this hop and
the previous hop of the path
loose: non-directly connected hops

may be used between this hop and
the previous hop of the path
Loose
no hop-type
ip-address A.B.C.D
{include | exclude}
Restores to default
Specifies the hops IP address:
A.B.C.D: hop's IP address in

no ip-address A.B.C.D
include: the hop's IP address is

included into the path
exclude: the hop's IP address is

excluded from the path
Removes the hops IP address:
A.B.C.D: hop's IP address in

shutdown
Disables the defined path
no shutdown
Enables the defined path
lsp <lsp_id>
The LSP ID:
no lsp <lsp_id>
lsp_id: in the range of

<1-32638>
Removes the LSP instance:

<1-32638>
name LSP_NAME
Specifies the LSP name:
LSP_NAME: a string of <1-30>

characters
Page 29
Command
Description
no name LSP_NAME
Removes the LSP name:
backup-setup-priority
<priority>
LSP_NAME: a string of <1-30>

characters
Specifies the setup priority for the backup tunnel:
0
no backup-setup-priority
Restores to default
backup-holding-priority
Specifies the holding priority for the backup

tunnel:
<priority>
7
no backup-holding-priority
Restores to default
far-end A.B.C.D
Specifies the far-ends IP address:
no far-end A.B.C.D
Removes the far-ends IP address:
fast-reroute-mode {facility |
one-to-one | no-preference}
A.B.C.D: IP address in dotteddecimal format

A.B.C.D: IP address in dotteddecimal format
Specifies the LSP FRR mode:
facility: selects facility method

for tunnel protection
one-to-one: selects detour method

for tunnel protection
no-preference: removes the fast

reroute object from the packet
Disabled
no fast-reroute-mode
Restores to default
admin-group include-all
Selects which admin-groups will be considered

as mandatory when calculating CSPF path for
the primary tunnel.
All admin groups defined here must be available
on the links.
<tunnel_affinity_
id>
tunnel_affinity_id:
0
no admin-group include-all
Restores to default
admin-group include-any

as optional when calculating CSPF path for the
primary tunnel.
At least one admin group specified here must be
available on the links.
<tunnel_affinity_
id>
tunnel_affinity_id:
Page 30
Command
Description
no admin-group include-any
Restores to default
admin-group exclude-any

as excluded when calculating CSPF path for the
primary tunnel.
Any admin group specified here must not be
present on the links.
<tunnel_affinity_
id>
tunnel_affinity_id:
0
no admin-group exclude-any
Restores to default
backup-admin-group excludeany <tunnel_affinity_

backup tunnel.
present on the links.
id>
tunnel_affinity_id:
0
no backup-admin-group backupexclude-any
Restores to default
backup-admin-group includeall <tunnel_affinity_

the backup tunnel.
on the links.
id>
tunnel_affinity_id:
0
no backup-admin-group
include-all
Restores to default
backup-admin-group includeany <tunnel_affinity_id>

backup tunnel.
At least one admin group spcified here must be
tunnel_affinity_id:
0
no backup-admin-group
include-any
Restores to default
The MPLS tunnel description:
<132> characters
no description
Removes the MPLS tunnel description
guarded-destination A.B.C.D
Specifies the IP address of guarded destination

(see Table 1):
A.B.C.D: the ingress IP address
Page 31
Command
Description
no guarded_
destination A.B.C.D
holding-priority <priority>
Specifies the holding priority for a specific LSP.

The holding priority is the priority associated with
an LSP for this tunnel to determine if it should be
preempted by other LSPs that are being
signaled.
priority: in the range of <0-7>,

where a lower number indicates a
higher priority.
0
no holding-priority
Restores to default
max-backup-hops
The LSP maximum backup hops allowed:
<hops>
hops: in the range of <0

4294967294>
16
no max-backup-hops
Restores to default
mbb-timeout
The amount of time an LSP tries to re-signal the

MBB instance:
<value>
value: in the range of <21474836482147483647> minutes
10 minutes
no mbb-timeout
Restores to default
mtu <mtu>
The MTU size advertised by the RSVP-TE:
mtu: in the range of <64-12288>
9216
no mtu
Restores to default
rebuild-timer <value>
The amount of time needed to rebuild the

existing LSP:

4294967294> minutes
60 minutes
no rebuild-timer
Restores to default
setup-priority
Specifies the setup priority for a specific LSP.

The setup-priority is the priority used when
signaling an LSP for this tunnel to determine
which existing tunnels can be preempted.
<priority>
priority: in the range of <0-7>. A

lower number indicates a higher
priority. An LSP with a setup
priority of 0 can preempt any LSP
with a non-0 priority.
Page 32
no setup-priority
Restores to default
cspf
Enables the usage of CSPF for path calculation

CSPF is disabled by default
Command
Description
no cspf
Disables the usage of CSPF for path calculation.

The tunnel must have a path with strict hops
when this option is selected.
path <path>
The path used by the LSP:

4294967294>.
To modify the path, exit the LSP.

no path
Removes the path
exclude-resource-affinity
Removes the resource affinity object from the

packet session attributes
no exclude-resource-affinity
Restores the resource affinity object in the

secondary
Creates a secondary LSP instance
no secondary
Removes the secondary instance
admin-group include-all
tunnel_
affinity_id

the secondary tunnel.
on the links.
tunnel_affinity_id:
No admin groups
no admin-group include-all
Restores to default
admin-group include-any

secondary tunnel.
At least one admin group specified here must be
tunnel_
affinity_id
tunnel_affinity_id:
No admin groups
no admin-group include-any
Restores to default
admin-group exclude-any

secondary tunnel.
tunnel_
affinity_id
tunnel_affinity_id:
No admin groups
no admin-group exclude-any
Restores to default
The MPLS tunnel description:
no description

characters
Removes the MPLS tunnel description
Page 33
Command
Description
holding-priority
<priority>
The LSP holding priority.
0
no holding-priority
Removes the LSP holding priority
mbb-timeout <value>
The amount of time an LSP tries to re-signal the

MBB instance:
10 minutes
no mbb-timeout
Restores to default
rebuild-timer <value>
The amount of time needed to rebuild the

existing LSP:
60 minutes
no rebuild-timer
Restores to default
mtu <mtu>
The MTU size advertised:
mtu: in the range of <6412288>
9216
no mtu
Restores to default
name LSP_NAME
Specifies the secondary instance name

setup-priority <priority>
Specifies the setup priority:
0
no setup-priority
Restores to default
path <path>
The path used by the LSP:
Page 34

4294967294>
no path
Removes the defined path used by the LSP
exclude-resource-affinity
Removes the resource affinity object from the

no exclude-resourceaffinity
Restores the resource affinity object in the

shutdown
Disables the secondary LSP
no shutdown
Enables the secondary LSP
shutdown
Disables the LSP
no shutdown
Enables the LSP
dynamic-bypass
Enables dynamic-bypasses.
Enabled
no dynamic-bypass
Disables dynamic-bypasses
VPLS Configuration Commands Hierarchy

#device-name
+ config terminal
+ service
+ [no] customer NAME
- [no] contact CONTACT_NAME

- [no] phone phone_number
+ [no] sdp <sdp-id>

- [no] far-end A.B.C.D
- [no] lsp LSP_NAME
- [no] path-mtu <mtu>

- mode mtu-s
- [no] revert-timer <value>
- [no] shutdown
- [no] redundancy-mode {master | slave | none |

independent}


- [no] shutdown
- [no] secured
- [no] untagged
- [no] event-propagation-profile NAME
- [no] tunnel-profile {PROFILE-NAME | discard-all |

tunnel-all | tunnel-bpdu}
+ [no] spoke-sdp [<sdp-id>]
- [no] vc-type {ethernet | ethernet-vlan}

- [no] shutdown
- [no] pw-status-signaling
- [no] pw-redundancy
- [no] pw-precedence <precedence>
- [no] pw-active
- [no] secured
+ [no] vpws <vpws-id>

Page 35

- [no] shutdown

- [no] untagged
+ [no] sdp [<sdp-id>]
- [no] vc-type {ethernet | ethernet-vlan}

- [no] shutdown
- [no] pw-status-signaling
- [no] shutdown
VPLS Configuration Commands Description

Table 5: VPLS Commands
Command
Description
config terminal
service
customer NAME

Stores general text information regarding the
customer:
NAME: a string of <1-29> characters
no customer NAME
Removes the customer
contact CONTACT_NAME
Specifies the contact persons name:
CONTACT_NAME: a string of <1-29>

characters
no contact
Removes the contact persons name
phone phone_number
Specifies a phone number for contacting the

customer:
phone_number: up to 29 numbers
no phone
Removes the phone number
sdp <sdp-id>
Creates an SDP:
no sdp <sdp-id>
Removes the SDP:
sdp-id: in the range of <1

4294967295>
The SDP description:
no description
sdp-id: in the range of <1

4294967295>
<129> characters
Removes the SDP description
far-end A.B.C.D
Specifies the SDP destination IP address the PW

terminates at:
Page 36
Command
Description
no far-end A.B.C.D
Removes the SDP destination:
lsp LSP_NAME
A.B.C.D: SDP destination IP address

A.B.C.D: SDP destination IP address
Selects an RSVP LSP as the SDP transport:
LSP_NAME: an existing LSP name
No LSP is defined. The SDP uses LDP

transport.
no lsp LSP_NAME
Removes the RSVP LSP as the SDP transport:
path-mtu <mtu>
LSP_NAME: an existing LSP name
The MTU value used when negotiating a PW:
mtu: in the range of <512-9216>
9190
no path-mtu
vpls <vpls-id>
Restores to default
Creates a VPLS:
no vpls <vpls-id>

<14294967294>
Removes the VPLS:

<14294967294>
mode mtu-s
Specifies the VPLS mode

revert-timer <value>
Specifies the amount of time the VPLS must wait

before reverting the traffic from a backup SDP to a
primary SDP. If during this period the primary path
experiences any connectivity problem, the timer is
restarted.

seconds
0 (applicable on VPLS-MTU)
no revert-timer
Restores to default
The VPLS description:
<129> characters
no description
Removes the VPLS description
shutdown
Disables the VPLS

Disabled
no shutdown
Enables the VPLS
redundancy-mode {master | slave

| none | independent}
Specifies the VPLS PW redundancy mode:
master: the VPLS state is defined

only by PW precedence. Any remote
requests are discarded
slave: the VPLS state is defined

only by remote requests
none: disables the PW redundancy for
Page 37
Command
Description
the VPLS. The redundancy must also
be disabled for the SDPs.
independent: the VPLS state is

defined both by the PW precedence
and remote requests
None
no redundancy-mode
Restores to default


specifies the SAP attributes:
UU/SS/PP: the corresponding physical

port (unit, slot and port) defined
as SAP.(can be obtained from the
show port command)
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
NOTE
CLI accepts multiple

definitions of unqualified
SAP, i.e: UU/SS/PP,
UU/SS/PP: or UU/SS/PP::.
All definitions result in
UU/SS/PP::.

definitions of qualified
SAP, i.e: UU/SS/PP:vlanid or UU/SS/PP:vlan-id:.
All definitions result in
UU/SS/PP:vlan-id:.

<1-14>

<1-4094>


ces-circuit: circuit ID in the range

of <1-64>

packets

control packets

UU1/SS1/PP1:<ces-
Page 38
UU/SS/PP: (optional) the

corresponding physical port (unit,
Command
Description
circuit>:{ces | ces-oos}}
slot and port) defined as SAP.(can

be obtained from the show port
command)
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>

<1-4094>



of <1-64>

packets

control packets

ethertype <value>

value: the valid values are: 0x8100,

0x9100, and 0x88a8
NOTE
The same ethertype value

must be configured for all
SAPs using the same
physical port.

remote and local SAPs in
the same service.
In case of matching the

VLAN ID of the SAP port
with the traffic VLAN ID,
the traffic is permitted
regardless of the
configured ethertype value.
0x8100
no ethertype
Restores to default
The SAP description:
no description
<129> characters
Removes the SAP description
Page 39
Command
Description
shutdown
Disables the SAP

Disabled
no shutdown
Enables the SAP
secured
Enables secured mode on a SAP. Traffic from a

secured SAP can be switched only to a nonsecured SAP/SDP. Can only be set in admin down
state.
Disabled
no secured
Disables secured mode on the SAP
untagged
Only untagged traffic passes through the SAP
Disabled
no untagged
Untagged and tagged traffic pass
event-propagation-profile
Applies the specified event propagation profile:
NAME
no event-propagation-profile
[NAME]
Removes all event propagation profiles or the

selected profile:
tunnel-profile {PROFILE-NAME
| discard-all | tunnel-all
| tunnel-bpdu}
NAME: a string of <132> characters
NAME: (optional) a string of <132>

characters

profile on a specified SAP:

characters
discard-all: discards only Layer-2

protocol PDUs
tunnel-all: tunnels only Layer-2

protocol PDUs

packets
For more information refer to the Transparent LAN

Services (TLS) chapter of this User Guide.
no tunnel-profile {PROFILENAME | discard-all |
tunnel-all | tunnel-bpdu}
spoke-sdp <sdp-id>

characters
discard-all: discards only Layer 2

protocol PDUs
tunnel-all: tunnels only Layer 2

protocol PDUs

packets
Creates a spoke SDP:
no spoke-sdp [<sdp_id>]
Removes the spoke SDP:
Page 40
sdp-id: (optional) in the range of

<14294967295>
<14294967295>
Command
Description
vc-type {ethernet | ethernetvlan}
Specifies the VC type signaled for SDP:
ethernet: strips the VLAN header

from the customer packets (the VC
type value is 0x0005)
ethernet-vlan: keeps the VLAN header

of the customer packets (the VC type
value is 0x0004).
ethernet-vlan
no vc-type
Restores to default
shutdown
Disables the spoke SDP

Disabled
no shutdown
Enables the spoke SDP
pw-status-signaling
Enables PW status signaling for the specific SDP:

Disabled
no pw-status-signaling
Disables PW status signaling for the specific SDP
pw-redundancy
Enables PW redundancy for the specific SDP (you

must enable PW status signaling to use this
option).
Disabled
no pw-redundancy
Disables PW redundancy for the specific SDP
pw-precedence <precedence>
The PW precedence. The PW with the lowest

defined value has the highest precedence over
other PWs:
precedence: in the range of <1-7>
1
no pw-precedence
Restores to default
pw-active
Sends once a switchover request
no pw-active
Disables the sending
secured
Enables the secured mode on the spoke SDP.

Traffic from a secured SDP can be switched only to
a non-secured SAP Disabled the spoke SDP to
change this setting.
Disabled
no secured
Disables the secured mode
vpws <vpws-id>
Creates a VPWS:
no vpws <vpws-id>
Removes the VPWS:

vpws-id: in the range of

<14294967294>
vpws-id: in the range of
<14294967294>
Adds a client port to a specific VPWS instance and

specifies the SAP attributes:

Page 41
Command
Description
show port command)

<1-14>

<1-4094>



of <1-64>

packets

control packets

UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
NOTE

definitions of unqualified SAP,
i.e: UU/SS/PP, UU/SS/PP: or
UU/SS/PP::. All definitions
result in UU/SS/PP::.

definitions of qualified SAP,
i.e: UU/SS/PP:vlan-id or
UU/SS/PP:vlan-id:. All
definitions result in
UU/SS/PP:vlan-id:.
]

show port command)
Page 42
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>

<1-4094>


Command
Description

of <1-64>

packets

control packets

The SAP description:
<129> characters
no description
Removes the SAP description
ethertype <value>

value: the valid values are: 0x8100,

0x9100, and 0x88a8
NOTE

SAPs using the same
physical port.

remote and local SAPs in
the same service.
In case of matching the

VLAN ID of the SAP port
with the traffic VLAN ID,
the traffic is permitted
regardless of the
configured ethertype value.
0x8100
no ethertype
Restores to default
shutdown
Disables the SAP

Disabled
no shutdown
Enables the SAP
untagged
Only untagged traffic passes through the SAP

Disabled
no untagged
Untagged and tagged traffic pass
sdp <sdp_id>
Creates a SDP:
no sdp [<sdp_id>]
Removes the SDP:
sdp-id: in the range of

<14294967295>
<14294967295>
Page 43
Command
Description
vc-type {ethernet | ethernetvlan}
Specifies the PW VC type:
ethernet: 0x05 VC type
ethernet-vlan: 0x04 VC type
ethernet-vlan
no vc-type
Restores to default
shutdown
Enables the SDP
no shutdown
Disables the SDP
pw-status-signaling
Enables PW status signaling for the specific SDP

Disabled
no pw-status-signaling
Disables PW status signaling for the specific SDP
shutdown
Disables the VPWS
no shutdown
Enables the VPWS
The VPWS description:
no description
<129> characters
Removes the VPWS description
MPLS and VPLS Configuration Display Commands Hierarchy

#device-name
- show mpls interface [details]
- show mpls ldp {discovery | peer | session}
- show mpls tunnels [brief down | bypass-tunnels [brief] | bypasstunnels [protected-lsps] | down [brief]| egress [brief] | frractivated [brief] | frr-guarded [brief] | hold-timer | hops | nonfrr-guarded [brief] | transit [brief] | up [brief]]
- show mpls tunnels <lsp_id> [brief [egress] | brief [transit] | egress

[brief] | hops | transit [brief]]
- show mpls tunnels name string [brief [egress] | brief [transit] |

egress [brief] | hops | transit [brief]]
- show mpls tunnels interface <id> [brief [egress] | brief [transit] |

egress [brief] | hops | transit [brief]]
- show vpls [<vpls-id>] [details]
- show vpls [<vpls-id>] [sap [{{UU/SS/PP | agN}[:[igmp] | :[<vlanid>]:[igmp] | UU1/SS1/PP1:<ces-circuit>:{ces | ces-oos}} ][details]
- show vpls [<vpls-id>] sdp [<sdp-id>] [details]
- show vpws [<vpws-id>] [details]
- show vpws [<vpws-id>] [sap [{{UU/SS/PP | agN}[:[igmp] | :[<vlanid>]:[igmp] | UU1/SS1/PP1:<ces-circuit>:{ces | ces-oos}}]][details]

- show vpws [<vpws-id>] sdp [<sdp-id>] [details]
Page 44
MPLS and VPLS Configuration Display Commands Description

Table 6: Show Commands
Command
Description
show mpls interface [details]
Displays the properties of the MPLS-enabled IP

interfaces:
show mpls ldp {discovery | peer | session}
show mpls tunnels [brief down | bypasstunnels [brief] | bypass-tunnels

[protected-lsps] | down [brief]| egress
[brief] | frr-activated [brief] | frrguarded [brief] | hold-timer | hops |
non-frr-guarded [brief] | transit
[brief] | up [brief]]
show mpls tunnels <lsp_id> [brief

[egress] | brief [transit] | egress
show mpls tunnels name string [brief

details: detailed information is

displayed
Displays the LDP details:
discovery: information about

current LDP Hello Adjacencies
peer: details on the LDP peers

discovered
session: information about the

current LDP session
Displays information about the MPLS tunnels

configuration, filtered by the below arguments:
brief: brief information
down: only inactive LSPs
bypass-tunnels: only bypass LSPs
protected-lsps: shows which

primary tunnels are protected by
which bypass tunnels
egress: only LSPs that end on

this device
frr-activated: FRR activated LSPs

only
frr-guarded: FRR guarded LSPs

only
hold-timer: the LSPs hold timer
hops: the LSPs hops
non-frr-guarded: non-FRR guarded

LSPs only
transit: only transit LSPs
up: only active LSPs
Displays information about the MPLS tunnels for

the specified LSP ID, filtered by the below
arguments:

<1-32767>

this device
hops: the LSPs hops

the specified LSP name, filtered by the below
Page 45
Command
show mpls tunnels interface <id> [brief

show vpls [<vpls-id>] [details]
show vpls [<vpls-id>] [sap [{{UU/SS/PP |

][details]
Description
arguments:
string: up to 32 characters

this device
hops: the LSPs hops

the specified interface ID, filtered by the below
arguments:
id: in the range of

<0-2147483647>

this device
hops: the LSPs hops
Displays the VPLS settings and instances:
details: detailed VPLS

information
vpls-id: displays the specified

VPLS information
Displays the VPLS SAP information:
details: detailed VPLS

information
vpls-id: (optional) displays the

specified VPLS information
UU/SS/PP: the
physical port
port) defined
obtained from
command)
corresponding
(unit, slot and
as SAP.(can be
the show port
Page 46
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>

of <1-4094>



range of <1-64>
Command
Description
packets

control packets

show vpws [<vpls-id>] [sap [{{UU/SS/PP |
][details]
Displays the VPWS SAP information:
details: (optional) detailed SAP

information
vpws-id: (optional) displays the

specified VPWS information
UU/SS/PP: the
physical port
port) defined
obtained from
command)
corresponding
(unit, slot and
as SAP.(can be
the show port
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

<1-14>

of <1-4094>



range of <1-64>

packets

control packets

show vpls [<vpls-id>] sdp [details]
show vpws [<vpws-id>] [details]
show vpws [<vpws-id>] sdp [details]
Displays the VPLS SDP information:
details: (optional) detailed SDPs

information
vpls-id: (optional) displays the

specified VPLS information
Displays the VPWS settings and instances:
details: (optional) detailed VPWS

information

Displays the VPWS SDP information:

Page 47
Command
Description
details: (optional) detailed SDP

information
Example
In the following example, the show
mpls tunnel command displays the configured MPLS tunnels:
Table 7: Fields Displayed by show
mpls tunnel
command
device-name#show mpls tunnels

------------------------------------------------------------------------------RSVP LSPs - Ingress (Detail)
------------------------------------------------------------------------------------------------------------------------------------------------------------Tunnel Name : frr1 (Ingress)
------------------------------------------------------------------------------Tunnel Index : 1
Tunnel IF Index : 1025
From
: 1.1.1.1
To
: 2.2.2.2
------------------------------------------------------------------------------LSP Name : frr1 (Primary)
Description :
------------------------------------------------------------------------------Instance Id : 1
Admin State
: Up
Setup Prio : 0
Oper State
: Up
Hold Prio : 0
Sess Attrib : LocProt, MergPerm, IsPers, RecRt, NodProt, RecLbl
Max Rate
: 1000000 bps
Mean Rate
: 1000000 bps
Max Burst
: 9216000 bytes
Mean Burst
: 9216000 bytes
L-LSP PSC
: 0
DiffSrvClssType: 0
FastReroute : Enabled
FRR Method
: Facility
Bck HoldPrio: 7
Bck Bandwdth
: 0 bps
Bck Stp Prio: 0
Bck Max Hops
: 16
Bck Inc All : 0
Bck Inc Any : 0
Bck Exc Any : 0
Rebld Timer : 60
MTU
: 9216
Owner
: CLI
MBB Timeout
: 10
Path Comp
: Explicit
Path In Use : 1
----------------------------------------Hop Index
: 1
Hop Type
: Loose
Ip Addr
: 11.0.10.2/32
Include/Exclude: Include
Hop Index
: 2
Hop Type
: Loose
Ip Addr
: 2.2.2.2/32
Outgoing information
----------------------------------------Out If Idx : 35
Page 48
Num Labels
Out Port
Dest MAC
: 1 --> 285
: 3
: 00:00:0b:00:0a:02
VLAN
: 10
------------------------------------------------------------------------------Tunnel Name : lsp2 (Ingress)

------------------------------------------------------------------------------Tunnel Index : 2
Tunnel IF Index : 1026
From
: 1.1.1.1
To
: 3.3.3.3
------------------------------------------------------------------------------LSP Name : lsp2 (Primary)
Description :
------------------------------------------------------------------------------Instance Id : 1
Admin State
: Up
Setup Prio : 0
Oper State
: Up
Hold Prio : 0
Sess Attrib : MergPerm, IsPers, RecRt, RecLbl
Max Rate
: 1000000 bps
Mean Rate
: 1000000 bps
Max Burst
: 9216000 bytes
Mean Burst
: 9216000 bytes
L-LSP PSC
: 0
DiffSrvClssType: 0
FastReroute : Disabled
Rebld Timer : 60
MTU
: 9216
Owner
: CLI
MBB Timeout
: 10
Guarded Dest: 11.0.10.2
Path Comp
: Dynamic Full
Path In Use : 2
----------------------------------------Hop Index
: 1
Hop Type
: Loose
Ip Addr
: 11.0.20.2/32
Outgoing information
----------------------------------------Out If Idx : 36
Num Labels : 1 --> 124
Out Port
: 4
VLAN
: 20
Dest MAC
: 00:00:0b:00:14:02
------------------------------------------------------------------------------LSPs : 2
-------------------------------------------------------------------------------
Filed
Description
Tunnel Name
Name of the configured tunnel
Tunnel Index, Tunnel

IF Index
Tunnel index, tunnel interface index
From, to
LSP Name, Description
IP address of the ingress and egress points of the tunnel

Name of the configured tunnel (primary or backup). The tunnel
description is provided, too.
Page 49
Filed
Description
Instance Id
Admin State
Setup Prio
Oper State
Hold
Prio
Sess Attrib :
LocProt, MergPerm,
IsPers, RecRt,
NodProt, RecLbl
Max Rate, Mean Rate

Max Burst, Mean Burst
L-LSP PSC
Page 50
ID of the tunnel instance. Instance ID=1 for a primary tunnel,

instance ID=2 for a secondary tunnel.
Administrative state of the tunnel (up or down)
Setup priority of the tunnel. The valid values are <0-7> with 0
being the highest. Currently not in use.
Operational state of the tunnel. Take one of the following values:
Up
Down
Suppressed (only for secondary tunnel)
Down(Resig)tries to establish the tunnel
Up(Resign)FRR is in use for the current tunnel due to a
failure in the tunnel path
Holding priority of the tunnel. The valid values are <0-7> with 0
being the highest. Currently not in use.
Tunnel session attributes:
LocProtindicates that the any tunnel hop may choose to

reroute this tunnel without tearing it down. This flag permits
transit routers to use a local repair mechanism which may
result in violation of the explicit routing for this tunnel. When a
fault is detected on an adjacent downstream link or node, a
transit router can reroute traffic for fast service restoration.
MergPermpermits transit routers to merge this session with

other RSVP sessions for the purpose of reducing resource
overhead on downstream transit routers, thereby providing
better network scalability.
IsPersindicates whether the tunnel should be restored

automatically after a failure occurs.
IsPinindicates whether the loose-routed hops of this tunnel

are to be pinned.
RecRtindicates the actual route information that the LSP

tunnel traverse is recorded..
RecLblindicates that label information should be included

when recording the route.
BwProtindicates that a backup path with a bandwidth

guarantee is desired
NodProtindicates that a backup path that bypasses at least

the next node of the protected LSP is desired
Flow specification measured for this tunnel. Currently not in use.

Label-only-inferred-LSP PSC.
PSC value of the label inferred tunnel (PHB Scheduling Class
(PSC))this field contains the16-bit encoding of the PHB (Per
Hop Behavior) Scheduling Class (PSC) to be used for packets on
this LSP. Currently not in use.
DiffSrvClssType
DiffSrv class type. The valid range of <0-7>. Currently not in use.
FastReroute
Fast Reroute protection status (enabled or disabled)
Filed
Description
FRR Method
Fast Reroute methods. Take one of the following values:
One-to-onecreates detour LSPs for each protected service

LSP at each potential point of failure.
Facilitycreates a bypass tunnel to protect a potential failure

point. Single LSP serves as backup to a set of protected
LSPs.
Bck HoldPrio
Holding priority of the backup tunnel
Bck Bandwdth
Reserved bandwidth for the backup tunnel
Bck Stp Prio
Setup priority of the backup tunnel
Bck Max Hops
Maximum number of hops for the backup tunnel
Bck Inc All
All administrative group(s) included in the backup tunnel
Bck Inc Any
Any administrative group(s) included in the backup tunnel
Bck Exc Any
The administrative group(s) excluded in the backup tunnel
Rebld Timer
The rebuild timer of the tunnel
MTU
The MTU of the tunnel. The default value is 9216.
Guarded Dest
MBB Timeout
Path Comp
Guarded-destination. The LSP carrying this configuration protects

a primary tunnel that passes through the specified hop, which is
also the MP of the protected tunnels.
Make-before-break timeout. Amount of time an LSP uses for its
bypass
Path computation mode. Takes one of the following values:
Explicitmanually created path using strict hop(s), not using

CSPF
Dynamicusing the CSPF calculator mechanism to select

the preferred path for the tunnel
Path In Use
(only for Explicit Path) Index of the used path (internal)
Hop Index
(only for Explicit Path) The index of the hops used along the path
Hop Type
(only for Explicit Path) Type of the hop. Takes one of the following
values:
Ip Addr
Include/Exclude
ProtectFlags
Out If Idx
Num Labels
Out Port
Strictthe hop is specified explicitly

Loosethe hop is chosen by CSPF
IP address of a hop in the path

(only for Explicit Path) The hop is included/excluded to/from the
path by user configuration
(only for Explicit Path) Protection availability on this hop:
LocProtAvaillocal protection is available

No Protection
Output interface index of the tunnel (internal)

The Head-end egress label of the tunnel. If the tunnel is protected,
the Head-end egress label of the backup tunnel and the MP are
specified too.
Outbound port index of the tunnel (internal)
Page 51
Filed
Description
VLAN
Outbound VLAN ID of the tunnel
Dest MAC
MAC address of the next LSR along the path.
RSVP-TE Tunnels Configuration Examples
Create a Path:
This configuration creates an RSVP-TE path that combines loose with strict hops which can be
used in an LSP.
device-name(config)#router rsvp-te
device-name(config-rsvp-te)#path 1 hop 1 hop-type loose ip-address 3.3.3.3 true
device-name(config-hop-1)#commit
device-name(config-hop-1)#path 1 hop 2 hop-type strict ip-address 4.4.4.4 true
Create CSPF capable LSP:
This configuration creates a CSPF tunnel. The mandatory parameters are LSP-ID, egress
LSR-ID and LSP name. The system automatically signals the tunnel if the user validated the
prerequisites.
device-name(config)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel cspf
device-name(config-lsp-1)#commit
NOTE
You must enable OSPF TE protocol extensions - prior to this step.
Create CSPF Capable LSP with Administrative-Group Restriction:
This configuration creates a CSPF tunnel using admin-group. The mandatory parameters are LSPID, egress LSR-ID, LSP name and the administrative group affinity (include/exclude). The system
automatically signals the tunnel if the user validated the prerequisites
device-name(config)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel cspf
admin-group include-any 2
NOTE
Page 52
Create CSPF Capable LSP Using a Given Path:
This configuration creates a CSPF tunnel using specific path. The mandatory parameters are LSPID, egress LSR-ID, LSP name, and the path used. The system automatically signals the tunnel if the
user validated the prerequisites
.
NOTE
You must shutdown an active tunnel before applying the path.
device-name(config)#router rsvp-te path 1 hop 1 hop-type loose ip-address
3.3.3.3 true
device-name(config-hop-1)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel cspf
path 1
NOTE
Create Explicit LSP Using a Given Path:
This configuration creates an explicit tunnel which does not use CSPF. The specified path must
contain only strict hops. The mandatory parameters are LSP-ID, egress LSR-ID, LSP name, and
the path used. The system automatically signals the tunnel if the user validated the prerequisites
device-name(config)#router rsvp-te path 1 hop 1 hop-type strict ip-address
3.3.3.3 true
device-name(config-hop-1)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel path
1
device-name(config-lsp-1)#no cspf
.
NOTE
You must shutdown an active tunnel before applying the path.
Create CSPF FRR Capable LSP:
This configuration creates a FRR protected CSPF tunnel. The mandatory parameters are LSP-ID,
egress LSR-ID, LSP name, and the method of protection facility (one to many bypass) or detour
(one to one detour).
device-name(config)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel cspf fastreroute-mode facility
Page 53
NOTE
You must define RSVP protocol extensionsto support facility mode, detour
mode, or bothprior to this step.
You can set an FRR set only on primary LSP.
Dynamic bypass are created for every FRR tunnel by default.
All routers within the topology must support a detour in order to establish
detour LSP.
Create CSPF Secondary LSP:
This configuration creates a CSPF tunnel with a secondary instance. The secondary instance
provides additional protection in case of a failure on the primary instance. The mandatory
parameters are LSP-ID, egress LSR-ID, LSP name, and the secondary instance name.
NOTE
NOTE
You must create the secondary LSP with an explicit path or administrative-group.
device-name(config)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel1 path 1
secondary name tunnel1_sec path 2
Create a manual bypass LSP using a given path:
The device automatically creates bypass tunnels for each primary FRR tunnel. However, users can
create also manual bypass tunnels. In this case, the guarded-destination IP address must match the
address of the hop of the primary tunnel it should protect.
NOTE
Once defined, a manual bypass is preferred over dynamic bypass.
NOTE
The manual bypass must use a path or an administrative-group.
3.3.3.3 true
device-name(config-hop-1)#router rsvp-te lsp 1 far-end 2.2.2.2 name bypass path
11 guarded-dest 4.4.4.4
device-name(config-lsp-1)#no cspf
LDP Tunnels Configuration Example

Create LDP LSP:
This configuration creates a LDP tunnel. The mandatory parameters are ingress and egress
policy. The ingress ospf policy defines that all routes learned from the OSPF will be used for traffic
Page 54
injection into the MPLS domain. Respectively the mpls egress policy means the device will accept
traffic going out of the MPLS domain for the specified local loopback FEC only.
device-name(config)#router ldp distribute ingress ospf
device-name(config-distribute)#router ldp distribute egress ip 1.1.1.1/32
device-name(config-ip-1.1.1.1/32)#commit
VPLS Configuration Examples

Create an SDP using LDP or RSVP-TE LSP Transport:
device-name(config)#service sdp 1 far-end 2.2.2.2
device-name(config-sdp-1)#lsp tunnel1
NOTE
The above command is optional when RSVP-TE LSP is needed.
device-name(config-sdp-1)#commit
device-name(config-sdp-1)#top
Create VPLS on an MTU Device Using LDP as Transport:
This example uses one unqualified SAP and one SDP, relying on LDP as the transport protocol
and VC label signaling. The configuration will only work if the correct configuration order has been
followed.
device-name(config-sdp-1)#top
device-name(config)#service vpls 100 mode mtu-s
device-name(config-vpls-100)#commit
device-name(config-vpls-100)#no shutdown
device-name(config-vpls-100)#sap 1/1/1::
device-name(config-sap-1/1/1::)#no shutdown
device-name(config-sap-1/1/1::)#commit
device-name(config-sap-1/1/1::)#exit
device-name(config-vpls-100)#spoke-sdp 1
device-name(config-spoke-sdp-1)#no shutdown
device-name(config-spoke-sdp-1)#commit
Page 55
Create VPLS on an MTU device using RSVP as Transport, Protected by Dual

Homing:
This example uses one qualified SAP and two SDPs relying on RSVP as a transport protocol and
on LDP for VC label signaling. The configuration will only work if the correct configuration order
has been followed.
device-name(config-service)#sdp 1 far-end 2.2.2.2 lsp tunnel1
device-name(config-sdp-1)#exit
device-name(config-service)#sdp 2 far-end 3.3.3.3 lsp tunnel2
device-name(config-sdp-2)#exit
device-name(config-service)#vpls 101 mode mtu-s
device-name(config-sap-1/1/2:10:)#no shutdown
device-name(config-sap-1/1/2:10:)#commit
device-name(config-sap-1/1/2:10:)#exit
device-name(config-vpls-101)#spoke-sdp 1
device-name(config-vpls-101)#spoke-sdp 2 pw-precedence 7
SAP Options on Services

Unqualified SAP
This configuration of SAP allows all traffic types to pass through the SAP.
Qualified Tagged SAP
This configuration of SAP allows only traffic with the configured VLAN to pass through the SAP.
All other traffic is dropped on the entrance to the SAP.
Page 56
Unqualified Untagged SAP
This configuration of SAP allows only untagged traffic to pass through the SAP. All other traffic is
dropped on the SAP entrance
NOTE
Untagged mode is disabled by default.
device-name(config-sap-1/2/1::)#untagged
Triangle Topology Configuration Example

The following configuration example refers to the following topology:
Figure 15: A Triangle Topology Configuration Example
Configuring IP Interfaces and VLANs
PE1(config)#router interface sw12 address 150.2.1.1/30

PE1(config-interface-sw12)#exit
PE1(config)#router interface lo1 address 1.1.1.1/32
PE1(config-interface-lo1)#exit
PE1(config)#vlan 12 name PE1-PE2 routing-interface sw12 untagged 1/4/1
PE1(config-vlan-PE1-PE2/12)#exit
PE1(config)#vlan 13 name PE1-MTU routing-interface sw13 untagged 1/4/2
PE1(config-vlan-PE1-MTU/13)#exit
PE1(config-vlan)#exit
PE1(config)#no vlan 1 untagged 1/4/1
Page 57

PE1(config)#port 1/4/1 default-vlan 12
PE1(config-port-1/4/1)#exit
PE1(config)#commit
PE2(config-interface-sw12)# exit
PE2(config)#router interface lo1 address 2.2.2.2/32
PE2(config)#vlan 12 name PE2-PE1 routing-interface sw12 untagged 1/4/2
PE2(config-vlan-PE2-PE1/12)#exit
PE2(config)#vlan 23 name PE2-MTU routing-interface sw23 untagged 1/4/1
PE2(config-vlan-PE2-MTU/23)#exit
PE2(config-vlan)#exit
PE2(config)#commit
MTU(config)#router interface sw13 address 150.3.1.2/30
MTU(config-interface-sw13)#exit
MTU(config)#router interface sw23 address 150.3.2.1/30
MTU(config)#router interface lo1 address 3.3.3.3/32
MTU(config-interface-lo1)#exit
MTU(config)#vlan 13 name MTU-PE1 routing-interface sw13 untagged 1/4/1
MTU(config-vlan-MTU-PE1/13)#exit
MTU(config)#vlan 23 name MTU-PE2 routing-interface sw23 untagged 1/4/2
MTU(config-vlan-MTU-PE2/23)#exit
MTU(config-vlan)#exit
MTU(config)#no vlan 1 untagged 1/4/1
MTU(config)#no vlan 1 untagged 1/4/2
MTU(config)#port 1/4/1 default-vlan 13
MTU(config-port-1/4/1)#exit
MTU(config)#port 1/4/2 default-vlan 23
MTU(config-port-1/4/2)#exit
MTU(config)#commit
Configuring OSPF:
PE1(config)#router
PE1(config-router)#ospf
PE1(config-ospf)#router-id 1.1.1.1
PE1(config-ospf)#trafic-engineering
PE1(config-ospf)#area 0.0.0.0
Page 58
PE1(config-area-0.0.0.0)#interface 1.1.1.1
PE1(config-interface-1.1.1.1)#interface 150.2.1.1
PE1(config-interface-150.2.1.1)#dead-interval 10
PE1(config-interface-150.2.1.1)#hello-interval 3
PE2(config)#router
PE2(config-router)#ospf
PE2(config-ospf)#router-id 2.2.2.2
PE2(config-ospf)#trafic-engineering
PE2(config-ospf)#area 0.0.0.0
PE2(config-area-0.0.0.0)#interface 2.2.2.2
MTU(config)#router
MTU(config-router)#ospf
MTU(config-ospf)#router-id 3.3.3.3
MTU(config-ospf)#trafic-engineering
MTU(config-ospf)#area 0.0.0.0
MTU(config-area-0.0.0.0)#interface 3.3.3.3
MTU(config-interface-3.3.3.3)#interface 150.3.1.2
MTU(config-interface-150.3.1.2)#dead-interval 10
MTU(config-interface-150.3.1.2)#hello-interval 3
MTU(config-interface-150.3.1.2)#interface 150.3.2.1
MTU(config-interface-150.3.2.1)#dead-interval 10
MTU(config-interface-150.3.2.1)#hello-interval 3
Configuring MPLS
PE1(config)#router mpls
PE1(config-mpls)#lsr-id 1.1.1.1
PE1(config-mpls)#exit
PE1(config-router)#exit
PE1(config)#commit
PE2(config)#router mpls
PE2(config-mpls)#lsr-id 2.2.2.2
PE2(config-mpls)#exit
PE2(config-router)#exit
PE2(config)#commit
MTU(config)#router mpls
MTU(config-mpls)#lsr-id 3.3.3.3
MTU(config-mpls)#exit
MTU(config-router)#exit
Page 59
MTU(config)#commit
Configuring LDP, Targeted Peers, and Distribution

PE1(config)#router ldp
PE1(config-ldp)#interface lo1
PE1(config-ldp)#interface sw12
PE1(config-ldp)#targeted-peer 2.2.2.2
PE1(config-targeted-peer-2.2.2.2)#exit
PE1(config-ldp)#distribute ingress ospf
PE1(config-distribute)#exit
PE1(config-ldp)#distribute egress connected
PE1(config-ldp)#exit
PE1(config-router)#commit
PE2(config)#router ldp
PE2(config-ldp)#interface lo1
PE2(config-ldp)#distribute ingress ospf
PE2(config-ldp)#distribute egress connected
PE2(config-ldp)#exit
PE2(config-router)#commit
MTU(config)#router ldp
MTU(config-ldp)#interface lo1
MTU(config-ldp)#interface sw23
MTU(config-ldp)#interface sw13
MTU(config-ldp)#targeted-peer 1.1.1.1
MTU(config-targeted-peer-1.1.1.1)#exit
MTU(config-ldp)#targeted-peer 2.2.2.2
MTU(config-targeted-peer-2.2.2.2)#exit
MTU(config-ldp)#distribute ingress ospf
Page 60
MTU(config-distribute)#exit
MTU(config-ldp)#distribute egress connected
MTU(config-distribute)#exit
MTU(config-ldp)#exit
MTU(config-router)#commit
Configuring RSVP
PE1(config)#router rsvp-te
PE1(config-rsvp-te)#interface lo1
PE1 (config-interface-lo1)#exit
PE1(config-rsvp-te)#interface sw12
PE1 (config-interface-sw12)#exit
PE1 (config-interface-sw13)#exit
PE1(config-rsvp-te)#bypass-fast-reroute
PE1(config-rsvp-te)#ignore-ingress-interface-affinities
PE1(config-rsvp-te)#commit
PE2(config-rsvp-te)#interface lo1
PE2(config-rsvp-te)#ignore-ingress-interface-affinities
PE2(config-rsvp-te)#commit
MTU(config)#router rsvp-te
MTU(config-rsvp-te)#interface lo1
MTU(config-rsvp-te)#interface sw23
MTU(config-rsvp-te)#interface sw13
MTU(config-rsvp-te)#ignore-ingress-interface-affinities
MTU(config-rsvp-te)#commit
Configuring RSVP Path and LSPs
# PE1 uses Strict Hop for the path to reach directly PE2
# PE1 uses Loose Hop (via CSPF) for the path to reach MTU
PE1(config-rsvp-te)#path 1
PE1(config-path-1)#hop 1
PE1(config-hop-1)#ip-address 150.2.1.2 include
PE1(config-ip-address-150.2.1.2/true)#hop-type strict
PE1(config-hop-1)#no shutdown
PE1(config-hop-1)#exit
Page 61
PE1(config-path-1)#exit
PE1(config-ip-address-3.3.3.3/true)hop-type loose
PE1(config-hop-1)#commit
PE1(config-rsvp-te)#lsp 1 name PE1_PE2 far-end 2.2.2.2
PE1(config-lsp-1)#fast-reroute-mode facility
PE1(config-lsp-1)#path 1
PE1(config-lsp-1)#no shutdown
PE1(config-lsp-1)#commit
PE1(config-lsp-1)#exit
PE1(config-rsvp-te)#lsp 2 name PE1_MTU far-end 3.3.3.3
PE1(config-lsp-2)#cspf
# PE2 uses Strict Hop for the path to reach directly PE1
# PE2 uses Loose Hop (via CSPF) for the path to reach MTU
PE2(config-ip-address-150.2.1.1/true)#hop-type strict
PE2(config-ip-address-3.3.3.3/true)hop-type loose
PE2(config-hop-1)#commit
PE2(config-rsvp-te)#lsp 1 name PE2_PE1 far-end 1.1.1.1
PE2(config-lsp-1)#no shutdown
PE2(config-lsp-1)#exit
PE2(config-rsvp-te)#lsp 2 name PE2_MTU far-end 3.3.3.3
PE2(config-lsp-2)#cspf
# MTU uses CSPF to reach PE1 and PE2
Page 62
MTU(config)#router rsvp-te
MTU(config-rsvp-te)#lsp 1 name MTU_PE1 far-end 1.1.1.1
MTU(config-lsp-1)#fast-reroute-mode facility
MTU(config-lsp-1)#cspf
MTU(config-lsp-1)#no shutdown
MTU(config-lsp-1)#commit
MTU(config-lsp-1)#exit
MTU(config-rsvp-te)#lsp 2 name MTU_PE2 far-end 2.2.2.2
MTU(config-lsp-2)#fast-reroute-mode facility
MTU(config-lsp-2)#cspf
MTU(config-lsp-2)#no shutdown
MTU(config-lsp-2)#commit
Configuring a Service SDP
PE1(config)#service
PE1(config-service)#sdp 5002 far-end 2.2.2.2
PE1(config-sdp-5002)#description ldp_sdp_to_PE2
PE1(config-sdp-5002)#exit
PE1(config-sdp-5003)#description ldp_sdp_to_MTU
PE1(config-service)#commit
PE2(config)#service
PE2(config-sdp-5001)#description ldp_sdp_to_PE1
PE2(config-sdp-5003)#description ldp_sdp_to_MTU
PE2(config-service)#commit
MTU(config)#service
MTU(config-service)#sdp 5001 far-end 1.1.1.1
MTU(config-sdp-5001)#description ldp_sdp_to_PE1
MTU(config-sdp-5001)#exit
MTU(config-service)#sdp 5002 far-end 2.2.2.2
MTU(config-sdp-5002)#description ldp_sdp_to_PE2
MTU(config-sdp-5002)#no shutdown
MTU(config-sdp-5002)#exit
MTU(config-service)#commit
Configuring a Service VPLS
# VPLS (E-LAN) filtered for service-delimiter vlan 600

# MTU is in DUAL HOMED with an active SDP to PE1 and backup SDP to PE2
PE1(config-service)#vpls 50600
PE1(config-vpls-50600)#mode pe-rs
PE1(config-vpls-50600)#commit
PE1(config-vpls-50600)#no shutdown
Page 63
PE1(config-vpls-50600)#sap 1/2/1:600:
PE1(config-sap-1/2/1:600:)#no shutdown
PE1(config-sap-1/2/1:600:)#commit
PE1(config-sap-1/2/1:600:)#exit
PE1(config-vpls-50600)#mesh-sdp 5002
PE1(config-mesh-sdp-5002)#commit
PE1(config-mesh-sdp-5002)#vc-type ethernet-vlan
PE1(config-mesh-sdp-5002)#no shutdown
PE1(config-mesh-sdp-5002)#exit
PE1(config-vpls-50600)#spoke-sdp 5003
PE1(config-spoke-sdp-5003)#commit
PE1(config-spoke-sdp-5003)#vc-type ethernet-vlan
PE1(config-spoke-sdp-5003)#no shutdown
PE2(config-service)#vpls 50600
PE2(config-vpls-50600)#mode pe-rs
PE2(config-vpls-50600)#no shutdown
PE2(config-vpls-50600)#sap 1/2/1:600:
PE2(config-vpls-50600)#mesh-sdp 5001
PE2(config-mesh-sdp-5001)#vc-type ethernet-vlan
PE2(config-mesh-sdp-5001)#no shutdown
PE2(config-mesh-sdp-5001)#exit
PE2(config-vpls-50600)#spoke-sdp 5003
PE2(config-spoke-sdp-5003)#vc-type ethernet-vlan
PE2(config-spoke-sdp-5003)#no shutdown
MTU(config-service)#vpls 50600
MTU(config-vpls-50600)#mode mtu-s
MTU(config-vpls-50600)#commit
MTU(config-vpls-50600)#no shutdown
MTU(config-vpls-50600)#commit
MTU(config-vpls-50600)#sap 1/2/1:600:
MTU(config-sap-1/2/1:600:)#no shutdown
MTU(config-sap-1/2/1:600:)#commit
MTU(config-sap-1/2/1:600:)#exit
MTU(config-vpls-50600)#spoke-sdp 5001
MTU(config-spoke-sdp-5001)#commit
MTU(config-spoke-sdp-5001)#vc-type ethernet-vlan
MTU(config-spoke-sdp-5001)#no shutdown
Page 64
MTU(config-spoke-sdp-5001)#exit
MTU(config-vpls-50600)#spoke-sdp 5002
MTU(config-spoke-sdp-5002)#vc-type ethernet-vlan
MTU(config-spoke-sdp-5002)#backup
MTU(config-spoke-sdp-5002)#no shutdown
Configuring a Service VPWS
# VPWS (E-LINE) filtered for service-delimiter vlan 603

PE2(config-service)#vpws 52603
PE2(config-vpws-52603)#commit
PE2(config-vpws-52603)#no shutdown
PE2(config-vpws-52603)#commit
PE2(config-vpws-52603)#sap 1/2/1:603:
PE2(config-vpws-52603)#sdp 5103
PE2(config-sdp-5103)#commit
PE2(config-sdp-5103)#vc-type ethernet
PE2(config-sdp-5103)#no shutdown
PE2(config-sdp-5103)#commit
MTU(config-service)#vpws 52603
MTU(config-vpws-52603)#commit
MTU(config-vpws-52603)#no shutdown
MTU(config-vpws-52603)#commit
MTU(config-vpws-52603)#sap 1/2/1:603:
MTU(config-sap-1/2/1:603:)#no shutdown
MTU(config-sap-1/2/1:603:)#commit
MTU(config-sap-1/2/1:603:)#exit
MTU(config-vpws-52603)#sdp 5103
MTU(config-sdp-5103)#commit
MTU(config-sdp-5103)#vc-type ethernet
MTU(config-sdp-5103)#no shutdown
MTU(config-sdp-5103)#commit
Traffic-Engineering Tool Example

Specify the head-end and the tail-end of the required path between two end-points, and run the tool
to get the hops.
In the following example CSPF is used for automatic RSVP-TE based on LSP between node
1.1.0.54 and node 1.1.0.2. The tool indicates the hops used to establish the LSP between the nodes.
Page 65
device-name#tool traffic-engineering originating ip 1.1.0.54

device-name#tool traffic-engineering destination ip 1.1.0.2
device-name#tool traffic-engineering run
===============================================================================
Traffic Engineering Query Tool
===============================================================================
CSPF Instance created.
Stage 1
Source address 1.1.0.54
Source address type IPV4
Source interface index 0
Source address 1.1.0.2
Source address type IPV4
Source interface index 0
Source interface address 0.0.0.0
Source interface address type UNKNOWN
Primary route:
Source
Source
Source
Source
output
output
output
output
network interface address 105.54.53.2

network interface index 36
remote network interface address 105.54.53.1
remote network interface index 0
Hops:
Address 1.1.0.53
Address type IPV4
Interface index 0
Interface address 105.53.52.2
Remote Interface Index 0
Remote Interface Address 105.53.52.1
Address 1.1.0.52
Address type IPV4
Interface index 0
Address 1.1.0.2
Address type IPV4
Interface index 0
Page 66
te metric cost 30
max bandwidth 125000000
max reserve bandwidth 125000000
max unreserve bandwidth[0] = 125000000 bytes/sec
resource class 1,
srlg numbers: NONE
exclusion_overlap: routers = 0
exclusion_overlap: links = 0
exclusion_overlap: srlgs = 0
===============================================================================
Page 67

Feature
Standards
MIBs
RFCs
Multiprotocol
Label Switching
(MPLS) Protocols
and Services
No standards are
supported by this
feature.
Private MIBs:
RFC 3031,
Multiprotocol Label
Switching Architecture
RFC 3036, LDP

Specification
RFC 3063, MPLS

Loop Prevention
Mechanism
RFC4379, Detecting
Multi-Protocol Label
Switched (MPLS)
Data Plane Failures
Resource
ReSerVation
Protocol with
Traffic
Engineering
Extensions
(RSVP-TE)
Page 68
No standards are
supported by this
feature.
PRVT-LMGRMIB.mib
PRVT-MPLS-LDPMIB.mib
PRVT-CR-LDPMIB.mib
PRVT-RSVPMIB.mib
PRVT-MPLS-TEMIB.mib
PRVT-TEMIBENTITY-MIB.mib
Draft-ietf-mpls-lspping-03
PRVT-SERVMIB.mib
Draft-ietf-l2vpn-vplsldp
Draft-ietf-l2vpnsignaling
RFC 4447,
Pseudowire Setup and
Maintenance Using
the Label Distribution
Protocol (LDP)
RFC 2430 A Provider

Architecture for
DiffServ & TE
RFC 3209 Extensions

to RSVP for LSP
Tunnels
RFC 3210
Applicability
Statement for
Extensions to RSVP
for LSP Tunnels
RFC 3175
Aggregation of RSVP
for IPv4 & IPv6
Reservations
RFC 3181 Signaled

Pre-emption Priority
Policy Element
draft-ietf-mpls-rsvplsp-fastreroute-04.txt
Private MIB:
PRVT-RSVP-MIB.mib
Circuit Emulation Services (CES)

Table of Contents
Table of Figures 2
List of Tables 2
Supported Topologies 3
Operation 5
TDM Timing 5
Clock Controller 6
Clock Controller ID Assignment 7
Clock States 8
Main Clock 9
Defining the Source for the Main Clock 9
CES Packet Details 10
CES PDU Format 10
Structured Emulation 10
Unstructure (Unframed) Emulation 11
L-Bit and R-Bit 11
Real-time Transport Protocol (RTP) Timestamp 12
CES Features 12
Operation, Administration and Management (OAM) 12
Frame Aggregation 12
Jitter Buffer 13
Log Messages 13
Loopback Tests 14
CES over MPLS 14
CES over MPLS Configuration Steps 14
CES Configuration Flow 16
Circuit Emulation Services (CES) (Rev. 01)
Page 1
CES Commands 17
Table of Figures
Figure 1: A Schematic View of the CES Concept ..............................................................................3
Figure 2: Ethernet CLE based on Ring Topology with Virtual TDM Lines .................................3
Figure 3: Ethernet CLE Including CES Transport to a Central Office Using a Distributed
CES TDM Multiplexer over PSN.........................................................................................................4
Figure 4: Client Device Using a Providers Packet Network for PBX Interconnection As Well
As Data Transmission ............................................................................................................................4
Figure 5: Circuit Emulation Service over Packet Network ...............................................................5
Figure 6: Clock Controller .....................................................................................................................7
Figure 7: Clock State Machine ...............................................................................................................9
Figure 8: The CES PDU Format ....................................................................................................... 10
Figure 9: Structured Emulation .......................................................................................................... 11
Figure 10: Unstructured Emulation ................................................................................................... 11
Figure 11: CES Configuration Flow .................................................................................................. 16
Figure 12: CES over Ethernet Configuration .................................................................................. 40
Figure 13: CES over VPLS Configuration ....................................................................................... 46
Figure 14: CES over MPLS Configuration ....................................................................................... 56
List of Tables
Table 1: Clock Controller ID Assignment...........................................................................................8
Table 2: Parameters Affectin Packet Transit Delay ........................................................................ 13
Table 3: CES Log Warning Levels..................................................................................................... 14
Table 4: CES Commands .................................................................................................................... 19
Table 5: TCA Default Counter Threshold Values .......................................................................... 65
Table 6: Local Port Circuit Default Values ...................................................................................... 67
Table 7: Sync Interval Values ............................................................................................................. 67
Page 2
T-Marc3208SH
Circuit Emulation Services

Metro Ethernet Network Service can use CES over Ethernet to offer TDM services and to deliver
TDM voice traffic on the Ethernet and data transmission, as shown in the following figure.
Figure 1: A Schematic View of the CES Concept
Use CES over Ethernet to emulate Time-Division Multiplexing (TDM) services by tunneling TDM
circuits (such as T1 or E1) using the CES over a Packet-Switched Network (CESoPSN) method.
Supported Topologies
Use the device in the following topologies:
Ethernet CLE (Customer Located Equipment) based on a ring topology, providing virtual
TDM lines for service-provider clients over a packet network:
Figure 2: Ethernet CLE based on Ring Topology with Virtual TDM Lines
Page 3
Ethernet CLE including CES transport to a central office, using a distributed CES TDM
Multiplexer over PSN, to provide TDM services to telephony clients (mostly PBXs and TDM
multiplexers) using the packet network.
Figure 3: Ethernet CLE Including CES Transport to a Central Office

Using a Distributed CES TDM Multiplexer over PSN
CPE using a provider packet network for PBX interconnection as well as data transmission.
Figure 4: Client Device Using a Providers Packet Network

for PBX Interconnection As Well As Data Transmission
Page 4
Operation
CES over Ethernet, which encapsulates TDM data into a standard CES packet, forms packets on
ingress and reverses the process on egress, providing a transparent direct connection between any
two TDM devices, as shown in the following figure:
Figure 5: Circuit Emulation Service over Packet Network
To convert TDM data to a standard CES packet form, Customer Located Equipment (CLE) on
both sides of the PSN needs to employ an internet working function (IWF) that is based either on
structured or unstructured emulation.
Structured (Framed) Emulation uses the TDM framing structure, where each packet
comprises a sequence of timeslots.
Unstructured (Unframed) Emulation (also called structure-agnostic transport) disregards

the TDM framing structure, treating the TDM data as a stream of consecutive octets.
For details see: Structured and Unstructured Emulation Overview

With its MPLS capabilities, the device can transmit converted TDM data to an MPLS-based
network as part of VPLS/VPWS services (CES over Ethernet encapsulated in MPLS header).
TDM Timing
TDM timing is a crucial aspect of CES implementation. To avoid an overflow/underflow due to
differences in the clock, the clock rate for TDM has to be consistent across the emulated circuit.
TDM signals (such as E1/T1 and SONET/SDH) are synchronous. Therefore, physical TDM lines
always carry a clock signal for synchronization. When replacing a physical TDM line with a CES
service, the CES service has to synchronize both sides of the service either by providing the same
clock to both sides or by transporting clock information and regenerating the clock.
The module supports the following TDM timing modes:
Internal (Local): The modules internal oscillator is of insufficient quality for most
applications. The Internal (Local) mode relies upon the oscillator and is used when no other
timing source is available. We recommend using Internal (Local) Mode for debug/testing
purposes only.
Line: Uses an incoming clock from one of four TDM ports.
Loopback: Uses an incoming clock from the same TDM port.
Adaptive: generates the clock from incoming CES data packets.
Page 5
Precision Time Protocol (PTP, based on IEEE 1588v2): Similar to Adaptive, but uses
dedicated Ethernet packets (instead of CES data packets) resulting in more accurate clockrecovery.
Differential: Similar to Adaptive, but uses a common reference clock at both CES peers,
transmitting only the differences between the TDM clock and the reference clock. An external
clock (for example GPS) can be used as common reference clock.
Backplane: Uses a clock signal from an external clock source. This clock signal can be
received via the BNC port or via the ethernet ports.
The device supports the following clock domain options:
Multiple Clock Domains: Each TDM port uses an independent clock controlled by two
(redundant) clock controllers.
Single Clock Domain: All four TDM ports use the main clock
Clock Controller
You can define multiple clock domains for a CES module and define each of the eight TDM
interface clocks independently.
In this case, each TDM interface has a clock that is defined by a unique ID (as shown in the
following diagram). Each clock is assigned to two (redundant) clock controllers that retrieve the
clock for the specific TDM port. Each controller uses one of the TDM timing modes.
Page 6
Figure 6: Clock Controller
NOTE
Clock backup functionality is non-revertive. After failover from primary to
backup controller, revert back to primary controller occurs only when backup
fails.
Clock Controller ID Assignment

Thefollowing table details the clock controller ID assignment. Use the relevant clock controller ID
to configure the appropriate clock controller for each TDM interface:
Page 7
Table 1: Clock Controller ID Assignment

Interface
Clock ID
Clock Controller ID
(Interface)
Clock Controller ID
(CES Module)
primary and back-up
1 and 2
primary and back-up
3 and 4
primary and back-up
13 and 14
primary and back-up
15 and 16
Main Clock
99
primary and back-up
99 and 100
NOTE
For the interface, the clock-controller terms are primary and back up. The clockcontrollers in the CES module are defined using numbers.
NOTE
For the interface, the clock-controller terms are primary and back up.
Clock States
The current status of a clock can be shown using the Show
with the following possible values:
Clock-Controller Status command
freeRun: The operating condition of a clock when the output signal is internally controlled
without the influence of a present or previous reference.
acquisition: Clock synchronizes to the input reference. The output frequency and phase may
not be sufficiently stable may not, therefore, conform to standards.
normal: Clock is synchronized to a reference. The output frequency of the clock is traceable
to the input reference frequency over the long term and the phase difference between the
input and output is bound.
holdover: Operating condition of a clock that, having lost its references, uses data previously
acquired (while operating in normal mode) to control the output signal. The stored data, or
holdover value, used by a clock in holdover mode is an average value obtained over a certain
period of time (to reduce the effects of short-term variations in reference frequency that may
occur during normal operation).
fastAcquisition: Fast pull-in of the clock to a reference (for example, when recovering from
holdover or when the input reference experiences an abrupt change in frequency). After
achieving a lock, the clock automatically changes to the slower-tracking, normal mode the
clock input controller mode. Not all clock input controllers support all modes.
Page 8
NOTE
The clock input controller status is 'locked' only when the clock input controller
is in 'normal' mode.
Figure 7: Clock State Machine
Main Clock
In addition to the clock controllers, the CES module has a main clock used as a single clock domain
andalso used in some of the TDM timing modes (PTP, line, adaptive, and internal).
Defining the Source for the Main Clock

The clock command specifies the source for the main clock used by the CES Module for
transmission over TDM ports. Options for the command are:
Internal: On-card oscillator provides the clock source for the module. Use this source only
when an external clock is not available for example, in test mode where the circuit is looped
back internally or externally.
Line: Clock source is derived from a TDM line and sent to all other ports.
Backplane: Clock signal received from a neighboring module that is clocked by an external
device.
Adaptive: CES Module serves as a slave module. Clock is derived from the TDM bit-stream
(circuit) received from the master Module. If the TDM bit-stream circuit is disabled, the circuit
that is enabled for a second is used. If the circuit currently used for clocking goes down, the
clock recovery state changes to holdover state
PTP: specifies PTP as the clock source (see the following section for more information). See
chapter Managing the device of this User Guide for more information
Page 9
CES Packet Details

CES PDU Format
The following figure shows CES Ethernet PDU format options for MEF8, SAToP, and CESoPSN
protocols. The protocol used is configurable.
Figure 8: The CES PDU Format
Structured Emulation
Structured (Framed) Emulation uses the TDM framing structure where each packet comsists of a
sequence of timeslots.
In structured emulation, the IWF strips the framing structure (for example, the F bit in a DS1) from
the data stream and places each timeslot in the packet payload followed by the same timeslots from
the next frame, and so on. Once the payload is complete, IWF adds a header and sends the packet
through the PSN to the CLE at the other end. On egress from the PSN, the CLE recreates the
TDM data stream.
The following figure presents a schematic example of how an IWF converts TDM frames into
structured CESoPSN packets where:
M represents the number of TDM frames received so far
K represents the number of frames aggregated in each packet (see Bandwidth Efficiency and
Frame Aggregation ).
Page 10
Figure 9: Structured Emulation
Unstructure (Unframed) Emulation

19B
Unstructured (Unframed) Emulation (also called structure-agnostic transport) disregards the TDM
framing structure and treats TDM data as a stream of consecutive octets.
The number of octets that comprise each PSN packet payload (M in the figure below) is
independent of the number of timeslots in each TDM frame. Any alignment of these octets with
the underlying timeslots is coincidental and not guaranteed. The payload length (M) is typically
selected to make packet formation time approximately 1 millisecond in length (193 octets for a T1
circuit and 256 octets for an E1 circuit).
The following figure is a schematic example of how an IWF converts TDM frames into
unstructured CESoPSN packets (where N is the number of TDM octets received so far).
Figure 10: Unstructured Emulation
L-Bit and R-Bit

20B
The CES header contains 32 bits, two of which are the L(local) -bit and R(remote)-bit, used by the
protocol to indicate packet error or loss.
L-bit is set: Indicates that the TDM data carried in the payload is invalid due to a Local TDM
defect.
R-bit is set: Indicates that the local egress IWF (packet to TDM) is in the packet loss state.
L-bit and R-bit are definable by the user to provide different bit messages according to the error.
See policy idle pattern and policy idle signaling commands.
Page 11
Real-time Transport Protocol (RTP) Timestamp

An additional RTP timestamp, containing phase information about the TDM service clock, can be
added to the CES header.
If the peer circuit has RTP enabled then RTP must be enabled.
RTP is used in differential clock timing mode to detect and reconstruct the original clock. See the
circuit rtp command.
CES Features
Operation, Administration and Management (OAM)
The following OAM operations are supported for CES services:
Jitter-buffer size and frame aggregation level specification
Local loopback, the incoming CES packet stream is looped back to the PSN, per E1/T1 port
(used for testing)
Remote loopback, the incoming T1/E1 TDM stream is looped back including the clock, (used
for testing)
Generate and display MIB-II statistics for T1/E1 virtual channel connections to remote CES
devices
Display current connections using CLI show commands
Perform IP or MEF OAM pinging to the remote device
Display log messages
Frame Aggregation
To save bandwidth, several frames are aggregated and sent in a single packet using a common
header.
Without Frame Aggregation:
In structured mode, 8-bit samples are captured from each selected 64 Kbits DS0 timeslot and
transmitted in a single packet over the PSN. In this case, a separate CES protocol header is
transmitted for each set of selected 8-bit samples (from each frame).
In unstructured mode, each packet includes 24 timeslots for T1 and 32 timeslots for E1 and as
a result, transmits up to 193 bits plus a header for T1 and 256 bits plus a header for E1. Each
E1/T1 unstructured frame or DS0-structured frame sent over the packet-switched network
contains a payload of 132 bytes (8256 bits) and a header.
Transmission of T1/E1 frames over the packet network requires high bandwidth since in most
PSNs, the minimum packet size is 64 bytes and the minimum header size is 14-20 bytes.
With Frame Aggregation: To reduce the high bandwidth requirement, between 18 frames are
aggregated and sent in each PSN packet (usually between 18 frames). The frames use a common
header and reduce bandwidth overhead to only a few percentage points.
Page 12
This minor disadvantage to this solution is longer delays since several frames need to be received
and aggregated before sending the constructed packet over the PSN.
Configuration: Define the number of TDM frames aggregated in each packet.
NOTE
Minimum payload is 32 bytes with at least two timeslots.
Jitter Buffer
Jitter refers to the deviation in packet transit delay time that is sometimes present in emulated circuit
output. Jitter can also disrupt packet order in the network. The Jitter Buffer handles jitter and is
essential to the maintainance of the constant packet transit delay required to operate the CES endto-end system over time.
Packet transit delay is a direct result of four parameters:
Table 2: Parameters Affectin Packet Transit Delay
Parameter
Effect on Packet Transit Delay Time
Jitter Buffer Size:
Can result in a delay of tens to hundreds of

milliseconds
Larger buffer increases overall delay but

handles larger amounts of jitter
Smaller buffer size minimizes overall delay

but handles only a limited amount of jitter
Number of Frames Transported in a Single

Packet
Can result in a delay of a few seconds
Operational Delay of the Local and Remote

CES Devices
Can result in a delay of up to 12 milliseconds
Packet Transmit Delay between Local and

Remote Devices in PSN
Can result in a delay of tens to hundreds of

milliseconds
The T-Marc 3208SHs CES module uses a configurable jitter buffer to temporarily store ingressing
packets.
Configuration: Define the size the jitter buffer according to the maximum packet latency variation
expected in the network. The Jitter Buffer supports values between <1200> milliseconds.
NOTE
We recommend a jitter buffer size in the range of <140> milliseconds. However,
some applications require a larger jitter buffer of 150 milliseconds.
Log Messages
The CES application supports two types of log messages:
Local alert messages generated on the local device that are received from the CES board or
validated against a threshold value.
Remote alert messages generated from theSNMP private table of the remote device.
The following table shows the warning level of log messages defined in the CES application:
Page 13
Table 3: CES Log Warning Levels

Warning Level
Alert
Critical
The local CES board 1/2 is not responding
Error
Failed to execute the command on the CES board
Error
The local CES board 1/2 is down. Details:
Peer: available/unavailable
Jitter buffer: overflow/underflow/normal
Notification
Local 1/2/1 TDM port is up
Notification
Local CES board 1/2 circuit is up
Notification
Local CES board port:
Status: up/down
Alarm: blue/yellow/red
Loopback Tests
Loopback tests are used to test T1 lines. To support testing, an in-band loopback places the T1 in
remote loopback (also known as line loopback). Remote loopback causes the bits received on the
T1 to be looped, un-modified, back to the source. Sending the loopback pattern activates an inband loopback. The pattern must be sent for at least 5 seconds. The pattern overwrites the entire
payload in the T1, thus corrupting any calls or data traffic. The framing bit may or may not still be
present. The loopback is invoked when the pattern is removed. The loopback is torn down when
an in-band loop down pattern is transmitted for a period of five seconds.
CES over MPLS

CES over MPLS feature transports CES traffic in the Ethernet environment using MPLS as
transport media. The CES traffic is carried by a tunnel called Pseudo Wire that provides connection
between the entry and the exit points of an MPLS cloud.
To achieve CES over MPLS transport, two additional headers are inserted in the CES packet:
VC label It is negotiated by a targeted LDP session between the two endpoints of a PW.
Used as service delimiter at the terminating endpoints of a PW.
Transport Label It is a result of label mapping agreement between the entry point of PW and
the next hop in the MPLS cloud. It is used to provide transport of the packets to the PWs
other end.
CES over MPLS Configuration Steps

Follow below steps to transport CES traffic through an MPLS cloud:
1.
Define a CES circuit and specify an MPLS protocol type using command protocol
ldp
mpls-
Page 14
NOTE
The circuit destination MAC address, the MPLS transport label and the MPLS
VC label are not configurable.
The rest of CES circuit parameters needed for the CES circuit to become
operational are user-defined.
2.
Enable the CES circuit using command no
shutdown
NOTE
CES circuit remains operationally down until the configuration process is
completed.
3.
Define an MPLS tunnel (refer to the MPLS Protocols and Services chapter of this User Guide)
4.
Specify the defined CES circuit as only SAP point of the MPLS tunnel of point 3, using
command sap UU/SS/PP:<ces-circuit>:{ces | ces-oos} (refer to the MPLS Protocols
and Services chapter of this User Guide)
NOTE
Only when the CES circuit is successfully configured, it becomes operationally
up.
Page 15
CES Configuration Flow
Figure 11: CES Configuration Flow
Page 16
CES Commands
This section includes the CES Configuration Command Hierarchy, descriptions of available
commands, and a configuration example.
Command Hierarchy
NOTE
In order to use any of the commands successfully, the CES module must be in
Ready state.
+ config terminal
+ [no] ces
- module {1/3 | 1/4}
- [no] mode {e1 | t1}
- [no] ip-address A.B.C.D
- [no] mask A.B.C.D
- [no] ip-gateway A.B.C.D
- [no] clock {adaptive | backplane | internal | line | ptp}
- [no] policy {lops {type {idle | all-one | channel-idle}} |

{threshold {enter <value> | exit <value>}}}
- [no] policy unstructured-lops type {all-one | none}
- [no] policy lbit type {idle | all-one | channel-idle | none}

- [no] policy unstructured-lbit type {all-one | none}
- [no] policy structured-replace type {all-one | idle}
- [no] policy unstructured-replace {type {all-one | filler} |

pattern <value>}
- [no] policy rbit type {none | rai | channel-idle}

- [no] policy rd type {none | rai | channel-idle}
- [no] policy idle {pattern <value> | signaling <value>}
- [no] policy lbit-on-ais
+ [no] interface <CES_INTERFACE>

- [no] shutdown
- [no] clock {adaptive | diferential | loopback | module}

- [no] framing {cas | cas-crc | noncas | noncas-crc |
unframed | sf-cas | sf-noncas | esf-cas | esf-noncas}
- [no] linecode {ami | hdb3 | b8zs}
- [no] cable-length {long-15dB | long-22.5dB | long-7.5dB

| short-133ft | short-266ft | short-399ft | short533ft | short-655ft | 75ohm | 120ohm}
- loop {none | local | remote | payload}
- [no] remote-loopback
Page 17
+ [no] circuit <value>
- [no] exp-priority <value>
- [no] interface <CES_INTERFACE>

- timeslots TYPE
- [no] shutdown
- [no] vlan-id <id>
- [no] vlan-priority <priority>}
- rtp {enable | disable}
- policy-payload-suppress {enable | disable}

- [no] maximum-jitter-expected <value>
- [no] samples-aggregation <value>
- [no] protocol {satop-cesopsn | metro-ethernet | mplsldp}

- [no] ip-tos <value>
- [no] oos-tos <value>
- [no] rtp-payload-type <value>
- [no] oos-payload-type <value>
- [no] local {udp-port <value> | oos-udp-port <value> |}
- [no] destination {ip-address A.B.C.D | udp-port <value>

| oos-udp-port <value>}
+ [no] clock-controller {primary | backup}

- [no] circuit <value>
+ system
- [no] interface <CES_INTERFACE>
+ [no] time ptp
+ [no] ces module {1/3 | 1/4}

+ [no] ptp
+ [no] domain {d1 | d2}
- [no] priority1 <value>
- [no] priority2 <value>

- [no] mode <value>
+ port {d1 | d2} <value>

- [no] shutdown
- [no] encapsulation {ipv4 | ieee8023}

- [no] vlan-id <value>
- [no] vlan-cos <value>
- [no] tos <value>
- [no] acceptable-master {enable |

disable}
- [no] master-type {unicast | multicast}
Page 18
- [no] master-unicast-negotiation {enable

| disable}
- [no] slave-type {unicast | multicast}
- [no] slave-unicast-negotiation {enable |

disable}
- [no] sync-interval <value>
- [no] announce-interval <value>

- [no] announce-timeout <value>
+ [no] session <value>

- [no] shutdown
- [no] type {slave | master}
- [no] peer-type {address | fullyspec |

addressport}
- [no] local-port domain {<d1 | d2>}

number <value>
- [no] peer-port <value>

- [no] peer-clock-id
XX:XX:XX:XX:XX:XX:XX:XX
- [no] peer-address {A.B.C.D |

HH:HH:HH:HH:HH:HH}
- [no] encapsulation {ipv4 | iee8023}

- [no] vlan-id <value>
- [no] vlan-cos <value>
- [no] tos <value>
- [no] sync-interval <value>
+ [no] acceptable-master <value> {A.B.C.D |

HH:HH:HH:HH:HH:HH}
- [no] domain <value
- show ces module {1/3 | 1/4} ptp [acceptable-master | domain | port

<value> [status] | session <value> [status]]
- file cp ces-image PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file activate-ces-image module-id {1/3 | 1/4} file-name FILE-NAME

- clear ces module {1/3 | 1/4} statistics {circuit
| interface}
- show ces [module {1/3 | 1/4} [circuit <number> [status] | clockcontroller | policy | interface <CES_INTERFACE> [statistics {current
| interval <value> | total}]]
Table 4: CES Commands
Command
Description
config terminal
Page 19
Command
Description
ces
Enters CES Configuration mode
no ces
Removes the CES configuration
module {1/3 | 1/4}
mode {e1 | t1}
Specifies the configured location of the CES

module, in a unit/slot format:
1/3
1/4
Specifies the cable line type attached to the

TDM ports on the CES module:
e1
t1
Command takes effect only after rebooting the
CES module.
e1
no mode
Restores to default
ip-address A.B.C.B
Specifies an IP address for the currently

configured CES module.

CES module, in dotted-decimal
(Ipv4) format

CES module.
192.168.0.4 (module1/3)
192.168.0.3 (module 1/4)
no ip-address
Restores to default
mask A.B.C.D
Specifies the netmask for the CES module:
A.B.C.D: Mask of the CES module,

in dotted-decimal (Ipv4) format

CES module.
no mask
Removes the configured mask.
ip-gateway A.B.C.D
Specifies the IP address used as a default

gateway by the CES module:
A.B.C.D: the gateway IP address,

in dotted-decimal (Ipv4) format

CES module.
192.168.0.1
no ip-gateway
clock {adaptive | backplane |
internal | line | ptp}
Restores to default
Specifies the clock source used by the main
clock on the CES module for transmission over
TDM ports:
adaptive: retrieves the clock

from CES circuits
internal: retrieves the clock

from on-card oscillator
Page 20
Command
Description
line: retrieves the clock from

one TDM line and sends to other
ports
ptp: retrieves the clock from

Precision Time Protocol (PTP)
backplane: retrieves the clock

from the external clock source.
This clock signal can be received
via the BNC port or via the
ethernet ports
Internal
no clock
Restores to default
policy {lops {type {idle | all-one

| channel-idle}} | {threshold
{enter <value> | exit
<value>}}}
Specifies what is sent to the TDM line or what

affects the TDM circuit in specific situations:
lops: specifies the Loss Of

Packet Synchronization (LOPS)
state policy
type: specifies behavior when

packet synchronization is lost
idle: sends the idle configured

byte
all-one: selects the all-one TDM

policy (see below)
channel-idle: sends the idle byte

instead of the payload contents
and turns on the channel idle
indication in the trunk-signaling
during LOPS condition. Use with
CAS signaling
threshold: specifies the

threshold of entry and exit LOPS
state
enter <value>: entries threshold,

(packets/second)
exit: exits threshold, in the

range of <1-1023>
(packets/second)
All-One sends an AIS alarm:
When the circuit enters the LOPS state,

an AIS pattern (all ones for E1/T1) is sent
on the TDM transmit port.
When the circuit exits the LOPS state, the

module sends TDM traffic from the Jitter
Buffer.
The advantage to All-One is that the user
receives an alert. The disadvantage is that this
setting causes downtime of more than 300 ms.
All-one
no policy
Restores to default
Page 21
Command
policy unstructured-lops type
{all-one | none}
Description
Specifies the information sent on the TDMbound interface during a LOPS (Loss of Packet
Synchronization) state in an unstructured
circuit:
all-one: sends an AIS alarm:
When the circuit enters a LOPS state, an

AIS pattern with an appropriate amount of
data is sent on the TDM transmit interface.
When the circuit exits from the LOPS

state, the module sends TDM traffic from
the jitter buffer.
The user receives an alert; however, All-One
has a downtime of more than 300
millisecondes.
none: sends the data from the

fitter buffer
None
no policy unstructured-lops type
Restores to default
policy lbit type {idle | all-one |

channel-idle | none}
Specifies the payload pattern sent on a TDM

bound interface for packets received with L Bit
(Local bit) set in a structured circuit:
all-one: sends Alarm Indication

Signal (AIS) alarm
channel-idle: uses with CAS

signaling. The idle byte is
played out instead of payload and
channel idle indication is set
up in the trunk signaling.
idle: sends configured idle

pattern
none: sends the received data as

received
Idle
no policy lbit type
Restores to default
policy unstructured-lbit type

{all-one | none}
Specifies the payload pattern sent on the TDM

bound interface for packets received with the L
Bit set in an unstructured circuit:
all-one: sends AIS alarm
none: sends the received data as

received
None
no policy unstructured-lbit type
Restores to default
policy structured-replace type

{all-one | idle}
Specifies the information sent on the TDM

bound interface when a missing packet is
detected in a structured circuit:
all-one: sends an AIS alarm
idle: sends the configured idle

pattern
Page 22
Command
Description
All-one
no policy structured-replace type
Restores to default
policy unstructured-replace {type

{all-one | filler} | pattern
<value>}
Specifies the information sent on the TDM

bound interface when a missing packet is
detected in an unstructured circuit:
all-one: sends an AIS alarm
filler: sends the configured idle

pattern
pattern: the filler pattern in

All-one
no policy unstructured-replace
Restores to default
policy rbit type {none | rai |

channel-idle}
Specifies the signaling information on TDM

bound circuit for packets with R Bit (Remote
BIT) set in an unstructured circuit:
channel-idle: use with CAS

rai: sends the TDM Remote Alarm

Indication (RAI) pattern
none: sends the received

information as received
None
no policy rbit type
Restores to default
policy rd type {none | rai |

channel-idle}
Specifies the signaling information on the

TDM-bound interface for packets received with
the M Bits set to 10 and the L Bit set to 0 in an
structured circuit:
channel-idle: for use with CAS

rai: sends the TDM Remote Alarm

Indication (RAI) pattern
none: sends the received

information as received
None
no policy rd type
Restores to default
policy idle {pattern <value> |

signaling <value>}
Specifies the idle pattern number for the

module:
pattern <value>: specifies the

idle pattern sent on the TDM port
for the following events, in the
range of <0-255>:
the pattern includes receipt of L bit and
Page 23
Command
Description
packet loss
the pseudo-wire is administratively

disabled for pseudo-wires
When detecting a missing packet and

policy structured/unstructured-replace is
set to idle
When receiving a packet set with L bit, the

payload is present (not suppressed), and
policy L bit is set to idle
signaling <value>: specifies the

idle policy signaling number when
there is a failure on the TDM
port, including multi-frame
failures, in the range of <0-15>
no policy idle
Restores to default
policy lbit-on-ais
Configures the L-bit on the TX if AIS is

detected on the RX
Enabled
no policy lbit-on-ais
Restores to default
interface <CES_INTERFACE>
Specifies TDM CES interface and enters CES

Interface Configuration mode:
no interface
CES_INTERFACE: in the range of:
e1 mode: from e1-1.0.0.0 to e1-8.0.0.0

t1 mode: from t1-1.0.0.0 to t1-8.0.0.0
Removes the configured interface
shutdown
Disables the specified interface

Shutdown
no shutdown
Enables the specified interface
clock {adaptive | diferential |

loopback | module}
Specifies the CES interface clock source.

(Configure clock-controller command to
use differential or adaptive options)
module: the TDM port clock is

retrieved from the main modules
clock. Define this parameter for
all or some of the eight TDM
ports when using a single clock
domain
loopback: loops back the clock

received on the TDM port
differential: transmits only the

differences between the TDM clock
and the reference clock. In this
case, configure the clock
controller for the TDM port to
point to the relevant circuit
adaptive: retrieves the clock

from CES circuits. In this case,
configure the clock controller
for the TDM port to point to the
Page 24
Command
Description
relevant circuit
Module
no clock
Restores to default
description DESCRPTION
Adds a description to the interface:
DESCRPTION: text string up to 30

characters
no description
framing {cas | cas-crc | noncas

| noncas-crc | unframed |
sf-cas | sf-noncas | esf-cas
| esf-noncas}
Specifies the E1 framing mode:
unframed: configures the port to

work in an unframed mode
cas: specifies bandwidth as

56Kbps. Traffic carries CAS
information.
cas-crc: supports CAS and

performs CRC checksum
noncas: specifies bandwidth as 64

Kbps. Traffic does not carry
Channel Associated Signalling
(CAS) information.
noncas-crc: does not support CAS

but performs CRC checksum
Specifies the T1 framing mode:
sf-cas: configures port in

structured mode using SuperFrame
and supporting CAS.
sf-noncas: supports SF but does

not support CAS
esf-cas: configures port in

structured mode using Extended
SuperFrame and supporting CAS.
esf-noncas: configures port in

structured mode using Extended
SuperFrame and not supporting CAS
unframed: configures the port to

work in an unframed mode
Unframed
no framing
Restores to default
linecode {ami | hdb3 | b8zs}
Specifies the E1 controllers line coding of the

CES module:
ami: Alternative Mark Inversion

(AMI)
hdb3: high density bipolar of

order 3 (HDB3)
b8zs: bipolar with eight-zero

substitution (B8ZS)
hdb3 for E1 and b8zs for T1

no linecode
Restores to default
Page 25
Command
Description
cable-length {long-15dB | long22.5dB | long-7.5dB | short133ft | short-266ft | short399ft | short-533ft | short655ft | 75ohm | 120ohm}
Specifies the E1 cable length so that hardware

compensates for signal loss:
no cable-lengh
Restores to default
loop {none | local | remote |

payload}
Enables loops on the TDM port. Use the Loop

command to carry out diagnostics on the CES
module.
ohm: normal return loss

dB: decibels
e1: 120ohm
t1: short-133ft
none: disables loops on the TDM

port
local: bit stream from the

received PSN packets is looped
back. This mode is available only
for adaptive clock settings
remote: bit stream received on

the TDM port over the T1/E1 line
is looped back to the T1/E1 line
payload: loops back only the

payload of incoming signal while
framing is regenerated
None
no loop
Restores to default
thresholds
Configures Threshold Condition Alarming

(TCA) and enters TCA Configuration mode.
TCA triggers warnings whenever a monitored
port crosses a predefined counter threshold
during a predefined measuring period.
TCA triggers warnings when monitored TDM
ports cross predefined counter thresholds.
Counters are checked for overflow at 30
second intervals and when the threshold is
exceeded, a warning message is generated:
Only one message can be generated within
this interval. At the end of this interval, the
counters are cleared and a new interval
begins.
TCA is disabled
enable
Enables TCA
no enable
Disables TCA
quarter-hour {cv-l | es-l |

ses-l | fc-p | es-p |
esb-p | ses-p | sefs-p |
css-p | uas-p | es-lfe |
fc-pfe |cv-pfe |sefs-pfe
|es-pfe |esb-pfe |ses-pfe
|css-pfe |uas-pfe}
<value>
Specifies the threshold type for T1 interfaces

for 15-minutes interval:
type: see Table 5
value: specifies the maximum

threshold counter value that
triggers the alarm for the
specified interval
Page 26
Command
Description
daily {cv-l | es-l | ses-l |
fc-p | es-p | esb-p |
ses-p | sefs-p | css-p |
uas-p | es-lfe | fc-pfe
|cv-pfe |sefs-pfe |es-pfe
|esb-pfe |ses-pfe |csspfe |uas-pfe} <value>
Specifies the threshold type for T1 interfaces

for 24-hours interval:
quarter-hour {cv | es | ses

| bbe | uas | es-fe |
ses-fe | bbe-fe | uas-fe}
<value>
Specifies the threshold type for E1 interfaces

for 15-minutes interval:
daily {cv | es | ses | bbe |

uas | es-fe | ses-fe |
bbe-fe | uas-fe} <value>
type: see Table 5

specified interval
type: see Table 5

specified interval
Specifies the threshold type for E1 interfaces

for 24-hours interval:
type: see Table 5

specified interval
remote-loopback
Configures the loopback test used to test T1

lines and enter Remote loopback Configuration
mode. A remote loopback test causes the bits
received on the T1 to be looped, un-modified
and sent back to the source.
no remote-loopback
Removes the configured loopback test
circuit <value>
Enables the configuration of a specified

existing CES circuit and enters the CES Circuit
Configuration mode:
no circuit
exp-priority <value>
value: circuit ID in the range of

<1-64>
Removes the configured circuit

Specifies TC bits in the MPLS header if the
CES traffic is carried by the CES over MPLS
service.
The command is applicable only if the
circuit protocol is mpls-ldp.
0
no exp-priority
Restores to default
Specifies an interface of the circuit (unit/slot):
no interface
for e1 mode: from e1-1.0.0.0 to e18.0.0.0
for t1 mode: from t1-1.0.0.0 to t1-8.0.0.0
Removes the configured interface
Page 27
Command
Description
timeslots TYPE
Specifies the timeslots sent on this circuit:
TYPE: in the range of:
for e1: in the range of <1-31>

for t1: in the range of <1-24>
NOTE
To configure a circuit follow the below
rules:
Frames * number of timeslots >=32

Valid range of frames are:
in E1 full mode: 2-25,

26, 28, 30, and etc (even
numbers)
in T1 full mode: 2-33,

34, 36, 38, and etc
(even numbers)
in factional mode:
multiple of 8
frames <=(maxjitter*8)/1.5
60 <= packet size <=1514; packet

size depends on: protocol, VLAN,
rtp, frames payload, number of
timeslots
shutdown
Enables the circuit
no shutdown
Disables the circuit
vlan-id <id>
Specifies a VLAN tag used for the circuits

Ethernet traffic:
id: VLAN identifier, in the range

of <1-4094>
no vlan-id [<id>]
Removes the configured VLAN tag
vlan-priority <priority>
Specifies a VLAN priority used for the circuits

Ethernet traffic:
priority: VLAN priority in the

range of <0-7>
0
no vlan-priority [<priority>]
Restores to default
rtp {enable | disable}
Enables/Disables the Real Time Transport

Protocol on the circuit
Disabled
no rtp
Restores to default
policy-payload-suppress {enable
| disable}
When L-bit is set, suppress (enable) or do not

suppress (disable) the payload.
Enable
Page 28
Command
Description
no policy-payload-suppress
Restores to default
maximum-jitter-expected <value>
Specifies the initial delay introduced by the

jitter buffer:
value: dynamically calculated
NOTE
rules:


numbers)

34, 36, 38, and etc
(even numbers)
in factional mode:
multiple of 8

timeslots
no maximum-jitter-expected
Restores to default
samples-aggregation <value>
Specifies the number of aggregated E1/T1

frames in each outgoing packet.
In structured mode, the list of valid values is 8,
16, and 32. When several timeslots are
selected, the payload has to be in multiples by
8.
In unstructured mode, select a value from a
dynamically defined range (depending on the
defined jitter buffer value).
For E1 mode, values greater than 26 have

to be even numbers (for example: 3, 5, 20,
25, 26, 28)
For T1 mode, values greater than 34 have

to be even numbers (for example: 3, 4, 5,
31, 32, 34, 36)
8
Page 29
Command
Description
NOTE
rules:


numbers)

34, 36, 38, and etc
(even numbers)
in factional mode:
multiple of 8

timeslots
no samples-aggregation
Restores to default
protocol {satop-cesopsn |
metro-ethernet | mpls-ldp}
Specifies the protocol used for the circuit.
satop-cesopn: uses Structure

Agnostic TDM (SAToP) for
unstructured circuits and CES
over Packet Switched Network
(CESoPSN) for structured circuits
metro-ethernet: Metro-ethernet
header (does not include IP
header in the packet)
mpls-ldp: configures dynamic CES

over MPLS. Selects the LDP (Label
Distribution Protocol) type of
MPLS, as opposed to MPLS
encapsulation (static).
satop-cesopsn
no protocol
Restores to default
ip-tos <value>
Specifies type of service in the ToS field of the

VLAN header in the packets:
0
no ip-tos
Restores to default
oos-tos <value>
Specifies out-of-sequence and type of service

packets in the ToS field of the VLAN header in
the packets:
Page 30
Command
Description
no oos-tos
Restores to default
rtp-payload-type <value>
Specifies theRTP payload type for the CES

module. Must match the RTP Type for the
remote CES module (RTP must be enabled):
See RFC 3555, for table showing payloads

corresponding to numerical values.
0
no rtp-payload-type
Restores to default
oos-payload-type <value>
Specifies the OOS payload type for the RTP of

the CES module. Must match the OOS type for
the RTP of the remote CES module (RTP must
be enabled):

See RFC 3555, for table showing payloads
corresponding to numerical values.
0
local {udp-port <value> | oosudp-port <value> }
Specifies the local UDP port receiving Ethernet

traffic from the circuit being configured:
udp-port <value>: local UDP port

in the range of <0-65535>. For
details see Table 6
oos-udp-port <value>: local Out

of Band Signals (OOS) port, in
the range of <0-65535>. Send the
ignaling to a separate port. For
details see Table 6
no local
Removes the configuration
destination {ip-address
A.B.C.D | udp-port <value>
| oos-udp-port <value>}
Configures the destination (remote peer) for

the specified CES circuit:
clock-controller {primary |
backup}
ip-address: the destination

(remote peer) IP address, in
dotted-decimal (Ipv4) format
udp-port <value>: the destination

UDP local port that receives
Ethernet traffic from the
currently configured circuit, in
the range of <0-65535>. This
command is valid only for
circuits not using the MetroEthernet Packet protocol
oos-udp-port <value>: the

destination OOS UDP local port
that receives Ethernet traffic
from the currently configured
circuit, in the range of <065535>
Specifies the source used by the clock

controller and enters CES Clock-controller
Configuration mode:
Page 31
Command
Description
no clock-controller
circuit <value>
primary
backup
Removes the configured controller

Assign a circuit ID to the clock controller:
value: circuit ID in the range of

<1-64>
no circuit
Specify an E1 or T1 interface from 1.0.0.0 to

8.0.0.0:
no interface
system
e1 mode: from e1-1.0.0.0 to e1-8.0.0.0

t1 mode: from t1-1.0.0.0 to t1-8.0.0.0

Enters System Configuration Mode
time ptp
Enters PTP Time Server Configuration mode
no time ptp
Removes the PTP Time Server configuration
ces module {1/3 | 1/4}
Enters CES Configuration mode and specifies

the configured location of the CES module, in a
unit/slot format:
1/3
1/4
ptp
Enters PTP Configuration mode for a specific

module
no ptp
Removes the PTP configuration for specific

CES module
domain {d1 | d2}
Configures a PTP domain and enters PTP

domain Configuration mode
no domain
Removes the domain configuration
priority1 <value>
Specifies the Best Main Clock (BMC) primary

priority. If there is more than one master clock
in the PTP domain, specifies which remains
master and which switches to slave mode.
128
priority2 <value>
Specify the BMC secondary priority to set

priorities between master clocks with an
identical primary priority:
128
mode {slaveonly |
ordinary}
Specifies the domain clock type:
slaveonly: clock can only be a

slave within the domain
ordinary: clock can be either a
Page 32
Command
Description
master or slave within the domain
ordinary
no mode
Restores to default
port {d1 | d2} <value>
Configures the local port for the PTP session

and enters PTP Port Configuration mode:
d1, d2: specifies a PTP domain in

which the port is configured
shutdown
Disables the port

Disabled
no shutdown
Enables the port
encapsulation {ipv4 |
ieee8023}
Specifies the encapsulation method for the

PTP port:
ipv4: based on IPv4
ieee8023: based on IEEE802.3 (one

octet)
ipv4
no encapsulation
Restores to default
vlan-id <value>
Assigns a VLAN to the port:
200
no vlan-id
Restores to default
vlan-cos <value>
Specifies the VLAN CoS:
7
no vlan-cos
Restores to default
tos <value>
Assigns a ToS to the port to define the type of

service provided to the packet:
0
no tos
Restores to default
acceptable-master {enable
| disable}
Configures the Best Master Clock protocol,

using Master clock with highest priority and
reassigning all other master clocks as slaves
Disabled
no acceptable-master
Restores to default
master-type {unicast |
multicast}
Specifies the master-type

Multicast
master-unicastnegotiation {enable |
disable}
Configures the master unicast negotiation:
enable: enables the negotiation
disable: disables the negotiation
Disabled
Page 33
Command
Description
no master-unicastnegotiation
Restores to default
no master-type
Restores to default
slave-type {unicast |
multicast}
Specifies the slave-type

Multicast
no slave-type
Restores to default
slave-unicast-negotiation
{enable | disable}
Configures the slave unicast negotiation:
enable: enables the negotiation
disable: disables the negotiation
Disabled
no slave-unicastnegotiation
Restores to default
sync-interval <value>
Specify the mean sync interval for the specified

port.
value: in the range of from -7 to

-1 (see Table 7)
-6
no sync-interval
Restores to default
announce-interval <value>
Specifies the interval between two consecutive

announce messages:
value: in the range of from -128

to 10
The valid values are:
-128: announce messages are disabled

-1: 2 messages per second
0: 1 message per second
n (in the range of <110>): 2 x n
messages per second
0
no announce-interval
Restores to default
announce-timeout <value>
Specifies the number of announce intervals

that pass before the slave drops the selected
master and sends an alarm:
4
no announce-timeout
session <value>
Restores to default
Configures a PTP session between a local port
and a remote port and enters PTP session
Configuration mode:
no session
shutdown
Removes the session configuration

Disables the PTP session
Disabled
Page 34
Command
Description
no shutdown
Enables the PTP session
type {slave | master}
Specifies the session type:
slave: defines the device as a

slave clock
master: defines the device as a

master clock
Master
no type
Restores to default
peer-type {address |
fullyspec |
addressport}
Specifies how the peer is determined:
address: The peer address and the

local port are configured in
advance. Clock identity and port
number for the peer are
dynamically resolved.
For slave sessions, the clock
identity and port number of the
peer are copied from either the
unicast negotiation response or
from the incoming Announce or
Sync messages.
For master sessions, the clock
identity and port number of the
incoming unicast negotiation
request or from incoming
Delay_Req.
fullyspec: All parameters for the

peer as well as the local port
are configured in advance
addressport: The clock

identifier, port number and local
port for the peer are configured
in advance. The peer address is
dynamically resolved.
For slave sessions, the address
and port number of the peer are
copied from incoming Announce
message from this clock or
through another resolution
method.
For master sessions, the
address and port number of the
incoming unicast negotiation
request or from incoming
Delay_Req.
Address
no peer-type
Restores to default
local-port domain <d1 |

d2> number <value>
Specifies the local port of the PTP session:
domain d1/d2: PTP domain name: d1

or d2
Page 35
Command
Description
no local-port
Removes the local port from the session
peer-port <value>
Specifies the peer port of the PTP session:
no peer-port
Removes the configured peer port
peer-clock-id
Specifies the ID of the peer port:
XX:XX:XX:XX:XX:XX:XX
:XX
value: string of <1-16>

characters
no peer-clock-id
Removes the configured ID
peer-address {A.B.C.D |
Specifies IP/MAC address of the peer port:
HH:HH:HH:HH:HH:HH}
A.B.C.B: peer port IP address, in

HH:HH:HH:HH:HH:HH: peer port MAC

address, in hexadecimal format
no peer-address
Removes the configured address
encapsulation {ipv4 |
ieee8023}
Specifies the encapsulation method for PTP

sessions:
ipv4: based on IPv4
ieee8023: based on IEEE802.3 (one

octet)
Ipv4
no encapsulation
Restores to default
vlan-id <value>
Assigns a VLAN to a session:
200
no vlan-id
Restores to default
vlan-cos <value>
Specifies the VLAN CoS:
7
no vlan-cos
Restores to default
tos <value>
Assigns a ToS to the session to define the type

of service provided to the packet:
0
no tos
Restores to default
sync-interval <value>
Specify the mean sync interval for the specified

session.
value: in the range of from -7 to

-1 (see Table 7)
-6
no sync-interval
acceptable-master <value>
{A.B.C.D |
Restores to default
Adds clocks to the list of acceptable master
clocks and enters Acceptable master clocks
Page 36
Command
Description
HH:HH:HH:HH:HH:HH}
no acceptable-master
[<value> {A.B.C.D |
HH:HH:HH:HH:HH:HH}]
priority <value>
Configuration mode:
A.B.C.B: device IP address, in

HH:HH:HH:HH:HH:HH: device MAC

address, in hexadecimal format
Removes the acceptable master configuration:

<1-100>
A.B.C.B: (optional) device IP

address, in dotted-decimal format
HH:HH:HH:HH:HH:HH: (optional)
device MAC address, in
hexadecimal format
Specifies the device priority

If there is more than one master device in the
PTP domain, the device with the highest
priority (lowest number) remains the master
while the other device/s switch to slave:
0
no priority
domain {d1 | d2}
Specifies the acceptable master clock PTP

domain:
no domain
show ces module {1/3 | 1/4} ptp
[acceptable-master | domain | port
[status] | session [status]]
file cp ces-image
PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]
/FILE-NAME
d1/d2: PTP domain name: d1 or d2
Removes the configured domain

Displays PTP configuration:
1/3, 1/4: CES modules
acceptable-master: displays the

PTP acceptable-master clock
information
domain: displays PTP domain

information
port: displays PTP ports

information
session: displays PTP session

information
status: displays status of PTP

port/session
Downloads a new CES image from a


ftp://user:pass@A.B.C.D. For TFTP
servers, user, password, and port
are not required. For FTP
servers, port number is not
required.
Page 37
Command
file activate-ces-image module-id {1/3 |

1/4} file-name FILE-NAME
Description
USER: FTP user name


server (in dotted-decimal format)

transfer
FILE-NAME: name of the image file
Activates the CES image:
module-id: CES module (1/3 or

1/4)
file-name FILE-NAME: name of the

image file to be activated
NOTE
During the CES image activation, CES
modules (1/3 and 1/4) become not
configurable.
show ces module {1/3 | 1/4} [circuit
<number> [status] | clock-controller |
policy | interface <CES_INTERFACE>
[statistics {current | interval <value>
| total}]
Displays CES configuration information, filtered

by command arguments:
1/3, 1/4: CES modules
circuit <number>: circuit ID in

the range of <1-30>
status: circuit status
clock-controller: the source used

by the clock controller
policy: TDM policies
interface <CES_INTERFACE>: CES

interfaces number. The valid
ranges are:
e1 mode: from e1-1.0.0.0 to e1-8.0.0.0
statistics: displays the current

statistics of existing CES
circuits
current: statistics for the

current time interval
interval <value>: statistics for

a specified time interval, in the
range of <196>
total: statistics for all time

intervals
t1 mode: from t1-1.0.0.0 to t1-8.0.0.0
clear ces module {1/3 | 1/4} statistics

{circuit | interface}
Clears statistics for all CES circuits, specified

CES circuit, or CES interface.
Page 38
Example
device-name#show ces module 1/3 interface e1-1.0.0.0 statistics current

===============================================================================
CES - Statistics Information
===============================================================================
Module 1/3
Interface e1-1.0.0.0
------------------------------------------------------------------------------Interval
: Current
Start Time
: 23:30:00
End Time
: 23:41:39
Elapsed Time
: 700 sec
------------------------------------------------------------------------------DS1 NearEnd
------------------------------------------------------------------------------Valid intervals
: 96
Invalid intervals : 0
CV
: 0
ES
: 0
SES
: 0
BBE
: 0
UAS
: 0
------------------------------------------------------------------------------DS1 FarEnd
------------------------------------------------------------------------------Valid intervals
: 96
Invalid intervals : 0
ES-FE
: 0
SES-FE
: 0
UAS-FE
: 0
BBE-FE
: 0
===============================================================================
1.
Download the CES firmware from a TFTP server:

device-name#file cp ces-image tftp://10.3.71.66/cmx1624_R02.00.00_D38.bin
OK
Download complete
2.
(Optional) Verify the memory free space on device:

device-nameH#file ls
1 Oct 13:09 4.0k reboot.log
Number of files: 1, 4K
Flash Size: 56.5M
Used Space: 43.8M
Free Space: 12.7M
3.
(Optional) Display CES firmware images previously loaded on the device:

device-name#file ls ces-image
Page 39
2 Oct 13:40 4.4M cmx1624_R02.00.00_D35.bin

2 Oct 13:38 4.4M cmx1624_R02.00.00_D38.bin
4.
Specify the name of the CES firmware file to be loaded during the next restart.
device-name#file activate-ces-image module-id 1/3 file-name
cmx1624_R02.00.00_D38.bin
Uploading firmware, please wait: \
Copying backup to startup image. Bytes left to write: 0
Uploading firmware successful
Restarting CES module
Oct 2 13:51:13 alert
Ces
Setting CES module [1/3] to READY state
The following example displays how to configure CES over Ethernet.
Figure 12: CES over Ethernet Configuration
Connection: PSTN <-------->First Device is over SF-CAS TDM signaling. First Device receives
the clock from the TDM line. PSTN is responsible for providing the clock.
Connection: First Device<-------->Second Device is over Ethernet network using CESoPSN
protocol.
Devices are connected in VLAN ID 10 with priority 5 through ports 1/2/1<-------->1/2/1
Second Device receives the clock from the Ethernet.
Connection: Second Device <-------->PBX. is over SF-CAS TDM signaling. PBX is in receive
mode, PBX receives the clock from the second device.
1.
Configuring First Device:

a.
Define the SW interface configuration:
device-name(config)#router interface sw1
device-name(config-router)#exit
b.
Define the VLAN configuration:
device-name(config-vlan-v10/10)#routing-interface sw1
Page 40
device-name(config-vlan-v10/10)#commit
device-name(config-vlan-v10/10)#exit
c.
Define the CES IP address and mode configuration:
device-name(config)#ces module 1/3
device-name(config-module-1/3)#mode t1
device-name(config-module-1/3)#commit
device-name(config-module-1/3)#ip-address 1.0.0.16
device-name(config-module-1/3)#mask 255.255.0.0
device-name(config-module-1/3)#clock line
d.
Define the TDM interface configuration:
device-name(config-module-1/3)#interface t1-1.0.0.0
device-name(config-interface-t1-1.0.0.0)#clock module
device-name(config-interface-t1-1.0.0.0)#framing sf-cas
device-name(config-interface-t1-1.0.0.0)#commit
device-name(config-interface-t1-1.0.0.0)#exit
e.
Define the Circuit configuration:
device-name(config-module-1/3)#circuit 1
device-name(config-circuit-1)#interface t1-1.0.0.0
device-name(config-circuit-1)#timeslots 1-24
device-name(config-circuit-1)#vlan-id 10
device-name(config-circuit-1)#vlan-priority 5
device-name(config-circuit-1)#rtp enable
device-name(config-circuit-1)#maximum-jitter-expected 10
device-name(config-circuit-1)#samples-aggregation 8
device-name(config-circuit-1)#ip-tos 100
device-name(config-circuit-1)#oos-tos 100
device-name(config-circuit-1)#rtp-payload-type 110
device-name(config-circuit-1)#oos-payload-type 115
device-name(config-circuit-1)#local udp-port 2200
device-name(config-circuit-1)#local oos-udp-port 2300
device-name(config-circuit-1)#destination ip-address 1.0.0.56
device-name(config-circuit-1)#destination udp-port 3000
device-name(config-circuit-1)#destination oos-udp-port 3300
device-name(config-circuit-1)#commit
f.
Define the Clock-controller configuration:

device-name(config-module-1/3)#clock-controller primary interface t11.0.0.0
g.
Enable circuit after clock-controller configuration:
device-name(config-circuit-1)#no shutdown
2.
Configuring Second Device:
Page 41
h.
Define the SW interface configuration:
device-name(config-router)#exit
i.
Define the VLAN configuration:

device-name(config-vlan-v10/10)#commit
device-name(config-vlan-v10/10)#exit
j.
Define the CES IP address and mode configuration:

device-name(config-module-1/3)#end
k.
Define the TDM interface configuration:

device-name(config-module-1/3)#
device-name(config-interface-t1-1.0.0.0)#clock adaptive
device-name(config-interface-t1-1.0.0.0)#framing sf-cas
device-name(config-interface-t1-1.0.0.0)#commit
l.
Define the Circuit configuration:

device-name(config-circuit-1)#interface t1-1.0.0.0
device-name(config-circuit-1)#timeslots 1-24
device-name(config-circuit-1)#vlan-priority 5
device-name(config-circuit-1)#ip-tos 100
device-name(config-circuit-1)#oos-tos 100
device-name(config-circuit-1)#rtp-payload-type 110
device-name(config-circuit-1)#oos-payload-type 115
device-name(config-circuit-1)#local udp-port 3000
device-name(config-circuit-1)#local oos-udp-port 3300
Page 42
device-name(config-circuit-1)#destination udp-port 2200

device-name(config-circuit-1)#destination oos-udp-port 2300
m. Define the Clock-controller configuration:

device-name(config-interface-t1-1.0.0.0)#clock-controller primary circuit 1
device-name(config-clock-controller-primary)#commit
device-name(config-clock-controller-primary)#exit
n.
Enable circuit after clock-controller configuration:
3.
Display module details:

device-name#show ces module 1/3
===============================================================================
CES
===============================================================================
Module 1/3
------------------------------------------------------------------------------Description
: CES 8 E1/T1
Type
: CES-1628-OCXO
Status
: Ready
Working mode
: E1
Up Time
: 2 day, 23 hours, 43 minutes
Ready Time
: Thu Jan
1 00:00:00 1970
Insert Time
: Thu Oct
1 13:01:40 2009
Extract Time
: Thu Oct
1 13:01:40 2009
FW Version
: CES Module R02.00.00_D038-200
MAC Address
: 00:12:72:00:95:78
IP Address
: 192.168.0.3/255.255.255.0
Gateway
: 192.168.0.1
Clock Mode
: Internal
===============================================================================
4.
Display Circuit details:

device-name##show ces module 1/3 circuit 1
===============================================================================
CES
===============================================================================
Module 1/4
Circuit 1
------------------------------------------------------------------------------Interface
: t1-1.0.0.0
Admin Status
: Enabled
Mode
: Unstructured
Vlan ID
: 10
Priority
: 5
RTP
: Enabled
RTP Payload Type
: 96
OOS Payload Type
: 96
Policy Payload Suppress
: Enabled
Maximum Jitter Expected
: 10
Samples Aggregation
: 10
Protocol
: SATOP/CESOPSN
IP TOS
: 0
IP OOS TOS
: 0
Page 43
Destination IP Address
: 192.168.0.128
Resolve status
: 0
Destination UDP Port
: 49152
Destination OOS UDP Port
: 49152
Local UDP Port
: 49152
Local OOS UDP Port
: 49152
======================================================
5.
Display Circuit status:

device-name#show ces module 1/3 circuit 1 status
===============================================================================
CES
===============================================================================
Module 1/3
Circuit 1
------------------------------------------------------------------------------Admin status
: Enabled
Oper status
: Up
Enable Time
: Sun Oct
Up Time
: 00:00:11
Peer MAC
: 00:12:72:00:96:fe
Used for clocking
: No
TDM Tx
: Alarm
TDM Rx
: Yes
PSN Tx
: Up
PSN Rx
: Up L
Tx Up Counter
: 0
Jitter Information
: Yes
4 12:58:52 2009
Jitter Current (ms)
9.227
Jitter Buffer Delay (ms)
1.336
Jitter Min Level (ms)
8.601
Jitter Max Level (ms)
9.937
Ping to Peer
------------------------------------------------------------------------------Counter Name
Value
------------------------------------------------------------------------------Valid Eth pps

Handled Eth pkts
800
7953
Unordered Eth pkts
Restarts TDM Tx
Restarts TDM Rx
Packets per sec
800
Malformed Frames
Underrun Eth pkts
LBit Counter pkts
7953
RBit Counter pkts
104
Missing Eth pkts
=====================================================================
6.
Display Clock-Controller status:

device-name#show ces module 1/3 clock-controller 1
===========================================================================
====
CES
===========================================================================
====
-----------------------------------------------------------------------------Module 1/3
Clock-Controller 1
Page 44
-----------------------------------------------------------------------------Destination Interface
: t1-1.0.0.0
Status
: Not Locked
State
: Aquisition
Mode
: Active
Recovery Method
: Adaptive
Source Circuit Number
: 1
Source TDM Interface
: Source PTP Session Number
: 0
------------------------------------------------------------------------------
Explanation of Clock States:
freeRun: The operating condition of a clock when the output signal is internally controlled,
without influence from a present or previous reference.
acquisition: Synchronization of the clock to the input reference. The output frequency and
phase may not be stable enough and therefore may not conform to standards.
normal: Synchronization of the clock to a reference. The output frequency of the clock is
traceable to the input reference frequency over the long term, and the phase difference
between the input and output is bound.
holdover: Operating condition of a clock when the clock has lost its references and is using
data acquired, during operation in normal mode, to control the output signal. In general, the
stored data or holdover value used by a clock in holdover mode is an average value obtained
over a certain period of time (to reduce the effects of short-term variations that may occur in
the reference frequency during normal operation).
fastAcquisition: Fast pull-in of the clock to a reference (for example, when recovering from
holdover or when the input reference has an abrupt change in frequency). After the clock
achieves a lock, the clock automatically changes to the slower-tracking, normal mode. The
mode of the clock input controller. Not all clock input controllers support all modes.
NOTE
The clock input controller status is 'locked' only if the clock input controller is
in 'normal' mode.
1.
Display interface details:

NOTE
All 8 interfaces are displayed
device-name#show ces module 1/3 interface

===============================================================================
CES
===============================================================================
Module 1/3
------------------------------------------------------------------------------Admin Status
: Enabled
Link state
: Down
Up Time
: Thu Jan 1 19:48:02 1970
Service clock
:
Framing
: Unframed
Page 45
Line Code
: HDB3
Cable Length
: 125 ohm
Loopback
: None
------------------------------------------------------------------------------
------------------------------------------------------------------------------Module 1/3
------------------------------------------------------------------------------Admin Status
: Enabled
Link state
: Down
Up Time
: Thu Jan 1 19:48:03 1970
Service clock
:
Framing
: CAS-NON CRC
Line Code
: HDB3
Cable Length
: 125 ohm
Loopback
: None
Alarms
: XmtAIS LossOfSignal
The following example displays how to configure CES over VPLS.
Figure 13: CES over VPLS Configuration
Connection: First Device<-------->Second Device is over VPLS network using CESoPSN over
Ethernet protocol to convert the TDM before encapsulating inside VPLS.
Devices are connected through ports 1/2/8<-------->1/2/8 running MPLS LDP LSPs over OSPF
infrastructure.
On both devices, TDM traffic is received on two circuits and converted into two Ethernet flows
carrying customer VLANs (C-VLANs) 120 and 130 entering into the MPLS cloud as two Service
Access Points (SAP) under the same VPLS service.
Second Device receives the clock from the Ethernet/MPLS.
1.
Connection: Second Device<-------->PBX. is over SF-CAS TDM signaling. PBX is in receive

mode, PBX receives the clock from the second device
2.
First Device (CES master clock loopback) configuration:

o.
Define the VPLS configuration:
Page 46
device-name(config-router)#interface lo1
device-name(config-interface-lo1)#address 3.3.1.1/32
device-name(config-interface-lo1)#no shutdown
device-name(config-interface-lo1)#interface sw2
device-name(config-interface-sw2)#no shutdown
device-name(config-interface-sw2)#interface outBand0
device-name(config-interface- outBand0)#address 10.3.179.179/16
device-name(config-interface- outBand0)#no shutdown
device-name(config-interface- outBand0)#ldp
device-name(config-ldp)#no shutdown
device-name(config-ldp)#targeted-peer 1.1.172.102
device-name(config-targeted-peer-1.1.172.102)#distribute
device-name(config-distribute)#ingress ospf
device-name(config-distribute)#egress ip 3.3.1.1/32
device-name(config-ip-3.3.1.1/32)#interface lo1
device-name(config-interface-sw2)#mpls
device-name(config-mpls)#lsr-id 3.3.1.1
device-name(config-mpls)#interface lo1
device-name(config-interface-sw2)#ospf
device-name(config-ospf)#router-id 3.3.1.1
device-name(config-ospf)#area 0.0.0.0
device-name(config-area-0.0.0.0)#interface 3.3.1.1
device-name(config-interface-3.3.1.1)#interface 100.0.0.1
device-name(config-interface-100.0.0.1)#port 1/2/8
device-name(config-port-1/2/8)# default-vlan 2
device-name(config-port-1/2/8)#vlan 2 2
device-name(config-vlan-2/2)#no management
device-name(config-vlan-2/2)#routing-interface sw2
device-name(config-vlan-2/2)#untagged 1/2/8
device-name(config-vlan-2/2)#service
device-name(config-service)#sdp 1
device-name(config-sdp-1)#far-end 1.1.172.102
device-name(config-sdp-1)#vpls 100
device-name(config-vpls-100)#mode mtu-s
device-name(config-vpls-100)#revert-timer 0
device-name(config-sap-1/3/9:120:)#description ""
device-name(config-sap-1/3/9:120:)#no learn-new-mac-address
device-name(config-sap-1/3/9:120:)#no untagged
device-name(config-sap-1/3/9:120:)#no secured
device-name(config-sap-1/3/9:120:)#spoke-sdp 1
device-name(config-spoke-sdp-1)#vc-type ethernet
device-name(config-spoke-sdp-1)#no pw-status-signaling
device-name(config-spoke-sdp-1)#no pw-active
Page 47
device-name(config-spoke-sdp-1)#no pw-redundancy
device-name(config-spoke-sdp-1)#pw-precedence 1
device-name(config-spoke-sdp-1)#no backup
device-name(config-spoke-sdp-1)#learn-new-mac-address
device-name(config-spoke-sdp-1)#no secured
device-name(config-spoke-sdp-1)#vpls 101
Commit complete.
p.
Define the CES configuration:

The following warnings were generated:
'ces module 1/3': For the change to take effect the 'apply configuration'
command should be executed. This may restart the CES module.
Proceed? [yes,no] yes
Commit complete.
Commit complete.
device-name(config-module-1/3)#interface e1-1.0.0.0
device-name(config-interface-e1-1.0.0.0)#clock loopback
device-name(config-interface-e1-1.0.0.0)#framing unframed
device-name(config-interface-e1-1.0.0.0)#interface e1-1.0.0.0
device-name(config-interface-e1-1.0.0.0)#clock loopback
device-name(config-interface-e1-1.0.0.0)#framing unframed
device-name(config-interface-e1-1.0.0.0)#commit
Commit complete.
Page 48
device-name(config-circuit-1)#circuit 5
device-name(config-circuit-5)#interface e1-5.0.0.0
device-name(config-circuit-5)#timeslots 1-15,17-31
Commit complete.
3.
Device 2 (CES slave clock adaptive) configuration:

q.
Define the VPLS configuration:
device-name(config-router)#interface lo1
device-name(config-interface-lo1)#address 1.1.172.102/32
device-name(config-interface-sw2)#ldp
device-name(config-ldp)#no shutdown
device-name(config-ldp)#targeted-peer 3.3.1.1
device-name(config-targeted-peer-3.3.1.1)#distribute
device-name(config-distribute)#ingress ospf
device-name(config-distribute)#egress ip 1.1.172.102/32
device-name(config-ip-1.1.172.102/32)#interface lo1
device-name(config-interface-sw2)# mpls
device-name(config-mpls)#lsr-id 1.1.172.102
device-name(config-mpls)#interface lo1
device-name(config-interface-sw2)#ospf
device-name(config-ospf)#router-id 1.1.172.102
device-name(config-ospf)#area 0.0.0.0
device-name(config-area-0.0.0.0)#interface 1.1.172.102
device-name(config-interface-1.1.172.102)#passive
device-name(config-interface-1.1.172.102)#interface 100.0.0.2
device-name(config-interface-100.0.0.2)#port 1/2/8
device-name(config-port-1/2/8)#vlan 2 2
device-name(config-vlan-2/2)#no management
device-name(config-vlan-2/2)#routing-interface sw2
device-name(config-vlan-2/2)#untagged 1/2/8
Page 49
device-name(config-vlan-2/2)#service
device-name(config-service)#sdp 1
device-name(config-sdp-1)#far-end 3.3.1.1
device-name(config-sdp-1)#vpls 100
device-name(config-spoke-sdp-1)#vpls 101
device-name(config-spoke-sdp-1)#pw-precedence
1
Commit complete.
r.
Define the CES configuration:

Page 50

Commit complete.
Jan 1 00:25:02 critical Ces Local CES Module 1/3 does not reply to the
configuration message 804. Resend the configuration message.
Jan 1 00:25:06 critical Ces Local CES Module 1/3 is not responding
Commit complete.
device-name(config-interface-e1-1.0.0.0)#clock adaptive
device-name(config-interface-e1-1.0.0.0)#interface e1-5.0.0.0
device-name(config-interface-e1-5.0.0.0)#clock adaptive
device-name(config-interface-e1-5.0.0.0)#framing cas
device-name(config-interface-e1-5.0.0.0)#commit
Commit complete.
device-name(config-circuit-1)#exit
device-name(config-circuit-5)#timeslots 1-15,17-31
Commit complete.
device-name(config-interface-e1-1.0.0.0)#clock-controller primary circuit 1
Commit complete.
device-name(config-interface-e1-1.0.0.0)#exit
device-name(config-interface-e1-5.0.0.0)#clock-controller primary circuit 5
Commit complete.
device-name(config-interface-e1-5.0.0.0)#exit
Page 51
device-name(config-circuit-1)#exit
Commit complete.
4.
Display the CES clock controller status:

===============================================================================
CES
===============================================================================
------------------------------------------------------------------------------Module 1/3
Clock-Controller 1
------------------------------------------------------------------------------Destination Interface
: e1-1.0.0.0
Status
: Not Locked
State
: FreeRun
Mode
: Active
Recovery Method
: Adaptive
: 1
: -
Source PTP Session Number
: 0
------------------------------------------------------------------------------===============================================================================

===============================================================================
CES
===============================================================================
Module 1/3
Circuit 1
------------------------------------------------------------------------------Operational Status
: Up
Create Time
: Thu Jan
1 00:00:00 1970
Enable Time
: Thu Jan
1 00:00:00 1970
Up Time
: Thu Jan
1 00:00:00 1970
Peer MAC
: 00:12:72:00:94:86
Used for clocking
: No
Jitter Information
: Yes
TDM Tx
: Yes
TDM Rx
: Alarm
PSN Tx
: Fault
PSN Rx
: LOPS
------------------------------------------------------------------------------Counter Name
Value
------------------------------------------------------------------------------Tx Up Packets
Jitter Current (ms)
4.359
1.133
3.855
4.988
Valid Eth pps

Handled Eth pkts
100
9713
Late Eth pkts
Lost Eth pkts
Unordered Eth pkts
Ping to Peer
Restarts TDM Tx
Restarts TDM Rx
Page 52
Packets per sec
1000
Malformed Frames
Underrun Eth pkts
13
Overrun Eth pkts
Invalid Seq Eth pkts
LBit Counter pkts
RBit Counter pkts
Duplicate Eth pkts
Missing Eth pkts
16844397
===============================================================================

===============================================================================
CES
===============================================================================
------------------------------------------------------------------------------Module 1/3
Clock-Controller 9
------------------------------------------------------------------------------Destination Interface
: e1-5.0.0.0
Status
: Locked
State
: Normal
Mode
: Active
Recovery Method
: Adaptive
: 5
: -
Source PTP Session Number
: 0
------------------------------------------------------------------------------===============================================================================

===============================================================================
CES
===============================================================================
Module 1/3
Circuit 5
------------------------------------------------------------------------------Operational Status
: Up
Create Time
: Thu Jan
1 00:00:00 1970
Enable Time
: Thu Jan
1 00:00:00 1970
Up Time
: Thu Jan
1 00:00:00 1970
Peer MAC
: 00:12:72:00:94:86
Used for clocking
: No
Jitter Information
: Yes
TDM Tx
: Yes
TDM Rx
: Yes
PSN Tx
: Fault
PSN Rx
: LOPS
------------------------------------------------------------------------------Counter Name
Value
------------------------------------------------------------------------------Tx Up Packets
Jitter Current (ms)
0
18.366
2.667
17.362
20.029
Valid Eth pps

Handled Eth pkts
Late Eth pkts
100
489899
0
Lost Eth pkts
Unordered Eth pkts
Ping to Peer
Restarts TDM Tx
Page 53
Restarts TDM Rx
Packets per sec
500
Malformed Frames
Underrun Eth pkts
412
Overrun Eth pkts
Invalid Seq Eth pkts
LBit Counter pkts
50
RBit Counter pkts
Duplicate Eth pkts
Missing Eth pkts
16842753
===============================================================================
device-name#show vpls details

------------------------------------------------------------------------------Display VPLS all (details)
===============================================================================
------------------------------------------------------------------------------Service Description ===============================================================================
Service ID
: 100
Admin Status
: Up
Service Type
: MTU
Oper Status
: Up
VC ID
: 100
Up Time
: 00:06:48
Number SDPs (UP): 1 (1 )
Last Status Change : Jan
1 00:00:51 2009
Number SAPs (UP): 1 (0 )
Last Mnmt Change
1 00:00:01 2009
: Jan
Secure SAPs mode: Disabled

Revert timer
: 0
Mesh oper mode
: Independent
Spoke oper mode : Independent

SDP Table - 1 SDPs
------------------------------------------------------------------------------SDP: 3.3.1.1
===============================================================================
SDP Role
: Primary
Admin Status
VC Type
: Ethernet
Oper Status
: Up
: Up
Signaling
: LDP
Up Time
: 00:06:48
Group ID
: 0
1 00:00:51 2009
MTU
: 9190
Last Mnmt Change
: Jan
1 00:00:01 2009
Tunnel
: Prefix LSP(LDP)
Outgoing Label
: 28673
Out Intf
: 34
Incoming Label
: 28673
PW status signaling: Disabled

PW redundancy
: Disabled
Local PW precedence: 1
Local VCCV : ttl/lsp-ping
VCCV in use
: ttl/lsp-ping
SAP Table - 1 SAPs

------------------------------------------------------------------------------SAP: 1/3/9:120:
===============================================================================
Admin Status: Up
Up Time
Oper Status : Down
: 00:00:00
1 00:00:00 1970
Last Mnmt Change
1 00:00:01 2009
: Jan

Service ID
: 101
Admin Status
Service Type
: MTU
Oper Status
: Up
: Up
VC ID
: 101
Up Time
: 00:06:48
1 00:00:51 2009
Last Mnmt Change
1 00:00:01 2009
: Jan

Revert timer
: 0
Page 54
Mesh oper mode
: Independent
Spoke oper mode : Independent

SDP Table - 1 SDPs
------------------------------------------------------------------------------SDP: 3.3.1.1
===============================================================================
SDP Role
: Primary
Admin Status
VC Type
: Ethernet
Oper Status
: Up
: Up
Signaling
: LDP
Up Time
: 00:06:48
Group ID
: 0
1 00:00:51 2009
MTU
: 9190
Last Mnmt Change
: Jan
1 00:00:01 2009
Tunnel
: Prefix LSP(LDP)
Outgoing Label
: 28674
Out Intf
: 34
Incoming Label
: 28674

PW redundancy
: Disabled
VCCV in use
: ttl/lsp-ping
SAP Table - 1 SAPs

------------------------------------------------------------------------------SAP: 1/3/9:130:
===============================================================================
Admin Status: Up
Up Time
Oper Status : Down
: 00:00:00
1 00:00:00 1970
Last Mnmt Change
1 00:00:01 2009
: Jan
The following example displays how to configure CSU loopback.
Configuring the Master Device:
device-name(config-interface-t1-1.0.0.0)#remote-loopback receive line
device-name(config-interface-t1-1.0.0.0)#remote-loopback pseudo-wire allow
device-name(config-interface-t1-1.0.0.0)#ex
device-name(config-circuit-1)#destination ip-address 7.7.7.30 udp-port 42530
oos-udp-port 42530
device-name(config-circuit-1)#local udp-port 42520 oos-udp-port 42520
Configuring the Slave device:
device-name(config-interface-t1-1.0.0.0)#clock adaptive
Page 55
device-name(config-interface-t1-1.0.0.0)#clock-controller primary circuit 1

device-name(config-clock-controller-primary)#ex
device-name(config-interface-t1-1.0.0.0)#ex
device-name(config-circuit-1)#destination ip-address 7.7.7.20 udp-port 42520
oos-udp-port 42520
device-name(config-circuit-1)#local udp-port 42530 oos-udp-port 42530
The following example configures PTP:
Device-name(config-module-1/3)#clock ptp
Device-name(config-module-1/3)#commit
Device-name(config)#system time ptp ces module 1/3 ptp
Device-name(config-ptp)#port d1 1
Device-name(config-port-d1/1)#slave-unicast-negotiation enable
Device-name(config-port-d1/1)#no shutdown
Device-name(config-port-d1/1)#exit
Device-name(config-ptp)#session 1
Device-name(config-session-1)#local-port number 1
Device-name(config-session-1)#local-port domain d1
Device-name(config-session-1)#type slave
Device-name(config-session-1)#peer-type address
Device-name(config-session-1)#peer-address 11.0.0.3
Device-name(config-session-1)#no shutdown
Device-name(config-session-1)#commit
Device-name(config-session-1)#end
Device-name(config)#ces module 1/3
Device-name(config-module-1/3)#clock-controller primary ptp-session 1
Device-name(config-clock-controller-primary)#commit
The following example displays how to configure CES over MPLS.
Figure 14: CES over MPLS Configuration
Page 56
Connection: First Device<-------->Second Device is over MPLS network using CESoPSN
protocol to convert the TDM before encapsulating inside MPLS.
Devices are connected through ports 1/1/1<-------->1/2/1 running MPLS LDP LSPs over OSPF
infrastructure.
On both devices, TDM traffic is encapsulated with the MPLS header.
Second Device receives the clock from the CES over MPLS.
Connection: Second Device<-------->PBX. is over SF-CAS TDM signaling. PBX is in receive
mode, PBX receives the clock from the second device.
1.
First Device (CES master clock loopback) configuration:

a. Define the CES configuration:
Device-name(config)#ces
Device-name(config-ces)#module 1/3
Device-name(config-module-1/3)#mode t1
Device-name(config-module-1/3)#interface t1-1.0.0.0
Device-name(config-interface-t1-1.0.0.0)#framing esf-cas
Device-name(config-interface-t1-1.0.0.0)#circuit 1
Device-name(config-circuit-1)#interface t1-1.0.0.0
Device-name(config-circuit-1)#timeslots 1-10
Device-name(config-circuit-1)#vlan-id 11
Device-name(config-circuit-1)#no shutdown
Device-name(config-circuit-1)#policy-payload-suppress disable
Device-name(config-circuit-1)#protocol mpls-ldp
Device-name(config-circuit-1)#top
Device-name(config)#
b. Define the MPLS configuration:

Device-name(config)#router
Device-name(config-router)#static-route 104.104.104.104/32 22.0.0.104 1
Device-name(config-router)#interface lo1
Device-name(config-interface-lo1)#address 106.106.106.106/32
Device-name(config-interface-lo1)#no shutdown
Device-name(config-interface-lo1)#exit
Device-name(config-router)#interface sw0
Device-name(config-interface-sw0)#description sw0
Device-name(config-interface-sw0)#no shutdown
Device-name(config-interface-sw0)#exit
Device-name(config-interface-sw1)#address 22.0.0.106/16
Device-name(config-router)#ospf
Device-name(config-ospf)#router-id 106.106.106.106
Device-name(config-ospf)#dscp-mapping 48
Page 57
Device-name(config-ospf)#mpls
Device-name(config-mpls)#lsr-id 106.106.106.106
Device-name(config-mpls)#exit
Device-name(config-router)#ldp
Device-name(config-ldp)#no shutdown
Device-name(config-ldp)#distribute
Device-name(config-distribute)#ingress static
Device-name(config-distribute)#interface sw1
Device-name(config-ldp)#top
Device-name(config)#port 1/1/1
Device-name(config-port-1/1/1)#default-vlan 11
Device-name(config)#service
Device-name(config-service)#sdp 1
Device-name(config-sdp-1)#far-end 104.104.104.104
Device-name(config-sdp-1)#vpls 1
Device-name(config-vpls-1)#no shutdown
Device-name(config-vpls-1)#mode mtu-s
Device-name(config-vpls-1)#sap 1/3/9:1:ces-oos
Device-name(config-sap-1/3/9:1:ces-oos)#no shutdown
Device-name(config-sap-1/3/9:1:ces-oos)#
Device-name(config-sap-1/3/9:1:ces-oos)#spoke-sdp 1
Device-name(config-spoke-sdp-1)#no shutdown
Device-name(config-spoke-sdp-1)#vc-type ces_o_psn_tdm_cas
Device-name(config-spoke-sdp-1)#no pw-status-signaling
Device-name(config-spoke-sdp-1)#
Device-name(config-spoke-sdp-1)#vpls 2
Device-name(config-vpls-2)#sap 1/3/9:1:ces
Device-name(config-sap-1/3/9:1:ces)#no shutdown
Device-name(config-sap-1/3/9:1:ces)#
Device-name(config-sap-1/3/9:1:ces)#spoke-sdp 1
Device-name(config-spoke-sdp-1)#top
Device-name(config)#vlan 11
Device-name(config-vlan-11)#name 11
Device-name(config-vlan-11)#no management
Device-name(config-vlan-11)#routing-interface sw1
Device-name(config-vlan-11)#untagged 1/1/1
Device-name(config-untagged-1/1/1)#exit
Device-name(config-vlan-11)#commit
'ces module 1/3': [Warning]For the change to take effect the CES module
needs
to be restarted.
Proceed? [yes,no] yes|
Commit complete.
2.
Device 2 (CES slave clock adaptive) configuration:
Page 58
a. Define the CES configuration:

Device-name(config)#ces
Device-name(config-ces)#module 1/3
Device-name(config-module-1/3)#mode t1
Device-name(config-module-1/3)#interface t1-1.0.0.0
Device-name(config-interface-t1-1.0.0.0)#clock adaptive
Device-name(config-interface-t1-1.0.0.0)#framing esf-cas
Device-name(config-interface-t1-1.0.0.0)#clock-controller primary
Device-name(config-clock-controller-primary)#circuit 1
Device-name(config-clock-controller-primary)#exit
Device-name(config-interface-t1-1.0.0.0)#
Device-name(config-interface-t1-1.0.0.0)#circuit 1
Device-name(config-circuit-1)#interface t1-1.0.0.0
Device-name(config-circuit-1)#timeslots 1-10
Device-name(config-circuit-1)#vlan-id 11
Device-name(config-circuit-1)#no shutdown
Device-name(config-circuit-1)#policy-payload-suppress disable
Device-name(config-circuit-1)#protocol mpls-ldp
Device-name(config-circuit-1)#top
a. Define the MPLS configuration:

Device-name(config)#router
Device-name(config-router)#static-route 106.106.106.106/32 22.0.0.106 1
Device-name(config-router)#interface lo1
Device-name(config-interface-lo1)#address 104.104.104.104/32
Device-name(config-interface-lo1)#no shutdown
Device-name(config-interface-lo1)#exit
Device-name(config-interface-sw1)#address 22.0.0.104/16
Device-name(config-router)#ospf
Device-name(config-ospf)#router-id 104.104.104.104
Device-name(config-ospf)#dscp-mapping 48
Device-name(config-ospf)#mpls
Device-name(config-mpls)#lsr-id 104.104.104.104
Device-name(config-mpls)#exit
Device-name(config-router)#ldp
Device-name(config-ldp)#no shutdown
Device-name(config-ldp)#distribute
Device-name(config-distribute)#ingress static
Device-name(config-distribute)#interface sw1
Device-name(config-ldp)#top
Page 59
Device-name(config-port-1/2/1)#default-vlan 11
Device-name(config)#service
Device-name(config-service)#sdp 1
Device-name(config-sdp-1)#far-end 106.106.106.106
Device-name(config-sdp-1)#vpls 1
Device-name(config-vpls-1)#sap 1/3/9:1:ces-oos
Device-name(config-sap-1/3/9:1:ces-oos)#no shutdown
Device-name(config-sap-1/3/9:1:ces-oos)#spoke-sdp 1
Device-name(config-spoke-sdp-1)#vpls 2
Device-name(config-vpls-2)#sap 1/3/9:1:ces
Device-name(config-sap-1/3/9:1:ces)#no shutdown
Device-name(config-sap-1/3/9:1:ces)#
Device-name(config-sap-1/3/9:1:ces)#spoke-sdp 1
Device-name(config-spoke-sdp-1)#top
Device-name(config)#vlan 11
Device-name(config-vlan-11)#name 11
Device-name(config-vlan-11)#no management
Device-name(config-vlan-11)#routing-interface sw1
Device-name(config-vlan-11)#untagged 1/2/1
Device-name(config-untagged-1/2/1)#exit
Device-name(config-vlan-11)#commit
'ces module 1/3': [Warning]For the change to take effect the CES module
needs
to be restarted.
Commit complete.
Display Configuration details:

device-name#show vpls details
------------------------------------------------------------------------------Display VPLS all (details)
===============================================================================
Service ID
: 1
Admin Status
: Up
Service Type
: MTU
Oper Status
: Up
VC ID
: 1
Up Time
: 02:34:53
Page 60
Number SDPs (UP):

Number SAPs (UP):
Secure SAPs mode:
Revert timer
:
Mesh oper mode :
Spoke oper mode :
1 (1 )
1 (1 )
Disabled
0
Disabled
Disabled
Last Status Change : Oct 01 15:09:10 2009

Last Mnmt Change
: Oct 01 15:06:46 2009
SDP Table - 1 SDPs

------------------------------------------------------------------------------SDP: 106.106.106.106
===============================================================================
SDP Role
: Primary
Admin Status
: Up
VC Type
: CESoPSN-TDM-with-sCAS
Oper Status
: Up
Signaling : LDP
Up Time
: 02:34:53
Group ID
: 0
MTU
: 9190
Last Mnmt Change
: Oct 01 15:06:46 2009
Transport : 106.106.106.106/32
Outgoing VC Label : 28673
Out Intf
: 44
Incoming VC Label : 28673
Nexthop
: 22.0.0.106
Transport Label
: 3
Learning
: Enabled
Secured
: Disabled
PW redundancy
: Disabled
VCCV in use
: ttl/lsp-ping
MAC Count : 0
SAP Table - 1 SAPs
------------------------------------------------------------------------------SAP: 1/3/9:1:CES-OOS
===============================================================================
Admin Status: Up
Up Time
: 02:36:50
Oper Status : Up
Learning
: Enabled
Last Mnmt Change
: Oct 01 15:06:46 2009
Ethertype
: 0x8100
Untagged
: false
Secured
: Disabled
MAC Count
: 0
Service ID
: 2
Admin Status
: Up
Service Type
: MTU
Oper Status
: Up
VC ID
: 2
Up Time
: 02:34:53
Last Mnmt Change
: Oct 01 15:06:46 2009
Revert timer
: 0
Mesh oper mode : Disabled
Spoke oper mode : Disabled
SDP Table - 1 SDPs
------------------------------------------------------------------------------SDP: 106.106.106.106
Page 61
===============================================================================
SDP Role
: Primary
Admin Status
: Up
VC Type
: CESoPSN-TDM-with-sCAS
Oper Status
: Up
Signaling : LDP
Up Time
: 02:34:53
Group ID
: 0
MTU
: 9190
Last Mnmt Change
: Oct 01 15:06:46 2009
Transport : 106.106.106.106/32
Outgoing VC Label : 28674
Out Intf
: 44
Incoming VC Label : 28674
Nexthop
: 22.0.0.106
Transport Label
: 3
Learning
: Enabled
Secured
: Disabled
PW redundancy
: Disabled
VCCV in use
: ttl/lsp-ping
MAC Count : 0
SAP Table - 1 SAPs
------------------------------------------------------------------------------SAP: 1/3/9:1:CES
===============================================================================
Admin Status: Up
Up Time
: 02:36:50
Oper Status : Up
Learning
: Enabled
Last Mnmt Change
: Oct 01 15:06:46 2009
Ethertype
: 0x8100
Untagged
: false
Secured
: Disabled
MAC Count
: 0
===============================================================================
CES
===============================================================================
Module 1/3
Circuit 1
------------------------------------------------------------------------------Admin status
: Enabled
Oper status
: Up
Enable Time
: Thu Oct
Up Time
: 02:37:41
Used for clocking
: Yes
TDM Tx
: Yes
TDM Rx
: Yes
PSN Tx
: Up
PSN Rx
: Up
Tx Up Counter
: 0
Jitter Information
: Yes
1 15:07:13 2009
Jitter Current (ms)
4.037
1.000
3.537
4.537
Ping to Peer
------------------------------------------------------------------------------Counter Name
Value
------------------------------------------------------------------------------Valid Eth pps
1000
Handled Eth pkts
4000
Unordered Eth pkts
Restarts TDM Tx
Restarts TDM Rx
Packets per sec
1000
Page 62
Malformed Frames
Underrun Eth pkts
LBit Counter pkts
RBit Counter pkts
Missing Eth pkts
===============================================================================
Page 63

Features
Standards
MIB
RFC
CES
Not supported
Not supported
draft-ietf-pwe3-satopStructure
agnostic TDM over packet
draft-ietf-pwe3-cesopsnTDM
circuit emulation service over
packet switched network.
MEF-8Implementation
agreement for the emulation of
PDH circuits over Metro-Ethernet
networks.
Page 64
Appendix I. Tables of Values

Table 5: TCA Default Counter Threshold Values
Parameter
Description
es
The threshold is applied for errored seconds (ES)
ses
uas
cv
The threshold is applied for severely errored seconds (SES)

The threshold is applied for unavailable seconds (UAS)
The threshold is applied for code violation (CV)
bbe
The threshold is applied for background block errors (BBE)
bbe-fe
The threshold is applied Far End BBE
es-fe
ses-fe
uas-fe
esb-p
fc-p
es-l
es-p
Applies the number of Far End ES

Applies the number of Far End SES
Applies the number of Far End UAS
The errored second type B.
1-second interval with no less than 2, and not more than 319 CRC-6 errors, no
SEF defects, and no AIS defects.
The failure event counter.
Counts the LOF or AIS events at the path layer.
The errored second-line.
This parameter is the number of 1-second intervals with one or more BPVs, or
one or more EXZs, or one or more LOS defects.
The errored second at the path (STS) layer
For DS1 ESF:
1-second interval containing any of the following:
CRC-6 errors
CS events
SEF defects
AIS defects
For DS1 SF:
uas-p
ses-l
1-second interval containing any of the following:
FE errors;
CS events
SEF defects
AIS defect
The number 1-second intervals for which the SONET STS-path is unavailable
The number of 1-second intervals with 1544 or more BPVs plus EXZs, or one or
more LOS defects. For B8ZS-coded signal, BPVs that are part of zero
substitution code are excluded
Page 65
Parameter
Description
ses-p
Applies to both SF and ESF frame formats of DS1
cvl=bbe-l
sas-p
css-p
es-pfe
ses-pfe
sefs-pfe
uas-pfe
In the case of ESF, it is the number of 1-second intervals with 320 or more
CRC-6 errors, or one or more SEF or AIS defects
In the case of SF, it is the number of 1-second intervals with eight or more
FE events (if Ft and Fs bits are measured) or four or more FE events (if
only Ft bits are measured), or SEF or AIS defect
The number of both BPVs and EXZs occurring over the accumulation period.
An EXZ shall increment the CV-L by one regardless of the length of the zero
string. For a B8ZS-coded signal, BPVs that are part of the zero substitution
code are excluded from the count.
The number of 1-second intervals containing one or more SEF defects or one
or more AIS defects
The number of 1-second intervals containing one or more controlled slips in the
path terminating network element
The errored second Far End
The severely errored seconds Far End
The severely errored frame second Far End
The unavailable seconds per path Far End
css-pfe
The controlled slip seconds Far End
cv-pfe
The code violation-path Far End
ssb-pfe
fc-pfe
es-lfe
The errored second type B Far End

The failure event counter Far End
The errored second-line Far End
For e1 interfaces:
Parameter
Quarter-hour
Daily
cv
4294967295
4294967295
12
121
10
100
4294967295
4294967295
10
10
12
121
10
100
4294967295
4294967295
10
10
es
ses
bbe
uas
es-fe
ses-fe
bbe-fe
uas-fe
For T1 interfaces:
Page 66
Parameter
Quarter-hour
Daily
cv-l
4294967295
4294967295
12
121
10
100
4294967295
4294967295
12
121
4294967295
4294967295
10
100
17
4294967295
4294967295
10
10
4294967295
4294967295
4294967295
4294967295
4294967295
4294967295
17
12
121
4294967295
4294967295
10
100
4294967295
4294967295
10
10
es-l
ses-l
fc-p
es-p
esb-p
ses-p
sefs-p
css-p
uas-p
es-lfe
FC-PFE
cv-pfe
sefs-pfe
es-pfe
esb-pfe
ses-pfe
css-pfe
uas-pfe
Table 6: Local Port Circuit Default Values

Parameter
Default Value
The number of the local/destination UDP

port that receives the circuit's traffic
port 49152 for circuit 1


(up to port 49181 for circuit 30)
The number of the local/destination OOS

UDP port that receives the circuit's traffic


(up to port 49181 for circuit 30)
Table 7: Sync Interval Values

Parameter
Default Value
-7
128 Sync messages per second, 7 milliseconds Sync interval
-6
64 Sync messages per second, 15 milliseconds Sync interval,
-5
Page 67
Parameter
Default Value
-4
-3
-2
4 Sync messages per second, 250 milliseconds Sync interval,
-1
Page 68
Troubleshooting
Table of Contents
Table of Figures 2
List of Tables 2
Safe Mode 4
Safe Mode Features 4
Accessing Safe Mode 4
Examples 6
Built-In Self Tests (BISTs) 13
BIST Commands13
Periodic Monitoring 15
Alert Types 16
Periodic Monitoring Commands 17
Diagnosing Connectivity Problems27
Packet Internet Groper (PING) 27
Traceroute 28
Connectivity Diagnostic Commands 29
Port Mirroring (Port Monitoring) 31
Network Traffic Monitoring Commands 32
Ethernet Loopback Test 34
Ethernet Loopback Test Commands 34
Technical Support Information40
Technical Support Commands 40
Troubleshooting (Rev. 01)
Page 1
Table of Figures
Figure 1: Periodic Monitoring Configuration Flow ......................................................................... 15
Figure 2: Port Mirroring ...................................................................................................................... 31
List of Tables
Table 1: BIST Result Groups ............................................................................................................. 13
Table 2: BIST Commands ................................................................................................................... 13
Table 3: Periodic Monitor Types and Results .................................................................................. 16
Table 4: Periodic Monitoring Commands ........................................................................................ 20
Table 5: Monitor Indicators ................................................................................................................ 24
Table 6: Connectivity Diagnostic Commands.................................................................................. 29
Table 7: Characteristics of Port Types............................................................................................... 31
Table 8: Network Traffic Monitoring Commands .......................................................................... 32
Table 9: Ethernet Loopback Test Commands ................................................................................. 35
Table 10: Technical Support Commands .......................................................................................... 40
Page 2
T-Marc3208SH

This chapter describes the available tools used to troubleshoot and resolve technical issues with
Telco Systems devices.
Safe Mode
Safe mode provides access to a minimum set of device management commands.
Periodic Monitoring
Monitors hardware conditions to identify problematic hardware and deteriorated
environmental conditions.
Ethernet Loopback Test

The Ethernet Loopback test gives cost-effective method for testing.
Diagnosing Connectivity Problems

Diagnoses connectivity problems using the Ping and Traceroute utilities.
Port Mirroring (Port Monitoring)

Monitors network traffic by sending copies of all incoming and outgoing packets from
one port to a monitoring port for analysis.
Technical Support Commands

As part of standard troubleshooting methodology, retrieves technical information for the
device and forwards command output to the Telco Systems technical support team.
Page 3
Safe Mode
Safe mode provides access to a minimum set of device management commands which you can use
in case of:
error during the startup process, which prevents the devices initialization
failure of a hardware component (unit), which prevents the operating system from starting up
failure to locate the devices root file system
failure after system upgrade
lost administrators password
Safe Mode Features

Safe Modes Startup screen enables you to perform the following operations:
Reload the device
Check the connectivity (ping and traceroute commands )
Reset the devices configuration to the default factory settings
Reset the devices password to the default factory password
Provide software installation, recovery and upgrade services (for the file system, software
image file, and etc)
The recovery and upgrade service operation provides access to a Device Software Installation menu,
which you can use to:
Download a software image from TFTP/FTP server, via a serial console port (using the
Xmodem protocol) or from a HTTP web site
Activate a new software image
List the available software images or displaying the active software image
Remove a software image
Display the free space available in the area of the local file system that stores software
images (image file system)
Accessing Safe Mode

NOTE
To enter Safe mode, you need to first connect to the device directly through the
devices serial console port.
To access safe mode:
Page 4
1.
Power on or reload the device.
2.
During the devices initialization, press the S key within 6 seconds until the Safe Modes startup
screen appears:
Entering safe mode...

init started: BusyBox v1.11.1 (2011-08-11 15:48:22 IDT)
starting pid 935, tty '': '/bin/recovery-console'
____________________________
_____
.\\
___________________
\
/
\------------------------/ || (___________________)
|
<|
.________________________. || ____________________
|
\_____/
\// (____________________)
|
\\___________________________/
____________________________________________________________________________
(-) Mounting the /proc file system...
OK
(-) Mounting required pseudo file systems...
OK
(-) Reading the flash partitions table from /proc/mtd...
OK
(-) Mounting flash file system... (/real-root,ubi0:rootfs,ubifs,rw)... OK
(-) Reading the file systems table from /real-root/etc/fstab...
OK
(-) Mounting flash file system... (applicfs,ubi1:binos,ubifs,rw)...
OK
(-) Mounting flash file system... (applicvarfs,ubi2:data,ubifs,rw)... OK
(-) Collecting host system information...
OK
(-) Preparing the IP network connectivity...
OK
(-) Enabling remote access via telnet on port 23...
OK
(-) Checking for task script to execute...
OK
____________________________________________________________________________
(version 2.1.TP-dev54)
_______
___
___ ___
__
|
__|.---.-.' _|.-----. |
|
|.-----.--| |.-----.
|__
|| _ |
_|| -__| |
|| _ | _ || -__|
|_______||___._|__| |_____| |__|_|__||_____|_____||_____|
_________________________________________________________________________
/
\
|
Device Maintenance and Recovery Console - Main Menu
|
\_________________________________________________________________________/
0
1
2
3
4
5
6
7
8
9
R
H
Q
|
|
|
|
|
|
|
|
|
|
|
|
|
reset
outband
defgw
ping
traceroute
defcfg
passwd
install
speed
dns
remote
help
exit
:
:
:
:
:
:
:
:
:
:
:
:
:
Reset the device

Change the outband IP address and netmask
Change the default gateway
Execute ping
Execute traceroute
Load the factory-default configuration for the device
Change the administrator password
Install and recover software images
Change the baud rate of the serial interface
Configure DNS domain name servers
Enable or disable remote access to this console
Display help about this utility
Exit the console (reboot the device)
Type the desired menu option or command:
Page 5
3.
From the textual menu, select the appropriate option. This will display the command prompt
for the selected options.
Examples
Example 1:
In the following example, the outband (option 1) command changes the OutBand IP address and
netmask of the device:
Type the desired menu option or command: outband
Changing outband IP address:
_______________________________________________________________________
NOTICE: The outband interface's IP address you will set will only affect
the current session (no system configuration file is modified).
Type the outband new IP address (A.B.C.D): 192.168.1.20
Type the outband new netmask (A.B.C.D):
255.255.255.0
Outband IP address changed successfully.
Press Enter to continue:
_______
___
_______
__
|
__|.---.-.' _|.-----. |
|
|.-----.--| |.-----.
|__
|| _ |
_|| -__| |
|| _ | _ || -__|
|_______||___._|__| |_____| |__|_|__||_____|_____||_____|
_________________________________________________________________________
/
\
|
|
\_________________________________________________________________________/
0
1
2
3
4
5
6
7
8
9
R
H
Q
|
|
|
|
|
|
|
|
|
|
|
|
|
reset
outband
defgw
ping
traceroute
defcfg
passwd
install
speed
dns
remote
help
exit
:
:
:
:
:
:
:
:
:
:
:
:
:
Reset the device

Execute ping
Execute traceroute
Example 2:
In the following example, the passwd (option 6) command restores the users password to its
default value (admin):
Page 6
_______
___
___ ___
__
|
__|.---.-.' _|.-----. |
|
|.-----.--| |.-----.
|__
|| _ |
_|| -__| |
|| _ | _ || -__|
|_______||___._|__| |_____| |__|_|__||_____|_____||_____|
_________________________________________________________________________
/
\
|
|
\_________________________________________________________________________/
0
1
2
3
4
5
6
7
8
9
R
H
Q
|
|
|
|
|
|
|
|
|
|
|
|
|
reset
outband
defgw
ping
traceroute
defcfg
passwd
install
speed
dns
remote
help
exit
:
:
:
:
:
:
:
:
:
:
:
:
:
Reset the device

Execute ping
Execute traceroute
Type the desired menu option or command: 6

Type 'yes' if you are sure you want to change the administrator password: yes
The administrator password will be reset on the next boot.
Example 3:
In the following example, the tftp (option 1) command downloads a software image file from a
TFTP server to the local file system:
_______
___
___ ___
__
|
__|.---.-.' _|.-----. |
|
|.-----.--| |.-----.
|__
|| _ |
_|| -__| |
|| _ | _ || -__|
|_______||___._|__| |_____| |__|_|__||_____|_____||_____|
_________________________________________________________________________
/
\
|
|
\_________________________________________________________________________/
0
1
2
3
4
5
6
7
|
|
|
|
|
|
|
|
reset
outband
defgw
ping
traceroute
defcfg
passwd
install
:
:
:
:
:
:
:
:
Reset the device

Execute ping
Execute traceroute
Page 7
8
9
R
O
H
Q
|
|
|
|
|
|
speed
dns
remote
outif
help
exit
:
:
:
:
:
:
Change the baud rate of the EIA232 serial interface

Change the outband interface
Type the desired menu option or command: 7

############################################################################
###
Device Software Installation and Recovery ###########################
############################################################################
1
2
3
4
L
5
6
D
7
8
9
X
H
|
|
|
|
|
|
|
|
|
|
|
|
|
tftp
ftp
xmodem
http
flash
ls
activate
deactive
show
remove
free
main
help
:
:
:
:
:
:
:
:
:
:
:
:
:
Download a software image from a TFTP server

Download a software image from a FTP server
Download a software image with the XMODEM protocol
Download a software image from a HTTP web site
Install a software image directly from the flash
List the available software images
Change the active working application
Deactivate any active working application
Display the active working application
Delete an application
Display the free space in the application file system
Return to the main menu
Display help about this menu
Type the desired menu option or command: tftp

_________________________________________________________________________
Device Software Image Installation and Recovery
_________________________________________________________________________
Type the IP address of the TFTP server:
192.168.1.10
Type the file path on server to download: TM3208SH /2.4.R1. T-Marc
3208SH.binoxpkg
Downloading " TM3208SH /2.4.R1.T-Marc 3208SH.binoxpkg" from TFTP
192.168.1.10... Done.
The " TM3208SH /2.4.R1. T-Marc 3208SH.binoxpkg" file downloaded successfully.
Verifying the integrity of the package file... OK
Package file details:
-------------------------------------------------------------------------> Description:
BiNOX Package (System with Application)
> Package Version: 2.4.R1
> Creation Date:
Wednesday 24 November 2010, 15:34
> Target Kernel:
2.6.27.39
> Target Device:
T-Marc 3208SH
Generating components list for the package file... Done.
Page 8
Package's Content:
---------------------------------------------------------------------_________________________________________________________________________________________
/
|
|
Component Type:
|
Version:
| File Name:
|-----------------------------|--------------------|-----------------------------------------|
| > Application
| 2.4.R1
| 2.4.R1. T-Marc 3208SH.tar.bz2
| > Kernel Image
| 2.6.27.39
| uImage
| > Safe Mode Image
| 2.1.TP-dev23
| > Root File System Image
T-Marc 3208SH-uboot_safemode.img
| Undefined
| ubi_root_volume.img
| > Applic. File System Image | Undefined
| ubi_batm_volume.img
| > Data File System Image
| ubi_data_volume.img
| Undefined
\_____________________________|____________________|_________________________________________/
WARNING: Installing this package will overwrite the images on this device!
The original images will be replaced by the images contained in this package.
Type 'y' if you would like to install this package: y
Unmounting flash-based file systems:
---------------------------------------------------------------------(-) Unmounting flash filesystem (/real-root/applic/var)... Done.
(-) Unmounting flash filesystem (/real-root/applic)... Done.
(-) Unmounting flash filesystem (/real-root)... Done.
(-) Detaching UBI device 'rootfs' from MTD device 'mtd5'... Done.
(-) Detaching UBI device 'binos' from MTD device 'mtd6'... Done.
(-) Detaching UBI device 'data' from MTD device 'mtd7'... Done.
Installing Images:
---------------------------------------------------------------------Extracting the package file's components... Done.
Verifying the integrity of the
3208SH.tar.bz2'... OK
uboot_safemode.img'... OK
component file '2.4.R1. T-Marc

component file 'uImage'... OK
component file ' T-Marc 3208SHcomponent file 'ubi_root_volume.img'... OK
component file 'ubi_batm_volume.img'... OK
component file 'ubi_data_volume.img'... OK
-> Installing the kernel image file 'uImage' version 2.6.27.39:

Flashing the 'uImage' image on the /dev/mtd3 partition (NAND)... OK
-> The image has been successfully flashed on the partition.
-> Installing the safe mode image file ' T-Marc 3208SH-uboot_safemode.img'
version 2.1.TP-dev23:
Erasing the /dev/mtd4 flash partition...
Skipping bad block at 0x00000000
Flashing the ' T-Marc 3208SH-uboot_safemode.img' image on the /dev/mtd4
partition (NAND)... OK
-> Installing the root file system image file 'ubi_root_volume.img':
Page 9
Erasing 128 Kibyte @ fe0000 -- 99 % complete.

Flashing the 'ubi_root_volume.img' image on the /dev/mtd5 partition (NAND)...
OK
-> Installing the application file system image file 'ubi_batm_volume.img':
Erasing 128 Kibyte @ ce0000 -- 21 % complete.
Skipping bad block at 0x00d00000
Erasing 128 Kibyte @ 1ba0000 -- 45 % complete.
Skipping bad block at 0x01bc0000
Erasing 128 Kibyte @ 2b40000 -- 71 % complete.
Skipping bad block at 0x02b60000
Erasing 128 Kibyte @ 3c00000 -- 99 % complete.
Flashing the 'ubi_batm_volume.img' image on the /dev/mtd6 partition (NAND)...
OK
-> Verifying the integrity of the data file system:
|| The data file system seems perfectly valid, would you like to overwrite
|| this file system with the image from the package? [y/n] Skipped.
Mounting flash-based file systems:
---------------------------------------------------------------------(-) Attaching MTD device 'mtd5' to UBI device 'ubi0:rootfs'... Done.
(-) Attaching MTD device 'mtd6' to UBI device 'ubi1:binos'... Done.
(-) Attaching MTD device 'mtd7' to UBI device 'ubi2:data'... Done.
(-) Mounting flash file system... (/real-root,ubi0:rootfs,ubifs,rw)... Done.
(-) Reading the file systems table from /real-root/etc/fstab... Done.
(-) Mounting flash file system... (applicfs,ubi1:binos,ubifs,rw)... Done.
(-) Mounting flash file system... (applicvarfs,ubi2:data,ubifs,rw)... Done.
-> Installing the application '2.4.R1. T-Marc 3208SH.tar.bz2' version 2.4.R1:
Installing the '2.4.R1. T-Marc 3208SH.tar.bz2' file to the images directory...
Done.
Type 'y' if you want to activate the new application image: y
The new application image is "2.4.R1. T-Marc 3208SH.tar.bz2".
The old application image was deactivated.
Example 5:
In the following example, the active (option 6) command specifies the name of the software
image file to be loaded:
Type the desired menu option or command: active
Page 10
_______________________________________________________________________
Current image files for the device:
-rw-r--r-- 1 root root
15414655 Nov 1 2010 2.3.R1. T-Marc 3208SH.tar.bz2
-rw-r--r-- 1 root
root 15437955 Nov 1 2010 2.3.R2. T-Marc 3208SH.tar.bz2
lrwxrwxrwx 1 root
root
37 Dec 31 2008 current_active_version ->
2.3.R2. T-Marc 3208SH.tar.bz
2
Type the name of the image file you want to activate:2.4.R1. T-Marc
3208SH.tar.bz2 <<<<<<<<<< will activate image called 2.4.R1.T-Marc
3208SH.tar.bz2
******************************************************************************
############################################################################
###
############################################################################
1
2
3
4
L
5
6
D
7
8
9
X
H
|
|
|
|
|
|
|
|
|
|
|
|
|
tftp
ftp
xmodem
http
flash
ls
activate
deactive
show
remove
free
main
help
:
:
:
:
:
:
:
:
:
:
:
:
:

Example 6:
In the following example, the free (option 9) command displays the free space available on the
image file system:
Type the desired menu option or command: free
_______________________________________________________________________
Filesystem
ubi1:binos
Size
56.5M
Used Available Use% Mounted on

45.0M
11.5M 80% /real-root/batm

******************************************************************************
############################################################################
###
############################################################################
Page 11
1
2
3
4
L
5
6
D
7
8
9
X
H
Page 12
|
|
|
|
|
|
|
|
|
|
|
|
|
tftp
ftp
xmodem
http
flash
ls
activate
deactive
show
remove
free
main
help
:
:
:
:
:
:
:
:
:
:
:
:
:

Built-In Self Tests (BISTs)

On startup, the device performs a series of basic hardware and configuration validity tests. If the
device passes all of the tests, the Status LED (STS) turns green; if the device fails one or more of
the tests, the Status LED turns red and blinks. Results are summarized, by test group, on the
terminal above the switch banner (see the following table). If so configured, the device sends an
SNMP trap with information on the test failures.
The device administrator can run these self tests at any time during the device operation. Test
results are grouped as follows:
Table 1: BIST Result Groups
Test Group
Description
CPU usage test
Checks the CPU usage
CPU temperature test
Check the temperature around the CPU
Fans test
Checks integrity of the fan tray
Onboard power test
Checks the onboard power
Power supply test
Checks the status of the 2 power supplies
Power supply fans test
Checks the integrity of power supplies fans
RAM Usage test
Checks the amount of used RAM
BIST Commands
This section defines the command hierarchy for BISTs and provides a list of available commands.
Included also, is a configuration example.
Command Hierarchy
device-name#
- system monitor self-test [execute-now | full]
Table 2: BIST Commands
Command
Description
device-name#
Operational mode
Page 13
Command
system monitor self-test [execute-now |
full]
Page 14
Description
Initiates the execution of built-in test sequence
that automatically tests the system. Execute the
command without argument to display only failed
tests:
execute-now: executes BIST

immediately
full: the state of all tests

(passed and failed tests)
Periodic Monitoring
Through periodic monitoring, you can:
periodically monitor crucial device functions in the background and receive alerts when the
monitored indicators vary from operating norms
as a troubleshooting tool, monitor transient conditions and track irregular behaviors. You can
use this method for triggering diagnostic data-polling based on the device operational status
The following flow chart shows the steps need to define a monitor:
Figure 1: Periodic Monitoring Configuration Flow
When a monitor is defined for a device function (such as CPU temperature or RAM usage), results
are returned and actions taken according to a predefined configuration. The monitor can report two
types of results:
Pass/Fail: Operational status is reported as a simple Pass or Fail o (for example, whether the
fans are working or not or if the power supply is working or not)
Page 15
Measurement: The monitor returns a specific, measured value (for example, the device
temperature or the number of packet errors)
The following table describes available monitors and the results returned by that monitor type.
Table 3: Periodic Monitor Types and Results
Indicator
Monitored As
On-Board Power
Pass/Fail
Fans
Pass/Fail
Laser
Pass/Fail
CPU Resources
Measured value
RAM Resources
Measured value
Power Supply
Pass/Fail
CPU Temperature
Measured value
Port Statistics
Measured value
Alert Types
For each monitor you establish, you also define the action or actions that will occur as a result.
These actions are defined individually for each monitor:
log: writes to the Command Line Interface (CLI) history and error message log files
led: flashes the STS LED on the device front panel
trap: generates an SNMP trap
When monitoring a device function that returns a measurement, you can also define limit values so
that alerts are generated only when the device functions outside of the defined range. Log, LED,
and/or Trap alerts would be generated when:
Page 16
the measured value rises above the defined limit
the measured value drops below the defined limit
the measured value is outside of the defined limits (above or below)
Periodic Monitoring Commands

This section describes the command hierarchy for periodic monitoring as well as the available
commands.
Command Hierarchy
NOTE
All periodic monitoring commands are applied immediately, no commit is required.
device-name#
+ config terminal
+ system
+ monitor
+ cpu-temperature
- [no] high-threshold <value>
- [no] led
- [no] log
- [no] low-threshold <value>

- [no] shutdown
- [no] trap
+ cpu-usage
- [no] led
- [no] log

- [no] shutdown
- [no] trap
+ fans
- [no] led
- [no] log
- [no] shutdown
- [no] trap
+ onboard-power
- [no] led
- [no] log
Page 17
- [no] shutdown
- [no] trap
+ port-statistics
- [no] led
- [no] log

- [no] shutdown
- [no] trap
+ power-supply
- [no] led
- [no] log
- [no] shutdown
- [no] trap
+ ram-usage
- [no] led
- [no] log

- [no] shutdown
- [no] trap
+ laser
- [no] led
- [no] log

- [no] shutdown
- [no] trap
- [no] port UU/SS/PP
- [no] rx-power {high-threshold <value> | lowthreshold <value>}

- [no] tx-power {high-threshold <value> | lowthreshold <value>}
- [no] temperature {high-threshold <value> |
low-threshold <value>}
- [no] shutdown
Page 18
- [no] rx-power {high-threshold <value> | lowthreshold <value>}

- [no] tx-power {high-threshold <value> | lowthreshold <value>}
- [no] temperature {high-threshold <value> | lowthreshold <value>}

- [no] shutdown
- show system monitor [cpu-temperature | cpu-usage | | fans | onboardpower | port-statistics | power-supply [fans] | ram-usage | laser
[port UU/SS/PP] [detailed]]
- show system cpu-usage
- show system ram-usage
- show system temperature
Page 19
Table 4: Periodic Monitoring Commands
Command
Description
config terminal
system
monitor
Page 20

Enters Periodic Monitoring Configuration mode
cpu-temperature
Enables CPU temperature monitoring and

enters Temperature Monitoring Configuration
mode
Disabled
cpu-usage
Enables CPU monitoring and enters the CPU

Monitoring Configuration mode. CPU monitoring
collects CPU usage samples and periodically
calculates the average value from previous
percentage estimates. If the calculated value
exceeds a configured limit value, the monitor
triggers an alert.
Disabled
fans
Enables fan monitoring and enters Fan

Monitoring Configuration mode
Disabled
onboard-power
Enables power monitoring and enters Power

Disabled
port-statistics
Enables port monitoring and enters Port

Disabled
ram-usage
Enables RAM monitoring and enters RAM

Monitoring Configuration mode. RAM usage
monitoring periodically checks the remaining
RAM available for allocation. If the amount is
less than the configured limit, the monitor
triggers an alert.
Disabled
laser
Enables Laser Management monitoring and

enters Laser Monitoring Configuration mode.
Laser Management monitors SFP transceivers
parameters (received optical power, transmitter
(Tx)/receiver (Rx) output power, and transceiver
temperature).
This feature is based on the enhanced digitaldiagnostic interface, described in SFF8472 specification.
Disabled
no laser
Restores to default
power-supply
Enables power supply monitoring and enters

Power Supply Monitoring Configuration mode
Disabled
Command
Description
high-threshold <value>
Specifies the high threshold value for a specific

monitoring:
value: high threshold value
90% high threshold for RAM-usage

75% high threshold for CPU-usage
0% high threshold for port statistics
70C high threshold for CPU-temperature
no high-threshold
Removes the high threshold value
led
Enables LED-alert notification.

The LED starts blinking when one of the
following conditions occurs:
the indicator shows a fail status

the measured value for the indicator
exceeds its configured limit
Disabled
no led
Restores to default
log
Enables alert-notification logging.

An alert message is written to the log and
history files when one of the following conditions
occurs:

Disabled
no log
Restores to default
low-threshold <value>
Specifies the low threshold value for a specific

monitoring:
value: low threshold value
0% low threshold for CPU-usage, RAMusage, and port statistics

-3C low threshold for CPU-temperature
no low-threshold
Removes the low threshold value
period <value>
Specifies an interval at which an indicator is

polled:

seconds
60 seconds
no period
Restores to default
Page 21
Command
Description
trap
Enables SNMP trap notification for a specific

monitoring.
When enabled, an SNMP trap is issued when
one of the following conditions occurs:

Disabled
no trap
Restores to default
port UU/SS/PP
(Only for laser management monitoring)

Specifies a port for which thresholds will be
configured:
no port [UU/SS/PP]
Removes the configured port
rx-power {high-threshold
<value> | low-threshold
<value>}
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8

and 1/2/1-1/2/8

Specifies a Rx power threshold:
high-threshold <value>: from -40

dBm to 8 dBm
- 7 dBm
low-threshold <value>: from -40

dBm to 8 dBm
- 32 dBm
no rx-power {high-threshold
| low-threshold}
Restores to default
tx-power {high-threshold
<value>}

Specifies a Tx power threshold:

to 8 dBm
- 5 dBm

to 8 dBm
- 16 dBm
no tx-power {high-threshold
| low-threshold}
Restores to default
temperature {high-threshold
<value>}

Specifies a temperature threshold:

C0 to 128 C0
85 C0

C0 to 128 C0
- 40 C0
Page 22
Command
Description
no temperature {highthreshold | lowthreshold}
Restores to default
shutdown
Disables the port
no shutdown
Enables the port
rx-power {high-threshold
<value>}

Specifies a Rx power threshold:

to 8 dBm
- 7 dBm

to 8 dBm
- 32 dBm
no rx-power {high-threshold |
low-threshold}
Restores to default
tx-power {high-threshold
<value>}

Specifies a Tx power threshold:

to 8 dBm
- 5 dBm

to 8 dBm
- 16 dBm
no tx-power {high-threshold |
low-threshold}
Restores to default
temperature {high-threshold <128-128> | low-threshold <128-128>}

Specifies a temperature threshold:

to 128 C0
85 C0

to 128 C0
- 40 C0
no temperature {high-threshold
| low-threshold}
Restores to default
shutdown
Disables a specific monitoring
no shutdown
Enables a specific monitoring
show system monitor [cpu-temperature |

cpu-usage | | fans | onboard-power |
port-statistics | power-supply [fans] |
ram-usage | laser [port UU/SS/PP]
[detailed]]
Displays monitor settings filtered by the

command arguments (see Table 5)
show system cpu-usage
Displays CPU Usage for the current device
show system ram-usage
Displays RAM load in percent
show system temperature
Displays the temperature of the current device
Page 23
Table 5: Monitor Indicators

Indicator
Description
cpu-temperature
CPU temperature monitoring settings
cpu-usage
CPU usage monitoring settings
fans
Fan monitoring settings
onboard-power
Onboard power monitoring settings
laser
Laser monitoring settings
port-statistics
Port monitoring settings
power
Power monitoring settings
ram-usage
RAM usage monitoring settings
CPU Usage Monitoring
1.
Enter the CPU Monitoring Configuration mode:

device-name(config)#system monitor
device-name((config-monitor)#cpu-usage
2.
Define the CPU usage high limit value to 10 and the low limit to 1:
device-name(config-cpu-usage)#high-threshold 10
device-name(config-cpu-usage)#low-threshold 1
3.
Define the monitoring interval to 20 seconds:

device-name(config-cpu-usage)#period 20
device-name(config-cpu-usage)#no shutdown
device-name(config-cpu-usage)#commit
device-name(config-cpu-usage)#end
4.
Display the CPU usage monitoring settings:

device-name#show system monitor cpu-usage
cpu-usage
status PASSED
Page 24
RAM Usage Monitoring

1.
Enter the RAM Monitoring Configuration mode:

device-name(config-monitor)#ram-usage
2.
Define the RAM usage high limit value to 10 and the low limit to 3:
device-name(config-ram-usage)#high-threshold 10
device-name(config-ram-usage)#low-threshold 3
3.

device-name(config-ram-usage)#period 5
device-name(config-ram-usage)#no shutdown
device-name(config-ram-usage)#commit
device-name(config-ram-usage)#end
4.
Display the RAM usage monitoring settings:

device-name#show system monitor ram-usage
ram-usage
status FAIL
Laser Management Monitoring

1.
Enter the Laser Monitoring Configuration mode:

device-name(config-monitor)#laser
2.
Define the Laser monitor temperature thresholds to be in the range of -10 to 60 degrees and
to indicate by the led on a problem:
device-name(config-laser)# temperature high-threshold 60
device-name(config-laser)# temperature low-threshold -10
device-name(config-laser)#led
3.

device-name(config-laser)#period 600
device-name(config-laser)#no shutdown
device-name(config-laser)#end
4.
Display the Laser monitoring settings:

device-name#show system monitor laser
Laser Monitor Test
Period
Status LED
Traps
: 600
: Enabled
: Disabled
Page 25
Logging
Temperature Limit
Common :
1/2/7 :
1/2/8 :
Tx-Power
Common :
1/2/7 :
1/2/8 :
Rx-Power
Common :
1/2/7 :
1/2/8 :
Page 26
: Disabled
:
-10C..60C
-5C..85C
-5C..85C
:
-16dBm..-5dBm
-11dBm..-3dBm
-11dBm..-3dBm
:
-32dBm..-7dBm
-20dBm..0dBm
-20dBm..0dBm
Diagnosing Connectivity Problems

The device offers two utilities for troubleshooting network-connectivity issues:
Packet Internet Groper (PING)
Traceroute
Packet Internet Groper (PING)

To verify Internet connectivity at the IP level, PING sends an Internet Control Message Protocol
(ICMP) echo request to a specified IP address or device name and waits for one of the following
ICMP responses:
Normal response: device replies within 110 seconds depending on network traffic.
Destination does not respond: the device does not respond. One of two messages is returned. If no
response, a no-answer message is returned. If the device does not exist, an unknown message
is returned.
Destination unreachable: the default gateway cannot reach the specified network.
Network or device unreachable: the route table does not include the device or network.
Example: Reachable Device
device-name#ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100): 56 data bytes
64 bytes from 192.168.1.100: icmp_seq=0 ttl=128 time=1.4
ms
ms
ms
ms
ms
--- 192.168.1.100 ping statistics --5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.3/1.3/1.4 ms
Example: Unreachable Device
device-name#ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101): 56 data bytes
--- 192.168.1.101 ping statistics --5 packets transmitted, 0 packets received, 100% packet loss
Page 27
Traceroute
Traceroute sends ICMP echo packets with varying IP Time-to-Live (TTL) values to the destination.
Upon receipt of an ICMP echo packet with a TTL value of 1 or 0, the device drops the packet and
sends a time-to-live-exceeded message back to the sender. Traceroute uses this mechanism to determine
the route to the destination:
Traceroute sends a User Datagram Protocol (UDP) to the destination device that sets the TTL
value to 1 and receives a time-to-live-exceeded message.
To identify the next hop, Traceroute sends another UDP packet, this time setting the TTL value to
2. The first device reached by the UDP decreases the TTL field by 1 and sends the datagram to the
next device. That device discards the datagram, with its TTL value of 1, and returns a time-to-liveexceeded message to the source.
This process continues until the TTL has been incremented to a value large enough for the
datagram to reach the destination device (or until reaching the maximum value for the TTL is
reached).
To determine when a datagram reaches its destination, Traceroute sets the UDP destination port
number in the datagram to a value unlikely to be used by the destination device. When a device
receives a self-destined datagram containing a destination port number that is unused locally, it
sends an ICMP port unreachable error to the source. Because all errors except port unreachable errors
come from intermediate hops, the receipt of a port unreachable error means that the message was sent
by the destination.
Page 28
Connectivity Diagnostic Commands

This section defines the Connectivity Diagnostic Command Hierarchy and provides a list of
command descriptions as well as an example.
Command Hierarchy
device-name#
- traceroute {A.B.C.D | HOSTNAME} [ttl <ttl> | timeout <timeout>]
- ping {A.B.C.D | HOSTNAME} [number <number> | length <length>]

+ config terminal
+ system
- [no] icmp access source-ip A.B.C.D/M
Table 6: Connectivity Diagnostic Commands
Command
Description
device-name#
Operational mode
traceroute {A.B.C.D | HOSTNAME} [ttl

<ttl> | timeout <timeout>]
Traces the data-packet route to the destination IP

address:

pinged device
HOSTNAME: the name of the pinged
device
ttl: the maximum number of devices
the traceroute command passes, in
the range of <1255>
30
timeout: the timeout for receiving

responses, in the range of <1600>
seconds
5 seconds
Page 29
Command
Description
ping {A.B.C.D | HOSTNAME} [number

<number> | length <length>]
Pings a remote device:

pinged device
HOSTNAME: the name of the pinged
device
number: the number of ICMP echo
packets sent, in the range of
<12147483646>
length: the size of the ICMP echo

packet, in the range of
<5665535>
56
config terminal
system
icmp access source-ip A.B.C.D/M

Limits the access to the ICMP server only from
no icmp access source-ip
A.B.C.D/M
Page 30

address.
Removes the trusted IP address(es)
Port Mirroring (Port Monitoring)

Port Mirroring is a method used to monitor network traffic. Port mirroring forwards all the data
transmitted and received by a port to a different location for analysis. The port receiving the
mirrored traffic must be connected to a Network Analyzer or RMON probe for packet analysis.
Port Mirroring copies and sends packets passing through one or more ports (source ports) to a
monitor port (destination port). Both the source and destination ports are located on the same device.
Figure 2: Port Mirroring
Network traffic monitoring includes the following traffic types:
Receive (Rx, ingress monitoring): Destination port receives a copy of the packets transmitted to the
source port before the source device modifies or processes them.
Transmit (Tx, egress monitoring): Destination port receives a copy of the packets transmitted by
the source port after the source device modifies and processes them.
NOTE
In egress monitoring, packets are forwarded to the destination port before the source
port changes the 802.1q packet header. Therefore, the packets transmitted to the
destination port may differ from the packets sent out by the source port.
Table 7: Characteristics of Port Types

Ports Type
Description
Source Port
The device can monitor egress traffic, ingress

traffic, or both simultaneously:
When monitoring egress traffic, the device

supports up to eight source ports.
The device can monitor port types such as

Fast Ethernet, Gigabit Ethernet, and linkaggregation group.
The source port cannot be a destination port.

Source ports can be in the same or
different VLANs.
Page 31
Ports Type
Description
Destination Port
The destination port:
must reside on the same device as the

source port (for local network traffic
monitoring)
can be any physical Ethernet port
does not transmit any traffic except the traffic

required for the network traffic monitoring
has a limited capacity, any traffic exceeding

port capacity is dropped
cannot be a source port

can participate in only one network traffic
monitor at a time (it cannot be a destination
port for a second network traffic monitoring)
Network Traffic Monitoring Commands

This section defines the command hierarchy for Network Traffic Monitoring and lists the available
commands. A configuration example is provided.
Commands Hierarchy
device-name#
+ config terminal
+ system
- [no] mirror {tx | rx} {destination UU/SS/PP | source

{UU/SS/PP | cpu-port}}
Table 8: Network Traffic Monitoring Commands
Command
Description
config terminal
system
Page 32
Command
mirror {tx | rx} {destination
UU/SS/PP | source {UU/SS/PP |
cpu-port}}
Description
Initiates network traffic monitoring:
tx: monitors egress traffic
rx: monitors ingress traffic
destination UU/SS/PP: the

destination port (monitoring
port)
source UU/SS/PP: a list of source

(monitored) ports
(valid only for rx source) cpuport: allows the CPU port to

mirror transmitted packets
The valid range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/11/2/8
Disabled
no mirror {tx | rx}
Disables network traffic monitoring for a

specified traffic type (ingress or egress):
tx: disables egress traffic

monitoring
rx: disables ingress traffic

monitoring
Page 33
Ethernet Loopback Test

The Ethernet loopback testing is a diagnostic procedure based on the Ethernet/MAC header in
which a signal is transmitted and returned back to the same sending device after passing through all
or a portion of a network to test transportation or transportation infrastructure. A comparison of
the returned signal with the transmitted signal conveys the integrity of the transmission path.
There are two major cases for loopback test to work:
1.
Non-SLA-Aware on access/user port or uplink/network port - loopback is applied on a

specific port and expected to be looped and forwarded back to the same port.
2.
SLA-Aware on access/user port - loopback is applied on a specific port and expected to be

looped and forwarded back to port different than the port the loopback is applied.
Ethernet Loopback Test Commands

Commands Hierarchy
device-name#
+ config terminal
+ [no] oam
+ [no] loopback-test NAME
- [no] amount <value>
- [no] destination-mac HH:HH:HH:HH:HH:HH
- [no] inner-vlan-id <vlan-id>
- [no] inner-vlan-priority <value>

- [no] outer-vlan-id <vlan-id>
- [no] outer-vlan-priority <value>
- [no] source-mac HH:HH:HH:HH:HH:HH
- [no] untagged
- [no] oam loopback-test NAME lag agN [duration <value> | sla-aware]
- [no] oam loopback-test NAME port UU/SS/PP [duration <value> | slaaware]
- [no] oam loopback-test NAME service dot1q <service-id> {sap {UU/SS/PP |

agN} |sdp {UU/SS/PP | agN}} [duration <value> | sla-aware]
- [no] oam loopback-test NAME service tls <service-id> {sap {UU/SS/PP |

agN} |sdp {UU/SS/PP | agN}} [duration <value> | sla-aware]
- show oam loopback-test NAME
Page 34
Table 9: Ethernet Loopback Test Commands
Command
Description
config terminal
oam
no oam
Removes the OAM configurations
loopback-test NAME
Specifies Ethernet loopback test and enters

Ethernet Loopback test Configuration mode:
no loopback-test
amount <value>
NAME: a string of up to 32
characters
Removes the configured test

Specifies the number of destination MAC
addresses to be looped back
1
no amount
Restores to default
destination-mac
HH:HH:HH:HH:HH:HH
Configures Ethernet traffic stream with

individual destination MAC address used to
verify if the processed packets are looped back
after MAC swapping:
HH:HH:HH:HH:HH:HH: destination MAC

address, hexadecimal format
no destination-mac
ethertype <value>
Configures Ethernet traffic stream with specific

packet ethertype value:
value: in hexadecimal format (for

example 0x9000)
0x8100
no ethertype
Restores to default
inner-vlan-id <vlan-id>
(valid only for double-tagged traffic stream)

VLAN ID (inner VLAN tag) in order to verify the
correct transmission of the stream through the
network.
no inner-vlan-id
Removes the configured VLAN ID.
inner-vlan-priority <value>

VLAN Priority Tag (VPT) in the inner-VLAN tag
header in order to verify the correct prioritization
of the stream through the network:
4092>
Page 35
Command
no inner-vlan-priority
Description
outer-vlan-id <vlan-id>
(valid for double and single tagged traffic)

VLAN ID (outer VLAN tag, in case of doubletagged traffic) in order to verify the correct
transmission of the stream through the network.
4092>
no outer-vlan-id
Removes the configured VLAN ID.
outer-vlan-priority <value>

VLAN Priority Tag (VPT) in the outer-VLAN tag
header in order to verify the correct prioritization
of the stream through the network:
no outer-vlan-priority
source-mac HH:HH:HH:HH:HH:HH
Configures Ethernet traffic stream with

individual source MAC address:
HH:HH:HH:HH:HH:HH: source MAC
address, hexadecimal format
no source-mac
untagged
Configures untagged Ethernet traffic stream

tagged
no untagged
Configures tagged Ethernet traffic stream
oam loopback-test NAME port UU/SS/PP

[duration <value> | sla-aware]
Applies the configured Ethernet loopback test

on a specified port.
NOTE
The selected port must be member
of the Outer VLAN, if the traffic is
tagged.
NAME: Ethernet loopback test

name, previously configured
UU/SS/PP: port, in the range of

1/1/1-1/1/4, 1/2/1-1/2/8. This
of the S-VLAN.
duration <value>: (optional) test

duration, in the range of <11440> min
5 minutes
sla-aware: (optional) specifies

test mechanism
not sla-aware
oam oopback-test NAME lag agN [duration
<value> | sla-aware]
Page 36

on a specified LAG:
Command
Description


<1-14>

5 minutes

test mechanism
not sla-aware
oam oopback-test NAME service dot1q
<service-id> {sap {UU/SS/PP | agN}
|sdp {UU/SS/PP | agN}} [duration

on a specified 802.1Q service:
NOTE
When the Ethernet loopback

test is applied on SDP/SAP
port, the outer VLAN ID must
be the same as the service
VLAN ID for the specific
service. Inner VLAN ID must
be the same as C-VLAN ID,
member of which is the SAP
port.

UU/SS/PP: SAP/SDP port, in the

agN: SAP/SDP LAG ID. N is in the

range of <1-14>

5 minutes

test mechanism
not sla-aware
oam oopback-test NAME service tls
<service-id> {sap {UU/SS/PP | agN}
|sdp {UU/SS/PP | agN}} [duration

on a specified TLS service
Page 37
Command
Description
NOTE

test is applied on SDP port, the
outer VLAN ID must be the
same as the service VLAN ID
for the specific service.

test is applied on SAP port,
member of specific C-VLAN
ID:
Outer VLAN ID must be the same
as the service VLAN ID for the
specific service.
Inner VLAN ID must be the same
as C-VLAN ID, member of which is
the SAP port.

member of specific C-VLAN
untagged:
specific service.
Inner VLAN ID must not be
defined.

member of specific C-VLAN all:
specific service.
Inner VLAN ID is optional but must
match the test traffic.

UU/SS/PP: SAP/SDP port, in the

agN: SAP/SDP LAG ID. N is in the

range of <1-14>

5 minutes
Page 38

test mechanism
Command
Description
not sla-aware
no oam oopback-test NAME
Stops the Ethernet loopback test:
show oam loopback-test NAME
NAME: Ethernet loopback test name

currently running
Displays Ethernet loopback test information:

Example
1.
Configure the Ethernet Loopback test:
Device-name(config)#oam
Device-name(config-oam)#loopback-test A1
Device-name(config-loopback-test-A1)#destination-mac 00:00:00:01:01:01
Device-name(config-loopback-test-A1)#outer-vlan-id 7
Device-name(config-loopback-test-A1)#outer-vlan-priority 5
2.
Configure VLAN and add ports 1/1/1 and 1/1/2 as tagged members of it:
Device-name(config)#vlan v7 7
Device-name(config-vlan-7)#tagged 1/1/1
Device-name(config-vlan-7)#tagged 1/1/2
3.
Apply the A1 test on port 1/1/1:
Device-name#oam loopback-test A5 port 1/1/1

Starting test A1 with duration 5 minutes ...Success!
Page 39
Technical Support Information

Telco Systems provides special-purpose CLI commands used to retrieve the technical information
about the device. Forward this information to Telco Systems technical support to aid in tracking
and resolving issues that cause system failures.
Technical Support commands dump the required information onto the screen. You can also save
the command output as an encrypted file locally or to a specific remote server.
Technical Support Commands

The following section defines the command hierarchy for Technical Support and provides a list of
available commands as well as a configuration example.
Command Hierarchy
device-name#
- file cp technical-support PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILENAME
- file cp technical-support use-external-file FILE-NAME USE-EXTERNALFILE-NAME
- file cp technical-support use-external-file FILE-NAME

PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME USE-EXTERNAL-FILE-NAME
- file cp technical-support FILE-NAME
- show technical-support use-external-file USE-EXTERNAL-FILE-NAME
- show technical-support
Table 10: Technical Support Commands
Command
Description
device-name#
Operational mode
file cp technical-support
PROTOCOL[USER[:PASSWORD]@]IPv4[:P
ORT]/FILE-NAME
Page 40
Uploads the output of the show technicalsupport command to a TFTP/FTP server:

servers, no user, password, and
port are required. For FTP
required.
USER: FTP user name


server in A.B.C.D format
Command
file cp technical-support FILE-NAME
Description

transfer
Saves the output of the show technicalsupport command to the local file system:
file cp technical-support use-externalfile FILE-NAME USE-EXTERNAL-
FILE-NAME
file cp technical-support use-externalfile FILE-NAME

PROTOCOL[USER[:PASSWORD]@]IPv4[:P
ORT]/FILE-NAME USE-EXTERNAL-
FILE-NAME
show technical-support use-externalfile USE-EXTERNAL-FILE-NAME
Saves a filtered output of the show technicalsupport command to the local file system:
FILE-NAME: name of the file that

contains the original command
output
the file that contains a modified
copy of the commands to be
executed
Uploads a filtered output of the show

technical-support command to a TFTP/FTP
server:

servers, no user, password, and
port are required. For FTP
required.
USER: FTP user name


server in A.B.C.D format

transfer
FILE-NAME: name of the file that

contains the original command
output
the file that contains a modified
copy of the command output
Displays the content of a file containing an

output of the show technical-support
command:
show technical-support
the file
Displays the selected technical-support

parameter information
Page 41
Execute commands from default TSDB and display the output:
device-name#show technical-support
===============================================================================
TECHNICAL SUPPORT
===============================================================================
It could take several minutes to complete the command. Please wait ...
------------------------------------------------------------------------------output from command show running-config

------------------------------------------------------------------------------snmp-server
no enable
port
161
engineID 80:00:61:81:05:01
notify linkDown
tag
tag
type
trap
------------------------------------------------------------------------------TSDB_default.db had 2 commands to process

Started at Wed Jul 20 15:05:10 EET 2010
Finished at Wed Jul 20 15:05:10 EET 2010
------------------------------------------------------------------------------===============================================================================
Page 42
Page 43
Page 44
Features
Standards
MIB
RFC
Periodic Monitoring
No standards are
supported by this
feature.
Private MIB,
PRVT-SYS-MONMIB.mib
No RFCs are
supported by this
feature.
Diagnosing Connectivity
Problems
No standards are
supported by this
feature.
No MIBs are
supported by this
feature.
RFC 792-Internet
Control Message
Protocol
Port Monitoring
No standards are
supported by this
feature.
No MIBs are
supported by this
feature.
No RFCs are
supported by this
feature.
Technical Support
Information
No standards are
supported by this
feature.
Private MIB,
PRVTINTERWORKINGOS-MIB
No RFCs are
supported by this
feature.
Appendix A: SNMP Reference Guide

Table of Contents
Table of Figures 2
List of Tables 2
Getting Started 3
Audience 3
Introduction 3
Obtaining MIB Files 3
Compiling MIB Files 3
MIB Tree 4
Object Identifier (OID) 5
Managing Objects 5
SNMP Object Parameters 6
MIB Architecture and Configuration 8
Managing the Device 8
Device Authentication15
Filtering Traffic 21
Traffic Control 26
VLANs 31
Service Configuration 38
Basic Routing and Router Protocols 43
PRVT-OSPF-MIB 44
Multiprotocol Label Switching 47
Network Monitoring and Troubleshooting 56
Traffic Engineering 72
Appendix A: SNMP Reference Guide (Rev. 01)
Page 1
Table of Figures
Figure 1: The MIB Tree ......................................................................................................................... 4
Figure 2: Branch of the MIB Object Identifier Tree ......................................................................... 5
Figure 3: Communication between an SNMP Agent and Manager............................................... 6
List of Tables
Table 1: Predefined SNMP Object Parameters ................................................................................. 6
Page 2
T-Marc3208SH
Getting Started
This guide describes the objects supported in the Management Information Base (MIB) on the
device and illustrates all parameters in the MIB structure. Many configuration examples are
provided to help you make the required changes to your system.
For more detailed information regarding any of the features described in this guide, please refer to
the BiNOX User Guide.
Audience
This guide is intended for network administrators who want to manage the system using SNMP
MIB applications.
Introduction
The Management Information Base (MIB) is a database of objects that can be used by a network
management system (NMS) to manage and monitor devices on the network. The managed objects
are structured in the form of a hierarchical tree.
The MIB can be retrieved by an NMS using Simple Network Management Protocol (SNMP). The
MIB structure determines the scope of management access allowed by a device.
SNMP defines the type of messages that are exchanged between the manager and agent (refer to
the Simple Network Management Protocol (SNMP) chapter). By using SNMP, a management application
can issue read or write operations within the scope of the MIB. Three versions of SNMP are
supported: SNMPv1, SNMPv2, and SNMPv3.
Obtaining MIB Files

There are two options to obtain the MIBs:
By contacting the support center
Customers that have a valid Support Contract can freely download MIBs from the Telco
Systems Web site
Compiling MIB Files

After obtaining the MIBs, follow the instructions of your network management system regarding
usage.
Page 3
MIB Tree
The MIB database is presented in a tree form with conceptual tables, where each managed resource
is represented by an object. Individual data items, the MIB objects, make up the leaves of the tree.
At the top of the tree is the most general information available about the network. Each branch of
the tree gets more detailed into a specific network area.
Figure 1: The MIB Tree
Page 4
Object Identifier (OID)

Each item on the MIB tree is assigned a number which creates a path to objects in the MIB; the
path is known as the object identifier (OID). The OID value consists of two or more integers
(called subidentifiers) separated by a dot (.).
Due to Basic Encoding Rules (the part of ASN.1 that defines how values are encoded for
transmission "on the wire"), the first subidentifier must be 0, 1 or 2. The second subidentifier must
be between 0 and 39 if the first subidentifier is 0 or 1. Otherwise, the only restrictions imposed by
SNMP are that (1) there is a limit of 128 subidentifiers in an OID value, and (2) that each
subidentifier is restricted to the range from 0 to 4294967295.
Figure 2: Branch of the MIB Object Identifier Tree
Example:
To retrieve an object from the OSPF MIB, the software uses this OID:
1.3.6.1.2.1.14
which indicates this path:

iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).ospf(14)
Device OID is 1.3.6.1.4.1.738.10.5.100.1.1.10004
Managing Objects
An SNMP application can read values for the objects (for device monitoring) and some
applications can also change the variables (to provide remote management of devices). Basic SNMP
operations include:
Page 5
Get: Gets a specified SNMP object for a device
Get Next: Gets the next object in a table or list
Set: Sets the value of an SNMP object on a device
B: Sends a message about an event (that occurs on the device) to the management application
When you perform an SNMP Get operation, the SNMP manager sends the OID to the Agent,
which in turn determines whether the OID is supported. If the OID is supported, the Agent
returns information about the object (refer to the Simple Network Management Protocol (SNMP)
chapter).
Figure 3: Communication between an SNMP Agent and Manager
SNMP Object Parameters

The MIB file contains the definition of the global tree and the definition of leaf object.
Table 1: Predefined SNMP Object Parameters
Field Name
Description
TYPE
Provides a unique, object name used to collect information by using

names instead of numbers.
SYNTAX
Defined in RFC 1212, Syntax holds the value type managed by the
object. Value types are:
INTEGER
IP ADDRESS
BITS
GAUGE
COUNTER
TIMESTAMP
OCTET STRING
OBJECT IDENTIFIER
NULL
DisplayString
Unsigned
It is possible to create a new syntax from those defined in this last. A new
syntax uses the keyword TEXTUAL CONVENTION.
ACCESS
Indicates how the object could be addressed. Possible values are:
Page 6
Read-only
Read-write
Field Name
Description
STATUS
Not-accessible
Indicates the status of the object

A standard MIB file defines a set of objects, some of which should be
implemented in the Agent. A query should have an answer to follow the
norm. Possible values are:
DESCRIPTION
Read-create
Mandatory: This object should be implemented in the agent.

Optional: This object could be implemented in the agent.
Obsolete: This object is no longer implemented on the new
generation of agent.
Information, presented in text format, describing the objects use and

associated value. Text is between quotes.
Page 7
MIB Architecture and Configuration

Managing the Device
This section contains MIBs used to manage the software image and device configuration:
PRVT-INTERWORKING-OS-MIB
PRVT-CONFIGCHANGE-MIB
PRVT-SWITCH-MIB (only sysManufacturing table )
PRVT-SYNC-ETHERNET-MIB
PRVT-STATHIST-MIB
PRVT-INTERWORKING-OS-MIB
This MIB displays and manages the OS features of the device including OS upgrades. The MIB is
used to:
Page 8
reset the device
change the active image
download a new image
download/upload running configuration
download technical support informationrename or merge files
delete images
NOTE
For the purposes of system information management via SNMP, only the
prvtInterworkingOSMibObjects node of the PRVT-INTERWORKING-OS-MIB
is used.
Examples:
Software Update via SNMP
1. Download image from tftp:
Page 9
SET prvtBootUpgradeSrcURI = tftp://1.0.0.26/new image.tar.7z

2. Set a new application name different from batmBootApplicationNameURI:
SET prvtBootApplicationNameURI = new image.tar.7z
3. Start application replacement:
SET prvtBootUpgradeCmd = applyExec(3)
4. Check if the status is upgradeInProgress(3):
GET prvtBootOperStatus upgradeInProgress(3)
5.After transfer complete check the status is ready(1):
GET prvtBootOperStatus ready(1)
6. Verify that the image appears in the device and becomes active.
device-name#file ls os-image
The active image has star (*) symbol.
Upload a configuration file from the local file system to a TFTP server
via CLI:
1.
Save the running configuration file to the local file system:
device-name#file cp running-configuration myconfig.cfg

device-name#file ls
2.
Upload the running configuration file to a TFTP server:

device-name#file cp running-configuration tftp://10.3.71.167/myconfig.cfg
3.
Check if the file is stored in TFTP.
Upload a configuration file from the local file system to a TFTP server
via SNMP:
1.
Configure the source type to be the file system:
SET prvtConfigSourceType.0 (integer) fileSystem(1)
2.
Add a name of the file in example myconfig.cfg:

SET prvtConfigSourceFileName.0 (octet string) myconfig.cfg
3.
Configure the destination type to be tftp:

SET prvtConfigTargetType.0 (integer) tftp(5)
4.
Add a name of the file that will be uploaded in example myconfig.cfg:

SET prvtConfigTargetFileName.0 (octet string) myconfig.cfg
5.
Configure the type of the remote address to be IPv4:

SET prvtConfigRemoteAddressType.0 (integer) ipv4(1)
6.
Fill IP of the tftp server in example. The IP is 10.3.71.167:

SET prvtConfigRemoteAddress.0 (octet string)#0x0A 0x03 0x47 0xA7
7.
Add a port for tftp. The port number is 69:

SET prvtConfigRemotePort.0 (gauge) 69
Page 10
8.
Configure the type of the file action. First to be prepare, and second to be copy:
SET prvtConfigAction.0 (integer) prepare(2)
SET prvtConfigAction.0 (integer) copy(3)
NOTE
Refer to the Managing the device chapter to see Software Upgrade example via CLI.
PRVT-CONFIGCHANGE-MIB
A private MIB providing notification for configuration changes as SNMP traps. Each trap contains:
Time at which the configuration change was committed
Name of the user who made the change
Method by which the change was made
Examples:
Configuration Management via CLI
1.
Configure SNMP with Traps:

device-name(config-system)#snmp
device-name(config-snmp)#view myview 1.3 included
device-name(config-snmp)#group mygroup noAuthNoPriv read myview write
myview notify myview
device-name(config-snmp)#user tester mygroup v3
device-name(config-snmp)#target-address mycomp
device-name(config-target-address-mycomp)#dst-port 162
device-name(config-target-address-mycomp)#address 10.3.71.167
device-name(config-target-address-mycomp)#security-name tester
device-name(config-target-address-mycomp)#security-level noAuthNoPriv
device-name(config-target-address-mycomp)#message-model v3
device-name(config-target-address-mycomp)#type trap
device-name(config-target-address-mycomp)#com
Commit complete.
device-name(config-target-address-mycomp)#exit
2.
Configure notification change trap to be true:

device-name(config-snmp)#notification-change-trap
device-name(config-snmp)#com
Commit complete.
Configure system location .
device-name(config-snmp)#system-location LAB
device-name(config-snmp)#com
Commit complete.
Page 11
device-name(config-snmp)#
PRVT-SWITCH-MIB (only sysManufacturing table )

The private Switch MIB manages internal device parameters and contains additional configuration
options and device information.
The manufacturing details are retrieved from the sysManufacturing table of the MIB.
Examples:
Retrieving via CLI
Display manufacturing details using the show
system manufacturing-details command:
device-name#show system manufacturing-details

===============================
System Manufacturing-Details
===============================
Main board
Serial number: 0309342504
Assembly No:
AL001392
Part number:
T-Marc 3208SH
CLEI:
HW revision:
02
HW subrevision:
Date:
30/09/2009
FW version:
32.77.48.21
Base MAC addr: 00:a0:12:64:08:60
Retrieving via SNMP
Retrieve manufacturing details using SNMP query:

1: sysSerialNumber.0 (octet string) 0309342504
[30.33.30.39.33.34.32.35.30.34 (hex)]
2: sysAssemblyNumber.0 (octet string) AL001392 [41.4C.30.30.31.33.39.32
(hex)]
3: sysPartNumber.0 (octet string) T-Marc 3208SH [54.4D.58.47 (hex)]
4: sysCLEI.0 (octet string) (zero-length)
Page 12
5: sysHwRevision.0 (octet string) 02 [30.32 (hex)]

6: sysManufacturingDate.0 (octet string) 30/09/2009
[33.30.2F.30.39.2F.32.30.30.39 (hex)]
7: sysHwSubRevision.0 (octet string) (zero-length)
8: sysBaseMacAddress.0 (octet string) 00:a0:12:64:08:60
Display manufacturing details via SNMP :
***** SNMP QUERY STARTED *****
1: moduleSysSerialNumber.1 (octet string) (zero-length)
4: moduleSysAssemblyNumber.1 (octet string) (zero-length)
7: moduleSysHwRevision.1 (octet string) (zero-length)
10: moduleSysHwSubRevision.1 (octet string) (zero-length)
13: moduleSysPartNumber.1 (octet string) (zero-length)
16: moduleSysCLEI.1 (octet string) (zero-length)
19: moduleSysManufacturingDate.1 (octet string) 1/1/2011
20: moduleSysManufacturingDate.2 (octet string) (zero-length)
21: moduleSysManufacturingDate.3 (octet string) (zero-length)
22: moduleSysBaseMacAddress.1 (octet string) 00:A0:12:9A:08:40
25: moduleSysFirmwareVersion.1 (octet string) 0.0.21.4
26: moduleSysFirmwareVersion.2 (octet string) n/a
27: moduleSysFirmwareVersion.3 (octet string) n/a
***** SNMP QUERY FINISHED *****
***** SNMP QUERY STARTED *****
1: sysSerialNumber.0 (octet string) (zero-length)
2: sysAssemblyNumber.0 (octet string) (zero-length)
3: sysPartNumber.0 (octet string) (zero-length)
4: sysCLEI.0 (octet string) (zero-length)
5: sysHwRevision.0 (octet string) (zero-length)
6: sysManufacturingDate.0 (octet string) 1/1/2011
7: sysHwSubRevision.0 (octet string) (zero-length)
8: sysBaseMacAddress.0 (octet string) 00:A0:12:9A:08:40
9: sysFirmwareVersion.0 (octet string) 0.0.21.4
RVT-SYNC-ETHERNET-MIB
This private MIB provides complete SNMP management of Synchronous Ethernet (SyncE).
Page 13
PRVT-STATHIST-MIB
This section describes MIBs used to provide historical view of the interface statistics.
Example
Configuration via CLI

Device-name(config)#system
Page 14
Device-name(config-system)#statistics-history
Device-name(config-statistics-history)#profile FFF xpath-template
/bridge:interfaces/interface{%s}/Counters/ifInOctets
Device-name(config-statistics-history)#com
Commit complete.
Device-name(config-statistics-history)#control 1 profile-name FFF xpath-key
1/1/1
Device-name(config-statistics-history)#type delta get-interval 10
Device-name(config-statistics-history)#no shutdown
Device-name(config-statistics-history)#commit
Commit complete.
Configuration via SNMP

prvtStatHistMIB with OID 1.3.6.1.4.1.738.10.5.180
prvtStatHistProfileRowStatus.3.70.70.70 (integer) createAndWait(5)
prvtStatHistProfileXPathTemplate.3.70.70.70 (octet string)
/bridge:interfaces/interface{%s}/Counters/ifInOctets
prvtStatHistProfileRowStatus.3.70.70.70 (integer) active(1)
prvtStatHistType.0 (integer) delta(2)
prvtStatHistGetInterval.0 (gauge) 10
prvtStatHistControlRowStatus.1 (integer) createAndWait(5)
prvtStatHistControlProfileName.1 (octet string) FFF
prvtStatHistControlXPathKey.1 (octet string) 1/1/1
prvtStatHistControlRowStatus.1 (integer) active(1)
prvtStatHistShutdown.0 (integer) false(2)
This section describes MIBs used to define interfaces on a device and contains the following MIBs:
PRVT-MAC-SECURITY-MIB
PRVT-SWITCH-MIB (only configL2IfaceTable table)
PRVT-PORTS-AGGREGATION-MIB
PRVT-RESILIENT-LINK-MIB
PRVT-SWITCH-IPVLAN-MIB
PRVT-MAC-SECURITY-MIB
This private MIB provides complete SNMP management of port security.
Page 15
Examples:
1.
Create a MAC learning profile with the following parameters:

profile name = test1
Maximum MAC Count = 30
Profile policy = port-limit
device-name(config-ethernet)#mac-learning learning-profile test1
device-name(config-learning-profile-test1)#max-mac-count 30
device-name(config-learning-profile-test1)#policy port-limit
device-name(config-learning-profile-test1)#commit
2.
Apply the configured profile on port 1/1/1:

device-name(config-port-1/1/1)#mac-learning-profile test1
3.
Using SNMP create a MAC learning profile (test1) with the following parameters:
prvtMacSecLrnProfRowStatus.5.116.101.115.116.49 (integer) create and
wait(5)
prvtMacSecLrnProfPolicy.5.116.101.115.116.49 (integer) portLimit(2)
prvtMacSecLrnProfMaxMacCount.5.116.101.115.116.49 (gauge) 30
prvtMacSecLrnProfRowStatus.5.116.101.115.116.49 (integer) active(1)
4.
Apply the configured profile on port A (1/1/1):

prvtMacSecIfProfRowStatus.1101.5.116.101.115.116.49(integer) createAndGo(4)
PRVT-SWITCH-MIB (only configL2IfaceTable table)

A private MIB used to manage internal device parameters containing additional configuration
options and device information beyond the requirements defined by the RFC 2863 standard.
The Fast Ethernet and Giga Ethernet port configuration is done through the configL2IfaceTable
table of the MIB.
Page 16
Examples:
1.
Configure the desired speed on port 1/1/1:

device-name(config-port-1/1/1)#speed 1000
2.
Configure the desired duplex-mode on port 1/1/1:

device-name(config-port-1/1/1)#duplex full
3.
Define the ports MTU:

1.
Configure the desired speed on port 1/1/1:

snmpset configL2IfaceSpeedSet.1.1.1 integer 1000 (1000 mbps)
2.
Configure the desired duplex-mode on port 1/1/1:

snmpset configL2IfaceDuplexModeSet.1.1.1 integer 2 (full)
3.
Define the ports MTU:

snmpset configL2IfaceMtu.1.1.1 (integer) 4096
Page 17
PRVT-PORTS-AGGREGATION-MIB
The private Ports Aggregation MIB is used to manage static and dynamic port aggregation for the
device.
Examples:
1.
Configure static link aggregation:

device-name(config)#ethernet lag lag-id ag2
device-name(config-lag-id-ag2)#description Uplink12
Page 18
2.
Remove the port from aggregation:

device-name(config-lag-id-ag2)#no port 1/1/1
Static Link Aggregation Configuration via SNMP
1.
Configure static link aggregation:

portsAggregationRowStatus.3.97.103.50 (integer) createAndWait(5)
portsAggregationDescription.3.97.103.50 (octet string) Uplink12
portsAggregationPortsRowStatus.3.97.103.50.1101 (integer) createAndWait(5)
portsAggregationRowStatus.3.97.103.50 (integer) active(1)
portsAggregationPortsRowStatus.3.97.103.50.1101 (integer) active(1)
2.
Remove the port from aggregation:

portsAggregationPortsRowStatus.3.97.103.50.1104 (integer) destroy(6)
LACP Configuration via SNMP

portsAggregationRowStatus.3.97.103.50 (integer) createAndWait(5)
portsAggregationDescription.3.97.103.50 (octet string) Uplink12
portsAggregationRowStatus.3.97.103.50 (integer) active(1)
portsAggregationLacpEnable.3.97.103.50 (integer) true(1)
PRVT-RESILIENT-LINK-MIB
The Resilient link MIB is used to manage the resilient link of the device.
Page 19
Examples:

device-name(config-ethernet)#resilient-link res1
device-name(config-resilient-link-res1)#primary-port 1/1/1
device-name(config-resilient-link-res1)#backup-port 1/1/2
device-name(config-resilient-link-res1)#backup-mode shutdown
device-name(config-resilient-link-res1)#commit
Commit complete

prvtResilientLinkRowStatus.1 (integer) createAndWait(5)
prvtResilientLinkPrimaryPort.1 (integer) 1101 [1101]
prvtResilientLinkBackupPort.1 (integer) 1102 [1102]
prvtResilientLinkBackupMode.1 (integer) shutdown(2)
prvtResilientLinkRowStatus.1 (integer) active(1)
PRVT-SWITCH-IPVLAN-MIB
The IPVLAN MIB controls the assignment of IP subnets to VLANs.
Page 20
Example:
Configuration via CLI:
1.
Define an IP interface with name sw2:

2.
Configure the IP address 2.0.0.1 for sw2:

3.
Attach sw2 to VLAN 2:

4.
Configure VLAN 2 as a management VLAN:

device-name(config-vlan-v2/2)#management
Configuration via SNMP:
5.
Define an IP interface with name sw2 and address 2.0.0.1 with mask 8:
ipInterfaceRowStatus.3.115.119.50 (integer) createAndWait(5)
ipInterfaceIpAddress.3.115.119.50 (ipaddress) 2.0.0.1
ipInterfaceSubnetMask.3.115.119.50 (ipaddress) 255.0.0.0
ipInterfaceRowStatus.3.115.119.50 (integer) active(1)
6.
Attach sw2 to VLAN2:

ipVlanStatus.2.3.115.119.50 (integer) attached(1)
7.
Configure VLAN 2 as a management VLAN:

ipVlanManagementStatus.2 (integer) true(1)
Filtering Traffic
PRVT-SWITCH-ACCESS-LIST-MIB
The private Switch Access List MIB is used to manage ACL rules.
Page 21
Examples:
Creating a Standard IP ACL
The following example creates and configures a standard IP ACL 1:

device-name(config-rule-1)#source_ip 9.0.0.1/32
Page 22
Commit complete.
device-name(config-rule-1)#

prvtSwAclStdRowStatus.1.49.(integer) createAndGo(4)
prvtSwAclStdRuleRowStatus.1.49.1 (integer) createAndWait(5)
prvtSwAclStdRuleAction.1.49.1 (integer) permit(0)
prvtSwAclStdRuleIpSrcPrefix.1.49.1 (octet string) 9.0.0.1/32
[09.00.00.01.20 (hex)]
prvtSwAclStdRuleRowStatus.1.49.1 (integer) active(1)
Creating an Extended IP ACL
The following example creates and configures an extended IP ACL 101:

device-name(config-extended-101)#rule 1
device-name(config-rule-1)#source_ip 9.0.0.2/32
device-name(config-rule-1)#destination_ip any
device-name(config-rule-1)#protocol tcp
device-name(config-rule-1)#rule 2
device-name(config-rule-2)#source_ip any
device-name(config-rule-2)#destination_ip any
device-name(config-rule-2)#protocol ip
Commit complete.

prvtSwAclExtRuleRowStatus.3.49.48.49 (integer) createAndWait(5)
prvtSwAclExtRuleAction.3.49.48.49.1 (integer) permit(0)
prvtSwAclExtRuleIpProtocol.3.49.48.49.1 (integer) 6 [6]
prvtSwAclExtRuleIpSrcPrefix.3.49.48.49.1 (octet string) 9.0.0.2/32
[09.00.00.02.20 (hex)]
prvtSwAclExtRuleIpDstPrefix.3.49.48.49.1 (octet string) 255.255.255.255/0
[FF.FF.FF.FF.00 (hex)]
prvtSwAclExtRuleRowStatus.3.49.48.49.1 (integer) active(1)
prvtSwAclExtRuleRowStatus.3.49.48.49.2 (integer) createAndWait(5)
prvtSwAclExtRuleAction.3.49.48.49.2 (integer) deny(1)
prvtSwAclExtRuleIpProtocol.3.49.48.49.2 (integer) 0 [0]
prvtSwAclExtRuleIpSrcPrefix.3.49.48.49.2 (octet string) 255.255.255.255/0
prvtSwAclExtRuleIpDstPrefix.3.49.48.49.2 (octet string) 255.255.255.255/0
prvtSwAclExtRuleRowStatus.3.49.48.49.2 (integer) active(1)
Creating an Extended MAC ACL
Page 23
The following example creates and configures an extended MAC ACL 400:

device-name(config)#mac access-list 400
device-name(config-rule-255)#source_mac 00:00:00:aa:00:01
device-name(config-rule-255)#destination_mac any
device-name(config-rule-255)#vlan 10
Commit complete.

prvtSwAclMacRowStatus.3.52.48.48 (integer) createAndGo(4)
prvtSwAclMacRuleRowStatus.3.52.48.48.250 (integer) createAndWait(5)
prvtSwAclMacRuleAction.3.52.48.48.250 (integer) permit(0)
prvtSwAclMacRuleMacSrc.3.52.48.48.250 (octet string) 00:00:00:AA:00:01
[00.00.00.AA.00.01 (hex)]
prvtSwAclMacRuleMacDst.3.52.48.48.250 (octet string) FF:FF:FF:FF:FF:FF
[FF.FF.FF.FF.FF.FF (hex)]
prvtSwAclMacRuleVlanId.3.52.48.48.250 (integer) 10 [10]
prvtSwAclMacRuleVpt.3.52.48.48.250 (gauge) 5
prvtSwAclMacRuleRowStatus.3.52.48.48.250 (integer) active(1)
Creating an EtherType ACL
The following example creates and configures an EtherType ACL 500:

device-name(config)#ether-type access-list 501
device-name(config-rule-1)#ether-type 98:76
Commit complete.

prvtSwAclEthRowStatus.3.53.48.49 (integer) createAndGo(4)
prvtSwAclEthRuleRowStatus.3.53.48.49.1 (integer) createAndWait(5)
prvtSwAclEthRuleAction.3.53.48.49.1 (integer) permit(0)
prvtSwAclEthRuleEthType.3.53.48.49.1 (octet string) 98:76 [98.76 (hex)]
prvtSwAclEthRuleRowStatus.3.53.48.49.1 (integer) active(1)
Applying an Extended IP ACL to a Port
Page 24
The following example applies the extended IP ACL 100 to the ingress traffic on port 1/1/1 with
single-type rate limit, Committed Information Rate (CIR) of 1000 Kbps, and Committed Burst Size
(CBS) of 16 KB:
Applying via CLI
device-name(config-port-1/1/1)#access-groups-rule-sequence 1 ip-access-groupextended 100 in
device-name(config-ip-access-group-extended-100/in)#rate-limit single cir 1000
cbs 16
Commit complete.
device-name(config-rate-limit-single)#
Applying via SNMP
prvtSwAclIfAcgRowStatus.1101.1.1.3.49.48.49.1 (integer) createAndWait(5)

prvtSwAclIfAcgRLimitRowStatus.1101.1.1.3.49.48.49.1.1 (integer)
createAndWait(5)
prvtSwAclIfAcgRLimitCir.1101.1.1.3.49.48.49.1.1 (gauge) 1000
prvtSwAclIfAcgRLimitCbs.1101.1.1.3.49.48.49.1.1 (gauge) 16
prvtSwAclIfAcgRowStatus.1101.1.1.3.49.48.49.1 (integer) active(1)
prvtSwAclIfAcgRLimitRowStatus.1101.1.1.3.49.48.49.1.1 (integer) active(1)
Applying an Extended MAC ACL to a Port
The following example applies the extended MAC ACL 400 to egress traffic on port 1/1/2 with
remarking by dscp:
Applying via CLI
device-name(config-port-1/1/2)#access-groups-rule-sequence 1 mac-access-group
400 out
device-name(config-mac-access-group-400/out)# dscp 44
device-name(config-mac-access-group-400/out)# commit
Commit complete.
Applying via SNMP

prvtSwAclIfAcgDscp.1102.1.2.3.52.48.48.2 (gauge) 44
Applying an EtherType ACL to a Port
The following example applies the EtherType ACL 500 as VLAN translation to port 1/1/3:
Page 25
Applying via CLI

device-name(config-port-1/1/3)#access-groups-rule-sequence 1 ether-type-accessgroup 500 vlan
device-name(config-ether-type-access-group-500/vlan)#vlan 100
device-name(config-ether-type-access-group-500/vlan)#commit
Commit complete.
device-name(config-ether-type-access-group-500/vlan)#
Applying via SNMP

prvtSwAclIfAcgVlan.1103.1.3.3.53.48.48.3 (integer) 100 [100]
Traffic Control
This section includes the PRVT-QOS-MIB MIB. For more information on the Traffic Control
feature, refer to the BiNOX User Guide.
PRVT-QOS-MIB
Page 26
Examples:
Configuring QoS Policies per Port
1.
Configure the shaper profile:

device-name(config)#qos shaper-profile port 2 cir 5555 cbs 55
device-name(config-port-2)#description descr
Page 27
2.
Configure the scheduling profile:

device-name(config)#qos scheduling-profile 5 scheduling-type hybrid-2
queue1-weight 11 queue2-weight 22 queue3-weight 33 queue4-weight 44 queue5weight 55 queue6-weight 66
device-name(config-scheduling-profile-5)#exit
3.
Configure the port ingress policy:

device-name(config)#qos port-ingress-policy 2
device-name(config-port-ingress-policy-2)#description snmp
device-name(config-port-ingress-policy-2)#trust-mode trust-priority-anddscp
device-name(config-port-ingress-policy-2)#exit
device-name(config)#qos port-egress-policy 2
device-name(config-port-egress-policy-2)#description snmp
device-name(config-port-egress-policy-2)#shaper-profile 2
device-name(config-port-egress-policy-2)#scheduling-profile 5
4.

device-name(config-port-egress-policy-2)#commit
Creating a Scheduler Profile
1.
Configure the scheduling row:
prvtQosSchedProfileRowStatus.5 (integer) createAndWait(5)
2.
Configure the scheduling type:

prvtQosSchedProfileType.5 (integer) hybrid2(4)
3.
Configure the values for the queues:

prvtQosSchedProfileQueue1Weight.5
4.
(integer)
(integer)
(integer)
(integer)
(integer)
(integer)
11
22
33
44
55
66
[11]
[22]
[33]
[44]
[55]
[66]
Activate the scheduling row:

prvtQosSchedProfileRowStatus.5 (integer) active(1)
Creating a Shaper Profile
1.
Configure the shaper row:

prvtQosPortShaperProfRowStatus.2 (integer) createAndWait(5)
2.
Configure the shaper values:

prvtQosPortShaperProfCIR.2 (gauge) 5555
prvtQosPortShaperProfCBS.2 (gauge) 55
3.
Page 28
Add a description of the shaper:
prvtQosPortShaperProfDescr.2 (octet string) descr [64.65.73.63.72 (hex)]
4.
Activate the shaper row:

prvtQosPortShaperProfRowStatus.2 (integer) active(1)
Creating an Ingress Policy
1.
Create the ingress policys RowStatus:

prvtQosPortIngPolRowStatus.1.50 (integer) createAndWait(5)
2.
Add a description of the policy:

prvtQosPortIngPolDescr.1.50 (octet string) snmp [73.6E.6D.70 (hex)]
3.
Modify the ingress policy:

prvtQosPortIngPolTrustMode.1.50 (integer) trustPriorityAndDscp(4)
4.
Activate the ingress policys RowStatus:

prvtQosPortIngPolRowStatus.1.50 (integer) active(1)
Creating an Egress Policy
1.
Create the egress policys RowStatus:

prvtQosPortEgrPolRowStatus.1.50 (integer) createAndWait(5)
2.
Add a description of the policy:

prvtQosPortEgrPolDescr.1.50 (octet string) snmp [73.6E.6D.70 (hex)]
3.
Modify the egress policy:

prvtQosPortEgrPolShaperProf.1.50 (integer) 2 [2]
prvtQosPortEgrPolSchedProf.1.50 (integer) 5 [5]
4.
Activate the egress policys RowStatus:

prvtQosPortEgrPolRowStatus.1.50 (integer) active(1)
Configuring QoS Policies per Service
1.
Configure the shaper profile:

device-name(config-qos)#qos shaper-profile service 22
device-name(config-service-22)#cir 20000 cbs 100
device-name(config-service-22)#description descr
device-name(config-service-22)#commit
Commit complete.
device-name(config-service-22)#
2.
Configure the scheduling profile:

device-name(config-qos)#scheduling-profile 5 scheduling-type hybrid-2
device-name(config-scheduling-profile-5)#queue1-weight 11
device-name(config-scheduling-profile-5)#queue3 33
Page 29
device-name(config-scheduling-profile-5)#commit
Commit complete.
device-name(config-scheduling-profile-5)#
3.
Configure the service ingress policy:

device-name(config-scheduling-profile-5)#qos
device-name(config-qos)#service-ingress-policy 2
device-name(config-service-ingress-policy-2)#description snmp
device-name(config-service-ingress-policy-2)#shaper-profile 22
device-name(config-service-ingress-policy-2)#scheduling-profile 5
device-name(config-service-ingress-policy-2)#commit
Commit complete.
device-name(config-service-ingress-policy-2)#
Creating a Shaper Profile
1.
Configure the shaper profile row:

prvtQosServShaperProfRowStatus.22 (integer) createAndWait(5)
2.
Configure the shaper profile parameters:

prvtQosServShaperProfCIR.22 (gauge) 20000
prvtQosServShaperProfCBS.22 (gauge) 100
3.
Add a description:
prvtQosServShaperProfDescr.22 (octet string) descr [64.65.73.63.72 (hex)]
4.
Activate the shaper profile row:

prvtQosServShaperProfRowStatus.22 (integer) active(1)
Creating a Scheduling Profile
1.
Configure the scheduling row:
prvtQosSchedProfileRowStatus.5 (integer) createAndWait(5)
2.
Configure the scheduling type:

prvtQosSchedProfileType.5 (integer) hybrid2(4)
3.
Configure the parameters of the queues:

4.
Page 30
(integer)
(integer)
(integer)
(integer)
(integer)
(integer)
11
22
33
44
55
66
[11]
[22]
[33]
[44]
[55]
[66]
Activate the scheduling row:
prvtQosSchedProfileRowStatus.5 (integer) active(1)
Creating a Service Ingress Policy
1.
Create the RowStatus for the service ingress policy:

prvtQosSvcIngPolRowStatus.2.50.50 (integer) createAndWait(5)
2.
Modify the service ingress policy:

prvtQosSvcIngPolDescr.2.50.50 (octet string) snmp [73.6E.6D.70 (hex)]
prvtQosSvcIngPolShaperProfile.2.50.50 (integer) 22 [22]
prvtQosSvcIngPolSchedProfile.2.50.50 (integer) 5 [5]
3.
Apply the service ingress policy on already created TLS service 100 and its sap 1/2/5 with cvlan 33:
prvtQosServiceRowStatus.100 (integer) createAndWait(5)
prvtQosServiceIngressPolicy.100 (octet string) 22 [32.32 (hex)]
prvtQosServiceRowStatus.100 (integer) active(1)
prvtQosServSapRowStatus.100.1205.33 (integer) createAndWait(5)
prvtQosServSapPolicyEnable.100.1205.33 (integer) true(1)
prvtQosServSapRowStatus.100.1205.33 (integer) active(1)
VLANs
This section includes the following MIBs:
Q-BRIDGE-MIB
PRVT-SUPER-VLAN-MIB
Q-BRIDGE-MIB
The VLAN Bridge MIB used to manage VLAN networks. The Q-BRIDGE-MIB manages the
MAC address table and is also referred to as 8021Q_d6.mib.
Page 31
NOTE
Configuration via SNMP uses only the dot1qVlanStaticTable.
Examples:
1.
Create a VLAN with the specified name vlan3 and ID 3:

device-name(config)#vlan vlan3 3
2.
Add port 1/1/1 as tagged to the created VLAN:

device-name(config-vlan-vlan3/3)#tagged 1/1/1
3.
Add port 1/1/2 as untagged to the created VLAN:

device-name(config-vlan-vlan3/3)#untagged 1/1/2
1.

set dot1qVlanStaticRowStatus.3 (integer) createAndWait(5)
set dot1qVlanStaticName.3(octet string) vlan3
2.

set value: # 0xC0 0x00 0x00 0x00 to
dot1qVlanStaticEgressPorts.3 (octet string) C0.00.00.00 (hex)
3.

set value: # 0x40 0x00 0x00 0x00 to
Page 32
ste dot1qVlanStaticUntaggedPorts.3 (octet string) 40.00.00.00 (hex)

set dot1qVlanStaticRowStatus.3 (integer) active(1)
Examples:
1.

device-name(config)#vlan vlan3 3
2.

device-name(config-vlan-vlan3/3)#tagged 1/1/1
3.

device-name(config-vlan-vlan3/3)#untagged 1/1/2
1.

set dot1qVlanStaticRowStatus.3 (integer) createAndWait(5)
set dot1qVlanStaticName.3(octet string) vlan3
2.

set value: # 0x00 0x00 0x00 0xC0 to
dot1qVlanStaticEgressPorts.3 (octet string) 00.00.00.C0 (hex)
3.

set value: # 0x00 0x00 0x00 0x40 to
dot1qVlanStaticUntaggedPorts.3 (octet string) 00.00.00.40 (hex)
set dot1qVlanStaticRowStatus.3 (integer) active(1)
PRVT-SUPER-VLAN-MIB
PRVT-SUPER-VLAN-MIB is a private MIB that provides complete SNMP management of Super
Virtual Local Area Network (VLAN).
Page 33
Examples:
Configuration via CLI with target port

Create a Super-VLAN with the specified name vlan2:
device-name(config-super-vlan-1/1/1)#target-port 1/1/2device-name(config-cvlan-2)#commit
Commit complete
Configuration via SNMP with target port

prvtSuperVlanIfRowStatus.1101 (integer) createAndWait(5)
prvtSuperVlanIfTargetPort.1101 (integer) 1102 [1102]
prvtSuperVlanIfRowStatus.1101 (integer) active(1)
Configuration via CLI with ring ports

device-name(config-super-vlan-1/1/1)#ring-ports 1/1/2 1/1/3 preferred-port
1/1/2 vlan 2
device-name(config-ring-ports-1/1/2/1/1/3)#commit
Commit complete
Configuration via SNMP with ring ports

prvtSuperVlanIfRingPortRowStatus.1101.1102.1103 (integer) createAndWait(5)
prvtSuperVlanIfRingPortPreferred.1101.1102.1103 (integer) 1102 [1102]
prvtSuperVlanIfRingPortVlanId.1101.1102.1103 (integer) 2
set simultaneously both
prvtSuperVlanIfRowStatus and prvtSuperValnIfRingPortRowStatus to active
state
Page 34
prvtSuperVlanIfRowStatus.1101 (integer) activate(1)

prvtSuperVlanIfRingPortRowStatus.1101.1102.1103 (integer) activate(1)

PRVT-SPANNING-TREE-MIB
The private Spanning Tree MIB is used to manage spanning tree and fast ring protocols.
Page 35
Examples:
Pending Configuration
1.
Enable MSTP:
device-name(config)#config
device-name(config)#ethernet spanning-tree protocol-mstp
device-name(config-protocol-mstp)#no shutdown
device-name(config-protocol-mstp)#commit
2.
Map VLANs 1 and 2 to MST instance 1:

device-name(config-protocol-mstp)#vlan-per-instance 1 instance-id 1
device-name(config-protocol-mstp)#vlan-per-instance 2 instance-id 1
3.
Assign name region1 and the revision number 2 to the MSTP:

device-name(config-protocol-mstp)#region-name region1
device-name(config-protocol-mstp)#region-revision 2
Configuration of the Global MSTP Parameters
1.
Enable MSTP and configure the forward-delay value to 14 seconds:

device-name(config)#ethernet spanning-tree protocol-mstp
device-name(config-protocol-mstp)#no shutdown
device-name(config-protocol-mstp)#exit
device-name(config-spanning-tree)#forward-delay 14
2.
Configure parameters:
bridge priority: 4096
hello-time: 5 seconds
MaxAge time: 14 seconds
max-hop count: 23
device-name(config-spanning-tree)#priority 4096
device-name(config-spanning-tree)#hello-time 5
device-name(config-spanning-tree)#max-age 14
device-name(config-protocol-mstp)#max-hops 23
Configuration of the MSTP Port Parameters
1.
Configure port 1/1/3 as edge port:
device-name(config-spanning-tree)#port 1/1/3 edge-port
2.
Set port priority 80 and path-cost 1000 on port 1/1/1 for MSTI0:
device-name(config-spanning-tree)#port 1/1/1 path-cost 1000
device-name(config-spanning-tree)#port 1/1/1 priority 80
3.
Set port priority 0 and path-cost 300 on port 1/1/1 for MSTI1:
device-name(config-spanning-tree)#port 1/1/1 mstp instance-id 1 priority 0
Page 36
device-name(config-spanning-tree)#port 1/1/1 mstp instance-id 1 path-cost

300
Fast Ring Configuration
1.
Enter into fast-ring node:

device-name(config-spanning-tree)#protocol-fast-ring
2.
Configure ports 1/1/1 and 1/1/2 as ring ports:

device-name(config-protocol-fast-ring)#ring-ports 1/1/1 1/1/2
3.
Enable MSTP Fast-Ring:

device-name(config-protocol-fast-ring)#no shutdown
Pending Configuration
1.
Enable MSTP:
prvtStMstpProtocolEnable.0 (integer) true(1)
2.
Map VLANs 1 and 2 to MST instance 1:

prvtStMstpVlanPerInstRowStatus.1 (integer)
prvtStMstpVlanPerInstMstId.1 (gauge) 1
prvtStMstpVlanPerInstMstId.2 (gauge) 1
3.
createAndWait(5)
active(1)
createAndWait(5)
active(1)
Assign bridge priority for MST instance 1:

prvtStMstpInstPriority.1 (gauge) 4096
4.
Assign name region1 and the revision number 2 to the MSTP:

prvtStMstpRegionName.0 (octet string) region1[72.65.67.69.6F.6E.31 (hex)]
prvtStMstpRegionRevision.0 (gauge) 2
Configuration of the Global MSTP Parameters
1.
Enable MSTP and configure the forward-delay value to 14 seconds:

prvtStMstpProtocolEnable.0 (integer) true(1)
prvtStForwardDelay.0 (gauge) 14
2.
Configure parameters:
bridge priority:
hello-time:
MaxAge time:
max-hop count:
4096
5 seconds
14 seconds
23
prvtStPriority.0 (gauge) 4096

prvtStHelloTime.0 (gauge) 5
prvtStMaxAge.0 (gauge) 14
Page 37
prvtStMstpMaxHops.0 (gauge) 23
Configuration of the MSTP Port Parameters
1.
Configure port 1/1/3 as edge port:
prvtStPortEdge.1103 (integer) true(1)
2.
Set port priority 80 and path-cost 1000 on port 1/1/1 for MSTI 0:
prvtStPortPriority.1101 (gauge) 80
prvtStPortPathCost.1101 (gauge) 1000
3.
Set port priority 0 and path-cost 300 on port 1/1/1 for MSTI 1:
prvtStMInstPortPriority.1.1101 (gauge) 0
prvtStMInstPortPathCost.1.1101 (gauge) 300
Fast Ring Configuration
1.
Configure ports 1/1/1 and 1/1/2 as ring ports:

prvtStFRingInstRowStatus.1101.1102 (integer) createAndWait(5)
prvtStFRingInstRowStatus.1101.1102 (integer) active(1)
2.
Enable MSTP Fast-Ring:

prvtStFRingProtocolEnable.0 (integer) true(1)
8.
Enable RSTP:
prvtStRstpProtocolEnable.0 (integer) true(1)
9.
Enable STP:
prvtStStpProtocolEnable.0 (integer) true(1)
Service Configuration
This section includes the PRVT-SERV- MIB.
PRVT-SERV-MIB
The private Service MIB manages and provides various services on the device.
Page 38
VPLS Configuration Examples:
Creating a VPLS Instance and Activating It

1.
Create VPLS on an MTU device:

device-name(config)#no service vpls 1 shutdown
2.
Create the primary and backup SDPs using LDP transport:

3.
Add spoke SDPs to a specific VPLS instance:

device-name(config)#service vpls 1 spoke-sdp 1
device-name(config)#no service vpls 1 spoke-sdp 1 shutdown
device-name(config)#service vpls 1 spoke-sdp 2 backup
4.
Add an qualified SAP to a specific VPLS instance:
Page 39
device-name(config)#service vpls 1 sap 1/1/1:10:

device-name(config)#no service vpls 1 sap 1/1/1:10: shutdown
1.
Create the service entity:

Set serviceRowStatus.1 with value CreateAndWait(5)
2.
Set the VPN ID:

Set serviceVpnId.1 with value 1
3.

Set serviceType.1 with value vplsMtu(11)
4.
Activate the service:

Set serviceRowStatus.1 with value active(1)
5.
Enable the service:

Set serviceAdminStatus.1 with value up(1)
6.
Create primary SDP:

Set
Set
Set
Set
Set
Set
7.
Create backup SDP:

Set
Set
Set
Set
Set
Set
8.
sdpRowStatus.1.1 with value CreateAndWait(5)

sdpFarEndIpAddress.1.1 with value 112.112.112.112
sdpType.1.1 with value spoke(2)
sdpPwPrecedence.1.1 with value 1
sdpRowStatus.1.1 with value active(1)
sdpAdminStatus.1.1 with value up(1)


Set sapRowStatus.1.1101.10 with value CreateAndGo(4)
Create and Configure a VPLS Service with Spoke SDPs and Unqualified SAPs
1.

device-name(config)#no service vpls 1 shutdown
2.
Create the primary and backup SDPs using LDP transport:

Page 40
3.
Add spoke SDPs to a specific VPLS instance:

device-name(config)#service vpls 1 spoke-sdp 1
device-name(config)#service vpls 1 spoke-sdp 2 backup
4.

device-name(config)#service vpls 1 sap 1/1/1::
device-name(config)#no service vpls 1 sap 1/1/1:: shutdown
1.
Create the service entity:

Set serviceRowStatus.1 with value CreateAndWait(5)
2.
Set the VPN ID:

Set serviceVpnId.1 with value 1
3.

Set serviceType.1 with value vplsMtu(11)
4.
Activate the service:

Set serviceRowStatus.1 with value active(1)
5.
Enable the service:

Set serviceAdminStatus.1 with value up(1)
6.
Create primary SDP:

Set
Set
Set
Set
Set
Set
7.

Create backup SDP:

Set
Set
Set
Set
Set
Set

Page 41
8.

Set sapRowStatus.1.1101.4095 with value CreateAndGo(4)
TLS Configuration Example
Creating and Configuring a TLS Service

1.
Create and configure TLS service 1:

device-name(config-tls-1)#no shutdown
device-name(config-tls-1)#sdp s-vlan 10 port 1/1/2
Commit complete.
device-name(config-interface-1/1/2)#
2.
Display the created TLS configuration:

device-name(config-interface-1/1/2)#exit
device-name(config-tls-1)#top
device-name(config)#exit
device-nameshow running-config service tls
service
tls 1
sap 1/1/1
c-vlan 3
!
!
sdp s-vlan 10
port 1/1/2
!
1.
Create the TLS service:

serviceRowStatus.1 (integer) createAndWait(5)
serviceType.1 (integer) tls(3)
serviceAdminStatus.1(integer) up(2)
serviceVpnId.1 (gauge) 10
serviceRowStatus.1 (integer) active(1)
2.
Get the next free id value (Needed to configure the SDP port.):
sdpNextFreeId.0 (gauge)16
3.
Configure the SDP RowStatus:

sdpRowStatus.1.16 (integer) createAndWait(5)
4.
Configure the service Vlan:

sdpBindVlanTag.1.16 (gauge) 10
Page 42
5.
Configure the SDP interface:

sdpOutInterface.1.16 (integer) 1102 [1102]
6.
Set the SDP/SAP RowStatuses to active:

sdpRowStatus.1.16 (integer) active(1)
sapRowStatus.1.1101.3 (integer) createAndWait(5)
sapRowStatus.1.1101.3 (integer) active(1)
Basic Routing and Router Protocols

This section includes the following MIBs:
PRVT-ROUTE-MIB
PRVT-OSPF-MIB
PRVT-ISIS-MIB
PRVT-ROUTE-MIB
The private MIB, PRVT-ROUTE-MIB, isused to manage static and dynamic IP routes.
Example
1.
Create Static Route to network 11.0.0.0/8 via next hop 5.0.0.1 and administrative distance 1:
device-name(config)#router static-route 11.0.0.0/8 5.0.0.1 1
2.
Delete Static Route to network 11.0.0.0/8 via next hop 5.0.0.1 and administrative distance 1:
Page 43
device-name(config)#no router static-route 11.0.0.0/8 5.0.0.1 1
3.
Create Static Route to network 11.0.0.0/8 via next hop 5.0.0.1 and administrative distance 1:
set prvtCfgRouteRowStatus (integer) 11.0.0.0.8.5.0.0.1.1 createAndGo(4)
4.
Delete Static Route to network 11.0.0.0/8 via next hop 5.0.0.1 and administrative distance 1:
set prvtCfgRouteRowStatus (integer) 11.0.0.0.8.5.0.0.1.1 destroy(6)
PRVT-OSPF-MIB
The private OSPF MIB, which enables the OSPF protocol, redistributes other routing protocols in
the OSPF and contains additional configuration not provided in the standard RFC 1850.
Page 44
Examples:
1.
Set the OSPF router ID:

device-name(config)#router ospf router-id 1.1.1.1
device-name(config-ospf)#commit
2.
Create an OSPF area:

device-name(config)#router ospf area 0.0.0.3
device-name(config-area-0.0.0.3)#commit
3.
Map the software interfaces to the created area:

device-name(config)#router ospf area 0.0.0.3 interface 10.3.2.4
device-name(config-interface-10.3.2.4)#commit
4.
Configure the OSPF hello-interval:

device-name(config)#router ospf area 0.0.0.3 interface 10.3.2.4 hellointerval 3
5.
Configure the OSPF dead-interval:

device-name(config)#router ospf area 0.0.0.3 interface 10.3.2.4 deadinterval 10
1.
Set the OSPF router ID:

Set prvtOspfRouterId.0 with value 1.1.1.1
2.
Create an OSPF area:

Set prvtOspfAreaRowStatus.0.0.0.3 with value createAndGo(4)
3.
Map the software interfaces to the created area:

Set prvtOspfIfRowStatus.10.3.2.4 with value createAndWait(5)
Set prvtOspfIfAreaId.10.3.2.4 with value 0.0.0.3
Set prvtOspfIfRowStatus.10.3.2.4 with value active(1)
4.
Configure the OSPF hello-interval:

Set prvtOspfIfRowStatus.10.3.2.4 with value notInService(2)
Set prvtOspfIfHelloTimer.10.3.2.4 with value 3
5.
Configure the OSPF dead-interval:

Set prvtOspfIfRowStatus.10.3.2.4 with value notInService(2)
Set prvtOspfIfDeadTimer.10.3.2.5 with value 10
Page 45
PRVT-ISIS-MIB
This private MIB provides complete SNMP management of Intermediate System-toIntermediate System (IS-IS).
Example
1.
Set the ISIS router ID:

device-name(config)#router isis router-id 11:22:33:44:55:66
device-name(config-isis)#commit
2.
Create an ISIS area:

device-name(config)#router isis area-address 01:02:03
device-name(config-area-address-01:02:03)#commit
3.
Enable ISIS on a software interface:

device-name(config)#router isis interface sw11
device-name(config-interface-sw11)#no shutdown
Page 46
4.
Enable ISIS globally:

device-name(config)#router isis
device-name(config-isis)#no shutdown
5.
Configure the ISIS spf-interval:

device-name(config)#router isis spf-interval 1000
6.
Configure the ISIS level 1 metric style:

device-name(config)#router isis level-1 metric-style wide
device-name((config-level-1)#commit
1.
Set the ISIS router ID:

Set prvtIsisSysExistState.1 to createAndGo(4)
Set prvtIsisSysID.1 to 11:22:33:44:55:66
2.
Create an ISIS area:

Set prvtIsisManAreaAddrExistState.1.3.1.2.3 to createAndGo(4)
3.
Enable ISIS on a software interface:

Set prvtIsisCircExistState.1.40011 to createAndGo(4)
Set prvtIsisCircShutdown.1.40011 to false(2)
4.
Enable ISIS globally:

Set prvtIsisSysShutdown.1 to false(2)
5.
Configure the ISIS spf-interval:

Set prvtIsisSysCalcMaxDelay.1 to 1000
6.
Configure the ISIS level 1 metric style:

Set prvtIsisSysLvl1MetricStyle.1 to wide(2)
Multiprotocol Label Switching

This section presents SNMP MIBs for the Multiprotocol Label Switching (MPLS) feature:
PRVT-L2TUNNELING-MIB
PRVT-MPLS-TE-MIB
PRVT-TEMIB-ENTITY-MIB
PRVT-RSVP-MIB
PRVT-MPLS-IF-MIB
PRVT-LMGR-MIB
PRVT-MPLS-LDP-MIB
PRVT-CR-LDP-MIB
Page 47
PRVT-L2TUNNELING-MIB
The private Layer 2 Tunneling MIB manages the Layer 2 Protocol Tunneling feature designed for
service providers. L2 tunneling profile on SAP and SDP port is not supported.
Example

device-name(config)#l2-tunneling
device-name(config-l2-tunneling)#no shutdown
device-name(config-l2-tunneling)#commmit
Commit complete.
device-name(config-l2-tunneling)#exit
device-name(config-sap-1/1/1)#c-vlan 3
device-name(config-c-vlan-3)#tunnel-profile tunnel-all
device-name(config-c-vlan-3)#exit
device-name(config-sap-1/1/1)#exit
device-name(config-tls-1)#sdp s-vlan 10 port 1/1/2
device-name(config-interface-1/1/2)#tunnel-profile tunnel-bpdu
Commit complete.
Page 48
device-name(config-interface-1/1/2)#
1.
Enable Layer 2 tunneling and create TLS:

prvtL2TunnEnable.0 (integer) enable(1)
serviceRowStatus.1 (integer) createAndWait(5)
serviceType.1 (integer) tls(3)
serviceVpnId.1 (gauge) 10
serviceRowStatus.1 (integer) active(1)
2.
Get next free id value (Needed to configure the SDP port.):

sdpNextFreeId.0 (gauge)16
Use return value to configure sdp port:
3.
Configure the SDP RowStatus:

sdpRowStatus.1.16 (integer) createAndWait(5)
4.
Configure the service vlan:

sdpBindVlanTag.1.16 (gauge) 10
5.
Configure the SDP interface:

sdpOutInterface.1.16 (integer) 1102 [1102]
6.
Set the SDP/SAP RowStatus to active:

sdpRowStatus.1.16 (integer) active(1)
sapRowStatus.1.1101.3 (integer) createAndWait(5)
sapRowStatus.1.1101.3 (integer) active(1)
PRVT-MPLS-TE-MIB
The private MPLS-TE MIB supports tables for configuring:
tunnels
tunnel hop
tunnel resources
differential Service
tunnel trap
Actual Route Hop
Calculated Hop
Page 49
Creating a single tunnel is equivalent to creating a row in the Tunnel table. Path nodes are in the
Nodes table. The same table also provides a field to set the path name used to unite the nodes. The
same rules apply for two-phase setting: first create and configure the tunnel and then activate the
tunnel. Activating a tunnel works with all active nodes. You cannot create nodes that are intended
to belong to the same path but have different path names.
PRVT-TEMIB-ENTITY-MIB
The private TE Entity MIB is designed to list tunnel entities. Such entities are needed to use RSVP
tunnel router functionality and cannot be created manually. Using only one RSVP router means
only one tunnel entity is created when creating the router.
Page 50
Examples:
Enable RSVP prior to configure MPLS (refer to Examples).
1.
Create the path:

100.0.0.2 true
device-name(config-hop-1)#exit
2.
Create the tunnel, assign a name to the tunnel, configure the tunnel attributes, and specify the
explicit route hops for this tunnel:
device-name(config)#router rsvp-te lsp 1 far-end 1.1.1.1 name 3_to_1 fastreroute-mode facility max-backup-hops 20 cspf path 1
1.
Create the tunnel:

Set mplsManTunnelRowStatus.1.1.1 with value createAndWait(5)
Set mplsManTunnelIngressLSRId.1.1.1 with value 0A0A0A0A
Set mplsManTunnelEgressLSRId.1.1.1 with value 0B0B0B0B
2.
Assign a name to the tunnel:

Set mplsManTunnelName with value 3_to_1
3.
Configure the tunnel attributes:

Set mplsManTunnelSessionAttributes.1.1.1 with value fast reroute
Set mplsManTunnelFastRerouteMode.1.1.1 with value facilityFastReroute(2)
Set mplsManTunnelBackupMaxHops.1.1.1 with value 20
4.
Specify the explicit route hops for this tunnel:

Set mplsManTunnelHopTableIndex.1.1.1 with value 1
Set mplsManTunnelPathInUse.1.1.1 with value 1
5.
Create the tunnel hop:

Set mplsTunnelManHopRowStatus.1.1.1.1 with value createAndWait(5)
6.
Set the tunnel hop address:
Page 51
Set mplsTunnelManHopIpAddr.1.1.1.1 with value 64000002
7.
Set the hop type:

Set mplsTunnelManHopType.1.1.1.1 with value strict(1)
8.
Activate the hop:

Set mplsTunnelManHopRowStatus.1.1.1.1 with value active(1)
9.
Activate the tunnel:

Set mplsManTunnelRowStatus.1.1.1 with value active(1)
PRVT-RSVP-MIB
The private MIB, PRVT-RSVP-MIB, provides configuration capabilities for RSVP functionality.
Examples:
Enable MPLS on software interfaces prior to configuring RSVP.
10. Enable RSVP router:

device-name(config)#router rsvp-te
device-name(config-rsvp-te)#commit
11. Set RSVP-extensions:

device-name(config-rsvp-te)#bypass-fast-reroute true
device-name(config-rsvp-te)#commit
12. Enable RSVP router:

Set prvtMplsTeMibEntityRowStatus.1 with value createAndGo(4)
Set prvtRsvpProductRowStatus.1 with value createAndGo(4)
13. Set RSVP-extensions:

Set prvtRsvpProductProtocolExtensions.1 with value bypassFastReroute(0)
PRVT-MPLS-IF-MIB
The private MIB, PRVT-MPLS-IF-MIB, manages specific MPLS and RSVP interface parameters.
Page 52
Examples:

Enable MPLS on previously created IP interfaces lo1 and sw1.
device-name(config)#router mpls interface lo1
device-name(config)#router mpls interface sw1

Create LSR entity with LSR ID and transport address:
Set ifaceMplsRowStatus.20001 with value createAndGo(4)
Set ifaceMplsRowStatus.40001 with value createAndGo(4)
PRVT-LMGR-MIB
The private LMGR MIB is designed to support Label Manager settings.
Page 53
PRVT-MPLS-LDP-MIB
The private LDP MIB contains information about negotiated parameters when starting an LDP
router. The MIB configures remote peers to hear LDP multicast advertisements. This MIB
includes:
Page 54
LDP entities
LDP peers
LDP sessions
FECs
PRVT-CR-LDP-MIB
This private CR LDP MIB contains two tables for viewing and configuring the path manager and
the session manager. Tables are read-only and cannot have multiple instances for either the path or
session manager. A single instance is created (with index 1) when activating the LDP entity in the
LDP entity table.
Examples:
Enable MPLS on software interfaces prior to configuring RSVP.
1.
Create LSR entity with LSR ID:

device-name(config)#router mpls lsr-id 10.10.10.10
device-name(config-mpls)#commit
device-name(config-mpls)#exit
2.
Enable LDP protocol and assign the transport address:

device-name(config)#router ldp
device-name(config-ldp)#commit
device-name(config-ldp)#exit
3.
Create two targeted peers and assign them IP addresses:

device-name(config)#router ldp targeted-peer 11.11.11.11
device-name(config-targeted-peer-11.11.11.11)#commit
device-name(config-targeted-peer-11.11.11.11)#exit
device-name(config)#router ldp targeted-peer 12.12.12.12
device-name(config-targeted-peer-12.12.12.12)#commit
1.
Create LSR entity with LSR ID and transport address:

Set
Set
Set
Set
2.
prvtLmgrLsrEntityRowStatus.1 with value createAndWait(5)

prvtLmgrLsrEntityLsrId.1 with value 168430090
prvtLmgrLsrEntityTranAddr with value 0A0A0A0A
prvtLmgrLsrEntityRowStatus.1 with value active(1))
Enable LDP protocol:

Set prvtcrldpSigRowStatus.1 with value createAndGo(4)
Set prvtcrldpPmRowStatus.1 with value createAndGo(4)
Configuring the Targeted Peers
Page 55
1.
Create two targeted peers:

Set mplsLdpEntityRowStatus.
1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.1 with value
CreateAndWait(5)
1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.2 with value
CreateAndWait(5)
2.
Assign them IP addresses:

Set mplsLdpEntityTargetPeerAddr.
1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.1 with value 0B0B0B0B
Set mplsLdpEntityTargetPeerAddr.
1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.2 with value 0C0C0C0C
3.
Activate the entries:

1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.1 with value active(1)
1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.2 with value active(1)
Network Monitoring and Troubleshooting

This chapter presents MIBs used to monitor and troubleshoot technical issues and includes the
following sections:
PRVT-CFM-MIB
PRVT-SYS-MON-MIB
PRVT-ALARM-MIB
PRVT-STORM-CTL-MIB
PRVT-LMM-MIB
PRVT-EFM-OAM-MIB
PRVT-EPS-MIB
PRVT-RAPS-MIB
PRVT-SAA-MIB
PRVT-CFM-MIB
The private CFM MIB is an extension of the Connectivity Fault Management module for managing
IEEE 802.1ag connectivity. The MIB provides proactive and diagnostic connectivity fault
localization capabilities over SNMP for Ethernet Virtual Connections (EVC) that span one or more
links.
Page 56
Example
In the following example, a domain MA is created for a VLAN and port 1/1/1 is added as a MEP
to the specified MA.
1.
Enable CFM:
2.
Create the domain_1 domain:
Page 57
device-name(config-cfm)#domain-name domain_1 level 1
3.
Create ma_1 MA:

device-name(config-domain-name-domain_1)#ma ma_1 vlan 251
4.
Create a MEP:
device-name(config-ma-ma_1)#mep 105 bind-to 1/1/1
device-name(config-mep-105/1/1/1)#direction down
device-name(config-mep-105/1/1/1)#ccm-enabled
device-name(config-mep-105/1/1/1)#no shutdown
device-name(config-mep-105/1/1/1)#commit
Commit complete.
device-name(config-mep-105/1/1/1)#
1.
Enable CFM:
1: prvtCfmShutdown.0
It`s value should be set to 2 in order to activate oam cfm.:
1: prvtCfmShutdown.0 (integer) false(2)
2.
Create domain_1 domain:

1: prvtCfmMdRowStatus.8.100.111.109.97.105.110.95.49 = 5
2: prvtCfmMdLevel.8.100.111.109.97.105.110.95.49 (integer) 1 [1]
3: prvtCfmMdFormat.8.100.111.109.97.105.110.95.49 (integer) charString(4)
4: prvtCfmMdMhfIdPermission.8.100.111.109.97.105.110.95.49 (integer)
sendIdNone(1)
5: prvtCfmMdRowStatus.8.100.111.109.97.105.110.95.49 = 1
The same applies for MA configuration:
1: prvtCfmMaRowStatus.8.100.111.109.97.105.110.95.49.4.109.97.95.49 = 5
2: prvtCfmMaVlanId.8.100.111.109.97.105.110.95.49.4.109.97.95.49 (integer)
3
3: prvtCfmMaMhfCreation.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) defMHFdefer(4)
4: prvtCfmMaPermission.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) sendIdDefer(5)
5: prvtCfmMaFormat.8.100.111.109.97.105.110.95.49.4.109.97.95.49 (integer)
charString(2)
6: prvtCfmMaCcmInterval.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) interval1s(4)
7: prvtCfmMaAisLckReceive.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) false(2)
8: prvtCfmMaAisLckInterval.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) interval1s(1)
9:1:prvtCfmMaRowStatus.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) active(1)
3.
Create ma_1 MA:

get prvtCfmMdMaNextIndex.1 (gauge) 1
prvtCfmMaRowStatus.1.1 5
prvtCfmMaName.1.1 ma_1
prvtCfmMaVlanId.1.1 251
prvtCfmMaRowStatus.1.1 1
4.
Page 58
Create a MEP with ID 105:
1: prvtCfmMepRowStatus.8.100.111.109.97.105.110.95.49.4.109.97.95.49.105 =
5
2:prvtCfmMepInterfaceIndex.8.100.111.109.97.105.110.95.49.4.109.97.95.49.10
5 (integer) 1101 [1101]
3: prvtCfmMepDirection.8.100.111.109.97.105.110.95.49.4.109.97.95.49.105
(integer) down(1)
4: prvtCfmMepShutdown.8.100.111.109.97.105.110.95.49.4.109.97.95.49.105
(integer) false(2)
5: prvtCfmMepCciEnabled.8.100.111.109.97.105.110.95.49.4.109.97.95.49.105
(integer) true(1)
6: prvtCfmMepRowStatus.8.100.111.109.97.105.110.95.49.4.109.97.95.49.105
(integer) active(1)
PRVT-SYS-MON-MIB
The MIB contains settings for system monitoring and periodic system self-tests.
Examples:
Page 59
Displaying the Self-Test Results via CLI
Type the show
system self-test full command:
device-name#show system self-test full

CPU Temperature Test
Status
Measure
: PASSED
: 33C
CPU Resources Test

Status
Measure
: PASSED
: 6%
RAM Resources Test

Status
Measure
: PASSED
: 40%
Fan Test
Status
: PASSED
On-Board Power Test

Status
: PASSED PASSED
Power Supply Test

Status
: FAIL PASSED
Power Supply Fans Test

Status
: ABSENT PASSED
Port Statistics Test

Status
Measure
: PASSED
: 0%
Displaying the Self-Test Results via SNMP

Start an SNMP query***** SNMP QUERY STARTED *****
1: prvtSysMonCurrentCpuUsage.0 (octet string) 6%
2: prvtSysMonCurrentCpuTemperature.0 (octet string) 39C
3: prvtSysMonCurrentRamUsage.0 (octet string) 42%
4: prvtSysMonSelfTestExecuteNow.0 (integer) 0
5: prvtSysMonCpuUsageShutdown.0 (integer) true(1)
6: prvtSysMonCpuUsageLog.0 (integer) false(2)
7: prvtSysMonCpuUsageLed.0 (integer) false(2)
8: prvtSysMonCpuUsageTrap.0 (integer) false(2)
9: prvtSysMonCpuUsagePeriod.0 (gauge) 60
Page 60
10: prvtSysMonCpuUsageLowThreshold.0 (integer) 0

11: prvtSysMonCpuUsageHighThreshold.0 (integer) 75
12: prvtSysMonCpuTemperatureShutdown.0 (integer) false(2)
13: prvtSysMonCpuTemperatureLog.0 (integer) true(1)
14: prvtSysMonCpuTemperatureLed.0 (integer) false(2)
15: prvtSysMonCpuTemperatureTrap.0 (integer) false(2)
16: prvtSysMonCpuTemperaturePeriod.0 (gauge) 60
17: prvtSysMonCpuTemperatureLowThreshold.0 (integer) -3
18: prvtSysMonCpuTemperatureHighThreshold.0 (integer) 70
19: prvtSysMonCpuTemperatureLastStatus.0 (octet string) PASSED
20: prvtSysMonRamUsageShutdown.0 (integer) true(1)
21: prvtSysMonRamUsageLog.0 (integer) false(2)
22: prvtSysMonRamUsageLed.0 (integer) false(2)
23: prvtSysMonRamUsageTrap.0 (integer) false(2)
24: prvtSysMonRamUsagePeriod.0 (gauge) 60
25: prvtSysMonRamUsageLowThreshold.0 (integer) 0
26: prvtSysMonRamUsageHighThreshold.0 (integer) 90
27: prvtSysMonPortStatisticsShutdown.0 (integer) true(1)
28: prvtSysMonPortStatisticsLog.0 (integer) false(2)
29: prvtSysMonPortStatisticsLed.0 (integer) false(2)
30: prvtSysMonPortStatisticsTrap.0 (integer) false(2)
31: prvtSysMonPortStatisticsPeriod.0 (gauge) 60
32: prvtSysMonPortStatisticsLowThreshold.0 (integer) 0
33: prvtSysMonPortStatisticsHighThreshold.0 (integer) 0
34: prvtSysMonFanShutdown.0 (integer) true(1)
35: prvtSysMonFanLog.0 (integer) false(2)
36: prvtSysMonFanLed.0 (integer) false(2)
37: prvtSysMonFanTrap.0 (integer) false(2)
38: prvtSysMonFanPeriod.0 (gauge) 60
39: prvtSysMonOnboardPowerShutdown.0 (integer) true(1)
40: prvtSysMonOnboardPowerLog.0 (integer) false(2)
41: prvtSysMonOnboardPowerLed.0 (integer) false(2)
42: prvtSysMonOnboardPowerTrap.0 (integer) false(2)
43: prvtSysMonOnboardPowerPeriod.0 (gauge) 60
44: prvtSysMonPowerSupplyShutdown.0 (integer) true(1)
45: prvtSysMonPowerSupplyLog.0 (integer) false(2)
46: prvtSysMonPowerSupplyLed.0 (integer) false(2)
47: prvtSysMonPowerSupplyTrap.0 (integer) false(2)
48: prvtSysMonPowerSupplyPeriod.0 (gauge) 60
PRVT-ALARM-MIB
This private MIB provides information for the following alarms:
Temperature test fail
Power-supply test fail
Power-supply fan test fail
Onboard power test fail
Fan test fail
Page 61
Page 62
CPU-usage test fail
RAM-usage test fail
Port statistics test fail
Link Down
Lag Down
SyncE alarms
Event
Alarm
lagLinkDown
Raise LAG agXX is down
lagLinkUp
Clear
lagMemberLinkDown
Raise lagMemberLink agXX down
lagMemberLinkUp
Clear
linkDown
Raise Interface XX/XX/XX down
linkUp
Clear
syncEthernetDPLLLockFailed - for DPLL 0
Raise DPLL 0 lock failed
syncEthernetDPLLChanged==Locked for DPLL 0
Clear
syncEthernetDPLLLockFailed - for DPLL 1
Raise DPLL 1 lock failed
syncEthernetDPLLChanged==Locked for DPLL 1
Clear
cpu-temperature test failed
Raise "Temperature test failed."
cpu-temperature test passed
Clear
power supply test failed
Raise "Power-supply test failed. PS1

FAILED, PS2 OK
FAILED, PS2 FAILED
FAILED, PS2 ABSENT"
Event
Alarm
power supply test passed
Clear
power supply fan test failed
Raise "Power-supply fan test failed. PS1 fan

OK, PS2 fan FAILED."
FAILED, PS2 fan OK"
FAILED, PS2 fan FAILED"
FAILED, PS2 fan ABSENT"
ABSENT, PS2 fan FAILED"
ABSENT, PS2 fan OK"
ABSENT, PS2 fan ABSENT"
FAIL, PS2 fan ABSENT"
ABSENT, PS2 fan ABSENT"
power supply fan test passed
Clear
onboard-power test failed
Raise "Onboard power test failed"
onboard-power test passed
Clear
fan test failed
Raise "Fan test failed"

Raise "Fan test found empty tray"
fan test passed
Clear
cpu-usage test failed
Raise "Cpu-usage test failed."
cpu-usage test passed
Clear
ram-usage test failed
Raise "Ram-usage test failed"
ram-usage test passed
Clear
port-statistics test failed
Raise "Port statistics test failed"
port-statistics test passed
Clear
The MIB contains list of predefined device alarms with index, time of occurrence and description.
Every time an alarm is triggered, a new row is added to the prvtAlarmCurrentTable.
Once the alarm goes off, the relevant row is removed from the prvtAlarmCurrentTable.
Page 63
PRVT-LMM-MIB
This private MIB provides complete SNMP management of the Laser Management feature.
Example:

device-name(config-monitor)#laser
device-name(config-laser)#no shutdown
device-name(config-laser)#period 60
device-name(config-laser)#log
device-name(config-laser)#led
device-name(config-laser)#temperature low-threshold -10
device-name(config-laser)#temperature high-threshold 60
device-name(config-laser)#tx-power low-threshold -5
device-name(config-laser)#tx-power high-threshold 5
device-name(config-laser)#commit
Commit complete.

prvtLmmShutdown.0 (integer) false(2)
Page 64
prvtLmmPeriod.0 (integer) 60
prvtLmmLog.0 (integer) true(1)
prvtLmmLed.0 (integer) true(1)
prvtLmmTemperatureLowThreshold.0 (integer) -10
prvtLmmTemperatureHighThreshold.0 (integer) 60
prvtLmmTxPowerLowThreshold.0 (integer) -5
prvtLmmTxPowerHighThreshold.0 (integer) 5
PRVT-STORM-CTL-MIB
This private MIB provides complete SNMP management of the Traffic Storm Control feature.
Example:

Device-name(config)#ethernet
Device-name(config-ethernet)#storm-control
Device-name(config-storm-control)#port 1/1/1
Device-name(config-port-1/1/1)#traffic-type unknown rate-threshold 100
Device-name(config-traffic-type-unknown)#exit
Device-name(config-port-1/1/1)#no shutdown
Device-name(config-port-1/1/1)#commit
Commit complete.

prvtStrmCtlPortRowStatus.1201 (integer) createAndWait(5)
prvtStrmCtlPortTrafficRowStatus.1201.1 (integer) createAndWait(5)
prvtStrmCtlPortTrafficThreshold.1201.1 (gauge) 100
prvtStrmCtlPortShutdown.1201 (integer) false(2)
prvtStrmCtlPortRowStatus.1201 (integer) active(1)
prvtStrmCtlPortTrafficRowStatus.1201.1 (integer) active(1)
PRVT-EFM-OAM-MIB
This private MIB provides complete SNMP management of 802.3ah Ethernet in the First Mile
(EFM-OAM).
Page 65
Examples:

Device-name(config-port-1/1/1)#efm role active
Device-name(config-port-1/1/1)#
Device-name(config-port-1/1/1)#efm event-return-shutdown 5
Device-name(config-port-1/1/1)#efm event-forward-status 1/1/2
Device-name(config-port-1/1/1)#commit
Page 66
set prvtEfmOamInterfaceRole(1.3.6.1.4.1.738.10.5.133.1.23.1.3).1101
(integer) active(2)
or
set prvtEfmOamInterfaceRole.1101 (integer) active(2)
set prvtEfmOamInterfaceEventReturnShutdown(1.3.6.1.4.1.738.10.5.133.1.23.1.
12).1101 (gauge) 5
or
set prvtEfmOamInterfaceEventReturnShutdown.1101 (gauge) 5
set prvtEfmOamEventForwardStatusRowStatus(1.3.6.1.4.1.738.10.5.133.1.24.1.2
).1101.1102 createAndWait(5)
or
set prvtEfmOamEventForwardStatusRowStatus.1101.1102 (integer)
createAndWait(5)
set prvtEfmOamEventForwardStatusRowStatus(1.3.6.1.4.1.738.10.5.133.1.24.1.2
).1101.1102 active(1)
or
set prvtEfmOamEventForwardStatusRowStatus.1101.1102 (integer) active(1)
PRVT-SAA-MIB
This private MIB provides complete SNMP management of SAA tests.
Examples:
SAA RFC 2544 SNMP configuration:
Page 67
Specify SAA RFC 2544 profile:

device-name(config)#saa profile 1 rfc2544 frameloss 100000

prvtSaaProfileRowStatus.1.49 = 5
prvtSaaProfileType.1.49 = rfc2544
prvtSaaProfileRfc2544FrameLoss.1.49 = 100000
Configure bi-directional loopback

device-name(config)#saa test 1 1 type rfc2544 profile 1 rfc2544 mode bitest-loopback
device-name(config-rfc2544)#domain d2 ma ma2 mep 1001

prvtSaaTestRowStatus.1.49.1.49 = 5
prvtSaaTestType.1.49.1.49 = rfc2544
prvtSaaTestEnable.1.49.1.49 = true
prvtSaaTestRfc2544Mode.1.49.1.49 = biTestLoopback=4
prvtSaaTestRfc2544Domain.1.49.1.49 = "d2"
prvtSaaTestRfc2544MA.1.49.1.49 = "ma2"
prvtSaaTestRfc2544Mep.1.49.1.49 = 1001
Configure bi-directional-head test

Device-name(config)#saa test 1 1 type rfc2544 profile 1 rfc2544 mode bitest-head
Device-name(config-rfc2544)#cir 750000
Device-name(config-rfc2544)#data-size 64
Device-name(config-rfc2544)#domain d2
Device-name(config-rfc2544)#ma ma2
Device-name(config-rfc2544)#mep 1001
Device-name(config-rfc2544)#target-type mep
Device-name(config-rfc2544)#target-mep 2001
Device-name(config-rfc2544)#commit

Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Page 68
00. prvtSaaTestRowStatus.1.49.1.49 = 5
1. prvtSaaTestType.1.49.1.49 = rfc2544
2. prvtSaaTestProfile.1.49.1.49 = 1
3. prvtSaaTestEnable.1.49.1.49 = true
4. prvtSaaTestRfc2544Mode.1.49.1.49 = biTestHead=2
5. prvtSaaTestRfc2544Domain.1.49.1.49 = "d2"
6. prvtSaaTestRfc2544MA.1.49.1.49 = "ma2"
7. prvtSaaTestRfc2544Mep.1.49.1.49 = 1001
8. prvtSaaTestRfc2544TargetType.1.49.1.49 = mep
9. prvtSaaTestRfc2544TargetMep.1.49.1.49 = 2001
10. prvtSaaTestRfc2544Cir.1.49.1.49 = 750000

Step 11. prvtSaaTestRfc2544Cbs.1.49.1.49 = 1024
Step 12. prvtSaaTestRfc2544BurstPercentage.1.49.1.49 = 10
Step 13. prvtSaaTestRfc2544Duration.1.49.1.49 = 5
Step 14. prvtSaaTestRfc2544Pattern.1.49.1.49 = prbsCrc
Step 15. prvtSaaTestRfc2544LoopbackType.1.49.1.49 = oam
Step 16. prvtSaaTestRfc2544CVlanDropEligible.1.49.1.49 = false
Step 17. prvtSaaTestRfc2544SVlanPriority.1.49.1.49 = 5
Step 18. prvtSaaTestRfc2544SVlanDropEligible.1.49.1.49 = false
Step 19. prvtSaaTestRfc2544Timeout.1.49.1.49 = 10
Step 20. prvtSaaTestRfc2544ResultAckTimeout.1.49.1.49 = 5
Step 21. Create few data sizes:
prvtSaaTestDataSizeRowStatus.1.49.1.49.i64 = 5
Step 22. Simultaneously set status "1" on all rowstatuses (must be executed
in 1 SNMP Set command):
Configure uni-test-Tail:
Device-name(config)#saa test 1 1 type rfc2544 profile 1 rfc2544 mode unitest-tail
Device-name(config-rfc2544)#domain d2 ma ma2 mep 1001

Step
Step
Step
Step
Step
Step
Step
Step
1.
2.
3.
4.
5.
6.
7.
8.
prvtSaaTestType.1.49.1.49 = rfc2544
prvtSaaTestRfc2544Mode.1.49.1.49 = uniTestTail=3
prvtSaaTestRfc2544Domain.1.49.1.49 = "d2"
prvtSaaTestRfc2544MA.1.49.1.49 = "ma2"
prvtSaaTestRfc2544Mep.1.49.1.49 = 1001
Configure uni-test-head test:

Device-name(config)#saa test 1 1 type rfc2544 profile 1 rfc2544 mode unitest-head
Device-name(config-rfc2544)#cir 750000
Device-name(config-rfc2544)#burst-percentage 0
Device-name(config-rfc2544)#domain d2
Device-name(config-rfc2544)#ma ma2
Device-name(config-rfc2544)#mep 1001
Device-name(config-rfc2544)#target-type mep
Device-name(config-rfc2544)#target-mep 2001
Page 69
Step 00. prvtSaaTestRowStatus.1.49.1.49 = 5

Step 1. prvtSaaTestType.1.49.1.49 = rfc2544
Step 2. prvtSaaTestProfile.1.49.1.49 = 1
Step 3. prvtSaaTestEnable.1.49.1.49 = true
Step 4. prvtSaaTestRfc2544Mode.1.49.1.49 = uniTestHead=1
Step 5. prvtSaaTestRfc2544Domain.1.49.1.49 = "d2"
Step 6. prvtSaaTestRfc2544MA.1.49.1.49 = "ma2"
Step 7. prvtSaaTestRfc2544Mep.1.49.1.49 = 1001
Step 8. prvtSaaTestRfc2544TargetType.1.49.1.49 = mep
Step 9. prvtSaaTestRfc2544TargetMep.1.49.1.49 = 2001
Step 10. prvtSaaTestRfc2544Cir.1.49.1.49 = 750000
Step 11. prvtSaaTestRfc2544Cbs.1.49.1.49 = 1024
Step 12. prvtSaaTestRfc2544BurstPercentage.1.49.1.49 = 0
Step 13. prvtSaaTestRfc2544Duration.1.49.1.49 = 5
Step 14. prvtSaaTestRfc2544Pattern.1.49.1.49 = prbsCrc =4
Step 15. prvtSaaTestRfc2544LoopbackType.1.49.1.49 = oam =2
Step 16. prvtSaaTestRfc2544CVlanDropEligible.1.49.1.49 = false
Step 17. prvtSaaTestRfc2544SVlanPriority.1.49.1.49 = 5
Step 18. prvtSaaTestRfc2544SVlanDropEligible.1.49.1.49 = false
Step 19. prvtSaaTestRfc2544Timeout.1.49.1.49 = 10
Step 20. prvtSaaTestRfc2544ResultAckTimeout.1.49.1.49 = 5
Step 21. Create few data sizes:
Step 22. Simultaneously set status "1" on all rowstatuses (must be executed
in 1 SNMP Set command):
Saa Y1731 configuration:
Device-name(config)#saa profile 1 type y1731 y1731 delay-near-end 1000

delay-far-end 1000 jitter-near-end 10 jitter-far-end 10 frameloss-near-end
1000 frameloss-far-end 1000
Device-name(config-y1731)#commit
Commit complete.

Y1731 threshold profile
Step
Step
Step
Step
Step
Step
Step
Step
Step
1.
2.
3.
4.
5.
6.
7.
8.
9.
prvtSaaProfileType.1.49 = 1
prvtSaaProfileY1731DelayNearEnd.1.49 = 1000
prvtSaaProfileY1731DelayFarEnd.1.49 = 1000
prvtSaaProfileY1731JitterNearEnd.1.49 = 10
prvtSaaProfileY1731JitterFarEnd.1.49 = 10
prvtSaaProfileY1731FrameLossNearEnd.1.49 = 1000
prvtSaaProfileY1731FrameLossFarEnd.1.49 = 1000
Y1731 Testhead device configuration:
Device-name(config)#saa test 2 2 type y1731 profile 1

Device-name(config-test-2/2)#y1731 mode test domain d2 ma ma2
Page 70
Device-name(config-y1731)#history 20 priority 0 interval 60 frequency 1

period 100
Device-name(config-y1731)#mep 3002 target-type mep target-mep 2106

Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
01.
02.
03.
04.
05.
06.
07.
08.
09.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
prvtSaaTestType.1.50.1.50 = y1731
prvtSaaTestProfile.1.50.1.50 = 1
prvtSaaTestY1731Mode.1.50.1.50 = test
prvtSaaTestY1731Domain.1.50.1.50 = "d2"
prvtSaaTestY1731MA.1.50.1.50 = "ma2"
prvtSaaTestY1731Mep.1.50.1.50 = 3002
prvtSaaTestY1731TargetType.1.50.1.50 = mep
prvtSaaTestY1731TargetMep.1.50.1.50 = 2106
prvtSaaTestY1731Priority.1.50.1.50 = 0
prvtSaaTestY1731Frequency.1.50.1.50 = 1
prvtSaaTestY1731Interval.1.50.1.50 = 60
prvtSaaTestY1731Period.1.50.1.50 = 100
prvtSaaTestY1731Timeout.1.50.1.50 = 3
prvtSaaTestY1731Function.1.50.1.50 = both
prvtSaaTestY1731DelayMode.1.50.1.50 = twoWay
prvtSaaTestY1731DelayMethod.1.50.1.50 = average
prvtSaaTestY1731DelayPValue.1.50.1.50 = 50
prvtSaaTestY1731JitterMethod.1.50.1.50 = variance
prvtSaaTestY1731JitterPValue.1.50.1.50 = 50
prvtSaaTestY1731History.1.50.1.50 = 20
Y1731 loopback device configuration:
Device-name(config)#saa test 2 2 type y1731 profile 1

Device-name(config-test-2/2)#y1731 mode loopback
Device-name(config-y1731)#domain d2 ma ma2
Device-name(config-y1731)#mep 2106
Device-name(config-y1731)#function both

Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
Step
01.
02.
03.
04.
05.
06.
07.
08.
09.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
prvtSaaTestType.1.50.1.50 = y1731
prvtSaaTestProfile.1.50.1.50 = #0x31=1
prvtSaaTestY1731Mode.1.50.1.50 = loopback = 2
prvtSaaTestY1731Domain.1.50.1.50 = "d2"
prvtSaaTestY1731MA.1.50.1.50 = "ma2"
prvtSaaTestY1731Mep.1.50.1.50 = 2106
prvtSaaTestY1731Priority.1.50.1.50 = 6
prvtSaaTestY1731Frequency.1.50.1.50 = 1
prvtSaaTestY1731Interval.1.50.1.50 = 900
prvtSaaTestY1731Period.1.50.1.50 = 1000
prvtSaaTestY1731Timeout.1.50.1.50 = 3
prvtSaaTestY1731Function.1.50.1.50 = both
prvtSaaTestY1731DelayMode.1.50.1.50 = twoWay
prvtSaaTestY1731DelayMethod.1.50.1.50 = average
prvtSaaTestY1731DelayPValue.1.50.1.50 = 50
prvtSaaTestY1731JitterMethod.1.50.1.50 = variance
prvtSaaTestY1731JitterPValue.1.50.1.50 = 50
Page 71

Step 20. prvtSaaTestY1731History.1.50.1.50 = 96
Step 21. prvtSaaTestRowStatus.1.50.1.50 = 1
Traffic Engineering
This section presents the SNMP MIB, PRVT-TE-PARAM-MIB, used for the Multiprotocol Label
Switching (MPLS) feature:
PRVT-TE-PARAM-MIB
PRVT-TE-PARAM-MIB
The TE MIB includes objects describing features that support traffic engineering.
Examples:

Setting Admin Group 1 with the name "green":
device-name(config)#router rsvp-te admin-group 1 name green
device-name(config-admin-group-1)#commit

Setting Admin Group 1 with the name "green":
Set prvtTeParamAdminGroupRowStatus.1 with value createAndWait(5)
Set prvtTeParamAdminGroupName.1 with value green
Set prvtTeParamAdminGroupRowStatus.1 with value active(1)
Page 72
The following example creates VPWS between two devices: Device1 and Device2.
1.
Configure a VLAN with ID 10 and add port 1/1/5 as a tagged member of it:
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51
dot1qVlanStaticRowStatus.10 i 5 Q-BRIDGE-MIB::dot1qVlanStaticRowStatus.10 =
INTEGER: createAndWait(5) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51
dot1qVlanStaticEgressPorts.10 x 08000000 Q-BRIDGEMIB::dot1qVlanStaticEgressPorts.10 = Hex-STRING: 08 00 00 00 snmpset -t 10
-L n -v2c -c user-v2c 10.3.155.51 dot1qVlanStaticName.10 s vlan10 QBRIDGE-MIB::dot1qVlanStaticName.10 = STRING: vlan10 snmpset -t 10 -L n v2c -c user-v2c 10.3.155.51 dot1qVlanStaticRowStatus.10 i 1 Q-BRIDGEMIB::dot1qVlanStaticRowStatus.10 = INTEGER: active(1)
2.
Configure IP interafce sw1with IP address 100.1.1.51/24:

ipInterfaceRowStatus.3.115.119.49 i 5
PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."sw1" = INTEGER:
createAndWait(5)
ipInterfaceIpAddress.3.115.119.49 a 100.1.1.51 PRVT-SWITCH-IPVLANMIB::ipInterfaceIpAddress."sw1" = IpAddress: 100.1.1.51 snmpset -t 10 -L n
-v2c -c user-v2c 10.3.155.51
ipInterfaceSubnetMask.3.115.119.49 a 255.255.255.0 PRVT-SWITCH-IPVLANMIB::ipInterfaceSubnetMask."sw1" = IpAddress:
255.255.255.0
PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."sw1" = INTEGER: active(1)
3.
Configure loopback interafce lo1 with IP address 1.1.155.51/32:

PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."lo1" = INTEGER:
createAndWait(5)
ipInterfaceIpAddress.3.108.111.49 a 1.1.155.51 PRVT-SWITCH-IPVLANMIB::ipInterfaceIpAddress."lo1" = IpAddress: 1.1.155.51 snmpset -t 10 -L n
-v2c -c user-v2c 10.3.155.51
ipInterfaceSubnetMask.3.108.111.49 a 255.255.255.255 PRVT-SWITCH-IPVLANMIB::ipInterfaceSubnetMask."lo1" = IpAddress:
255.255.255.255
PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."lo1" = INTEGER: active(1)
4.
Attach IP interface sw1 to VLAN 10:

snmpset -t 10 -L n -v2c -c user-v2c
ipVLANStatus.10.3.115.119.49 i 1
10.3.155.51
Page 73
PRVT-SWITCH-IPVLAN-MIB::ipVLANStatus.10."sw1" = INTEGER: attached(1)
5.
Enable OSPF. Interfaces lo1 and sw1 are configured in Area 0.0.0.0:
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 prvtOspfRouterId.0 a
1.1.155.51
PRVT-OSPF-MIB::prvtOspfRouterId.0 = IpAddress: 1.1.155.51 snmpset -t 10 -L
n -v2c -c user-v2c 10.3.155.51 prvtOspfAreaRowStatus.0.0.0.0 i 4 PRVTOSPF-MIB::prvtOspfAreaRowStatus.0.0.0.0 = INTEGER: createAndGo(4) snmpset
-t 10 -L n -v2c -c user-v2c 10.3.155.51
prvtOspfIfRowStatus.100.1.1.51 i 5
PRVT-OSPF-MIB::prvtOspfIfRowStatus.100.1.1.51 = INTEGER: createAndWait(5)
prvtOspfIfAreaId.100.1.1.51 a 0.0.0.0
PRVT-OSPF-MIB::prvtOspfIfAreaId.100.1.1.51 = IpAddress: 0.0.0.0 snmpset -t
10 -L n -v2c -c user-v2c 10.3.155.51
PRVT-OSPF-MIB::prvtOspfIfRowStatus.100.1.1.51 = INTEGER: active(1)
10 -L n -v2c -c user-v2c 10.3.155.51
prvtOspfIfWorkingMode.1.1.155.51 i 1
PRVT-OSPF-MIB::prvtOspfIfWorkingMode.1.1.155.51 = INTEGER: passive(1)
6.
Enable the Label manager. Configure LSR ID 1.1.155.51:

prvtLmgrLsrEntityRowStatus.1 i 5
PRVT-LMGR-MIB::prvtLmgrLsrEntityRowStatus.1 = INTEGER: createAndWait(5)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 prvtLmgrLsrEntityLsrId.1 u
16882483
PRVT-LMGR-MIB::prvtLmgrLsrEntityLsrId.1 = Gauge32: 16882483 snmpset -t 10 L n -v2c -c user-v2c 10.3.155.51
prvtLmgrLsrEntityTranAddr.1 x 01019B33
PRVT-LMGR-MIB::prvtLmgrLsrEntityTranAddr.1 = Hex-STRING: 01 01 9B 33
PRVT-LMGR-MIB::prvtLmgrLsrEntityRowStatus.1 = INTEGER: active(1)
7.
Enable MPLS on interfaces lo1 and sw1:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 ifaceMplsRowStatus.20001 i
4
PRVT-MPLS-IF-MIB::ifaceMplsRowStatus.20001 = INTEGER: createAndGo(4)
4
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 ifaceMplsEnable.20001 i 1
PRVT-MPLS-IF-MIB::ifaceMplsEnable.20001 = INTEGER: true(1) snmpset -t 10 -L
n -v2c -c user-v2c 10.3.155.51 ifaceMplsEnable.40001 i 1
PRVT-MPLS-IF-MIB::ifaceMplsEnable.40001 = INTEGER: true(1)
Page 74
8.
Enable LDP:
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 prvtcrldpPmRowStatus.1 i 4
Error in packet.
Reason: inconsistentValue (The set value is illegal or unsupported in some
way) Failed object: PRVT-CR-LDP-MIB::prvtcrldpPmRowStatus.1
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 prvtcrldpSigRowStatus.1 i 4
PRVT-CR-LDP-MIB::prvtcrldpSigRowStatus.1 = INTEGER: createAndGo(4)
9.
Configure LDP targeted peer with IP address 1.1.155.56:

mplsLdpEntityRowStatus.1.13.49.46.49.46.49.53.53.46.53.49.58.48.48.1 i 5
PRVT-MPLS-LDP-MIB::mplsLdpEntityRowStatus.1."1.1.155.51:00".1 = INTEGER:
createAndWait(5)
mplsLdpEntityTargetPeerAddr.1.13.49.46.49.46.49.53.53.46.53.49.58.48.48.1 x
01019b38
PRVT-MPLS-LDP-MIB::mplsLdpEntityTargetPeerAddr.1."1.1.155.51:00".1 =
STRING: 1 1 9b 38
mplsLdpEntityAdminStatus.1.13.49.46.49.46.49.53.53.46.53.49.58.48.48.1 i 1
PRVT-MPLS-LDP-MIB::mplsLdpEntityAdminStatus.1."1.1.155.51:00".1 =
INTEGER: enable(1)
active(1)
echo "10.Set LDP distribuition - ingress OSPF, egress ip 1.1.155.51/32:"
10.Set LDP distribuition - ingress OSPF, egress ip 1.1.155.51/32:
prvtMplsRouteProtocolRowStatus.ingress.ospf i 4 PRVT-MPLS-IFMIB::prvtMplsRouteProtocolRowStatus.ingress.ospf = INTEGER:
createAndGo(4)
prvtMplsRouteAddressRowStatus.egress.1.1.155.51.32 i 4
PRVT-MPLS-IF-MIB::prvtMplsRouteAddressRowStatus.egress.'...3 ' =
INTEGER: createAndGo(4)
10. Enable RSVP:

prvtMplsTeMibEntityRowStatus.1 i 4
PRVT-TEMIB-ENTITY-MIB::prvtMplsTeMibEntityRowStatus.1 = INTEGER:
createAndGo(4)
prvtRsvpProductRowStatus.1 i 4
PRVT-RSVP-MIB::prvtRsvpProductRowStatus.1 = INTEGER: createAndGo(4)
11. Configure RSVP path 10 and next hop IP address 100.1.1.56:

mplsTunnelManHopRowStatus.1.10.1.1 i 5
PRVT-MPLS-TE-MIB::mplsTunnelManHopRowStatus.1.10.1.1 = INTEGER:
Page 75
createAndWait(5)
mplsTunnelManHopType.1.10.1.1 i 1
PRVT-MPLS-TE-MIB::mplsTunnelManHopType.1.10.1.1 = INTEGER: strict(1)
mplsTunnelManHopIpAddr.1.10.1.1 x 64010138
PRVT-MPLS-TE-MIB::mplsTunnelManHopIpAddr.1.10.1.1 = Hex-STRING: 64 01 01 38
PRVT-MPLS-TE-MIB::mplsTunnelManHopRowStatus.1.10.1.1 = INTEGER: active(1)
12. Create RSVP LSP 10 with ingress LSR ID 1.1.155.51 , egress LSR ID 1.1.155.56 :
mplsManTunnelRowStatus.1.10.1 i 5
PRVT-MPLS-TE-MIB::mplsManTunnelRowStatus.1.10.1 = INTEGER: createAndWait(5)
mplsManTunnelIngressLSRId.1.10.1 x 01019b33
PRVT-MPLS-TE-MIB::mplsManTunnelIngressLSRId.1.10.1 = STRING: 1.1.155.51
mplsManTunnelEgressLSRId.1.10.1 x 01019b38
PRVT-MPLS-TE-MIB::mplsManTunnelEgressLSRId.1.10.1 = STRING: 1.1.155.56
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 mplsManTunnelName.1.10.1 s
lsp10
PRVT-MPLS-TE-MIB::mplsManTunnelName.1.10.1 = STRING: "lsp10"
mplsManTunnelAdminStatus.1.10.1 i 1
PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.10.1 = INTEGER: up(1) snmpset
-t 10 -L n -v2c -c user-v2c 10.3.155.51
PRVT-MPLS-TE-MIB::mplsManTunnelRowStatus.1.10.1 = INTEGER: active(1)
13. Apply the configured RSVP path 10 to LSP 10:

PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.10.1 = INTEGER: down(2)
mplsManTunnelPathInUse.1.10.1 u 1 mplsManTunnelHopTableIndex.1.10.1 u 10
PRVT-MPLS-TE-MIB::mplsManTunnelPathInUse.1.10.1 = Gauge32: 1
PRVT-MPLS-TE-MIB::mplsManTunnelHopTableIndex.1.10.1 = Gauge32: 10 snmpset t 10 -L n -v2c -c user-v2c 10.3.155.51
mplsManTunnelPathComp.1.10.1 i 2
PRVT-MPLS-TE-MIB::mplsManTunnelPathComp.1.10.1 = INTEGER: explicit(2)
PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.10.1 = INTEGER: up(1)
14. Configure VPWS with ID 10:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 serviceRowStatus.10 i 5
PRVT-SERV-MIB::serviceRowStatus.10 = INTEGER: createAndWait(5) snmpset -t
10 -L n -v2c -c user-v2c 10.3.155.51 serviceVpnId.10 u 10 PRVT-SERVMIB::serviceVpnId.10 = Gauge32: 10 snmpset -t 10 -L n -v2c -c user-v2c
10.3.155.51 serviceType.10 i 9 PRVT-SERV-MIB::serviceType.10 = INTEGER:
vpws(9) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51
serviceAdminStatus.10 i 1 PRVT-SERV-MIB::serviceAdminStatus.10 = INTEGER:
up(1) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 serviceRowStatus.10 i
1 PRVT-SERV-MIB::serviceRowStatus.10 = INTEGER: active(1)
Page 76
15. Configure SAP 1/1/10:10: for VPWS 10:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 sapRowStatus.10.1110.10 i 5
| tee PRVT-SERV-MIB::sapRowStatus.10.1110.10 = INTEGER: createAndWait(5)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 sapAdminStatus.10.1110.10 i
1 PRVT-SERV-MIB::sapAdminStatus.10.1110.10 = INTEGER: up(1) snmpset -t 10 L n -v2c -c user-v2c 10.3.155.51 sapRowStatus.10.1110.10 i 1 PRVT-SERVMIB::sapRowStatus.10.1110.10 = INTEGER: active(1)
16. Configure SDP (SDP uses the configured LSP 10) for VPWS 10:
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 sdpRowStatus.10.1 i 5
PRVT-SERV-MIB::sdpRowStatus.10.1 = INTEGER: createAndWait(5) snmpset -t 10
-L n -v2c -c user-v2c 10.3.155.51 sdpFarEndIpAddress.10.1 a 1.1.155.56
PRVT-SERV-MIB::sdpFarEndIpAddress.10.1 = IpAddress: 1.1.155.56 snmpset -t
10 -L n -v2c -c user-v2c 10.3.155.51 sdpAdminStatus.10.1 i 1
PRVT-SERV-MIB::sdpAdminStatus.10.1 = INTEGER: up(1) snmpset -t 10 -L n -v2c
-c user-v2c 10.3.155.51
sdpTransportTunnelName.10.1 s lsp10
PRVT-SERV-MIB::sdpTransportTunnelName.10.1 = STRING: "lsp10"
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 sdpVCType.10.1 i 5
PRVT-SERV-MIB::sdpVCType.10.1 = INTEGER: ethernet(5) snmpset -t 10 -L n v2c -c user-v2c 10.3.155.51 sdpType.10.1 i 3
PRVT-SERV-MIB::sdpType.10.1 = INTEGER: mesh(3) snmpset -t 10 -L n -v2c -c
user-v2c 10.3.155.51 sdpMtu.10.1 i 9190
PRVT-SERV-MIB::sdpMtu.10.1 = INTEGER: 9190 snmpset -t 10 -L n -v2c -c userv2c 10.3.155.51 sdpRowStatus.10.1 i 1
PRVT-SERV-MIB::sdpRowStatus.10.1 = INTEGER: active(1)
17. Verify the VPWS configuration:

snmpget -t 10 -L n -v2c -c user-v2c 10.3.155.51 serviceOperStatus.10 PRVTSERV-MIB::serviceOperStatus.10 = INTEGER: down(2)
18. Configure a VLAN with ID 10 and add port 1/1/5 as a tagged member of it:
dot1qVlanStaticRowStatus.10 i 5 Q-BRIDGE-MIB::dot1qVlanStaticRowStatus.10 =
INTEGER: createAndWait(5) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56
dot1qVlanStaticEgressPorts.10 x 08000000 Q-BRIDGEMIB::dot1qVlanStaticEgressPorts.10 = Hex-STRING: 08 00 00 00 snmpset -t 10
-L n -v2c -c user-v2c 10.3.155.56 dot1qVlanStaticName.10 s vlan10 QBRIDGE-MIB::dot1qVlanStaticName.10 = STRING: vlan10 snmpset -t 10 -L n v2c -c user-v2c 10.3.155.56 dot1qVlanStaticRowStatus.10 i 1 Q-BRIDGEMIB::dot1qVlanStaticRowStatus.10 = INTEGER: active(1)
19. Configure IP interafce sw1with IP address 100.1.1.56/24:

ipInterfaceRowStatus.4.115.119.49.48 i 5 PRVT-SWITCH-IPVLANMIB::ipInterfaceRowStatus."sw10" = INTEGER:
createAndWait(5)
ipInterfaceIpAddress.4.115.119.49.48 a 100.1.1.56 PRVT-SWITCH-IPVLANMIB::ipInterfaceIpAddress."sw10" = IpAddress: 100.1.1.56 snmpset -t 10 -L
n -v2c -c user-v2c 10.3.155.56
ipInterfaceSubnetMask.4.115.119.49.48 a 255.255.255.0 PRVT-SWITCH-IPVLANMIB::ipInterfaceSubnetMask."sw10" = IpAddress:
255.255.255.0
Page 77
ipInterfaceRowStatus.4.115.119.49.48 i 1 PRVT-SWITCH-IPVLANMIB::ipInterfaceRowStatus."sw10" = INTEGER: active(1)
20. Configure loopback interafce lo1 with IP ddress 1.1.155.56/32:

PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."lo1" = INTEGER:
createAndWait(5)
ipInterfaceIpAddress.3.108.111.49 a 1.1.155.56 PRVT-SWITCH-IPVLANMIB::ipInterfaceIpAddress."lo1" = IpAddress: 1.1.155.56 snmpset -t 10 -L n
-v2c -c user-v2c 10.3.155.56
ipInterfaceSubnetMask.3.108.111.49 a 255.255.255.255 PRVT-SWITCH-IPVLANMIB::ipInterfaceSubnetMask."lo1" = IpAddress:
255.255.255.255
PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."lo1" = INTEGER: active(1)
21. Attach interface sw10 to VLAN 10:

ipVLANStatus.10.4.115.119.49.48 i 1
PRVT-SWITCH-IPVLAN-MIB::ipVLANStatus.10."sw10" = INTEGER: attached(1)
22. Enable OSPF. Interfaces lo1 and sw10 are configured in Area 0.0.0.0:
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 prvtOspfRouterId.0 a
1.1.155.56
PRVT-OSPF-MIB::prvtOspfRouterId.0 = IpAddress: 1.1.155.56 snmpset -t 10 -L
n -v2c -c user-v2c 10.3.155.56 prvtOspfAreaRowStatus.0.0.0.0 i 4 PRVTOSPF-MIB::prvtOspfAreaRowStatus.0.0.0.0 = INTEGER: createAndGo(4) snmpset t 10 -L n -v2c -c user-v2c 10.3.155.56
10 -L n -v2c -c user-v2c 10.3.155.56
10 -L n -v2c -c user-v2c 10.3.155.56
prvtOspfIfWorkingMode.1.1.155.56 i 1
PRVT-OSPF-MIB::prvtOspfIfWorkingMode.1.1.155.56 = INTEGER: passive(1)
23. Enable the Label manager. Configure LSR ID 1.1.155.56:

Page 78
PRVT-LMGR-MIB::prvtLmgrLsrEntityRowStatus.1 = INTEGER: createAndWait(5)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 prvtLmgrLsrEntityLsrId.1 u
16882488
PRVT-LMGR-MIB::prvtLmgrLsrEntityLsrId.1 = Gauge32: 16882488 snmpset -t 10 L n -v2c -c user-v2c 10.3.155.56
prvtLmgrLsrEntityTranAddr.1 x 01019B38
PRVT-LMGR-MIB::prvtLmgrLsrEntityTranAddr.1 = Hex-STRING: 01 01 9B 38
PRVT-LMGR-MIB::prvtLmgrLsrEntityRowStatus.1 = INTEGER: active(1)
24. Enable MPLS on interfaces lo1 and sw10:

4
4 PRVT-MPLS-IF-MIB::ifaceMplsRowStatus.40010 = INTEGER: createAndGo(4)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 ifaceMplsEnable.20001 i 1
PRVT-MPLS-IF-MIB::ifaceMplsEnable.20001 = INTEGER: true(1) snmpset -t 10 -L
n -v2c -c user-v2c 10.3.155.56 ifaceMplsEnable.40010 i 1 PRVT-MPLS-IFMIB::ifaceMplsEnable.40010 = INTEGER: true(1)
25. Enable LDP:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 prvtcrldpPmRowStatus.1 i 4
PRVT-CR-LDP-MIB::prvtcrldpPmRowStatus.1 = INTEGER: createAndGo(4) snmpset t 10 -L n -v2c -c user-v2c 10.3.155.56 prvtcrldpSigRowStatus.1 i 4
PRVT-CR-LDP-MIB::prvtcrldpSigRowStatus.1 = INTEGER: createAndGo(4)
26. Configure LDP targeted peer with IP address 1.1.155.51:

createAndWait(5)
mplsLdpEntityTargetPeerAddr.1.13.49.46.49.46.49.53.53.46.53.54.58.48.48.1 x
01019b33
PRVT-MPLS-LDP-MIB::mplsLdpEntityTargetPeerAddr.1."1.1.155.56:00".1 =
STRING: 1 1 9b 33
mplsLdpEntityAdminStatus.1.13.49.46.49.46.49.53.53.46.53.54.58.48.48.1 i 1
PRVT-MPLS-LDP-MIB::mplsLdpEntityAdminStatus.1."1.1.155.56:00".1 =
INTEGER: enable(1)
active(1)
27. Configure LDP distribuition policy with ingress OSPF and egress IP address 1.1.155.56:
prvtMplsRouteProtocolRowStatus.ingress.ospf i 4 PRVT-MPLS-IFMIB::prvtMplsRouteProtocolRowStatus.ingress.ospf = INTEGER:
createAndGo(4)
prvtMplsRouteAddressRowStatus.egress.1.1.155.56.32 i 4
Page 79
PRVT-MPLS-IF-MIB::prvtMplsRouteAddressRowStatus.egress.'...8 ' =
INTEGER: createAndGo(4)
28. Enable RSVP:

prvtMplsTeMibEntityRowStatus.1 i 4
PRVT-TEMIB-ENTITY-MIB::prvtMplsTeMibEntityRowStatus.1 = INTEGER:
createAndGo(4)
prvtRsvpProductRowStatus.1 i 4
PRVT-RSVP-MIB::prvtRsvpProductRowStatus.1 = INTEGER: createAndGo(4)
29. Configure RSVP path 20 and next hop IP address 100.1.1.51:

PRVT-MPLS-TE-MIB::mplsTunnelManHopRowStatus.1.20.1.1 = INTEGER:
createAndWait(5)
mplsTunnelManHopType.1.20.1.1 i 1
PRVT-MPLS-TE-MIB::mplsTunnelManHopType.1.20.1.1 = INTEGER: strict(1)
mplsTunnelManHopIpAddr.1.20.1.1 x 64010133
PRVT-MPLS-TE-MIB::mplsTunnelManHopIpAddr.1.20.1.1 = Hex-STRING: 64 01 01 33
PRVT-MPLS-TE-MIB::mplsTunnelManHopRowStatus.1.20.1.1 = INTEGER: active(1)
30. Configure RSVP LSP 20 with ingress IP address 1.1.155.56 and egress IP address 1.1.155.51:
PRVT-MPLS-TE-MIB::mplsManTunnelRowStatus.1.20.1 = INTEGER: createAndWait(5)
mplsManTunnelIngressLSRId.1.20.1 x 01019b38
PRVT-MPLS-TE-MIB::mplsManTunnelIngressLSRId.1.20.1 = STRING: 1.1.155.56
mplsManTunnelEgressLSRId.1.20.1 x 01019b33
PRVT-MPLS-TE-MIB::mplsManTunnelEgressLSRId.1.20.1 = STRING: 1.1.155.51
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 mplsManTunnelName.1.20.1 s
lsp20
PRVT-MPLS-TE-MIB::mplsManTunnelName.1.20.1 = STRING: "lsp20"
PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.20.1 = INTEGER: up(1) snmpset
-t 10 -L n -v2c -c user-v2c 10.3.155.56
PRVT-MPLS-TE-MIB::mplsManTunnelRowStatus.1.20.1 = INTEGER: active(1)
31. Apply the configured path 20 to LSP 20:

PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.20.1 = INTEGER: down(2)
mplsManTunnelPathInUse.1.20.1 u 1 mplsManTunnelHopTableIndex.1.20.1 u 20
PRVT-MPLS-TE-MIB::mplsManTunnelPathInUse.1.20.1 = Gauge32: 1
Page 80
PRVT-MPLS-TE-MIB::mplsManTunnelHopTableIndex.1.20.1 = Gauge32: 20 snmpset t 10 -L n -v2c -c user-v2c 10.3.155.56

mplsManTunnelPathComp.1.20.1 i 2
PRVT-MPLS-TE-MIB::mplsManTunnelPathComp.1.20.1 = INTEGER: explicit(2)
PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.20.1 = INTEGER: up(1)
32. Configure VPWS with ID 10:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 serviceRowStatus.10 i 5
PRVT-SERV-MIB::serviceRowStatus.10 = INTEGER: createAndWait(5) snmpset -t
10 -L n -v2c -c user-v2c 10.3.155.56 serviceVpnId.10 u 10 PRVT-SERVMIB::serviceVpnId.10 = Gauge32: 10 snmpset -t 10 -L n -v2c -c user-v2c
10.3.155.56 serviceType.10 i 9 PRVT-SERV-MIB::serviceType.10 = INTEGER:
vpws(9) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56
serviceAdminStatus.10 i 1 PRVT-SERV-MIB::serviceAdminStatus.10 = INTEGER:
up(1) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 serviceRowStatus.10 i
1 PRVT-SERV-MIB::serviceRowStatus.10 = INTEGER: active(1)
33. Configure SAP 1/1/10:10: for VPWS 10:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sapRowStatus.10.1110.10 i 5
PRVT-SERV-MIB::sapRowStatus.10.1110.10 = INTEGER: createAndWait(5) snmpset
-t 10 -L n -v2c -c user-v2c 10.3.155.56 sapAdminStatus.10.1110.10 i 1 PRVTSERV-MIB::sapAdminStatus.10.1110.10 = INTEGER: up(1) snmpset -t 10 -L n v2c -c user-v2c 10.3.155.56 sapRowStatus.10.1110.10 i 1 PRVT-SERVMIB::sapRowStatus.10.1110.10 = INTEGER: active(1)
34. Configure SDP (SDP uses the configured LSP 20) for VPWS 10:
PRVT-SERV-MIB::sdpRowStatus.10.1 = INTEGER: createAndWait(5)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sdpFarEndIpAddress.10.1
a 1.1.155.51
PRVT-SERV-MIB::sdpFarEndIpAddress.10.1 = IpAddress: 1.1.155.51
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sdpAdminStatus.10.1 i 1
PRVT-SERV-MIB::sdpAdminStatus.10.1 = INTEGER: up(1)
sdpTransportTunnelName.10.1 s lsp20
PRVT-SERV-MIB::sdpTransportTunnelName.10.1 = STRING: "lsp20"
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sdpVCType.10.1 i 5
PRVT-SERV-MIB::sdpVCType.10.1 = INTEGER: ethernet(5)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sdpType.10.1 i 3
PRVT-SERV-MIB::sdpType.10.1 = INTEGER: mesh(3)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sdpMtu.10.1 i 9190
PRVT-SERV-MIB::sdpMtu.10.1 = INTEGER: 9190
PRVT-SERV-MIB::sdpRowStatus.10.1 = INTEGER: active(1)
35. Verify the VPWS configuration:

snmpget -L n -v2c -c user-v2c 10.3.155.56 serviceOperStatus.10
PRVT-SERV-MIB::serviceOperStatus.10 = INTEGER: up(1)
Page 81
Appendix B: Specifications
Physical Specifications
Width
440 mm (18)
Height
66.7 mm (1.5RU)
Depth
253 mm (10)
Power Source
AC Power Source
DC Power Source
Voltage/Current
100-240 VAC, 2A
Frequency
50-60Hz
Typical Power consumption
150 W
Weight
0.35 kg (0.78 lbs)
Voltage
-48 VDC, 1.8A
Typical Power consumption
130 W
Weight
0.2 kg (0.44 lbs)
Maximum current 1.8A = 60% of the fuse rate

Fuse current rate value = 1.8A/0.6 = 3A per PSU
NOTE
Two PSUs are required for operation above 45C (normal ambient temperature). A
single PSU is used for normal operation temperatures.
Operating Conditions
Operating temperature
-20 C to 65 C (-4 F to 149 F)
Environment
Designed for use in indoor applications only
Relative Humidity
5% to 90% non-condensing
Operating Altitude
2,012 m (6,600 ft)
Storage Temperature
-40 C to 65 C (-40 F to 149 F)
Storage Humidity
95% maximum relative humidity, non-condensing
Storage Altitude
4,500 m (15,000 ft) maximum
Specifications (Rev. 01)
Page 1
Appendix C: Acronyms Glossary

Term
Meaning
AAA
Authentication, Authorization, and Accounting
ACG
Access Control Group
ACL
Access List
AIS
Alarm Indication Signal
AMI
Alternate Mark Inversion
ARP
Address Resolution Protocol
AS
Autonomous System
ASIC
Application Specific Integrated Circuit
ATM
Asynchronous Transfer Mode
BES
Bursty Error Seconds
BFD
Bidirectional Forwarding Detection
BID
Bridge ID
BiST
Built-in Self Test
BPDU
Bridge Protocol Data Units
CCM
Continuity Check Message
CCS
Common Channel Signalling
CES
Circuit Emulation Service
CFM
Connectivity Fault Management
CIC
Clock Input Controller
CIR
CIST
Common and Internal Spanning Tree
CLE
Customer Located Equipment
CLI
Command Line Interface
CO
Central Office
CoLo
Co-Location
CPE
Customer Premise Equipment
CPU
Central Processing Unit
CRC
Cyclical Redundancy Checking
CSS
Controlled Slip Seconds
CST
Common Spanning Tree
C-VLAN
Customer VLAN
DAI
Dynamic ARP Inspection
Page 1
Appendix C: Acronyms Glossary (Rev 01)
Term
Meaning
DHCP
Dynamic Host Configuration Protocol
DLC
Data-Link Control
DNS
Domain Name System
DoS
Denial of Service
DoSAP
Denial of Service Access Point
DRR
Deficit Round Robin
DSCP
Differentiated Services Code Point
DSx
Digital Signal Level x
DSA
Digital Signature Algorithm
DSS
Digital Signature Standard
DST
Daylight Saving Time
DTE
Data Terminating Entity
EAP
Extensible Authentication Protocol
EAPOL
EAP Encapsulation over LAN
ECN
Explicit Congestion Notification
EFM-OAM
Ethernet in the First Mile
EPS
Ethernet Protection Switching
ES
Error Seconds
ESF
Extended Super Frame
EVC
Ethernet Virtual Connections
FC
Forwarding Class
FDB
Forwarding Database Table
FEC
Forwarding Equivalence Class
FIB
Forwarding Information Base
FRR
Fast Re-Route
FS
File System
H-VPLS
Hierarchical VPLS
IETF
Internet Engineering Task Force
IGMP
Internet Group Multicast Protocol
IP
Internet Protocol
ISAP
Intermediate Service Access Protocol
IST
Internal Spanning Tree
ITU-T
International Telecommunications Union-
IWF
InterWorking Function
LACP
Link Aggregation Control Protocol
LAG
Link Aggregation Group
LAN
Local Area Network
Page 2
Term
Meaning
LBM
Loopback Message
LBR
Loopback Reply
LCK
Ethernet Lock Signal
LCV
Line Code Violations
LDP
Label Distribution Protocol
LER
Label Edge Router
LES
Line Error Seconds
LIU
Line Interface Unit
LLDP
LMM
Laser Management Monitoring
LOPS
Loss of Packet Synchronization
LSL
Logical Service Loopback
LSP
Label Switched Path
LSR
Label Switch Router
LTM
Link Trace Message
LTR
Link Trace Reply
MA
Maintenance Association
MAID
Maintenance Association Identifier
MAC
Media Access Control
MCID
MST Configuration Identifier
MBB
Make-Before-Break
MEP
Maintenance Association End Point
MEPID
Maintenance association End Point Identifier
MIB
Management Information Base
MIP
Maintenance Intermediate Points
MOTD
Message of the Day
MPLS
Multi Protocol Label Switching
MSTI
Multiple Spanning Tree Instance
MSTP
Multiple Spanning Tree Protocol
MTU
Maximum Transmission Unit
MVR
Multicast VLAN Registration
NAS
Network Access Server
NMS
Network Management System
NTP
Network Time Protocol
OAM
Operations, Management and Maintenance
OAMPDU
OAM Protocol Data Units
OSPF
Open Shortest Path First
Page 3
Term
Meaning
PCV
Path Coding Violations
PDU
Protocol Data Unit
PE
Provider Edge
PHP
Penultimate Hop popping
PING
Packet Internet Groper
PIR
Peak Information Rate
PLR
Point of Local Repair
POP
Point of Presence
PSN
Packet Switched Network
PVID
Port VLAN Identifier
PVST
Per-VLAN Spanning Tree
PW
Pseudo Wire
PWE
Pseudo Wire Emulation
QoS
Quality of Service
RADIUS
Remote Authentication Dial In User Service
R-APS
Ring Automatic Protection Switching
RED
Random Early Detection
RFC
Request for Comments
RIP
Routing Information Protocol
RMON
Remote Monitoring
RSTP
Rapid Spanning Tree Protocol
RSVP
Resource Reservation Protocol
RTP
Real-Time Transport Protocol
RTR
Response Time Reporter
SA
Service Agreement
SAA
Service Assurance Application
SAP
Service Access Point
SCP
Secure Copy Server
SDP
Service Distribution Path
SES
Server Error Seconds
SF
Super Frame
SFD
Start of Frame Delimiter
SFP
Small Form-factor Pluggable
SLA
Service Level Agreement
SLO
Service Level Objectives
SNMP
SSH
Secure Shell
Page 4
Term
Meaning
SST Bridge
Single Spanning Tree Bridge
STP
SW
Software
TACACS+
Terminal Access Controller Access Control System Plus
TC
Topology Change
TCA
Threshold Crossing Alarm
TCN
TC Notification
TCP
Transmission Control Protocol
TDM
Time Division Multiplexing
TFTP
Trivial File Transfer Protocol
TIME
Time Synchronization Control Protocol
TLS
Transparent LAN Service
TLV
Type Length Value
TTL
Time-to Live
ToS
Type of Service
UAS
Unavailable Seconds
UDP
User Datagram Protocol
USM
User-based Security Model
VACM
View-based AccessSecurity Model
VCCV
Virtual Circuit Connection Verification
VID
VLAN Identifier
VLAN
Virtual LAN
VPLS
Virtual Private LAN Service
VPT
VLAN Priority Tag
VPWS
Virtual Private Wire Service
VRED
Virtual Random Early Detection
VRRP
Virtual Router Redundancy Protocol
VTY
Virtual Telnet Type
WAN
World Area Network
WRR
Weighted Round Robin
Page 5

T-Marc 3208SH User Guide Ver 3.5.R1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

T-Marc 3208SH User Guide Ver 3.5.R1

Uploaded by

Copyright:

Available Formats

T-Marc 3208SH

Carrier Ethernet Demarcation Switch User Guide

Copyright Telco Systems 2013. All rights reserved.

Introduction (Rev. 01)