Manual LightBolt - 1.7 - Inglês

AsGa LightB
Light Bolt 10G Switch

AsGa LightB
LightBolt 10G Switch
User Guide
User Guide
Index
AsGa LightB
User Guide Index
INDEX
1 INTRODUCTION ........................................................................................................................................ 8
1.1 FRONT PANEL ............................................................................................................................. 14
1.2 REAR PANEL............................................................................................................................... 14
1.3 POWER SUPPLY ..................................................................................................................... 15
1.4 CONSUMPTION ...................................................................................................................... 15
1.5 DIMENSIONS .......................................................................................................................... 15
1.6 ENVIRONMENTAL CONDITIONS ....................................................................................... 15
1.7 LED SYSTEM INFORMATION ............................................................................................. 15
2 SPECIFICATION ...................................................................................................................................... 17
2.1 SYSTEM DEFAULTS .................................................................................................................... 17
3 CONFIGURATION ................................................................................................................................... 18
3.1 COMMAND LINE INTERFACE....................................................................................................... 18
3.2 CONVENTIONS USED IN THIS GUIDE ........................................................................................... 18
3.3 COMMAND LINE INTERFACE PRIMER.......................................................................................... 18
3.3.1 Command Line Help .......................................................................................................... 19
3.3.2 Syntax Help ........................................................................................................................ 19
3.3.3 Command Abbreviations .................................................................................................... 20
3.3.4 Command Line Errors ........................................................................................................ 20
3.4 MODES COMMON TO PROTOCOLS .............................................................................................. 20
3.5 COMMAND NEGATION ................................................................................................................ 21
3.6 FORMAT USED FOR COMMAND DESCRIPTION ............................................................................. 21
3.7 INITIAL CONFIGURATION ............................................................................................................ 21
3.8 CONNECTING TO THE SWITCH ..................................................................................................... 22
3.8.1 Local Configuration ........................................................................................................... 22
3.8.2 Remote Connections........................................................................................................... 22
3.9 CONFIGURING THE SWITCH ........................................................................................................ 23
3.9.1 Basic Configuration – Console Connection ....................................................................... 23
3.9.2 Displaying system configuration ........................................................................................ 24
3.9.3 Displaying system inventory .............................................................................................. 27
3.9.4 Defining 802.1Q VLAN ..................................................................................................... 27
3.9.4.1 Creating VLANs into the Switch Database ........................................................................................ 27
3.9.5 Switch Port Roles ............................................................................................................... 28
3.9.6 Switchport Mode ................................................................................................................ 28
3.9.7 Assigning a VLAN to an Access port ................................................................................ 29
3.9.8 Adding VLANs to a Trunk Port ......................................................................................... 30
3.9.9 Displaying VLAN information .......................................................................................... 30
3.9.10 Setting Management IP address ..................................................................................... 31
3.9.11 Creating a Switched Virtual interface. ........................................................................... 31
3.9.12 Specifying Host Name.................................................................................................... 32
3.10 MANAGING FILE SYSTEM ........................................................................................................... 32
3.10.1 File types ........................................................................................................................ 32
3.10.2 Loading new files into your system ............................................................................... 33
3.10.3 Saving and restoring system Files .................................................................................. 33
3.10.4 Configure your booting process. .................................................................................... 33
AsGa LightB
User Guide Index
3.10.5 Creating a Default configuration File ............................................................................. 35
3.11 CONFIGURING SYSTEM LOGS..................................................................................................... 35
3.11.1 System Log Configuration ............................................................................................. 35
3.12 CONFIGURING YOUR CONSOLE PORT........................................................................................... 36
3.12.1 Console attributes ........................................................................................................... 36
3.12.2 Enabling Telnet connections and SSH connections ....................................................... 37
3.13 CONFIGURING REMOTE OR LOCAL LOGON AUTHENTICATION ................................................... 38
3.13.1 Enabling a RADIUS Server .......................................................................................... 38
3.13.2 Enabling a TACACs Server ......................................................................................... 39
3.13.3 Configuring User and Passwords .................................................................................. 39
3.13.3.1 Setting locally defined users and passwords........................................................................................ 39
3.13.3.2 Setting remotly authenticated users using an external server. .......................................................... 40
3.14 CONFIGURING SNMP ................................................................................................................. 41
3.14.1 Configuring SNMP V1 ................................................................................................... 41
3.14.2 Configuring SNMP V3 ................................................................................................... 41
3.15 PORT CONFIGURATION ............................................................................................................... 42
3.15.1 Configuring specific basic physical port settings ........................................................... 42
3.15.1.1 Speed ................................................................................................................................................... 42
3.15.1.2 Duplex ................................................................................................................................................. 42
3.15.1.3 Flow Control ........................................................................................................................................ 43
3.16 CONFIGURING IP ADDRESSES ON SWITCHED VIRTUAL INTERFACES SVI´S ................................ 43
3.17 MAC ADDRESS TABLE............................................................................................................... 44
3.17.1 Displaying MAC address tables ..................................................................................... 44
3.17.2 Setting the aging time ..................................................................................................... 45
3.17.3 Setting a Static MAC address......................................................................................... 45
3.18 ACCESS LIST .............................................................................................................................. 45
3.18.1 Access-Lists Categories ................................................................................................. 46
3.18.2 Wildcard Mask ............................................................................................................... 46
3.18.3 Configuring IP standard Access List ............................................................................. 47
3.18.4 Configuring IP extended Acees List .............................................................................. 47
3.18.5 Istaling IP based Access List ......................................................................................... 48
3.18.6 Configuring MAC Bases Access List ............................................................................ 49
3.18.7 Instilling MAC based Access List ................................................................................. 49
3.18.8 Aplaying multiple entries to an ACL ............................................................................. 49
3.19 DENIAL OF SERVICE ATTACK PREVENTION (DOS PREVENTION) ................................................. 50
3.19.1 IP packet with invalid “First-fragment” ......................................................................... 50
3.19.2 Fragmented ICMP packets- icmp-attack-check ............................................................. 50
3.19.3 TCP fragment attack ....................................................................................................... 50
3.19.4 Source IP equal to destination IP attack ......................................................................... 51
3.19.5 Check on invalid TCP flags............................................................................................ 51
3.20 SPANNING TREE PROTOCOLS...................................................................................................... 53
3.20.1 Common Spanning Tree Protocol Commands ............................................................... 53
3.20.1.1 bridge forward-time ............................................................................................................................. 53
3.20.1.2 bridge hello-time .................................................................................................................................. 53
3.20.1.3 bridge max-age .................................................................................................................................... 54
3.20.1.4 bridge priority ...................................................................................................................................... 55
3.20.1.5 Bridge spanning-tree errdisable-timeout enable .................................................................................. 55
3.20.1.6 Bridge spanning-tree errdisable-timeout interval ................................................................................ 56
3.20.1.7 bridge spanning-tree portfast bpdu-filter ............................................................................................. 56
3.20.1.8 bridge spanning-tree portfast bpdu-guard ............................................................................................ 57
3.20.1.9 bridge-group path-cost ......................................................................................................................... 57
3.20.1.10 bridge-group priority ....................................................................................................................... 58
AsGa LightB
User Guide Index
3.20.1.11 spanning-tree guard root.................................................................................................................. 58
3.20.2 STP Commands .............................................................................................................. 58
3.20.2.1 Bridge spanning-tree enable ................................................................................................................ 59
3.20.2.2 debug stp .............................................................................................................................................. 59
3.20.2.3 Show spanning-tree ............................................................................................................................. 60
3.20.3 RSTP Commands ........................................................................................................... 60
3.20.3.1 Bridge rapid-spanning-tree enable ....................................................................................................... 60
3.20.3.2 Clear spanning-tree detected protocols ................................................................................................ 61
3.20.3.3 debug rstp ............................................................................................................................................ 61
3.20.3.4 show spanning-tree .............................................................................................................................. 62
3.20.3.5 spanning-tree force-version ................................................................................................................. 63
3.20.3.6 Spanning-tree link-type ....................................................................................................................... 63
3.20.4 MSTP Commands .......................................................................................................... 64
3.20.4.1 bridge cisco-interoperability ................................................................................................................ 64
3.20.4.2 bridge instance priority ........................................................................................................................ 64
3.20.4.3 bridge instance vlan ............................................................................................................................. 65
3.20.4.4 bridge max-hops .................................................................................................................................. 66
3.20.4.5 bridge multiple-spanning-tree enable .................................................................................................. 66
3.20.4.6 bridge region ........................................................................................................................................ 67
3.20.4.7 bridge revision ..................................................................................................................................... 67
3.20.4.8 bridge-group instance .......................................................................................................................... 68
3.20.4.9 bridge-group instance path-cost ........................................................................................................... 68
3.20.4.10 bridge-group instance priority ......................................................................................................... 68
3.20.4.11 clear spanning-tree detected protocols ............................................................................................ 69
3.20.4.12 debug mstp ...................................................................................................................................... 70
3.20.4.13 show spanning-tree mst ................................................................................................................... 70
3.20.4.14 Show spanning-tree mst config ....................................................................................................... 71
3.20.4.15 Show spanning-tree mst detail ........................................................................................................ 71
3.20.4.16 Show spanning-tree mst instance .................................................................................................... 72
3.20.4.17 Spanning-tree force-version ............................................................................................................ 73
3.20.4.18 link-type .......................................................................................................................................... 74
3.20.4.19 spanning-tree mst configuration ...................................................................................................... 74
3.21 LINK AGREGATION CONTROL PROTOCOL COMMANDS SET. ....................................................... 75
3.21.1 Channel-group ................................................................................................................ 75
3.21.2 port-channel load-balance .............................................................................................. 76
3.21.3 lacp port-priority............................................................................................................. 76
3.21.4 lacp timeout .................................................................................................................... 77
3.21.5 lacp system-priority ........................................................................................................ 77
3.21.6 Show lacp counters ......................................................................................................... 78
3.21.7 Show etherchannel detail................................................................................................ 78
3.21.8 Show etherchannel summary.......................................................................................... 79
3.21.9 show port etherchannel ................................................................................................... 79
3.22 VLAN CLASSIFIER. .................................................................................................................... 80
3.22.1 Introduction .................................................................................................................... 80
3.22.2 Exec mode commands .................................................................................................... 80
3.22.2.1 Show Vlan Classifier Rules ................................................................................................................. 80
3.22.2.2 Show Vlan Classifier groups ............................................................................................................... 80
3.22.2.3 Show Vlan Classifier Groups interface configuration ......................................................................... 80
3.22.3 Configure mode commands............................................................................................ 81
3.22.3.1 Create a Vlan Classifier Protocol rule ................................................................................................. 81
3.22.3.2 Create a Vlan Classifier MAC rule ...................................................................................................... 82
3.22.3.3 Create a Vlan Classifier Subnet rule .................................................................................................... 82
3.22.3.4 Delete Vlan Classifier rule................................................................................................................... 82
3.22.3.5 Associate a Vlan Classifier Protocol rule to a Vlan Classifier Group ................................................. 83
AsGa LightB
User Guide Index
3.22.3.6 Associate all Vlan Classifier MAC rules to a Vlan Classifier Group .................................................. 83
3.22.3.7 Associate all Vlan Classifier Subnet rules to a Vlan Classifier Group ................................................ 83
3.22.3.8 Disassociate a Vlan Classifier Protocol rule to a Vlan Classifier Group............................................. 83
3.22.3.9 Disassociate all Vlan Classifier MAC rules to a Vlan Classifier Group ............................................. 84
3.22.3.10 Disassociate all Vlan Classifier Subnet rules to a Vlan Classifier Group ....................................... 84
3.22.3.11 Delete a Vlan Classifier group ........................................................................................................ 84
3.22.4 Interface mode commands.............................................................................................. 84
3.22.4.1 Install a Vlan Classifier group into interface ....................................................................................... 84
3.22.4.2 Uninstall a Vlan Classifier group into interface .................................................................................. 85
3.23 PRIVATE VLAN SUPPORT .......................................................................................................... 86
3.23.1 Introduction .................................................................................................................... 86
3.23.2 Configuring Private VLANs. ........................................................................................ 86
3.23.2.1 Creating an Associated Private VLAN. ............................................................................................... 86
3.23.2.2 Setting interfaces as Host or Promiscuous mode. ................................................................................ 87
3.23.2.3 Associating VLANs to Host or Promiscuous interfaces. ................................................................... 87
3.23.2.4 A complete configuration example ...................................................................................................... 88
3.24 VLAN TRANSLATION ................................................................................................................ 90
3.24.1 Selective Queue-in-queue............................................................................................... 90
3.24.2 Vlan Translate Swap ...................................................................................................... 92
3.24.3 Vlan Translate Egress ..................................................................................................... 93
3.25 QUALITY OF SERVICE ................................................................................................................. 95
3.25.1 Introduction .................................................................................................................... 95
3.25.2 Ethernet Marking ............................................................................................................ 96
3.25.3 L3 Packet Markings........................................................................................................ 97
3.25.3.1 ToS....................................................................................................................................................... 97
3.25.3.2 Differentiated Service Code Point (DSCP) ......................................................................................... 98
3.25.3.3 Classification ....................................................................................................................................... 99
3.25.4 Queuing ........................................................................................................................ 101
3.25.4.1 Scheduling modes. ............................................................................................................................. 101
3.25.5 Queuing commands ...................................................................................................... 103
3.25.5.1 Queuing profile .................................................................................................................................. 103
3.25.5.2 DSCP to COS default mapping ......................................................................................................... 105
3.25.5.3 Changing DSCP to COS mapping. .................................................................................................... 106
3.25.5.4 DSCP to DSCP mutation map ........................................................................................................... 106
3.25.5.5 CoS to egress queue map ................................................................................................................... 107
3.25.5.6 Queuing Show commands ................................................................................................................ 107
3.25.6 Multicast ....................................................................................................................... 110
3.25.6.1 IGMP Multicast Snooping ................................................................................................................. 110
3.25.6.2 IGMP Snooping show commands. .................................................................................................... 112
3.25.6.3 IGMP Snooping configuration comands ........................................................................................... 113
4 COMMANDS IN ALPHABETIC ORDER .................................................................................................. 121

4.1 ACCESS-LIST ............................................................................................................................ 121
4.1.1 Access List Numbers ........................................................................................................ 121
4.1.2 Access List Masks ............................................................................................................ 121
4.2 ACCES-GROUP COMMANDS ...................................................................................................... 124
4.2.1 mac access-group ............................................................................................................. 124
4.2.2 ip acc ess-Group ............................................................................................................... 124
4.3 BOOT ........................................................................................................................................ 125
4.4 CLEAR COUNTERS..................................................................................................................... 126
4.5 CLEAR MAC-ADDRESS-TABLE ................................................................................................... 127
4.6 CLASS MAP COMMAND ............................................................................................................ 127
4.7 DIR ........................................................................................................................................... 128
AsGa LightB
User Guide Index
4.8 DUPLEX .................................................................................................................................... 129
4.9 ERASE ...................................................................................................................................... 130
4.10 EXIT ......................................................................................................................................... 130
4.11 FLOWCONTROL......................................................................................................................... 131
4.12 INTERFACE ............................................................................................................................... 131
4.13 IP ADDRESS ............................................................................................................................... 132
4.14 IP-ACCESS-GROUP..................................................................................................................... 133
4.15 MAC-ADDRESS-TABLE AGING-TIME .......................................................................................... 133
4.16 MAC-ADDRESS-TABLE FREEZE ................................................................................................. 134
4.17 MAC-ADDRESS-TABLE STATIC .................................................................................................. 134
4.18 SWITCHPORT ............................................................................................................................ 135
4.19 SWITCHPORT MODE .................................................................................................................. 135
4.20 SWITCHPORT ACCESS................................................................................................................ 136
4.21 SWITCHPORT TRUNK................................................................................................................. 137
4.22 SWITCHPORT MODE TRUNK INGRESS FILTER ............................................................................. 138
4.23 SPEED ....................................................................................................................................... 138
4.24 SHOW INTERFACE ..................................................................................................................... 139
4.25 SHOW INTERFACES ................................................................................................................... 140
4.26 SHUTDOWN .............................................................................................................................. 141
4.27 SHOW VLAN ........................................................................................................................... 142
4.28 SHOW OUTBOUND ACCESS-PRIORITY-TABLE ............................................................................ 143
4.29 SHOW TRAFFIC-CLASS-TABLE ................................................................................................... 143
4.30 SHOW USER-PRIORITY .............................................................................................................. 144
4.31 STORM CONTROL ..................................................................................................................... 144
4.32 SNMP-SERVER MANAGER .......................................................................................................... 145
4.33 SNMP-SERVER TRAP-SOURCE .................................................................................................... 145
4.34 SNMP-SERVER ENABLE-TRAPS .................................................................................................. 146
4.35 SNMP-SERVER COMMUNITY ...................................................................................................... 147
4.36 SNMP-SERVER NAME ................................................................................................................ 147
4.37 SNMP-SERVER CONTACT ........................................................................................................... 148
4.38 SNMP-SERVER LOCATION ......................................................................................................... 148
4.39 SNMP-SERVER VIEW ................................................................................................................. 149
4.40 SNMP-SERVER ENGINEID .......................................................................................................... 149
4.41 SNMP-SERVER USER CREATE .................................................................................................... 150
4.42 SHOW SNMP VIEW ..................................................................................................................... 150
4.43 SHOW ALL-FILES ....................................................................................................................... 151
4.44 SHOW LOG-FILES ...................................................................................................................... 151
4.45 SHOW CONFIG-FILES ................................................................................................................. 152
4.46 SHOW MAC-ADDRESS-TABLE .................................................................................................... 152
4.47 STORM-CONTROL ..................................................................................................................... 153
4.48 VLAN DATABASE.................................................................................................................... 154
4.49 VLAN ...................................................................................................................................... 154
4.50 VLAN CLASSIFIER ..................................................................................................................... 155
4.51 WRITE ...................................................................................................................................... 156
AsGa LightB
User Guide Safety Warnings
SAFETY WARNINGS
Safety
When installing, operating and maintaining this equipment, basic safety precautions should always be
followed. No adjustment, repair or maintenance should be performed by the operator or user. Only
qualified person or authorized services are allowed to repair or make adjustments to this equipment.
Optical Device
Since this product has an optical device, the following security warnings should be followed:
• Never look directly into the optical transmission interface, aligning your
eye with the optical device. Doing so, user could expose your eye to a
concentrated beam of optical radiation.
• Do not attempt to adjust the optical device, intending to amplify or
attenuate the optical signal.
Internal Voltage
As the serial inputs and outputs of this equipment operate with voltages lower
than the 5 volt threshold, it cannot harm the user when handling the equipment.
However, over voltages coming from the Telecommunication Network could be
present, mainly if the equipment is not properly installed.
Electrostatic Discharge
This product (chassis and printed circuit boards) can be handled by the user, not
presenting any problems concerning electrical discharge. However, it is
recommended user to follow ANSI IPC-A-610 standard for electrical discharge
(ESD) and use a wrist strap when removing or inserting any card into the
equipment.
The information contained in this guide is AsGa’s property, and it is not authorized to publish,
reproduce or to make any other use without written permission of AsGa.
AsGa reserves the right to make changes to this guide without notice.
7
AsGa LightB
User Guide Introduction
1 INTRODUCTION
Over the past several years, Ethernet has been the most popular choice of technology for
local area networks (LAN). There are millions of Ethernet users worldwide and still counting growing.
In 1998, the standard for 1-Gigabit Ethernet was released. Today 1-Gigabit Ethernet dominate the
LAN markets.
As the demand for high-speed networks continues to grow, the need for a faster Ethernet
technology became a need. By March 1999, a working group was formed at IEEE 802.3 Higher
Speed Study Group (HSSG) to develop a standard for 10-Gigabit Ethernet, today 10GigE is a reality.
10-Gigabit Ethernet is basically the faster-speed version of Ethernet. It will support the data rate of 10
Gb/s. It offers similar benefits to those of the preceding Ethernet standard.
The potential of 10-Gigabit Ethernet to solve the actual and future network bottlenecks are
enormous.
There are broad groups of users who demand 10-Gigabit Ethernet; for example, enterprise
users, universities, telecommunication carriers, and Internet service providers, but in a last instance;
users and their application will be pushing up this new generation of equipments and its use.
One of the main benefits of 10-Gigabit standard is that it offers a low-cost solution to solve the
current and future demands for bandwidth. Not only the cost of installation is low, but the cost of
network maintenance and management is minimal as well. Management and maintenance for 10-
Gigabit Ethernet may be done by local network administrators as it is done actually for 1GigE
networks.
In addition to the cost reduction benefit, 10-Gigabit Ethernet may allow faster switching. Since
10-Gigabit Ethernet uses the same Ethernet format, it allows seamless integration of LAN, MAN, and
WAN. There is no need for packet fragmentation, reassembling, or address translation 10-Gigabit
Ethernet also offers straightforward scalability (10/100/1000/10000 Mb/s).
Upgrading to 10-Gigabit Ethernet is simple since the upgrade paths are similar to those of 1-
Gigabit Ethernet.
AsGa LightBolt 10Giga switches offer a seamless path migration to your 10Gig solution,
integrating in just one rack unit 24 1Giga electrical/ optical ports (two optical/ electrical 1Giga combo
port available) plus four 10Giga ports with an unparallel switching capacity: less than 3 microsecond
switching time at full load. In addition to many other capabilities, all switching/routing decisions are
solved by hardware, all Access Control List (ACL´s) are also solved in hardware off loading all host
CPU processing time related with those and many other tasks.
LightBolt family of switches is composed by:
LightBotl 26302-O
• 24 Ports 10/100/1000. Optical ports (base on SFP technology).Two Combo ports

Electrical/Optical.
• 2 ports 10G (XC4 compatible).
• 1 Rack Unit.
• 8K MAC Table.
• 256 L3 IPV4 Table.
• 0,75 MBit Shared Buffer memory pool.
8
AsGa LightB
LightBotl 26302-E

Electrical/Optical.
• 2 ports 10G (XC4 compatible).
• 1 Rack Unit.
• 8K MAC Table.
• 256 L3 IPV4 Table.
LightBotl 28322-E
• 24 Ports 10/100/1000. Electrical ports. Two Combo ports Electrical/Optical (base on SFP
technology).
• 4 ports 10G (Two XSFP based plus two 10Gig electrical port XC4 compatible).
• 1 Rack Unit.
• 8K MAC Table.
• 4K L3 IPV4 Table.
LightBotl 28522-E
• 24 Ports 10/100/1000. Electrical Ports. Two Combo ports Electrical/Optical (base on SFP
technology).
• 1 Rack Unit.
• 16K MAC Table.
• 2 MBit Shared Buffer memory pool.
9
AsGa LightB
LightBotl 28322-O

Electrical/Optical.
• 1 Rack Unit.
• 8K MAC Table.
LightBotl 28522-O

Electrical/Optical
• 1 Rack Unit.
• 16K MAC Table.
LightBotl 28340-O

Electrical/Optical.
• 4 ports 10G (Four XSFP based).
• 1 Rack Unit.
• 8K MAC Table.
10
AsGa LightB
LightBotl 28540-O

Electrical/Optical.
• 1 Rack Unit.
• 16K MAC Table.
LightBotl 28540-E

Electrical/Optical.
• 1 Rack Unit.
• 16K MAC Table.
With LightBOLT switches, AsGa introduce AsGOS a compressive CLI (Command Line Interface)
industry standard configuration. AsGOS come in the following packages:
Layer 2 protocol support:

• IEEE 802.3ac – VLAN Tagging.
• IEEE 802.1S – Multiple Spanning Tree.
• IEEE 802.1W – Rapid Spanning Tree.
• IEEE 802.1D – Spanning Tree.
• IEEE 802.1Q – Virtual LANs with Port Based VLANs.
Up to 4095 VLANs.
• IEEE 802.1v – Protocol based VLANs.
• IEEE 802.1p – Prioritization of Traffic at the Data-Link Level.
• IEEE 802.1X – Port Authentication. (*)
• IEEE 802.3x – Flow Control.
• Port Mirroring.
Switched Port Analyzer (SPAN).
Remote switched Port Analyzer (RSPAN).
• Broadcast Storm filtering.
• Multicast Storm filtering.
• Rate Limiting (In/Out).
11
AsGa LightB
• Static MAC Filtering.
• Mac freezing.
Stop the automatic learning process on the switch.
• Double VLAN / vMAN Tagging Q on Q.
• Support for Jumbo Frames.
• L2 Access Control List. ACLs Support.
• MAC addresses Table size:
Up to 16K MAC addresses for LightBolt 285XX.
Up to 8K MAC addresses for LightBolt 283XX.
• L3 Access Control List ACLs fully supported in Hardware.
• Denied Of Service (DoS) Checking.
DoS checking for source IP equal to destination IP
Fragmented ICMP packets.
Packets with TCP header offset equals to 1.
UDP packets where destination ports is the same as source ports.
TCP packets where destination ports is the dame as source ports.
TCP packets with FIN, URG, PSH bits enable and sequence number = 0.
Minimum TCP header size value for header size
Other specific DoS characteristics are checked.
• Private VLAN Support
• VLAN translation support.
• Selective Q in Q support.
• Quality Of Service Support:
Filtering (L3/L4 Access Lists).
RFC 2474 – DiffServ Definition.
RFC 2475 – DiffServ Architecture.
RFC 2597 – Assured Forwarding PHB.
RFC 3246 – An Expedited Forwarding PHB.
RFC 3260 – New Terminology and Clarifications for DiffServ.
L3 ACLs Access Control List.
Queuing Method: Strict Priority (SP).
Queuing Method: Round Robbing. (RR).
Queuing Method: Weighted Round Robbing (WRR).
Queuing Method: Defict Round-Robin Scheduling.
RFC 2698 – A Two Rate Three Color Marker.
Single Rate Two Color Marker.
L3 Access Control List.
L2 Access Control List.
Multi-rule Access Control Lists.
L4 Filtering capabilities for Access Control Lists
Vlan traffic classification.
Mac traffic classification.
IP traffic Classification.
L4 traffic Classification.
TCP/UDP port traffic Classification.
Access Control Lists reuse for classification.
Access Control Lists reuse for classification.
Traffic Police.
Traffic L3 QoS parameters change.
Traffic priority assignment.
Policed and classified traffic counters.
Bandwidth profiles.
Multi-queue system per-port (8 queues)
Per-queue bandwidth configuration
DSCP-to-CoS mapping
DSCP-to-DSCP mutation mapping
12
AsGa LightB
Per-port default CoS value with system trust mode.
Full system CoS to Priority mapping.
2nd TAG COS Copy (Q In Q COS Copy).
• Management:
SNMP V1 RFC 1157.
SNMP V2 RFC 1901.
SNMP V3 RFC 257.
- RFC 2575 – View based Access Control Model for SNMP.
CLI industry standard.
TFTP as a transfer protocol for all File exchange operations.
Logging system.
Configuration Backup and restore: You can save the current configuration settings to a
file on a TFTP server, and later download this file to restore the switch configuration
settings.
Image Backup and restore: You can save or restore the image files on a TFTP
server, and later download or restore it to the switch
Authentication – This switch authenticates management access via the console port,
Telnet. User names and passwords can be configured locally or can be verified via a
remote authentication server RADIUS. Other authentication options include SSH for
secure management access over a Telnet-equivalent connection, IP address filtering
for SNMP/Telnet management.
• Full L3 protocol Support (*). When loaded with this feature set software. In addition to the
before mentioned L2 characteristics the LightBOLT family of switches Full Layer 3 support.
• AsGOS MC Extension (*): Full Layer 2; little Layer 3 package specifically adapted for provide
full management support to AsGa 1GigE Media Converters directly attached to Optical
LightBOLT Family of switches.
The following lines detail basic CLI standard commands available at the current AsGOS L2
version; for more complete information about all command available please refer to the alphabetic
command index.
13
AsGa LightB
1.1 Front Panel
The figure 1-1 displays the frontal view of Switch LightBolt.
Figure 1.1: Front Panel.
Position Designation
RJ45 connector for combo port Electrical 10/ 100/ 1000Mbps and indicative Led of activity
[1]
in the port (ports 1 – 24).
[2] SFP connector for combo port Optical.
[3] Microgiga connector for ports 10GE.
[4] Indicative Led for Ethernet link (LINK 1 - 4).
[5] Indicative Led of activity in the port 10GE (ACT 1 - 4).
[6] Indicative Led for activated Switch (PWR).
1.2 Rear Panel

The figure 1-2 displays the back view of Switch LightBolt.
Figure 1.2: Rear Panel.
Position Designation
[7] RJ45 connector for notebook connection.
[8] DB9 connector for notebook connection.
[9] Backup connectors for power supply input (AC / DC).
[10] Main connectors for power supply input (AC / DC).
14
AsGa LightB
1.3 POWER SUPPLY
LightBolt10GigE switch has a 90 to 250VAC or 36V to 60V DC input voltage supply source.
Power input is made through a three-pole connector found in the rear panel. Alternatively, switch may
be supplied with an extra source for protection.
1.4 CONSUMPTION
• LightBolt 26302-O: 98W • LightBolt 26302-E: 94W
• LightBolt 28340-O: 98W
1.5 DIMENSIONS
• Height: 44,45mm (1U)
• Width: 482,6 mm (19”)
• Depth: 367 mm
1.6 ENVIRONMENTAL CONDITIONS

LightBolt10GigE switch fully meet the “Prática Telebrás 240-600-703” specifications, as class
C – variant 2 – equipment for operation in non-acclimatized, covered environment, within the 0°C to
50°C temperature range.
• Operational Temperature: 0°C to 50°C.
• Storage Temperature: -5°C to 50°C.
• Transportation Temperature: -40°C to 70°C.
• Relative Humidity: Up to 90%, without condensation.
1.7 LED SYSTEM INFORMATION

The LightBolt family of switches has an extensive range of LEDs that allow you to easily
monitor network activity and status.
Basic information’s as negotiated Speed, traffic activity and link are provided on LightBolt
Electrical switches through two bi colored leds incorporated in the same RJ45 connector. The
following picture shows the Leds and their status. For activity status the led will twinkle between two
colors, green and yellow, for receiving or transmitting packets on that interface.
Figure 1.3: Led System Information (LightBolt Eletrical switches)
15
AsGa LightB
The 10 gigE system Led appear at each side of the 10GigE connectors. See the description of
those leds in Figure 1.4:
Figure 1.4: Led description for 10 GigE Ports.
To Optical LightBolt switches, the system of Leds have the same meaning but their function are
determinate by the MODE button at the right side of the front panel switch. Pressing this button you
will change the front panel led meaning. The color follows the same pattern of electrical switches.
The blue Led on the right side have also some meanings:
• Off: No power.
• On: System working.
• Blinking: System on test; System not working properly; or, system on booting process.
16
AsGa LightB
LightBolt 10GigE Switch
User Guide Specification
2 SPECIFICATION
2.1 System Defaults
The switch’s system defaults are provided in the configuration file
“Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup
configuration file. The following table lists some of the basic system default.
FUNCTION PARAMETER DEFAULT
Baud Rate 9600 bps
Data Bit 8
CONSOLE PORT CONNECTION Stop Bit 1
Parity N
Console time out Disable 0
User Name: none
Normal Exec
Password: none
Configuration Level Password: none
AUTHENTICATION
RADIUS Disable
SSH V2.0 Disable
Telnet port 23 Disable
SNMP V1; V2; V3 Disable
RO: not configured
SNMP
Communities R/WR: not configured
Trap: not configured
Admin Status Enable
Auto negotiation (on 1GigE optical Disable (fixed at 1GigE on optical
port) switch model)
Flow Control ( on 1 GigE optical
Disable
ports)
10 Mbps Half Duplex Enable
PORT CONFIGURATION 10 Mbps Full Duplex Enable
GiGE (Electrical) negotiated Port 100 Mbps Half Duplex Enable
Negotiated and Fixed Capabilities 100 Mbps Full Duplex Enable
1000 Mbps Full Duplex Enable
Flow Control Enable
Xe (10GigE) Optical Port 10 GigE Full Duplex. Fixed.
Capabilities Flow Control Disable.
Xe (10GigE) XAUI Port 10 GigE Full Duplex. Fixed.
Capabilities Physical: CX4
RATE LIMITING In/Out Disable
BROADCAST STORM
In Disable
SUPPRESSION
MULTICAST LIMIT
In Disable
SUPPRESSION
Mode 802.1D Classic Spanning Tree
SPANNING TREE PROTOCOL
Port Fast Disable
ADDRESS MAC TABLE Aging Time 300 seconds
Default VLAN 1
Port vlan Mode: PVID 1
VIRTUAL LANs VLANs
Frames Acceptable Untagged
Switch Port Mode Access
IP address 0.0.0.0
MANAGEMENT IP SETTINGS
Mask 255.0.0.0
first-fragment-ip-packets Enable
icmp-attack-check Enable
minimun-icmp-packet-over-size 512
minimun-tcp-header-allowed 20
DENIED OF SERVICES
sip-dip-protection Enable
tcp-fragment-attack Enable
tcp-on-invalid-flags Enable
tcp-udp-sp-equal-dp Eanble
SYSTEM LOG Status Disable
Table 2.1: System Defaults.
17
AsGa LightB
User Guide Configuration
3 CONFIGURATION
3.1 Command Line Interface
This Guide attempts to make configuration simpler as possible; displaying all AsGOS
command lines necessaries to configure LightBOLT series switches. It covers basic configurations for
Basic Access and all Networking Services provided by the platform.
3.2 Conventions Used in this Guide

Conventions for the syntax and procedures describing how to enter information and how
information is displayed on the console are presented in the following table.
CONVENTION DESCRIPTION SYNTAX

This monospaced font represents command strings
command syntax show ip ospf
entered on a command line and sample source code.
A variable parameter. Enter a value according to the area AREAID range
UPPERCASE
descriptions that follow. ADDRESS
[parm1|parm2|?parm3]
Used with the square brackets to limit the immediately
expands to parm1 parm3
? question Mark following token to one occurrence. Not to be entered as
parm1 parm2 (with parm3
part of the command.
occurring once)
A keyword parameter. Enter lowercase values exactly as
lowercase show ip ospf
shown.
| The vertical bar. Delimits choices; select one from the list. A.B.C.D|<0-4294967295>
Allows the repetition of the element that immediately
.AA:NN can be expanded
. Dot (period) follows it multiple times. Not to be entered as part of the
to: 1:01 1:02 1:03.
command.
Parenthesis. Delimits optional parameters. Do not enter
() (A.B.C.D|<0-4294967295>)
parentheses as part of any command
Square brackets: groups parameters and keywords into a
[] single unit. Take all parts within these brackets. Do not [parm2|parm2|parm3]
enter brackets as part of any command.
Angle brackets: enclose a numeric range for a keyword.
<> <0-65535>
Do not enter angle brackets as part of any command.
description Proportional font gives specific details about a parameter.
Equal sign: separates the command syntax from
= PROCESSID = <0-65535>
explanatory text.
GE1 (For Giga Bit Etherrnet
IFNAME Indicates the name of an interface. interfaces) XE1 (For 10Giga
Bit Interfaces)
Table 3.1 – Conventions used on this guide.
Note: Unless otherwise stated, press Enter after each command entry.
3.3 Command Line Interface Primer

The AsGOS Command Line Interface (CLI) is a text-based facility similar to most industry
standards command lines interfaces. Each command CLI is usually associated with a specific function
or a common task performing it specifically.
Multiple users can telnet and issue commands using the Exec mode and the Privileged Exec
mode. However, only one user is allowed to use the Configure mode at a time, to avoid multiple users
from issuing configuration commands simultaneously.
18
AsGa LightB
3.3.1 Command Line Help
The AsGOS CLI contains a text-based help facility. Access this help by typing in the full or
partial command string then typing “?”. The AsGOS CLI displays the command keywords or
parameters plus a short description.
Note: Some of our command exemplified here are base on features that will be released. All of them
must be taken as typographic examples only.
For example, at the CLI command prompt, type “show ?” (the CLI does not display the question
mark). The CLI displays this keyword list with short descriptions for each keyword:
bgpd# show
debugging Debugging functions (see also 'undebug')
history Display the session command history
ip IP information
memory Memory statistics
route-map route-map information
running-config running configuration
startup-config Contents of startup configuration
version Displays AsGOS version
3.3.2 Syntax Help

The AsGOS CLI can complete the spelling of command or parameter keywords. Begin typing
the command or parameter then press TAB. At the CLI command prompt type sh:
AsGOS> sh
Press TAB. The CLI shows:
AsGOS> show
If the command or parameter partial spelling is ambiguous, the AsGOS CLI displays the
choices that match the abbreviation. Type “show i”. Press TAB. The CLI shows:
AsGOS> show i
interface ip
AsGOS> show i
The interface displays the interface and ip keywords. Type “n” to select interface and press
TAB. The CLI shows:
AsGOS> show in
AsGOS> show interface
Type “?” and the CLI shows the list of parameters for the show interface command.
[IFNAME] Interface name

AsGOS> show interface
This command has but one positional parameter, an interface name. Supply a value for the
IFNAME parameter.
19
AsGa LightB
3.3.3 Command Abbreviations
The AsGOS CLI accepts abbreviations for commands. For example:
sh in Ge7
Is the abbreviation for the “show interface command”.
3.3.4 Command Line Errors

If the switch does not recognize the command after ENTER is pressed, it displays the following
message:
% Unknown command.
If a command is incomplete it displays the following message:

% Command incomplete.
Some commands are too long for the display line and can wrap in mid-parameter or mid-
keyword if necessary.
3.4 Modes Common to Protocols

Exec: This mode, also called the View mode, is the base mode from where users can perform basic
commands like show, exit, quit, help, list, and enable.
Privileged Exec: This mode, also called the Enable mode, allows users to perform debugging
commands, the write commands (for saving and viewing the configuration), show commands, and so
on.
Configure: Sometimes referred to as Configure Terminal, this mode serves as a gateway to jump to
another cotext, like the Interface, Line, Route Map, Key Chain and Address Family modes contexts.
Interface: This mode (or context) is used to configure protocol-specific settings for a particular
interface.
Figure 3.1 – Modes common to protocols.
20
AsGa LightB
3.5 Command Negation
Some commands can be negated by using a no keyword. Depending on the command or
the parameters, command negation can mean the disabling of one entire feature for the
AsGOS/switch or the disabling of that feature for a specific ID, interface or address.
In the following example, negation is for the base command only. The negated form does
not take any parameter.
default-metric <1-16777214>
no default-metric
3.6 Format used for Command Description

The following lines show us how commands will be represented in the context of this manual:
Command name
Description of the command. What the command does and when should it be used.
Command Syntax
Sample command name mandatory-parameters (OPTIONAL-PARAMETERS)
Default
The status of the command before it is executed. Is it enabled or disabled by default.
Command Mode
Name of the command mode in which this command is to be used. Such as, Exec, Privilege Exec,
Configure mode and so on.
Usage
This section is optional. It describes the usage of a specific command and the interactions between
parameters. It also includes appropriate sample outputs for show commands.
Example
Used if needed to show the complexities of the command syntax.
Related Commands
This section is optional and lists those commands that are of immediate importance.
Equivalent Commands
This section is optional and lists commands that accomplish the same function.
Validation Commands
This section is optional and lists commands that can be used to validate the effects of other
commands.
3.7 Initial Configuration

The switch includes a built-in network management agent based on a CLI Industry default
access method. A PC may be connected directly to the switch for configuration and all of its features
can be monitored and configured via this command line interface (CLI). In addition to CLI access
method the system has a complete SNMP option; including those defined on SNMP V.3 RFC 2575
(View based Access Control Model for SNMP).
The CLI program can be accessed by a direct connection to the RS-232 serial console port
on the switch; or remotely by a Telnet or SSH connection over the network. For any remote operation
21
AsGa LightB
you need to configure an IP management address. The IP address for this switch is unassigned by
default. To change this address, see “Setting Management IP address” on page 31.
The switch, CLI interface configuration program agent allows you to perform the following
management functions:
• Set user names and passwords.

• Set an IP interface for a management VLAN.
• Configure SNMP parameters.
• Enable/disable any port.
• Set the speed/duplex mode for any port.
• Configure up to 4096 IEEE 802.1Q VLANs.
• Upload and download system software via TFTP.
• Upload and download switch configuration files via TFTP.
• Configure Spanning Tree parameters for all STPx supported.
• Enable port mirroring.
• Set broadcast storm control on any port.
• Display system information and statistics.
• Others.
3.8 Connecting to the switch
3.8.1 Local Configuration

The switch provides an RS-232 serial port that enables a connection to a PC or terminal for
monitoring and configuring the switch. To do this you will need a RS232 (no cross over cable) cable;
attach a VT100-compatible terminal or a PC running your favorite terminal emulation program with the
following parameters configured:
• Select the appropriate serial port (COM port 1 or COM port 2).
• Set the profile to the default switch profile.
• Once you have set up the terminal correctly, the console login screen will be displayed.
• Refer to “Line Commands” for a complete description of console configuration options.
The following picture show the DB9 switch “Pin out”:
Figure 3.2 – DB9 switch Pin out.
3.8.2 Remote Connections

By default your LightBolt switch does not accept any remote configuration neither telnet nor
ssh. You need specifically enable those features trough configuration mode. The following lines
describe those commands in order to enable the Telnet service.
COMMAND DESCRIPTION
AsGa> enable To enter in configuration mode ingress the enable command
22
AsGa LightB
and press enter.
AsGa# service telnet (enable | Disable) Enable or disable the Telnet Service
AsGa# wr Save the current configuration
SSH Service:
COMMAND DESCRIPTION
To enter in configuration mode ingress the enable
AsGa> enable
command and press enter.
AsGa# service ssh (enable | disable) Enable or Disable the SSH Service
As well to gain access to onboard management agent via a network connection, you must
first configure it with a valid IP address, subnet mask, and route (when it is needed) using a console
connection. The IP address for this switch is unassigned by default; see “Setting Management IP
address” on page 31.
This switch supports five simultaneous Telnet sessions. After configuring the switch’s IP
parameters, you can access the onboard configuration program from anywhere within the attached
network. The onboard configuration program can be accessed using Telnet (port 23 by default) or
SSH from any computer attached to the network.
3.9 Configuring the Switch
3.9.1 Basic Configuration – Console Connection

The CLI program provides different command levels — normal access level (Normal Exec)
View mode; privileged access level (Privileged Exec) and configuration mode. The commands
available at the Normal Exec level are a limited subset of those available at the Privileged Exec level
and allow you to only display information and use basic utilities. To fully configure the switch
parameters, you must access the CLI at the privileged Exec level. Access to both CLI levels are
controlled by users names and passwords. The switch has no default user name and password
configured.
Connected to the console port to initiate your console connection, just press <Enter>. At the
first time you will not be prompted for a user name and password. You will have the default prompt
name witch will be “AsGa> “ witch indicate the normal Exec mode operation (or View mode).
At this level you can enter at the configuration mode issuing the following commands:
COMMAND DESCRIPTION
AsGa> Default hostname and prompt will be displayed
To enter in configuration mode ingress the enable command and
AsGa> Enable
press enter (by default this mode has no password protection).
AsGa# Now you are into configuration mode or privileged mode.
If you have configured a user name and password you will be prompted:
COMMAND DESCRIPTION
After connect your terminal you will be prompted for a user name
and password.
User name: Enter your configured User name.
Password: Enter Your Configured Pass.
AsGa> Default hostname and password.
AsGa> enable Now you can issue the command enable.
AsGa# The prompt will change to “#”. Now you are into the privileged
mode or configuration mode.
23
AsGa LightB
3.9.2 Displaying system configuration
In order to verify your current configuration you need to type the command “show
running” under the privileged Exec level (enable mode). This command displays your
configuration stored into NVRAM and actually running on your system. A typical view of this command
can be summarized:
AsGa#sh run
!
no service password-encryption
!
hostname AsGa
!
spanning-tree mst config
bridge instance 1 vlan 100
bridge region test
!
maximum-paths 8
bridge protocol mstp
bridge acquire
vlan classifier rule 1 ipv4 40.40.40.40/24 vlan 300
vlan classifier rule 2 mac 00.0c4.012 vlan 300
vlan classifier rule 3 proto 8192 encap ethv2 vlan 300
vlan classifier group 1 add rule 1
bridge spanning-tree errdisable-timeout interval 1
bridge cisco-interoperability enable
!
interface ge1
switchport
switchport mode access
switchport access vlan 100
flowcontrol send on
flowcontrol receive on
bridge-group instance 1
spanning-tree portfast
!
interface ge2
switchport
bridge-group
!
interface ge3
switchport
!
interface ge4
switchport
24
AsGa LightB
vlan classifier activate 1
!
interface ge5
!
interface ge6
!
interface ge7
!
interface ge8
!
interface ge9
!
interface ge10
!
interface ge11
switchport
!
interface ge12
switchport
switchport mode trunk
switchport mode trunk ingress-filter enable
switchport trunk allowed vlan add 300
!
interface ge13
!
interface ge14
!
interface ge15
!
interface ge16
!
interface ge17
!
interface ge18
!
interface ge19
!
interface ge20
switchport
switchport mode access ingress-filter enable
flowcontrol send on
flowcontrol receive on
!
interface ge21
switchport
!
25
AsGa LightB
interface ge22
!
interface ge23
switchport
switchport trunk native vlan 4094
!
interface ge24
switchport
!
interface lo
mtu 1500
ip address 127.0.0.1/8
ip address 30.30.30.30/24 secondary
!
interface vlan1.1
!
interface vlan1.20
!
interface vlan1.100
ip address 10.10.10.10/24
!
interface vlan1.300
!
interface vlan1.4094
!
line con 0
exec-timeout 0 0
login
line vty 0 4
exec-timeout 0 0
login local
!
end
AsGa#
26
AsGa LightB
3.9.3 Displaying system inventory
The command “show inventory” shows all basic system information including MAC base
system address; software and hardware versions; manufacturing data; etc. A typical view of this
command is:
System Inventory: Lightbolt 28304E

Mac Address: 00:14:fa:00:29:30
Description: Production Sample
Product code: 15097
Serial number: 1
Manufacturing Date: 01/04/2008
Hardware Version: 15
Firmware Version: 1
System Version: N/A
Startup Version: 1.0.0-RC1
AsGOS Version: 1.0.0-RC5
Product Notes: Not for sale
Resets: 113
3.9.4 Defining 802.1Q VLAN

VLANs are a mechanism to allow network administrators to create logical broadcast domains
that can span across a single switch or multiple switches, regardless of physical proximity. This
function is useful to reduce the size of broadcast domains or to allow groups or users to be logically
grouped without the need to be physically located in the same place.
Your LightBolt switch permits up to 4095 VLANs to be defined on a single switch. The
following figure shows a single VLAN tagged packet:
Figure 3.3 – VLAN tagged packet.
3.9.4.1 Creating VLANs into the Switch Database

Use the vlan database into configuration mode command to add a VLAN and enter the config-
vlan mode. Use the no statement of this command to delete the VLAN. The VLAN database will no be
printed into the configuration file.
vlan vlan-id {enable|disable}|[name vlan-name][state {suspend|active}

no vlan vlan-id
vlan-id ID: Of the configured VLAN. Valid IDs are from 1 to 4095. Do not enter leading zeros.
Name: vlan-name (Optional): Specify the VLAN name, an ASCII string from 1 to 32
characters.
State: {suspend | active} (Optional) Specify the VLAN state:
• If active, the VLAN is operational.
• If suspend, the VLAN is suspended. Suspended VLANs do not traffic
packets.
27
AsGa LightB
• Create the VLANs into the VLAN switch database:
COMMAND DESCRIPTION
AsGOS (config)# vlan database Enter the VLAN configuration mode.
Enable VLAN number 5. Specifying the enable
AsGOS (config-vlan)# vlan 5 state enable state allows forwarding of frames on this VLAN-
aware bridge.
AsGOS (config-vlan)# exit Exit the VLAN configuration mode and enter
Configuration mode.
3.9.5 Switch Port Roles

Physical ports in a switch can have two defined roles:
switched ports: ports which cannot accept an IP address or

routed ports: ports which can accept an IP address.
Note: By default all ports are switched (no routed) access ports with the default per port VLAN ID
(PVID) equal to one (PVID=1). By default the system run classical STP on all those access port.
Use the switchport interface configuration command with no keywords to put an interface
that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration. Use the no statement of this
command to put an interface in Layer 3 mode.
switchport
no switchport
Use the no switchport command (without parameters) to set the interface to the routed-
interface status and to erase all Layer 2 configurations. You must use this command before assigning
an IP address to a routed port.
COMMAND DESCRIPTION
AsGa>config t Enter into configuration mode.
AsGa#interface ge1 Enter into interface ge1 configuration mode.
AsGa(interface)# Now you are into the interface configuration mode.
AsGa(interface)# swtchport Put the interface into the default switchport mode.
AsGa(interface)#end Exit from interface configuration mode.
AsGa# wr Save the configuration.
COMMAND DESCRIPTION
AsGa>config t Enter into configuration mode
AsGa#interface ge1 Enter into interface ge1 configuration mode.
AsGa(interface)# NO swtchport Put the interface into the routed port mode, ready to
accept an IP address.
3.9.6 Switchport Mode

When the switch receives a frame, it classifies the frame in one of two ways. If the frame is
untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the
receiving port). But if the frame is tagged the switch use the Tagged VLAN ID to identify the port
broadcast domain for the frame.
28
AsGa LightB
In order to identify the ports where the frame must be sent first at all you need to define the
switch port mode of a port.
Ports can be 3 types:
• Access Ports.
• Trunk Ports.
• Hybrid ports.
Use the switchport mode interface configuration command to configure the mode of a port. Use
the <no> statement of this command to reset the mode to the appropriate default for the device.
switchport mode {access | trunk | hybrid}

no switchport mode {access| trunk | hybrid}
Access: Set the port to access mode. The port is set to access unconditionally and operates as a
nonetrunking, single VLAN interface that sends and receives none capsulated (non-tagged) frames.
An access port can be assigned to only one VLAN.
Trunk: Set the port to trunk unconditionally. The port is a trunking VLAN Layer-2 interface. The port
sends and receives encapsulated (tagged) frames that identify the VLAN of origination. A trunk is a
point-to-point link between two switches or between a switch and a router.
Hibrid: This mode set the trunk in an hybrid mode which means that the port acting as a trunk has a
default VLAN for all those packets that arrive at the port untagged. Under this mode the user must
specify the untagged VLAN for all those arriving non tagged packets. Packet going outward for the
specified VLAN ID will go from this trunk in an untagged form.
• Setting an interface into switched port mode access:
COMMAND DESCRIPTION
AsGa>config t Enter in configuration mode.
AsGa#interface ge1 Enter in interface ge1 configuration mode.
AsGa(interface)# swtchport mode access Put the interface in the accces switch port mode.
• Setting an interface in switched port mode trunk:
COMMAND DESCRIPTION
AsGa(interface)# swtchport mode trunk Put the interface in the trunk switch port mode.
3.9.7 Assigning a VLAN to an Access port

Use the “switchport access” interface configuration command to configure a port as a VLAN
assigned static-access port. If the mode is set to access, the port operates as a member of the
configured VLAN.
switchport access vlan [VLAN-ID]

no switchport access vlan
29
AsGa LightB
COMMAND DESCRIPTION
AsGa(interface)# Now you are in the interface configuration mode.
AsGa(interface)# swtchport access vlan 300 Assign Pert Port VLAN ID to an access port.
3.9.8 Adding VLANs to a Trunk Port

Ports can be access port or trunk port. The table shows the steps necessaries for adding a
VLAN in an trunk port.
• Enabling all VLANs on a trunk port.

COMMAND DESCRIPTION
AsGOS# configure terminal Enter the Configure mode.
AsGOS(config)# Interface GE24 Enter into the Ge24 Interface context.
AsGOS (config_if)# switchport mode trunk Set the switching characteristics of this interface to
trunk mode.
AsGOS (config_if)# switchport trunk allowed
vlan all. Enable all VLANs on this trunk port.
Exit the interface configuration mode and enter
AsGOS (config-if)# exit
configuration mode.
• Adding a particular VLAN to a trunk port.

COMMAND DESCRIPTION
AsGOS(config)# Interface GE24 Enter into the Ge24 Interface context.
AsGOS (config_if)# switchport mode trunk Set the switching characteristics of this interface to
trunk mode.
AsGOS (config_if)# switchport trunk add Enable VLAN ID 100 on this trunk port. Any other
vlan 100 vlan than 100 will be filtered by this trunk port.
Exit the interface configuration mode and enter
AsGOS (config-if)# exit
configuration mode.
3.9.9 Displaying VLAN information

In order to display the VLAN port assignment you need to issue the command “show vlan all”
specifying the bridge number. The system will show the following list:
AsgOS#show vlan all
Bridge VLAN ID Name State Member ports

(u)-Untagged,
(t)-Tagged
================================================================
1 1 default ACTIVE
ge1(u)ge2(u)ge3(u)
ge4(u)ge5(u)ge6(u)
ge7(u)ge8(u)ge9(u)ge10(u)
ge23(u)ge24(u)
xe1(u)xe2(u)xe3(u)xe4(u)
30
AsGa LightB
3.9.10 Setting Management IP address
You must define an IP address for the switch to obtain management access through a external
network. At this time you can set the management IP address manually. No DHCP is supported.
Remote management is taken from any IP interface defined into the switch, Routed IP
interfaces and Switched Virtual interfaces (SVI´s) are suitable of receive an IP address. Those IP
address can be used as Management interfaces as they appear as directed connected IP interfaces
to the global L3 routing table.
Use the ip address interface configuration command to set an IP address for the Layer 2 switch
or an IP address for each switch virtual interface (SVI) or routed port on the Layer 3 switch.
Assuming that your LightBolt switch has just one default vlan (VLAN1) and its respective
switched virtual interface (SVI) VLAN1.1; the following commands shows how to set up an IP address
for these particular default SVI; which can be reached from any interface belonging to those VLAN.
COMMAND DESCRIPTION
AsGa>config t Enter in configuration mode
Enter in interface vlan1.1 configuration mode.
AsGa#interface VLAN1.1 VLAN1.1 is the default switched virtual interface which
represent the routed interface for the default VLAN 1
AsGa(interface)# Now you are in the interface configuration mode
AsGa(interface)#ipaddress x.x.x.x/y Enter the IP address
AsGa(interface)#end Exit from interface configuration mode
AsGa# wr Save the configuration
In Order to negate this IP address uses the <no> statement of this command. The example use
the SVI VLAN1.1 which is created by default into the system. By default SVI´s created by the user
does not contain any IP address.
3.9.11 Creating a Switched Virtual interface.

You cannot delete the VLAN1.1 interface. This is the default system SVI.
SVIs are created the first time you enter the “interface vlan 1 [VLAN ID]” command for a
particular vlan. The vlan corresponds to the VLAN-tag associated with data frames on an 802.1q
encapsulated trunk or the VLAN ID configured for an access port.
If you delete an SVI by entering the “no interface vlan 1 [VLAN ID]” command, the deleted
interface is no longer visible in a show interface command.
If the VLAN is no created at the VLAN Database It will be created automatically with its
parameters set to the default values and in active mode.
COMMAND DESCRIPTION
AsGa> enable Enter in enable mode
AsGa# configure terminal Enter into configuration mode
AsGa#interface VLAN1.1000 VLAN1.1000 will be created and VLAN 1000 will be
addred to VLAN database automatically,
Interface VLANs will be used as a routing point between VLANS. See “Configuring IP
addresses on Switched Virtual Interfaces SVI´s”.
31
AsGa LightB
3.9.12 Specifying Host Name
To assign your host name use the following steps at your privileged command line.
COMMAND DESCRIPTION
AsGOS(config)#hostname LighetBolt Specify your host name.
LightBolt (config)# Your host name will appear as a new prompt in your system.
Exit from configuration mode.
LightBolt# Write Save your changes into permanent memory.
3.10 Managing file System
3.10.1 File types

Your LightBolt System storage different file types. By default the system has an image file that
runs your current system, this image file is identified by the extension .BIN. You can maintain up to 3
software versions in your system. Also Binary (BIN) files can be from three types:
• AsGos: Binary Files that contain all mayors control planes and switching/routing software. Naming
convention for this file is:
LightBolt-28322-E1-L2-AsGOS-1.0.0-RC4.bin
• System: Binary files that contain no switching / routing control planes software but have some
other software pices. Naming convention for this file is:
LightBolt-28322-E1-L2-System-1.0.0-RC2.bin
• Sanity: Binary files that contain sanity check code. Naming convention for this file is:
LightBolt-28322-E1-L2-Sanity-1.0.0-RC1.bin
In addition to this system file there are configuration files identified by the extension .CONF this
file type storage in a plain text format all configuration rules. There is no limit to the quantity of
configuration files sorted into your system (only the Disk capacity limits the quantity of stored files).
Only one will be active at time.
Another file type is the .LOG file this file type storage all system sanity test information under
this extension you can find a default file which name is production.log this file storage all factory
sanity log, this file is a read only file and cannot be deleted. The user can decide at startup time run a
new sanity test; its result will be storage under a new file name.
LighBOLT flash system has a flash memory capacity of 32 Mb. This memory cannot be
formatted by the user. Use the dir command at privilege level to inspect your file system.
The following shows a typical file system:
AsGa-LAB-1#dir
3.8M Wed Jan 2 01:15:59 2002 LightBolt-28322-E1-L2-AsGOS-1.0.0-RC4.bin
3.8M Mon Jul 21 17:13:49 2036 LightBolt-28322-E1-L2-AsGOS-1.0.0---RC4.bin
1.4M Wed Jan 2 01:18:32 2002 LightBolt-28322-E1-L2-Sanity-1.0.0-RC1.bin
708.8k Mon Jul 21 17:16:06 2036 LightBolt-28322-E1-L2-System-1.0.0---RC4.bin
708.8k Wed Jan 2 01:16:49 2002 LightBolt-28322-E1-L2-System-1.0.0-RC2.bin
3.5k Thu Jul 24 10:59:22 2036 default.conf
0 Mon Jul 14 17:34:08 2036 julio
Flash disk space:
32
AsGa LightB
Used Available Use%
11.8M 31.2M 27%
3.10.2 Loading new files into your system

In order to load files into your system you have a total free disk space of 32 Mb. The system
load files into this free memory space using TFTP transfer; to do it you need to make available a
TFTP server and issue the following commands at the privilege level:
For copying from a TFTP server to system memory:

AsGa# copy [TFTP server address: A.B.C.D] [file name] flash
For copying to TFTP server:

AsGa# copy flash [file name] [TFTP server address: A.B.C.D]
Examples:
First at all you must have defined a management VLAN with an IP configured into the respective SVI:
COMMAND DESCRIPTION
AsGa>config t Enter in configuration mode
AsGa#interface VLAN1.1 VLAN1.1 is the default switched virtual interface which
represent the routed interface for the default VLAN 1
AsGa(interface)#ipaddress Enter the IP address
102.168.3.2/24
In order to load files into your lightbolt platform execute the following steps:
COMMAND DESCRIPTION
AsGa>enable Enter in configuration mode
AsGa# copy from tftp 192.168.3.1 Execute the copy from TFTP server to flash
LightBolt-28322-E1-L2-AsGOS-1.0.0- command. The system will inform yo the copy
RC4.bin flash progress as a serie of dots int the screen
3.10.3 Saving and restoring system Files

In order to store or restore bin images or different configuration files you must use the previous
mentioned commands, You can change your booting image at any time by assigning it as a new
booting image, next reload time it will take effect.
All TFTP saved configuration files can be loaded at any time and will take effect after you
configure as a configuration boot file, at next booting time it will take effect.
3.10.4 Configure your booting process.

Your LightBolt switch boot use an image file plus a configuration file plus a System image in
order to operate. In addition to those files types there is a configuration file named default.txt which is
your default system configuration file. You can assign at any time and any combination of booting files
plus a bin image to boot your system. To display your booting information use of the following
commands:
33
AsGa LightB
ASGA_1#sh boot
Config File:
Startup: AsGa-conf-1
Running: AsGa-conf-1
Last Modified: Mon Apr 7 12:56:13 2036
AsGOS Image:
Startup: LightBolt-28322-E1-L2-AsGOS-1.0.0-RC4.bin
Running: LightBolt-28322-E1-L2-AsGOS-1.0.0-RC4.bin
Last Modified: Thu Apr 3 08:34:12 2036
System Image:
Startup: LightBolt-28322-E1-L2-System-1.0.0-RC2.bin
Running: LightBolt-28322-E1-L2-System-1.0.0-RC2.bin
Last Modified: Tue Apr 1 08:45:23 2036
Sanity Image:
Startup: LightBolt-28322-E1-L2-Sanity-1.0.0-RC1.bin
To change your actual booting configuration files use this commands:
• Changing your AsGOS bin File
COMMAND DESCRIPTION
AsGOS(config)# boot LightBolt-28322-E1-
Specify the booting AsGOS image file name.
L2-AsGOS-1.0.0-RC5.bin
AsGOS (config)# exit Exit from configuration mode.
• Changing your config File
COMMAND DESCRIPTION
AsGOS(config)# boot config AsGa-conf-2 Specify the booting configuration file name.
• Changing your System File
COMMAND DESCRIPTION
AsGOS(config)# boot systemLightBolt-
Specify the booting system file name.
28322-E1-L2-System-1.0.0-RC3.bin
Under those changes the show boot command will display the show boot command will display
the following changes:
34
AsGa LightB
ASGA_1#sh boot
Config File:
AsGOS Image:
System Image:
Sanity Image:
On next booting time the switch will load the new AsGOS; System and config files.
3.10.5 Creating a Default configuration File

In order to create a default configuration file you must follow these steps:
COMMAND DESCRIPTION
AsGOS(config)# write erase <filename.conf> Specify de default file name. It must be
defined with de .conf extension.
AsGOS (config)# boot config <filename.conf> Redefine your conf file for next booting time.
LightBolt# exit Exit from config
LightBolt# reload Reload process for the new default config file.
3.11 Configuring System Logs

All system actions can be logged in an internally file for future analysis. All Log files when
created and activated are first stored into RAM and must be explicitly copied to flash by the
user. Log can be sent to a standard view or a sys log server.
AsgOS(config)#log ?
file Logging to file
monitor Copy debug output to the current terminal line
stdout Logging goes to stdout
syslog Logging goes to syslog
trap Limit logging to specified level
3.11.1 System Log Configuration

Logging is enabled each time you specify a logging method. When logged on, it can send
messages to specific locations in addition to the console. Under privileged EXEC mode, use one or
more of the following commands to specify the locations that receive messages:
35
AsGa LightB
• Logging to a file:
COMMAND DESCRIPTION
AsGOS# configure terminal Enter in the Configure mode.
AsGOS(config)# log <file> Specify the logging file name.
Your file will be stored in RAM; if you need save it you need to type issue the following command:
COMMAND DESCRIPTION
AsGOS# write log Write your log file into permanent memory.
• Logging to a log server:
COMMAND DESCRIPTION
AsGOS(config)# log syslog <IP address> Specify the logging server IP address.
• Logging to a log monitor
COMMAND DESCRIPTION
AsGOS(config)# log monitor Specify logging method eq monitor
3.12 Configuring your console port

You can access the onboard configuration program by attaching a VT100 compatible device to
the switch’s serial console port. Management access is controlled by the console port parameters,
including a password, timeouts, and basic communication settings.
3.12.1 Console attributes

Data Bits: Sets the number of data bits per character that are interpreted and generated by the
console port. If parity is being generated, specify 7 data bits per character. If no parity is required,
specify 8 data bits per character. (Default: 8 bits).
Parity: Defines the generation of a parity bit. Communication protocols provided by some terminals
can require a specific parity bit setting. Specify Even, Odd, None, Mark or space. (Default: None)
Speed: Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set
the speed to match the baud rate of the device connected to the serial port. (Default: 9600 bps).
Stop Bits: Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit).
Session-timeout: Sets the interval that the system waits until user input is detected. If user input is
not detected within the timeout interval, the current session is terminated.
Limits: Timeout in minutes <0-35791> - Timeout in seconds <0-2147483>.
36
AsGa LightB
Exec-timeout: Sets the interval that the system waits until user input is detected. If user input is not
detected within the timeout interval, the current
EXEC session is terminated. Limits: Timeout in minutes <0-35791> - Timeout in seconds <0-
2147483>.
Flowcontrol: Sets the current flow control mechanism; it can be set by hardware, software or no flow
control. Direction can be in; out or both. Default No flow control.
Start-character: Sets the current start character used when software flow control mechanism is
activate ( possible ASCII values are 1-255 )
Stop-character: Sets the current stop character used when software flow control mechanism is
activate ( possible ASCII values are 1-255 )
Width: Sets the current screen column width valid values are 0-60.
Length: Sets number of lines on a screen valid values are 0-512.
Privilege level Changes privilege level for line <1-15>.
Escape-character: Changes the current escape character possible values are ASCII from 1-255.
To configure any of those parameters you must issue the following commands. The table
shows just some of those commands.
COMMAND DESCRIPTION
AsGOS(config)# line console Enter in console configuration mode.
AsGOS (config)# speed
<(115200|57600|38400|19200|9600|4800|2400) Change the console speed.
AsGOS (config)# parity (none|even|odd|space|mark) Change the console parity.
AsGOS (config)# flowcontrol (none|software
(in|out)|hardware) Change the console flow control mode.
AsGOS (config)# databits <5-8> Change the console data bits.
AsGOS (config)# exec-timeout <0-35791> (<0-2147483>|) Change the Exec time out for a session
started from console.
AsGOS (config)# session-timeout <0-35791> (<0- Change the session time out for the
2147483>|) console.
3.12.2 Enabling Telnet connections and SSH connections

In order to enable those services on your LightBolt platform you need specifically configure it. If
it is not configured those services will not be available for external connections.
Service Telnet {Enable | disable}

Service SSH {enable | Disable}
COMMAND DESCRIPTION
AsGOS(config)# service SSH enable Enable SSH service.
AsGOS(config)# service telnet enable Enable Telnet Service.
37
AsGa LightB
• Disabling Telnet or SSH services:
COMMAND DESCRIPTION
AsGOS(config)# service SSH disable Disable SSH service.
AsGOS(config)# service telnet disable Disable Telnet Service.
3.13 Configuring Remote or Local Logon Authentication

Use the Authentication commands to restrict management access based on specific user
names and passwords. You can manually configure local access rights on the switch, or you can use
a remote access authentication server based on RADIUS or TACACS+ protocols. Remote
Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System
(TACACS) are logon authentication protocols that use software running on a central server to control
access to RADIUS-aware or TACACS -aware devices on the network.
RADIUS uses UDP while TACACS usesTCP. UDP only offers best effort of packets delivery,
while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password
in the access-request packet from the client to the server, while TACACS encrypts the entire body of
the packet.
3.13.1 Enabling a RADIUS Server

In order to provide remote user and password authentication you need to configure a RADIUS
server properly.
To specify a RADIUS server host, use the radius-server host command in global configuration
mode. To delete the specified RADIUS host, use the <no> statement of this command.
radius-server host HOSTNAME {key STRING | retransmit RETRIES | timeout SEC

| auth-port PORTNO}
HOSTNAME Hostname or dotted IP notation.

key <STRING> Specifies the authentication and encryption key.
Used between the switch and the RADIUS daemon running on a
RADIUS server. This key overrides the global setting of the radius-
server key. If no key string is specified, the global value is used.
retransmit < RETRIES> The number of times a RADIUS request is re-sent to a server, if that
server is not responding or responding slowly. Enter a value in the
range 1 to 100.
timeout <SEC> (Optional) The time interval (in seconds) that the switch waits for the
RADIUS server to reply before retransmitting. This setting overrides
the global value of the radius-server If no timeout value is specified,
the global value is used. Enter a value in the range 1 to 1000.SEC.
auth-port < PORTNO> Specifies the UDP destination port for authentication requests port-
number (Optional) . If unspecified, the port number sets default to
1645.
radius-server key STRING
This command specify the global key string used between the switch and the Radius Server.
38
AsGa LightB
Key Set default radius server key
STRING Shared secret among radius server and client.
3.13.2 Enabling a TACACs Server

In order to provide remote user and password authentication you need to configure a TACACS
server properly.
TACACS is a security application that provides centralized validation of users attempting to
gain access to a switch. In order to configure a TACACs client apply the following commands at
configuration prompt.
tacacs-server host HOSTNAME {key STRING | timeout SEC | auth-port PORTNO }
host <HOSTNAME> SET host server. Hostname or dotted IP notation.

key <STRING> SET TACACS+ server key. Key-string.
timeout <SEC> SET TACACS+ server timeout. Timeout in secs <1-1000>.
auth-port < PORTNO> SET TACACS+ server port. Port number (default 49).
3.13.3 Configuring User and Passwords

You can restrict and define management access to this switch using the following options:
• Defining Users:
Locally defined User Accounts: Manually configure access rights on the switch for specific users.
RADIUS User accounts: Configure RADIUS user accounts for remote authentication.
• Defining control access methods.

IP Filter: Filters management access SSH or Telnet interface.
3.13.3.1 Setting locally defined users and passwords.

Your system has no default user name or password neither for user account nor for privileged
EXEC commands. In order to set locally a administrative User and Password use the following
commands:
username <name> [privilege level] {password <encryption-type> password}
name Specify the user ID as one word. Spaces and quotation marks are not allowed.
level For level, specify the privilege level the user has after gaining access. At
this software revision AsGOS 2.0.0 just level 15 is allowed.
encryption-type Enter 0 to specify that an unencrypted password follows. Enter 5 to specify

that a hidden password follows. In Order to specify an encrypts password
you must have Service encryption enable command at config global.
password Specify the password the user must enter to gain access to the switch
COMMAND DESCRIPTION
AsGOS(config)# user <user-name>
privilege <privilege> password Enter the local database, and establish a username-
<Encryption-level> <password> based authentication system.
39
AsGa LightB
AsGOS(config)# end Go to privilege level mode
AsGOS# copy running–config startup-
config Copy running config into startup config.
3.13.3.2 Setting remotly authenticated users using an external server.
In order to make login authentication in a Raduis server you need to configure the following
commands:
aaa new-model
aaa Authentication, Authorization and Accounting.

new-model Enable new access control commands and functions (disable old
configurations)
This command specifies a new model for the authentication process; if not the default
authentication will be used. The default method is: locally defined users. Under this method user
names and passwords will be defined locally at the switch.
aaa authentication login (default|WORD) {local | none | group (WORD |

radius | tacacs)}
aaa Authentication, Authorization and Accounting.

authentication Authentication configurations parameters
login Set authentication lists for logins (local, ssh and telnet)
default The default authentication list.
WORD Named authentication list
local Uses the local username database for authentication
none Uses no authentication
group Uses a list of servers for authentication
WORD Group name servers list for authentication
radius RADIUS servers list for authentication
tacacs TACACS+ servers list for authentication
COMMAND DESCRIPTION
AsGOS(config)# aaa new model Enable a new model for authentication process.
AsGOS(config)# aaa authentication Enable Radius authentication, over a Raduis Server. If
default radius the authentication process fails no other authentication
method is applied.
Enable Radius telnet authentication, over a Raduis
AsGOS(config)# aaa authentication login
default group radius local Server. If the authentication process fails a local
authentication process is applied.
• Applying the authentication rule on a com port
COMMAND DESCRIPTION
AsGOS(config)# line console Enter in console config mode
AsGOS(config)# ogin authentication Define the default authentication method fa a session
default opened in a console port
AsGOS(config)# exit
Return to the privilege Exec mode
AsGOS# wr Save configs
40
AsGa LightB
• Applying The authentication rule on VTY Sessions
COMMAND DESCRIPTION
AsGOS(config)# line vty 0 5 Enter in vty config mode (for all sessions from 0 to 5)
AsGOS(config)# ogin authentication Define the default authentication method for a session
default opened on any VTY session from 0 to 5
AsGOS(config)# exit
Return to the privilege Exec mode
AsGOS# wr
Save configs
3.14 Configuring SNMP

SNMP is based on three concepts: managers, agents, and the Management Information Base
(MIB). In any configuration, at least one manager node runs SNMP management software. Network
devices to be managed, such as bridges, routers, servers and workstations, are equipped with an
agent software module. The agent is responsible for providing access to a local MIB object that
reflects the resources and activities at its node. The agent also responds to the manager commands
to retrieve values from the MIB and to set values in the MIB. An example of an object that can be
retrieved is a counter that keeps track of the number of packets sent and received over a link. An
example of an object that can be set is one that represents the state of a link; the manager could
disable the link by setting the value of the corresponding object to the disabled state.
Such capabilities are fine for implementing a basic network-management system. To enhance
this basic functionality, a new version of SNMP was introduced in 1993 and revised in 1996. SNMPv2
added bulk transfer capability and other functional extensions. However, neither SNMPv1 nor
SNMPv2 offers security features. Specifically, SNMPv1/v2 can neither authenticate the source of a
management message nor provide encryption. Without authentication, it is possible for no authorized
users to exercise SNMP network management functions.
LightBolt system has support for the three SNMP versions (V1, V2C, V3) In addition to this
features LightBolt Family of switches support OIDs view names according to RFC 2575.
3.14.1 Configuring SNMP V1

The following example shows a typical configuration. For more detailed configuration
parameters please refer to the alphabetic index.
COMMAND DESCRIPTION
Set the 192.168.1.1 as the server for receiving
AsGOS# snmp-server manager 192.168.1.1 traps-
version 1 community ASGA traps with community name ASGA. Traps will be
send as SNMP traps version 1.
AsGOS# snmp-server community ASGA rw remote Specify the community name and de IP address
192.168.1.1 for all RW operations.
AsGOS# snmp-server contact ASGA Specify the SNMP contact name.
AsGOS# snmp-server location Rodovia RM Km 4 Specify the SNMP location name.
AsGOS# snmp-server enable trap all Enable all trap sending.
3.14.2 Configuring SNMP V3

To correct the security deficiencies of SNMPv1/v2, SNMPv3 was issued as a set of Proposed
Standards (Table 3.2). This set of documents does not provide a complete SNMP capability but rather
defines an overall SNMP architecture and a set of security capabilities.
41
AsGa LightB
RFC NUMBER TITLE
2571 An Architecture for Describing SNMP Management Frameworks.
2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP).
2573 SNMPv3 Applications.
2574 User-Based Security Model for SNMPv3.
2575 View-Based Access Control Model (VACM) for SNMP.
Table 3.2: SNMPv3 RFCs.

AsGa LightBolt series switches cover all the subjects detailed into those RFC´s. The following
example shows a typical SNMP V.3 configuration, for a more detailed command description please
refer to the alphabetic SNMP commands description.
COMMAND DESCRIPTION
AsGOS (config)# snmp-server users create
Dguerri auth md5 brasil3x0 priv naargentina Create the user name.
AsGOs(config)#snmp-server users access
Dguerri ro priv Give the access type to the configured user.
AsGOS(config)# snmp-server manager Set the 192.168.1.1 as the server for receiving
192.168.1.1 traps-version 3 priv Dguerri traps with user Dguerri.
3.15 Port Configuration
3.15.1 Configuring specific basic physical port settings
3.15.1.1 Speed
To change the negotiated speed of the port use the following commands:
COMMAND DESCRIPTION
AsGOS (config)# interface Ge1 Enter in the interface configuration mode.
AsGOs(interface)#speed <auto|10|100|1000> You can modify the Speed to auto negotiation;
or 10Mbps or 100Mbps or 1000 Mbps.
Note1: On LightBolt platform is not possible modify the negotiating parameters. All Speeds are
negotiated. And the final seed is the best negotiated one.
Note 2: On LightBolt Optical switches series all Optical ports have a Fixed Speed value of 1000
Mbps. No speed setting is allowed on optical ports.
3.15.1.2 Duplex
To change the negotiated mode of one interface use the following commands:
COMMAND DESCRIPTION
AsGOS (config)# interface Ge1 Enter in interface configuration mode.
AsGOs(interface)# duplex < half|full|auto> You can modify the duplex mode to full or half or
auto. In 1000Mbps there is no duplex mode.
42
AsGa LightB
Note 1: On LightBolt Optical switches series all Optical ports have a Fixed full duplex mode of
operation.
3.15.1.3 Flow Control

Use the flow control interface configuration command to set the receiving or send flow-control
value for an interface. When flow control sends a device and detects some congestion at the end, it
notifies the link partner or the remote device by transmitting a pause frame. When the flow control
receives it from the remote device, it receives a pause frame and stops transmitting any data packets.
Note 1: Under input police rate limit configuration flow control must be enabled in order
to realize the input rate limit condition. Flow control is negotiated per port basis; so if your
“peer” port does not have this capability you cannot achieve police rate limit correctly.
To configure flow control on a interface use the following commands:
COMMAND DESCRIPTION
AsGOS (config)# interface Ge1 Enter in interface configuration mode.
You can modify the flow control mode to send
(on|off) or receive (on|off). Receive on means
AsGOs(interface)# send on receive on that the switch honors the flow control. Send on
means that the switch will send flow control
when needed.
Note2: on Optical LightBolt switches, all optical ports have no flow control enable by default.
3.16 Configuring IP addresses on Switched Virtual Interfaces

SVI´s
A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing
function into the system. Only one SVI can be associated with a VLAN, but you need to configure an
SVI for a VLAN when you wish to route between VLANs or if you wish to create a management
interface.
By default, an SVI “interface VLAN1.1” (VLAN 1) is created to permit remote switch
administration. VLAN number one is the default system VLAN and has associated its interface
VLAN1.1.
Into the SVI representation the first number has an internal meaning and the second one
corresponds to the VLAN tag associated with data frames on 802.1Q encapsulated trunk or the VLAN
ID configured for an access port. The last is true for all SVI´s.
SVI´s provide IP host connectivity; you can configure routing across multiple SVI´s. All those IP
SVI´s addresses appear as directly connected IP address into the global L3 routing Table.
Creating SVIs interfaces:
COMMAND DESCRIPTION
AsGOS(config)# VLAN database Enter in the VLAN database mode.
AsGOS (VLAN)# VLAN 200 Create the VLAN 200.
AsGOS (VLAN)# exit Return.
AsGOS(config)# interface vlan1.200 Enter in the SVI interface configuration mode.
AsGOS (config_if)# ip address 20.20.20.20/24 Assign an IP address.
AsGOS (config_if)# end Exit configuration mode.
AsGOS#
43
AsGa LightB
Displaying the global IP routing table:
AsgOS#show ip route
Codes: C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
* - candidate default
C 20.20.20.0/24 is directly connected, vlan1.200
Now any port (trunk or access) associated to VLAN 200 has direct L3 access to this virtual
switched interface VLAN1.200. Any default gateway can be configured using commands to add static
routes to the routing table in order to reach those networks.
To add Routes use the following commands:
COMMAND DESCRIPTION
AsgOS(config)#ip route 192.168.1.0/24 10.10.10.1 Configuring a static route.
AsGOS(config)# end
3.17 MAC Address Table

LightBolt switches have different MAC address tables’ capabilities according to the platform
acquired:
• LightBolt family 2x5xx has a total MAC address capacity of 16.384 MACs.
• LightBolt 2x3xx has a total MAC address capacity of 8.192 MACs.
MAC address learning process is an automatic hardware base process, all learned address are
subject to the aging process; this process ensure that after 300 seconds of no hearing a particular
source MAC this will be deleted from the table.
All lookup process into the LightBolt platform is done by hardware. This feature allows wire line
rates for all packet sizes and conditions. For switching decisions the MAC-SA, VID is used to search
the L2 table. When a match is found the packet is forwarded to the specific port indicated into the
same table. When the address is not found the packet generates a Destination Lookup Failure (DLF)
signal and it is flooded to all port member of that VLAN.
3.17.1 Displaying MAC address tables

Command used to show the mac address table has the following semantics.
show mac-address-table(dynamic | static | interfaceIFNAME | vlan <1-4094>|)
You must specify which Static; Dynamic; interface; or vlan portion of the table, in order to
display the entries associated with it.
Take as an example the following displays
LightBolt#show mac-address-table
VLAN address type interface Hit

200 0000.C003.0102 Dynamic ge4 Yes
All 0036.0A4B.0002 Static L3 CPU No
44
AsGa LightB
200 0000.0101.0202 Static ge1 No
200 0000.C001.0102 Dynamic ge2 Yes
Total address matching this criteria: 4
LightBolt#show mac-address-table interface ge2

200 0000.C001.0102 Dynamic ge2 Yes
LightBolt#show mac-address-table vlan 200

200 0000.C003.0102 Dynamic ge4 Yes
200 0000.0101.0202 Static ge1 No
200 0000.C001.0102 Dynamic ge2 Yes
The hit bit column shows if the MAC address (Source or Destination) has being hide during the
last aging period.
3.17.2 Setting the aging time

Use the mac address-table aging-time global configuration command to set the length of time
that a dynamic entry remains in the MAC address table after the entry is used or updated. Use the
<no> statement of this command to return to the default setting. The aging time applies to all VLANs.
The default value for this time is 300 seconds. To modify the aging time issue the following command:
COMMAND DESCRIPTION
AsGOS# configure terminal Enter the Configure mode
AsGOS (config)# mac-address-table aging-time Configure the Aging time in seconds. It is
200 applied to all VLANs/MACs in the table.
3.17.3 Setting a Static MAC address

Making a MAC entry static means that this address has no aging process associated with it.
This MAC address will persist all the time into the MAC address table. Static MAC address must be
associated with a VLAN and Port pairs
COMMAND DESCRIPTION
AsGOS(config)# mac-address-table static Configure the static entry MAC address
0000.0101.0202 vlan 122 interface ge2 associated with a VLAN and Port.
3.18 Access List

Typically, when you think in an access-list you think about permitting or denying certain type of
traffic to ingress or egress from your system. You can think this type of process as protecting your
network from certain traffic types. But this is not the only use for access-list; access-lists have many
other purposes. For example with access-lists, you can mark traffic from a specific source and/or
destination addresses and prioritize that traffic over other traffic. With access-lists, you can allow or
disallow certain routes to be added in your routing, etc.
45
AsGa LightB
3.18.1 Access-Lists Categories
There are two main categories of access-lists, Standard and Extended. What do we mean by
standard or extended type of access-list? Standard and Extended access-lists allow different type of
control.
Standard Access-Lists x Extended Access-Lists
Standard Access-List: With standard access-lists you can check just the source IP address of the
packet, meaning, you can check to see if the source address happens to be a specific IP address (or
IP subnet), then you can permit or deny that packet.
Extended Access-List: With extended access-list, there are many things that can be checked.
Besides source L3 addresses, you can check for destination L3 addresses, source/destination port
number, or source/destination protocol number just for mention some examples.
Named Access-Lists
Standard Access Lists are in the range from 1- 99. Extended access-lists are in the range from
100-199. That would mean that you can only have 99 standard access-lists or 100 extended access-
lists on any given equipment. If you really wanted more than 99 standard access-lists or more than
100 extended access-lists, you can use Named access-list.
With named access-list, you can classify it to be standard or extended, and then you will follow
the same rules (meaning standard named access-list can check for source address only and
extended named access-list can check for all those other things mentioned earlier). In order to argue
the number of standard and extended access list we provide an expanded range for each. The
expanded range for standard access-list is 1300-1999 and for extended it is 2000-2699.
3.18.2 Wildcard Mask

With both standard and extended access-lists you could use something called wildcard mask.
Let us understand the wildcard mask first, before we go into the details of the implementations of
standard or extended access-list. The wild card mask functions in reverse manner to a subnet mask.
Many times they are named “inverse mask”.
A wildcard mask is used to mark-specific bit patterns in an address. Since we are now talking
about bits (i.e., binary), then we need to know that there are two possibilities - 0 and 1. The binary 0 is
used to represent a match and a binary 1 is used to represent a "don't care" condition. So:
0 means must match!!

1 means don't care!!!
The Table shows an example of wildcard or inverse mask use:
IP Address 172 16 32 0
Binary format 10101100 00010000 00100000 00000000
Network Mask 11111111 11111111 11100000 00000000
Wildcard 00000000 00000000 00011111 11111111

Take only
Take all bits Take all bits the first 3
Result as match as match bits as Dont care
creteria criteria matching
criteria
Table 3.3 – Wildcard Mask
46
AsGa LightB
3.18.3 Configuring IP standard Access List
COMMAND DESCRIPTION
AsGOS (config)# access-list Define a standard IP access list by using a source address
<standard access-list-number> (deny and wildcard.
| permit) source = <IP Address> The access-list-number is a decimal number from 1 to 99 or
<source-wildcard> 1300 to 1999.
Enter deny or permit to specify whether to deny or permit
access if conditions are matched.
The source is the source address of the network or host from
which the packet is being sent specified as:
• The 32-bit quantity in dotted-decimal format.
• The keyword any as an abbreviation for source
and source-wildcard
of 0.0.0.0 255.255.255.255. You do not need to
enter a source-wildcard.
• The keyword host as an abbreviation for source
and source-wildcard of source 0.0.0.0.
3.18.4 Configuring IP extended Acees List

Use the no access-list access-list-number global configuration command to delete the entire ACL.
COMMAND DESCRIPTION
AsGOS(config)#access-list Define a extended IP access
<extended access-list-number> The access-list-number is a decimal number from 100-to
(deny|permit|remark) 199 or 2000 to 2699.
protocol <Portocol ID> Enter deny or permit to specify whether to deny or permit
(A.B.C.D A.B.C.D|any|host access if conditions are matched.
Enter remark to indicate an access list entry comment
A.B.C.D) (A.B.C.D
The protocol indicate a valid protocol ID specified as a single
A.B.C.D|any|host A.B.C.D)
number o a character set:
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
A.B.C.D: Source address A.B.C.D Source wildcard bits.
Any: Specify Any source host.
host : Specify A single source host A.B.C.D Source address
A.B.C.D Destination address A.B.C.D Destination wildcard
bits.
any: Specify any destination host.
host : Specify a single destination host A.B.C.D Destination
address.
Extended ACLs specifying the source and Destination ports for TCP/UDP sessions.
47
AsGa LightB
COMMAND DESCRIPTION
AsGOS(config)# access-list<extended Define a extended IP access number
access-list-number>
(deny|permit|remark) (tcp|udp) Deny: Specify packets to reject
(A.B.C.D A.B.C.D | any | host permit: Specify packets to forward
A.B.C.D)
Remark: Access list entry comment
(A.B.C.D A.B.C.D |any | host
A.B.C.D) tcp:Transmission Control Protocol
Src (eq|gt|lt|neq) PORT dst udp: User Datagram Protocol
(eq|gt|lt|neq) PORT A.B.C.D: Source address
A.B.C.D: Source wildcard bits
any: Any source host
host: A single source host
A.B.C.D: Source address
A.B.C.D: Destination address
A.B.C.D: Destination wildcard bits
Any: Any destination host
host: A single destination host
A.B.C.D: Destination address
Src: Source (TCP/UDP) port
eq: Equal
gt: Greater than
lt: Less than
neq: Not equal
PORT: Port number <0-65535>
dst: Destination (TCP/UDP) port
eq: Equal
gt: Greater than
lt: Less than
neq: Not equal
PORT: Port number <0-65535>
For a complete syntax of access list please refer the alphabetic session.
3.18.5 Istaling IP based Access List
In order to control access to an interface, use the ip access-group command in interface

configuration mode. To remove a specific access group use the <no> statement of this command.
COMMAND DESCRIPTION
AsGOS# configure terminal Enter in the Configuration mode
AsGOS (config)# interface <IF- Enter into Interface configuration mode.enter a Valid
NAME> Interface ID.
AsGOS(config-if)# ip access- Ip Interface Internet Protocol config commands
group <ACL-Number> (in|out) access-group Specify access control for packets
ACL-number IP access list number (Standard or
Extended)
in This ACL is installed for inbound packets
Out This ACL is installed for outbound packets
Note: In AsGOS ACLs can be installed on an interface as in; out or both.
48
AsGa LightB
3.18.6 Configuring MAC Bases Access List
COMMAND DESCRIPTION
AsGOS (config)# access-list deny Specify packets to reject
<MAC-ACeess-List Number> permit Specify packets to permit
(deny|permit) <MAC ; MAC-MASK | MAC Source host's MAC address in
any > <MAC; MAC-MASK | any;> HHHH.HHHH.HHHH format
any Source any
MASK Source mask in HHHH.HHHH.HHHH format
MAC Destination host's MAC address in
HHHH.HHHH.HHHH formatce
any Destination any
MASK Destintion mask in HHHH.HHHH.HHHH format
3.18.7 Instilling MAC based Access List
COMMAND DESCRIPTION
AsGOS# configure terminal Enter in the Configure mode
AsGOS (config)# interface <IF- Enter into Interface configuration mode.enter a Valid
NAME> Interface ID.
AsGOS(config-if)# mac access- Mac config commands
group <ACL-Number> (in) access-group Specify access control for packets
ACL-number IP access list number (Standard or
Extended)
in This ACL is installed for inbound packets
Note: MAC access List cannot be installed as OUT into a Interface context.
3.18.8 Aplaying multiple entries to an ACL
Access list can be generated with multiple entries. Assuming the following rules:
access-list 100 deny ip any any

access-list 100 permit ip any host 10.10.10.10
In this case; the last statement has the bigger priority. All parquets with destination IP address
that match with 10.10.10.10 will be switched.
access-list deny ip host 10.10.10.10 any

access-list deny tcp any any dst eq 80
access-list permit ip any host 20.20.20.20
In this case a packet with src-ip 10.10.10.10 dst-ip 20.20.20.20 tcp port 80 will be not blocked,
because all statement have a “match” for this packet but the last one permit it, the entries with big
priority.
49
AsGa LightB
3.19 Denial of service attack prevention (DoS Prevention)
LightBolt family of switches have a hardware base built in mechanisms in order to detect and
refuse some of the most common DoS attacks. The following lines can be used to little understanding
some of the most common attacks and explain the settings to prevent those attacks.
Denial of service definition: It is an attempt to make a computer resource unavailable to its intended
users.
3.19.1 IP packet with invalid “First-fragment”
A type of attack involving fragments is known as the “tiny fragment attack”. Two TCP fragments
are created. The first fragment is so small that it does not even include the full TCP header,
particularly the destination port number. The second fragment contains the reminder of the TCP
header, including the port number. Some firewalls and intrusion detection systems may let one or
both fragments pass through, particularly if they do not perform packet reassembly. Under this setting
if the first fragment of the packet does not have a full TCP header length the packet will be dropped.
COMMAND DESCRIPTION
AsGOS(config)# denial-of-service Enter into Dos mode configuration
AsGOS(config-dos)# first-fragment-ip-packets
Enable the first fragment DoS Checking.
enable
All packets detected under those conditions will be discarded.
3.19.2 Fragmented ICMP packets- icmp-attack-check

This type of attack sends the victim's computer series of highly fragmented, oversized ICMP
data packets over the connection. The computer receiving the data packets locks when it tries to put
the fragments together.
If the TCP/IP stack was not built properly, when it tries to keep track and put together several
packets, the result is a memory overflow, which in turn causes the machine to stop responding.
Usually, the attacker only needs to send few packets, locking the victim's computer instantaneously.
When the victim restarts the computer, the connection with the attacker is lost and the attacker
remains anonymous.
Under this setting the system will check for highly ICMP fragmented packet and ICMP Ping
Packets with payloads mayors than those specified by “minimun-icmp-packet-over-size”. Default
value 256.
COMMAND DESCRIPTION
AsGOS(config)# denial-of-service Enter into Dos mode configuration.
AsGOS(config-dos)# icmp-attack-check enable Enable ICMP DoS attack checking.
AsGOS(config-dos)# minimun-icmp-packet-over- Modify the minimum packet oversize ICMP
size 512 packet size.
AsGOS(config-dos)# end
3.19.3 TCP fragment attack

The attack consists of requesting a TCP connection fragmented into two IP packets. The first IP
packet of 68 bytes only holds the 8 first bytes of the TCP header (source and destination ports and
50
AsGa LightB
sequence number). The data in the second IP packet then holds the TCP connection request (SYN
flag is 1 and ACK flag is 0).
However, IP filters apply the same rule to all the fragments in a packet. The filter of the first
fragment (Fragment Offset = 0) defines the rule, accordingly it applies to the other fragments
(Fragment Offset = 1) without any other type of control. So, when defragmenting at IP level on the
target machine, the connection request packet is rebuilt and passed to the TCP layer. The connection
is established despite the IP filter in between which should have prevented it.
Under this setting the system will check for highly TCP fragmented packet and with payloads minors
than those specified by “minimun-tcp-header-allowed”. Default value 20.
COMMAND DESCRIPTION
AsGOS(config-dos)# tcp-fragment-attack enable Enable TCP fragment protection.
AsGOS(config-dos)# minimun-tcp-header-allowed 20 Modify the minimum TCP header allowed.
3.19.4 Source IP equal to destination IP attack

This type of attack named LAND attack involves IP packets where the source and destination
address are set to address the same device. The attack involves sending a spoofed TCP SYN packet
(connection initiation) with the target host's IP address and an open port as both source and
destination. The reason a LAND attack works is because it causes the machine to reply to itself
continuously.
UDP/TCP packets where destination ports are the same as source ports are also
considered land type attacks.
Under this setting the system will check for SIP equal to DIP and UDP and TCP source and
destination equals ports.
COMMAND DESCRIPTION
AsGOS(config-dos)# sip-dip-protection enable SAIP = DAIP checking.
AsGOS(config-dos)# tcp-udp-sp-equal-dp enable Source and Destination TCP/UDP checking.
3.19.5 Check on invalid TCP flags

TCP is an abbreviation for the Transmission Control Protocol, defined in RFC 793 which was
released in September of 1981. TCP is a connection oriented protocol that can reliably get information
from one host to another across a network. By reliable, we mean that TCP guarantees that all data
will arrive uncorrupted at the remote host, automatically detecting dropped or corrupted packets and
resending them as needed.
Every TCP packet includes a header, which is defined by the RFC as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
51
AsGa LightB
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |U|A|P|R|S|F| |
| Offset| Reserved |R|C|S|S|Y|I| Window |
| | |G|K|H|T|N|N| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Urgent Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Programs utilize TCP by passing it buffers of data. TCP breaks this data into packages known
as segments, and then uses IP to further package these segments into datagrams. Finally, the
datagrams are embedded into a network packet which can be routed across a network.
When the packet arrives at its destination, the IP stack on the remote host extracts the
datagram from the packet, then the segment from the datagram. The segment is then passed up to
the TCP stack, where it can be validated. Ultimately the TCP stack can reassemble all the segments
into the complete buffer which is then passed to the application. TCP provides two way
communication, so this same process occurs in both directions.
Inside of the packet there are some bits related with control structures. Particularly there are six
'control bits' defined in TCP, one or more of which is defined in each packet. The control bits are
'SYN', 'ACK', 'PSH', 'URG', 'RST', and 'FIN'. TCP uses these bits to define the purpose and contents
of a packet. We will briefly define them.
• URG means out of band data. For example in the telnet session if you press ctr-c tcp stack will
send a packet, which has this flag set.
• SYN bit has meaning only when establishing connection e.g. in the handshaking procedure.
Both sides of the connection need to send this special packet with SYN flag on.
• When the ACK flag is on the Acknowledgement field in the tcp packet contains the number of
the next acknowledgeable tcp packet with this sequence number. This bit is on almost in every
packet. ACK flag tells to the target machine that the sending machine has approved all
packets with sequence number below the Ack number in the packet.
• If the reset flag (RST) is on then the connection is destroyed and all data structures in memory
for the connection must be freed.
• With interactive connections PSH (push) flag is used to gain rapid and smooth interaction. The
packet is not queued but rather sent as soon as possible. Interactive programs should thus
use this flag.
• FIN flag tells to the target machine that it should not take any more data packets from the
sending machine. E.g. the sending machine tells that it won’t send anymore packets but can
still receive packets by himself.
AsGa LightBolt Switches have a hardware based built in mechanism to detect malicious control
flag bit combinations. The detected combinations are:
• TCP SYN FLAG = 1 and Source Port < 1024.

• TCP Control Flags =0 and sequence number 0.
• TCP FIN, PUSH, URG bit set and sequence =0.
• TCP SYN, FIN sets.
Under this setting the system will check for those malicious combinations.
COMMAND DESCRIPTION
AsGOS(config)#denial-of-service Enter into Dos mode configuration.
AsGOS(config-dos)#tcp-on-invalid-flags enable Enable the TCP invalid Flag checking.
52
AsGa LightB
3.20 Spanning Tree Protocols.
3.20.1 Common Spanning Tree Protocol Commands

All commands in this chapter can be used in the Spanning Tree Protocol (STP), Rapid
Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP) daemons.
3.20.1.1 Bridge forward-time

Use this command to set the time (in seconds) after which (if this bridge is the root bridge) each
port changes states to learning and forwarding. This value is used by all instances. Use the <no>
statement with this command to restore the default value of 15 seconds.
Command Syntax
bridge forward-time FORWARD_DELAY

no bridge forward-time
FORWARD_DELAY = <4-30> the forwarding time delay in seconds.
Command Mode
Configure mode
Default
The default value is 15 seconds.
Usage
The allowable range for forward-time is 4-30 seconds. Care should be exercised if the value is to be
made below 7 seconds.
Examples
AsGOS# configure terminal

AsGOS(config)# bridge forward-time 6
Related Commands
bridge protocol ieee
3.20.1.2 Bridge hello-time

Use this command to set the hello-time, the time in seconds after which (if this bridge is the root
bridge) all the bridges in a bridged LAN exchange Bridge Protocol Data Units (BPDUs). A very low
value of this parameter leads to excessive traffic on the network, while a higher value delays the
detection of topology change. This value is used by all instances. Use the <no> parameter to restore
the default value of the hello time.
Command Syntax
bridge hello-time HELLOTIME

no bridge hello-time
HELLOTIME = <1-10> The hello BPDU interval in seconds.
53
AsGa LightB
Default
Default value is 2 seconds.
Command Mode
Configure mode
Usage
Configure the bridge instance NAME before using this command. The allowable range of values is 1-
10 seconds. However, make sure that the value of hello time is always greater than the value of hold
time (1 second by default).
Examples

AsGOS(config)# bridge hello-time 3
3.20.1.3 bridge max-age

Use this command to set the max-age for a bridge. This value is used by all instances. Use the
<no> statement with this command to restore the default value of max-age.
Command Syntax
bridge max-age MAXAGE

no bridge max-age
MAXAGE = <6-40> The maximum time, in seconds, to listen for the root
bridge.
Command Mode
Configure mode
Default
The default value of bridge max-age is 20 seconds.
Usage
Max-age is the maximum time in seconds for which (if a bridge is the root bridge) a message is
considered valid. This prevents the frames from looping indefinitely.
The value of max-age should be greater than twice the value of hello time plus one, but less than
twice the value of forward delay minus one. The allowable range for max-age is 6-40 seconds.
Configure this value sufficiently high, so that a frame generated by root can be propagated to the lead
nodes without exceeding the max-age.
Examples

AsGOS(config)# bridge max-age 12
54
AsGa LightB
3.20.1.4 bridge priority
Use this command to set bridge priority for the common instance. Using a lower priority
indicates a greater likelihood of the bridge becoming root.
Command Syntax
bridge priority PRIORITY

PRIORITY = <0-61440> The bridge priority.
Command Mode
Configure mode
Default
The default priority is 32678 (or hex 0x8000).
Usage
This command must be used to set the priority of the bridge. The priority values can be set only in
increments of 4094.
Examples

AsGOS(config)# bridge priority 200
3.20.1.5 Bridge spanning-tree errdisable-timeout enable

Use this command to enable the errdisable-timeout facility, which sets a timeout for ports that
are disabled due to the BPDU guard feature.
Command Syntax
bridge spanning-tree errdisable-timeout enable
Default
By default, the port is enabled after 300 seconds.
Command Mode
Configure mode
Usage
The BPDU guard feature shuts down the port on receiving a BPDU on a BPDU-guard enabled port.
This command associates a timer with the feature such that the port gets enabled back without
manual intervention after a set interval.
This interval can be configured by the user using the bridge spanning-tree errdisable-
timeout interval command.
Example
55
AsGa LightB
AsGOS(config)# bridge spanning-tree errdisable-timeout enable
3.20.1.6 Bridge spanning-tree errdisable-timeout interval

Use this command to specify the time interval after which a port is brought back up.
Command Syntax
bridge spanning-tree errdisable-timeout interval <10-1000000>

<10-1000000> Specify the errdisable-timeout interval in seconds.
Default
By default, the port is enabled after 300 seconds.
Command Mode
Configure mode
Example

AsGOS(config)# bridge 4 spanning-tree errdisable-timeout interval 34
3.20.1.7 bridge spanning-tree portfast bpdu-filter

Use this command to set portfast BPDU filter for the bridge. All ports that have their BPDU filter
set to default take the same value of bpdu-filter as that of bridge. Use the <no> statement with this
command to disabled the BPDU filter for the bridge.
Command Syntax
(no) bridge spanning-tree portfast bpdu-filter
Command Mode
Configure mode
Usage
The Spanning Tree Protocol sends BPDUs from all ports. Enabling the BPDU Filter feature ensures
that PortFastenabled ports do not transmit or receive any BPDUs. Use the show spanning tree
command to display administratively configured and currently running values of the bpdu-filter
parameter for bridge and port.
Example

AsGOS(config)# bridge spanning-tree portfast bpdu-filter
Related Commands
spanning-tree portfast bpdu-filter
56
AsGa LightB
3.20.1.8 bridge spanning-tree portfast bpdu-guard
Use this command to enable the BPDU (Bridge Protocol Data Unit) Guard feature on a bridge. Use
the <no> statement with this command to disable the BPDU Guard feature on a bridge.
Command Syntax
(no) bridge spanning-tree portfast bpdu-guard
Command Mode
Configure mode
Usage
When the BPDU Guard feature is set for a bridge, all portfast-enabled ports of the bridge that have
bpdu-guard set to default shut down the port on receiving a BPDU. In this case, the BPDU is not
processed. You can either bring the port back up manually by using the no shutdown command, or
configure the errdisable-timeout feature to enable the port after the specified time interval.
Use the <show spanning-tree> command to display the bridge and port configurations for the
BPDU Guard feature. It shows both the administratively configured and currently running values of
bpdu-guard.
Example

AsGOS(config)# bridge spanning-tree portfast bpdu-guard
Related Commands
spanning-tree portfast bpdu-guard, show spanning-tree
3.20.1.9 bridge-group path-cost

Use this command to set the cost of a path associated with a bridge-group. The lower the path
cost, the greater the likelihood of the bridge becoming root.
Command Syntax
bridge-group path-cost PATHCOST

no bridge-group path-cost
PATHCOST = <1-200000000> The cost to be assigned to the group.
Default
The default bridge-group path cost is 0.
Command Mode
Interface mode
Examples

AsGOS(config)# interface eth1
57
AsGa LightB
AsGOS(config-if)# bridge-group path-cost 123
3.20.1.10 bridge-group priority

Use this command to set the port priority for a bridge. The lower priority indicates a greater
likelihood of the bridge becoming root.
Command Syntax
bridge-group priority PRIORITY

PRIORITY = <0-240> The priority to be assigned to the group.
Default
The default priority is 1.
Command Mode
Interface mode.
Examples

AsGOS(config-if)# bridge-group 4 priority 100
3.20.1.11 spanning-tree guard root

Use this command to enable the Root Guard feature for the port. The root guard feature
disables reception of superior BPDUs. Use the <no> statement with this command to disable the root
guard feature for the port.
Command Syntax
(no)spanning-tree guard root
Command Mode
Interface mode
Usage
The Root Guard feature makes sure that the port on which it is enabled is a designated port. If the
Root Guard enabled port receives a superior BPDU, it goes to a Listening state (for STP) or
discarding state (for RSTP and MSTP).
Example
AsGOS(config)# interface ge0
AsGOS(config-if)# spanning-tree guard root
3.20.2 STP Commands

This chapter lists the commands that are exclusive to the Spanning Tree Protocol (STP). For
other commands useful in the Spanning Tree Protocol, see the Common Spanning Tree Protocol
Commands chapter.
58
AsGa LightB
Related Commands
Bridge instance
3.20.2.1 Bridge spanning-tree enable

Use this command to enable the Spanning Tree Protocol on a bridge. Use the <no> statement
to disable the Spanning Tree Protocol on the bridge.
Command Syntax
(no) bridge spanning-tree enable
Command Mode
Configure mode
Default
There is no default value.
Example

AsGOS(config)# bridge 2 spanning-tree enable
3.20.2.2 debug stp

Use this command to turn on, and turn off, debugging and echoing data to the console, at
various levels. Use the <no> statement with this command to turn off debugging.
Command Syntax
debug stp (all|cli|event|PACKET|protocol|timer)

all echoes all STP debugging levels to the console.
cli echoes STP commands to the console.
event echoes events to console.
PACKET = packet rx|tx echoes STP packets to the console.
rx received packets.
tx transmitted packets.
protocol echoes protocol changes to the console.
timer echoes timer start to the console.
Command Mode
Configure mode
Examples

AsGOS(config)# debug stp all
AsGOS(config)# debug stp cli
AsGOS(config)# debug stp packet rx
AsGOS(config)# debug stp protocol detail
AsGOS(config)# debug stp timer
59
AsGa LightB
3.20.2.3 Show spanning-tree
This command shows the state of the spanning tree for all named bridge groups. Use the |
(output modifier token) to modify the lines displayed, and the > (output redirection token) to save the
output to a file. For more information, see AsGOS Command Line Interface Environment.
Command Syntax
show spanning-tree interface <ifname>
Command Mode
Privileged Exec, Configure and Interface modes.
Examples
AsGOS# show spanning-tree interface ge23
Usage
The following is an output of this command displaying the spanning tree.
switch-02#sh spanning-tree interface ge23

% 1: spanning tree enabled
% 1: root path cost 60000 - priority 32768
% 1: forward-time 15 - hello-time 2 - max-age 20 - root port 33696
% 1: root id 80000014fa003e6d
% 1: bridge id 80000014fa00611d
% 1: hello timer 0 - tcn timer 0 - topo change timer 0
% 1: 0 topology changes - last topology change Thu Jan 1 00:00:00 1970
% 1: portfast bpdu-filter disabled
% 1: portfast bpdu-guard disabled
% 1: portfast errdisable timeout disabled
% 1: portfast errdisable timeout interval 1 sec
% ge23: id 839f - path cost 20000 - designated cost 40000
% ge23: designated port id 83a0 - state Blocked - priority 128
% ge23: designated root 80000014fa003e6d
% ge23: designated bridge 80000014fa005888
% ge23: forward-timer 0 - hold-timer 0 - msg age timer 14
% ge23: forward-transitions 0
% ge23: portfast disabled
% ge23: portfast bpdu-guard default - Current portfast bpdu-guard off
% ge23: portfast bpdu-filter default - Current portfast bpdu-filter off
% ge23: no root guard configured - Current root guard off
3.20.3 RSTP Commands

This chapter lists the commands that are exclusive to the Rapid Spanning Tree Protocol. For
other commands useful in the RSTP, see the Common Spanning Tree Protocol Commands chapter.
3.20.3.1 Bridge rapid-spanning-tree enable

Use this command to enable the Rapid Spanning Tree Protocol on a bridge. Use the <no>
statement to disable the Rapid Spanning Tree Protocol on the bridge.
Command Syntax
<no> bridge rapid-spanning-tree enable
60
AsGa LightB
Bridge-group ID used for bridging.
Command Mode
Configure mode
Default
Examples

AsGOS(config)# bridge rapid-spanning-tree enable
3.20.3.2 Clear spanning-tree detected protocols

Use this command to clear the detected protocols for a specific bridge or interface.
Command Syntax
clear spanning-tree detected protocols [bridge]|[interface IFNAME]

IFNAME Specify the name of the interface on which protocols have to be
cleared.
Command Mode
Privileged Exec mode
Example
AsGOS# clear spanning-tree detected protocols bridge
3.20.3.3 debug rstp

various levels. Use the no parameter with this command to turn off debugging.
Command Syntax
debug rstp (all|cli|PACKET|PROTOCOL|TIMER)

all echoes all RSTP debugging levels to the console.
cli echoes RSTP commands to the console.
PACKET = packet rx|tx echoes RSTP packets to the console.
PROTOCOL = protocol (detail) echoes protocol changes to the console.
TIMER = timer (detail) echoes timer start to the console.
detail displays detailed output.
Command Mode
Configure mode
Examples
61
AsGa LightB
AsGOS(config)# debug rstp all
AsGOS(config)# debug rstp cli
AsGOS(config)# debug rstp packet rx
AsGOS(config)# debug rstp protocol detail
AsGOS(config)# debug rstp timer
3.20.3.4 show spanning-tree

This command shows the state of the spanning tree for all named bridge-groups. To modify the
lines displayed use the | (output modifier token); to save the output to a file, use the > (output
redirection token).
Command Syntax
show spanning-tree interface <ifname>
Command Mode
Privileged Exec, Configure and Interface modes.
Examples
AsGOS# show spanning-tree interface ge23
Usage
The following is an output of this command displaying the state of the spanning tree.
switch-02#sh spanning-tree interface ge23

% 1: Spanning Tree Enabled
% 1: Ageing Time 300 - Root Path Cost 60000 - Priority 32768
% 1: Forward Delay 15 - Hello Time 2 - Max Age 20 - Root Port 5024
% 1: Root Id 80000014fa003e6d
% 1: Bridge Id 80000014fa00611d
% 1: 0 topology changes - last topology change Thu Jan 15 16:32:27 2037
% ge23: Id 839f - Role Alternate - State Discarding
% ge23: Configured path cost 400000 - Designated path cost 40000
% ge23: Designated port id 83a0 - Priority 128
% ge23: Designated Root 80000014fa003e6d
% ge23: Designated Bridge 80000014fa005888
% ge23: Message Age 2 - Max Age 20
% ge23: Hello Time 2 - Forward Delay 15
% ge23: Forward Timer 0 - Msg Age Timer 5 - Hello Timer 0
% ge23: Version Rapid Spanning Tree Protocol - Received RSTP - Send RSTP
% ge23: No portfast configured - Current portfast off
% ge23: portfast bpdu-guard default - Current portfast bpdu-guard off
% ge23: portfast bpdu-filter default - Current portfast bpdu-filter off
% ge23: no root guard configured - Current root guard off
% ge23: Configured Link Type point-to-point - Current point-to-point
% ge23: forward-transitions 1
62
AsGa LightB
3.20.3.5 spanning-tree force-version
Use this command to specify the version. A version identifier of less than a value of 2 enforces
the spanning tree protocol. Although the command supports an input range of 0-3, for RSTP, the valid
range is 0-2. Use the no parameter with this command to set the default protocol version.
Command Syntax
(no) spanning-tree force-version VERSION

VERSION <0-3> Version identifier. (0 - STP, 1- Not supported, 2 - RSTP, 3 - MSTP)
Command Mode
Interface mode
Examples
Set the value to enforce the spanning tree protocol:

AsGOS(config-if)# spanning-tree force-version 1
Set the default protocol version:

AsGOS(config-if)# no spanning-tree force-version
3.20.3.6 Spanning-tree link-type

Use this command to enable or disable point-to-point or shared link types. Use the <no>
statement with this command to disable rapid transition.
Command Syntax
(no) spanning-tree link-type point-to-point

(no) spanning-tree link-type shared
shared: Disable rapid transition.

point-to-point: Enable rapid transition.
Command Mode
Interface mode
Usage
RSTP has a backward-compatible STP mode, spanning-tree link-type shared. An

alternative is the spanning-tree force-version 0.
Examples

AsGOS(config-if)# spanning-tree link-type point-to-point
63
AsGa LightB
3.20.4 MSTP Commands
This chapter lists the commands that are exclusive to the Multiple Spanning Tree Protocol
(MSTP). For other commands useful in the MSTP, see the Common Spanning Tree Protocol
Commands chapter.
3.20.4.1 bridge cisco-interoperability

Use this command to enable/disable Cisco interoperability for MSTP.
Command Syntax
bridge cisco-interoperability (enable | disable)

enable: Enable Cisco interoperability for MSTP bridge.
Disable: Disable Cisco interoperability for MSTP bridge
Default
If this command is not used, Cisco interoperability is disabled.
Command Mode
Configure mode
Usage
If Cisco interoperability is required, all AsGOS boxes in the switched LAN must be Cisco-
interoperability enabled. When AsGOS is interoperating with Cisco, the only criteria used to classify a
region are the region name and revision level. VLAN to instance mapping is not used to classify
regions when interoperating with Cisco.
Examples
To enable Cisco interoperability on a Layer-2 switch for a particular bridge (bridge 2 in this example):

AsGOS(config)# bridge cisco-interoperability enable
To disable Cisco interoperability on a Layer-2 switch for a particular bridge:

AsGOS(config)# bridge cisco-interoperability disable
3.20.4.2 bridge instance priority

Set the bridge priority for an MST instance to the value specified. Use this command with the
<no> statement to restore the default value of the bridge priority.
Command Syntax
bridge <1-32> instance INSTANCE_ID priority BRIDGE_PRIORITY

no bridge <1-32> instance INSTANCE_ID priority
<1-32> Specify the bridge-group ID.

INSTANCE_ID Specify the instance ID.
64
AsGa LightB
BRIDGE_PRIORITY <0-61440> Specify the bridge priority (a lower priority indicates a greater
likelihood of the bridge becoming root).
Command Mode
Configure mode.
Default
The default value of the priority for each instance is 32768.
Usage
The lower is the priority of the bridge, the better are the chances of the bridge becoming a root bridge
or a designated bridge for the LAN. The permitted range of values is 0-61440. The priority values can
be set only in increments of 4094.
Examples

AsGOS(config)# bridge 4 instance 3 priority 3
3.20.4.3 bridge instance vlan

Use this command to create an instance of a VLAN. This command can be used only after the
VLAN is defined.
Command Syntax
bridge <1-32> instance INSTANCE_ID vlan VLAN_ID

no bridge <1-32> vlan VLAN_ID

INSTANCE_ID Specify the instance ID.
VLAN_ID <1-4094> Specify a VLAN ID to be associated to the instance.
Command Mode
MST Configuration Mode
Usage
The permitted range of instances is 0-15. Instance 0 refers to the internal spanning tree. The VLANs
must be created before being associated with an MST instance (MSTI). If the VLAN range is not
specified, the MSTI will not be created.
Example

AsGOS(config)# bridge 2 protocol mstp
AsGOS(config)# spanning-tree mst configuration
AsGOS(config-mst) bridge 2 instance 2 vlan 30
65
AsGa LightB
3.20.4.4 bridge max-hops
Use this command to specify the maximum allowed hops for a BPDU in an MST region. This
parameter is used by all the instances of the MST. To restore the default value, use the no parameter
with this command.
Command Syntax
bridge <1-32> max-hops HOP_COUNT

no bridge <1-32> max-hops

HOP_COUNT Maximum hops the BPDU will be valid for.
Command Mode
Configure Mode
Default
The default max-hops in a MST region are 20.
Usage
Specifying the max hops for a BPDU prevents the messages from looping indefinitely in the network.
When a bridge receives a MST BPDU that has exceeded the allowed max-hops, it discards the
BPDU.
Examples

AsGOS(config)# bridge 3 max-hops 25
3.20.4.5 bridge multiple-spanning-tree enable

Use this command to enable the Multiple Spanning Tree Protocol on a bridge. Use the <no>
statement to disable the command.
Command Syntax
(no) bridge <1-32> multiple-spanning-tree enable

Command Mode
Configure mode
Default
Example

AsGOS(config)# bridge 2 multiple spanning-tree enable
66
AsGa LightB
3.20.4.6 bridge region
Use this command to create an MST region, and specify a name to it. MST bridges of a region
form different spanning trees for different VLANs.
Command Syntax
bridge <1-32> region REGION_NAME

no bridge <1-32> region REGION_NAME

REGION_NAME Specify the name of the region.
Command Mode
MST Configuration mode
Default
By default, each MST bridge starts with the region name as its bridge address. This means each MST
bridge is a region by itself, unless specifically added to one.
Examples

AsGOS(config-mst)# bridge 3 region IPI
3.20.4.7 bridge revision

Use this command to specify the number for configuration information.
Command Syntax
bridge <1-32> revision REVISION_NUM

REVISION_NUM <0-255> Revision number.
Command Mode
MST Configuration Mode
Default
The default value of revision number is 0.
Examples

AsGOS(config-mst)# bridge 3 revision 25
67
AsGa LightB
3.20.4.8 bridge-group instance
Use this command to assign a Multiple Spanning Tree instance to a port. Use the <no>
statement with this command to remove the instance.
Command Syntax
bridge-group <1-32> instance INSTANCE_ID

no bridge-group <1-32> instance
<1-32> Specify the bridge-group number for bridging.

INSTANCE_ID <1-16> Specify the instance ID.
Command Mode
Interface mode
Examples

AsGOS(config-if)# bridge-group 4 instance 3
3.20.4.9 bridge-group instance path-cost

Use this command to set the cost of a path associated with an interface. Use the <no>
statement with this command to restore the default cost value of the path.
Command Syntax
bridge-group <1-32> instance INSTANCE_ID path-cost PATH_COST

no bridge-group <1-32> path-cost
<1-32> Specify the bridge-group number for bridging

PATH_COST <1-200000000> Specify the cost of path in the range of <1-200000000> (a lower path-
cost indicates a greater likelihood of the specific interface becoming a root)
Command Mode
Interface mode
Default
Assuming a 10 Mb/s link speed, the default value is configured as 200,000.
Examples

AsGOS(config-if)# bridge-group 4 instance 3 path-cost 1000
3.20.4.10 bridge-group instance priority

Use this command to set the port priority for a bridge group. Use the <no> statement with this
command to restore the default priority value.
68
AsGa LightB
Command Syntax
bridge-group <1-32> instance INSTANCE_ID priority PRIORITY

no bridge-group <1-32> instance priority INSTANCE_ID
<1-32> Specify the bridge-group number for bridging.

INSTANCE_ID Specify the identifier.
PRIORITY <0-240> Specify the port priority in a range of <0-240> (a lower priority indicates greater
likelihood of the interface becoming a root).
Command Mode
Interface mode
Default
The default value of port priority for each instance is 128.
Usage
The Multiple Spanning Tree Protocol uses port priority as a tiebreaker to determine which port should
forward frames for a particular instance on a LAN, or which port should be the root port for an
instance. A lower value implies a better priority. In the case of the same priority, the interface index
will serve as the tiebreaker, with the lower-numbered interface being preferred over others. The
permitted range is 0-240. The priority values can only be set in increments of 16.
Examples

AsGOS(config-if)# bridge-group 4 instance 3 priority 121
3.20.4.11 clear spanning-tree detected protocols

Use this command to clear the detected protocols for a specific bridge or interface.
Command Syntax
clear spanning-tree detected protocols [bridge <1-32>]|[interface IFNAME]

<1-32> Specify the number of the bridge group on which protocols have to be cleared.
IFNAME Specify the name of the interface on which protocols have to be cleared
Command Mode
Default
The default value of revision number is 0.
Examples
AsGOS# clear spanning-tree detected protocols bridge 2
69
AsGa LightB
3.20.4.12 debug mstp
various levels. Use the no parameter with this command, to turn off debugging.
Command Syntax
debug mstp (all|cli|PACKET|PROTOCOL|TIMER)

all echoes all STP debugging levels to the console.
cli echoes STP commands to the console.
PACKET = packet rx|tx echoes MSTP packets to the console.
PROTOCOL protocol (detail) echoes protocol changes to the console.
TIMER timer (detail) echoes timer start to the console.
detail detailed output.
Command Mode
Exec, Privileged Exec and Configure modes
Examples

AsGOS(config)# debug mstp all
AsGOS(config)# debug mstp cli
AsGOS(config)# debug mstp packet rx
AsGOS(config)# debug mstp protocol detail
AsGOS(config)# debug mstp timer
3.20.4.13 show spanning-tree mst

Use this command to display the filtering database values. This command displays the number
of instances created, and VLANs associated with it.
Command Syntax
show spanning-tree mst
Command Mode
Enable mode and Interface mode
Usage
The following is a display of this command showing the number of instances created, and the VLANs
associated with it.
AsGOS# show spanning-tree mst

% b: Bridge up - Spanning Tree Enabled
% b: CIST Root Path Cost 0 - CIST Root Port 0 - CIST Bridge Priority 32768
% b: Forward Delay 15 - Hello Time 2 - Max Age 20 - Max-hops 20
% b: CIST Root Id 8000000475e93ffe
% b: CIST Reg Root Id 8000000475e93ffe
% b: CST Bridge Id 8000000475e93ffe
%
% Instance VLAN
% 0: 1
70
AsGa LightB
% 2: 4
3.20.4.14 Show spanning-tree mst config

Use this command to display MSTP configuration information for a bridge.
Command Syntax
show spanning-tree mst config
Command Mode
Usage
The following show output displays the MSTP configuration information for bridge b.
AsGOS# show spanning-tree mst config

%
% MSTP Configuration Information for bridge b :
%------------------------------------------------------
% Format Id : 0
% Name : My Name
% Revision Level : 0
% Digest : 0x80DEE46DA92A98CF21C603291B22880A
%------------------------------------------------------
3.20.4.15 Show spanning-tree mst detail

Use this command to display the filtering database values. The <show spanning-tree
mst> detail prints the detailed information about each instance, and all interfaces associated with that
particular instance.
Command Syntax
show spanning-tree mst detail
Command Mode
Usage
The following is a display of this command showing displaying detailed information about each
instance, and all interfaces associated with them.
AsGOS# show spanning-tree mst detail
% 1: Bridge up - Spanning Tree Enabled
% 1: CIST Root Path Cost 0 - CIST Root Port 0 - CIST Bridge Priority 0
% 1: Forward Delay 15 - Hello Time 2 - Max Age 20 - Max-hops 20
% 1: CIST Root Id 0000009027342b72
% 1: CIST Reg Root Id 0000009027342b72
% 1: CST Bridge Id 0000009027342b72
% eth2: Port 4 - Id 8004 - Role Designated - State Forwarding
% eth2: Designated External Path Cost 0 -Internal Path Cost 0
71
AsGa LightB
% eth2: Configured Path Cost 200000 - Add type Explicit ref count 2
% eth2: Designated Port Id 8004 - CST Priority 128 -
% eth2: CIST Root 0000009027342b72
% eth2: Regional Root 0000009027342b72
% eth2: Designated Bridge 0000009027342b72
% eth2: Message Age 0 - Max Age 20
% eth2: CIST Hello Time 2 - Forward Delay 15
% eth2: CIST Forward Timer 0 - Msg Age Timer 0 - Hello Timer 0
% eth2: Version Multiple Spanning Tree Protocol - Received None - Send STP
% eth2: No portfast configured - Current portfast off
% eth2: portfast bpdu-guard default - Current portfast bpdu-guard off
% eth2: portfast bpdu-filter default - Current portfast bpdu-filter off
% eth2: no root guard configured - Current root guard off
% eth2: Configured Link Type point-to-point - Current point-to-point
%
% eth1: Designated External Path Cost 0 -Internal Path Cost 0
% eth1: Configured Path Cost 200000 - Add type Explicit ref count 2
% eth1: Designated Port Id 8003 - CST Priority 128 -
% eth1: CIST Root 0000009027342b72
% eth1: Regional Root 0000009027342b72
% eth1: CIST Hello Time 2 - Forward Delay 15
% eth1: CIST Forward Timer 0 - Msg Age Timer 0 - Hello Timer 0
% eth1: Version Multiple Spanning Tree Protocol - Received STP - Send STP
% eth1: No portfast configured - Current portfast off
% eth1: portfast bpdu-guard default - Current portfast bpdu-guard off
% eth1: portfast bpdu-filter default - Current portfast bpdu-filter off
% eth1: no root guard configured - Current root guard off
% eth1: Configured Link Type point-to-point - Current point-to-point
%
% Instance 1: Vlans: 2
% 1: MSTI Root Path Cost 0 - MSTI Root Port 0 - MSTI Bridge Priority 32768
% 1: MSTI Root Id 8001009027342b72
% 1: MSTI Bridge Id 8001009027342b72
% eth2: Designated Internal Path Cost 0 - Designated Port Id 8004
% eth2: Configured Internal Path Cost 200000
% eth2: Configured CST External Path cost 200000
% eth2: CST Priority 128 - MSTI Priority 128
% eth2: Designated Root 8001009027342b72
% eth2: Hello Time 2 - Forward Delay 15
% eth2: Forward Timer 0 - Msg Age Timer 0 - Hello Timer 0
%
3.20.4.16 Show spanning-tree mst instance

The <show spanning-tree mst instance> displays detailed information for the specified
instance, and all interfaces associated with that instance.
Command Syntax
show spanning-tree mst instance INSTANCE_ID

INSTANCE_ID Specify the instance ID for which information needs to be
displayed.
72
AsGa LightB
Command Mode
Usage
The following is a display of this command showing detailed information for instance 2.
AsGOS# show spanning-tree mst instance 2
% 1: Bridge up - Spanning Tree Enabled
% 1: CIST Root Path Cost 0 - CIST Root Port 0 - CIST Bridge Priority 0
% 1: Forward Delay 15 - Hello Time 2 - Max Age 20 - Max-hops 20
% 1: CIST Root Id 0000009027342b72
% 1: CIST Reg Root Id 0000009027342b72
% 1: CST Bridge Id 0000009027342b72
%
% 1: MSTI Root Path Cost 0 - MSTI Root Port 0 - MSTI Bridge Priority 32768
% 1: MSTI Root Id 8002009027342b72
% 1: MSTI Bridge Id 8002009027342b72
% eth2: Port 4 - Id 8004 - Role Designated - State Discarding
%
% eth1: Port 3 - Id 8003 - Role Designated - State Discarding
3.20.4.17 Spanning-tree force-version

Use this command to specify the spanning-tree force (STP) version. A version identifier of less
than a value of 2 enforces the spanning tree protocol. Use the no parameter with this command to set
the default protocol version.
Command Syntax
(no) spanning-tree force-version VERSION

VERSION <0-3> Version identifier. (0 - STP, 1- Not supported, 2 - RSTP, 3 - MSTP)
Command Mode
Interface mode
Examples
Set the value to enforce the spanning tree protocol:
73
AsGa LightB
AsGOS(config-if)# spanning-tree force-version 1
Set the default protocol version:

AsGOS(config-if)# no spanning-tree force-version
3.20.4.18 link-type
Use this command to enable or disable point-to-point or shared link types.
Command Syntax
(no) spanning-tree link-type point-to-point

(no) spanning-tree link-type shared
shared Disable rapid transition.

point-to-point Enable rapid transition.
Command Mode
Interface mode
Usage
MSTP has a backward-compatible STP mode, spanning-tree link-type shared. An

alternative is the spanning-tree force-version 0.
Examples

AsGOS(config-if)# spanning-tree link-type point-to-point
3.20.4.19 spanning-tree mst configuration

Use this command to enter the Multiple Spanning Tree Configuration mode.
Command Syntax
spanning-tree mst configuration
Command Mode
Configure mode
Examples

AsGOS(config-mst)#
74
AsGa LightB
3.21 Link Agregation Control Protocol Commands Set.
Link Aggregation Control Protocol (LACP) is part of an IEEE specification (802.3ad) that allows
to bundle physical ports into a single logical channel. LACP allows a switch to negotiate an automatic
bundle by sending special PDUs named LACP packets to the peer.
Link Aggregation provides several benefits: Increased bandwidth, load balancing, and allows
you to create redundant Ethernet links. If a link in a Ethernet channel goes down, the switches on
which is configured to use LACP will automatically fail over to the links that are still up and remain
connected
3.21.1 Channel-group
Assign the interface to a channel group, and specify the LACP mode. For channel-group-
number, the range is 1 to 32. Each Channel can have up to eight compatibly configured Ethernet
interfaces.
When you configure Layer 2 EtherChannels by configuring the Ethernet interfaces with the
channel-group interface configuration command, the system creates the port-channel logical
interface. Each Ethernet Interfaces pertaining to the same LACP Group will heritage port-channel
interface characteristics.
Command Syntax
channel-group [ channel-group-number ] <1-32> mode ( lacp

(active|passive) | static)
For channel-group-number, the range is 1 to 32. Each
For mode, select one of these keywords:
Lacp: Select this port channel as a LACP port channel.
active: Enables LACP only if an LACP device is detected. It places an interface into an active
negotiating state, in which the interface starts negotiations with other interfaces by sending LACP
packets.
passive: Enables LACP on an interface and places it into a passive negotiating state, in which the
interface responds to LACP packets that it receives, but does not start LACP packet negotiation.
Command Mode
Interface mode
Usage
channel-group [ channel-group-number ] <1-32> mode ( lacp (active|passive)

| static)
Examples

AsGOS(config-if)# channel-group 20 mode lacp active

75
AsGa LightB
AsGOS(config-if)# channel-group 21 mode lacp static
Related commands
no channel-group
show etherchannel lacp <1-32>
show etherchannel static
3.21.2 port-channel load-balance

This command can be used to specify the load balance method used on a Particular Port
Channel. You can use one of several hashing methods for a particular port trunk. It’s not necessary
for other switch share the same port channel load balance method. This parameter is not negotiated
during the port channel LACP procedure.
Command Syntax
port-channel load-balance (dst-mac | src-mac | src-dst-mac | dst-ip | src-

ip | src-dst-ip)
dst-mac Use Destination Mac address based load balancing

src-mac Use Source Mac address based load balancing
src-dst-mac Use Source and Destination Mac address based load balancing
dst-ip Use Destination IP address based load balancing
src-ip Use Source IP address based load balancing
rc-dst-ip Use Source and Destination IP address based load balancing
Command Mode
Interface mode
Usage
port-channel load-balance (dst-mac | src-mac | src-dst-mac | dst-ip | src-

ip | src-dst-ip)
Examples

AsGOS(config-if)# port-channel load-balance dest-mac
3.21.3 lacp port-priority

Sets the priority for an Ethernet member link, also known as an Ethernet port in an IEEE
802.3ad link aggregation group (LAG) bundle. The member link with the lowest numerical priority
value has the highest priority. The Ethernet member link with the highest priority is selected first to
join the LAG bundle. The <no version> command restores the default priority value, 32768.
Command Syntax
lacp port-priority <priority-value>
76
AsGa LightB
priority-value, the range is 1 to 65535. By default, the priority value is 32768. The lower the
range, the most likely the interface will be used for LACP transmission.
Command Mode
Interface mode
Usage
lacp port-priority <priority-value>
Examples

AsGOS(config)# port-channel load-balance dest-mac
AsGOS(config)# lacp port-priority 20000
3.21.4 lacp timeout

Periodic transmissions of LACP PDUs occur at either a slow or fast transmission rate,
depending upon the expressed LACP timeout variable (Long Timeout or Short Timout).
Command Syntax
lacp timeout (short|long)
timeout Number of seconds before invalidating a received LACP data unit (DU).
short LACP short timeout. Default short timeout value is 3 seconds.
long LACP long timeout. Default long timeout value is 90 seconds.
Command Mode
Config global mode
Examples

AsGOS(config)# channel-group 20 mode lacp active
AsGOS(config)# port-channel load-balance dest-mac
AsGOS(config)# lacp port-priority 20000
AsGOS(config)# lacp timeout short
3.21.5 lacp system-priority

The LACP system ID is the combination of the LACP system priority value and the MAC
address of the switch. This command set the System ID for the LACPPDU´s to be exchanged.
Command Syntax
lacp system-priority [System –Priority] <1-65535>

system-priority LACP system priority
SYS-Priority LACP system priority <1-65535> default 32768
77
AsGa LightB
Command Mode
Config Global mode
Examples
AsGOS(config)# lacp system-priority 20000
3.21.6 Show lacp counters

This command show all lacp related counters.
Command Syntax
show lacp <Port-channel ID> counters
Command Mode
Exec mode
Examples
AsgOS#show lacp 1 counters

% Traffic statistics
Port LACPDUs Marker Pckt err
Sent Recv Sent Recv Sent Recv
% Aggregator port-channel1 1000000
ge10 6 10 0 0 0 0
ge12 6 7 0 0 0 0
3.21.7 Show etherchannel detail

This command shows the ethernet channel details.
Command Syntax
show etherchannel detail
Command Mode
Exec mode
Examples
AsgOS#show etherchannel detail

% Mac address: 00:14:fa:00:29:d5
% Admin Key: 0001 - Oper Key 0001
% Receive link count: 1 - Transmit link count: 0
% Individual: 0 - Ready: 1
% Partner LAG- 0x8000,00-14-fa-00-2a-08
% Link: ge10 (5010) sync: 1
% Link: ge12 (5012) sync: 1
78
AsGa LightB
3.21.8 Show etherchannel summary
Command Syntax
Show etherchannel summary
Command Mode
Exec mode
Examples
AsgOS#show etherchannel summary

% Admin Key: 0001 - Oper Key 0001
% Link: ge10 (5010) sync: 1
% Link: ge12 (5012) sync: 1
3.21.9 show port etherchannel

Command Syntax
Show port etherchannel ge10
Command Mode
Exec mode
Examples
AsgOS#show port etherchannel ge10

% LACP link info: ge10 - 5010
% LAG ID: 0x8000,00-14-fa-00-29-d5
% Partner oper LAG ID: 0x8000,00-14-fa-00-2a-08
% Actor priority: 0x8000 (32768)
% Admin key: 0x0001 (1) Oper key: 0x0001 (1)
% Physical admin key:(1)
% Receive machine state : Current
% Periodic Transmission machine state : Slow periodic
% Mux machine state : Collecting/Distributing
% Oper state: ACT:0 TIM:0 AGG:1 SYN:1 COL:1 DIS:1 DEF:0 EXP:0
% Partner oper state: ACT:1 TIM:0 AGG:1 SYN:1 COL:1 DIS:1 DEF:0 EXP:0
% Partner link info: admin port 0
% Partner oper port: 5010
% Partner admin LAG ID: 0x0000-00:00:00:00:0000
% Admin state: ACT:0 TIM:0 AGG:1 SYN:0 COL:0 DIS:0 DEF:1 EXP:0
% Partner admin state: ACT:0 TIM:0 AGG:1 SYN:0 COL:0 DIS:0 DEF:1 EXP:0
% Partner system priority - admin:0x8000 - oper:0x8000
% Aggregator ID: 1000000
79
AsGa LightB
3.22 VLAN Classifier.
3.22.1 Introduction
Vlan classifier is a feature that tags arriving packets with a specified vlan tag based in some
packet parameters. It is an extension to the IEEE 802.1v, VLAN Classification by Protocol and Port.
This feature can be used too with Q-in-Q and, in this case, the vlan classifier is used to select the new
packet outer-tag.
The packet parameters that are used to select the packet vlan can be separated in three
classes: MAC, Ipv4 Subnet and Protocol. The last one, Protocol based vlan classifier, is associated
with IEEE 802.1v specification. Rules can be created for all the three classes and these rules can be
associated together in groups but the action differ from Protocol based to MAC/Subnet based rules
when installing a group into an interface. We can select which Protocol rules we can enable in an
interface but for MAC/Subnet we can't; when a group with MAC/Subnet rules is installed into an
interface, all MAC/Subnet rules are installed into that interface. In commands description we will see
this aspect in more details.
When a group have all three classes rules, the hierarchy of rules is this: first MAC, than Subnet
and then Protocol.
3.22.2 Exec mode commands

In Exec mode we have information commands that shows rules created, groups created and
so.
3.22.2.1 Show Vlan Classifier Rules

Command:
Show vlan classifier rule (<1-1298>|<cr>)

<1-1298> Vlan classifier rule id
<cr> All rules
Description:
Show vlan classifier rules created. If a rule number is specified, display only the configuration of
rule with that number. If no rule number is given, than display the configuration of all rules.
3.22.2.2 Show Vlan Classifier groups

Command:
show vlan classifier group (<1-16>|<cr>)

<1-16> Group Id
<cr> All groups
Description:
Show vlan classifier groups created and the rules associated. If a group number is specified,
display only the configuration of group with that number. If no group number is given, than display the
configuration of all groups.
3.22.2.3 Show Vlan Classifier Groups interface configuration

Command:
80
AsGa LightB
show vlan classifier interface group (<1-256>|<cr>)
<1-256> Group Id
<cr> All groups
Description:
Show interfaces with vlan classifier groups configured. If a group number is specified, display
only interfaces with this group number installed. If no group number is given, display all interfaces with
an group installed, showing the group number that is installed.
3.22.3 Configure mode commands

In Configuration mode we have commands to create and remove rules and groups and
associate or disassociate rules to groups.
3.22.3.1 Create a Vlan Classifier Protocol rule

Command:
vlan classifier rule <1-16> proto PROTO encap ENCAP vlan <2-4094>
<1-16> Vlan classifier protocol rule id
PROTO Specify an ethernet protocol classification (see Table 1
for all options)
ENCAP Specifify packet encapsulation (see Table 2 for all
options)
<2-4094> Vlan Identifier
Description:
Create an Ethernet protocol based rule. The first parameter identifies the rule. PROTO and
ENCAP parameters specify which Ethernet protocol and encapsulation must match to assign the vlan
configured by the last parameter. To see all options to PROTO and ENCAP, see Table 3.4 and Table
3.5 respectably.
<0-65535> ethernet decimal

arp Address Resolution
atalkaarp Appletalk AARP
atalkddp Appletalk DDP
atmmulti MultiProtocol Over ATM
atmtransport Frame-based ATM Transport
dec DEC Assigned
deccustom DEC Customer use
decdiagnostics DEC Diagnostics
decdnadumpload DEC DNA Dump/Load
decdnaremoteconsole DEC DNA Remote Console
decdnarouting DEC DNA Routing
declat DEC LAT
decsyscomm DEC Systems Comms Arch
g8bpqx25 G8BPQ AX.25
ieeeaddrtrans Xerox IEEE802.3 PUP Address Translation
ieeepup Xerox IEEE802.3 PUP
ip Internet Protocol
ipv6 Internet Protocol version 6
ipx IPX
pppdiscovery PPPoE discovery
pppsession PPPoE session
rarp Reverse Address Resolution
81
AsGa LightB
x25 CCITT X.25
xeroxaddrtrans Xerox PUP Address Translation
xeroxpup Xerox PUP
Table 3.4: Protocol options
ethv2 ethernet v2
nosnapllc llc without snap encapsulation
snapllc llc snap encapsulation
Table 3.5: Encapsulation options
3.22.3.2 Create a Vlan Classifier MAC rule

Command:
vlan classifier rule <17-1037> mac MAC vlan <2-4094>

<17-1037> Vlan classifier MAC rule id
MAC Vlan classifier SRC MAC address
Description:
Create an MAC based rule. The first parameter identifies the rule. MAC parameter specify the
source MAC address that must match to assign the vlan specified in the last parameter to the packet.
3.22.3.3 Create a Vlan Classifier Subnet rule

Command:
vlan classifier rule <1038-1293> ipv4 IP/M vlan <2-4094>

<1038-1293> Vlan classifier IP rule id
IP/M Vlan classifier IPv4 address and subnet mask
Description:
Create an Subnet based rule. The first parameter identifies the rule. IP/M parameter specify the
source subnet (in A.B.C.D/M format) that must match to assign the vlan specified in the last
parameter to the packet.
3.22.3.4 Delete Vlan Classifier rule

Command:
no vlan classifier rule <1-1293>

<1-1293> Vlan classifier rule id
Description:
Delete rule identified by the number given. The rule is remove from all groups associated ant
interfaces too.
82
AsGa LightB
3.22.3.5 Associate a Vlan Classifier Protocol rule to a Vlan Classifier
Group
Command:
vlan classifier group <1-16> add rule <1-16>

<1-16> Vlan classifier group id
Description:
Add to group identified by the first parameter the protocol based rule identified by the second
parameter. We can select which protocol based rules we want to associate with the group. If the
group doesn't exist, it is created.
3.22.3.6 Associate all Vlan Classifier MAC rules to a Vlan Classifier

Group
Command:
vlan classifier group <1-16> add rule mac

Description:
Add to group identified by the first parameter all MAC based rules created. When a new MAC
based rule is created, it is automatically associat with all groups that have this configuration. We can't
select which MAC based rules we want to associate with the group, it is all or none. If the group
doesn't exist, it is created.
3.22.3.7 Associate all Vlan Classifier Subnet rules to a Vlan Classifier

Group
Command:
vlan classifier group <1-16> add rule ipv4

Description:
Add to group identified by the first parameter all Subnet based rules created. When a new
Subnet based rule is created, it is automatically associate with all groups that have this configuration.
We can't select which Subnet based rules we want to associate with the group, it is all or none. If the
group doesn't exist, it is created.
3.22.3.8 Disassociate a Vlan Classifier Protocol rule to a Vlan Classifier

Group
Command:
no vlan classifier group <1-16> add rule <1-16>

83
AsGa LightB
Description:
Remove from group identified by the first parameter the protocol based rule identified by the
second parameter. The rule is automatically removed from all interfaces that has this group installed.
3.22.3.9 Disassociate all Vlan Classifier MAC rules to a Vlan Classifier

Group
Command:
no vlan classifier group <1-16> add rule mac

Description:
Remove from group identified by the first parameter all MAC based rules created. All rules are
automatically removed from all interfaces that has this group installed.
3.22.3.10 Disassociate all Vlan Classifier Subnet rules to a Vlan Classifier

Group
Command:
no vlan classifier group <1-16> add rule ipv4

Description:
Remove from group identified by the first parameter all Subnet based rules created. All rules
are automatically removed from all interfaces that has this group installed.
3.22.3.11 Delete a Vlan Classifier group
Command:
no vlan classifier group <1-16>

Description:
Delete group identified by the given parameter. The group is automatically removed from all
interfaces that it is installed.
3.22.4 Interface mode commands
3.22.4.1 Install a Vlan Classifier group into interface

Command:
vlan classifier activate <1-16>

84
AsGa LightB
Description:
Install into the interface the vlan classifier group identified by the given parameter. If there was
an old group installed, the old group is removed and the new one is installed.
3.22.4.2 Uninstall a Vlan Classifier group into interface

Command:
no vlan classifier activate <1-16>

Description:
Remove from the interface the vlan classifier group identified by the given parameter.
85
AsGa LightB
3.23 Private VLAN Support
3.23.1 Introduction
Private VLANs provide a mechanism to control which devices can communicate within a single
subnet. The private VLAN uses isolated secondary VLANs to control how devices communicate. The
secondary VLANs are assigned to the primary VLAN, and ports are assigned to the secondary
VLANs. Ports in an isolated VLAN cannot communicate with any device in the VLAN other than the
promiscuous port or interswitch link port (*). The figure 3.4 shows these concepts:
Figure 3.4 – Private VLAN Support
The following table describes the communication possibilities between ports in a private vlan domain.
Table 3.6 - Communication possibilities in a private vlan domain.
(*) Please note that this asymmetric behavior is for traffic traversing inter-switch link ports over an
isolated VLAN only. Traffic from an inter-switch link port to an isolated port will be denied if it is in the
isolated VLAN. Traffic from an inter-switch link port to an isolated port will be permitted if it is in the
primary VLAN.
3.23.2 Configuring Private VLANs.
3.23.2.1 Creating an Associated Private VLAN.
Command:
vlan <VLAN-ID> associate isolated <VLAN-ID>
86
AsGa LightB
Description:
This command makes the association between a VLAN ID and an isolated one. An isolated VLAN is
a secondary VLAN whose distinctive characteristic is that all hosts connected to its ports are isolated
at Layer 2.
Command Mode:
Configuration mode
VLAN Database context
Examples:
SW-1(config)#vlan database
SW-1(config-vlan)#vlan 1000 associate isolated 1100
3.23.2.2 Setting interfaces as Host or Promiscuous mode.

Command:
switchport mode private-vlan <host | promiscuous>
host Set private-vlan mode as host

Promiscuous Set private-vlan mode as promiscuous
Description:
This command associate a port as a Host port or a Promiscuous port
Command Mode:
Configuration mode
Interface Context
Examples

AsGOS(config) #interface Ge1
AsGOS(config_if) # switchport mode private-vlan host
Port Ge1 has been configurated as host port

AsGOS(config_if) # switchport mode private-vlan promiscuous
Port Ge1 has been configurated as Promiscuous port
3.23.2.3 Associating VLANs to Host or Promiscuous interfaces.

Command:
switchport private-vlan (host-association | mapping ) <VLAN-ID> <VLAN-ID>
host-association: Set the primary and secondary VLANs in host mode to

Xmit/TX through the Layer2 interface
87
AsGa LightB
mapping : Set the primary and secondary VLANs in promiscuous
mode to Xmit/TX through the Layer2 interface
VLAN-ID <2-4094> Primary VLAN that will be added
VLAN-ID <2-4094> Primary VLAN that will be added
Description:
Ths command associate VLANs IDs to host ports or promiscuous ports.
Command Mode:
Configuration mode
Interface context
Examples

AsGOS(config_if) # switchport mode private-vlan host
AsGOS(config_if) # switchport private-vlan host-association 1000 1100
Or

AsGOS(config_if) # switchport mode private-vlan promiscuous
AsGOS(config_if) # switchport private-vlan mapping 1000 1100
3.23.2.4 A complete configuration example

The following picture show a typical example for private VLAN configuration with two host port
an one promiscuous port. Traffic will be only permitted through the promiscuous port. Traffic will not
be permitted through hosts ports.
Figure 3.5 - Private VLAN configuration with two host port and one promiscuous port.
Configuration
VLAN Database configuration:
SW-1#show vlan database

!
88
AsGa LightB
vlan database
vlan 500 name VLAN0500

vlan 2000 associate isolated 2100
Interfaces Configuration
interface ge12
switchport
switchport mode private-vlan promiscuous
switchport private-vlan mapping 2000 2100
!
interface ge13
switchport
switchport mode private-vlan host
switchport private-vlan host-association 2000 2100
!
interface ge14
switchport
switchport mode private-vlan host
switchport private-vlan host-association 2000 2100
!
89
AsGa LightB
3.24 VLAN Translation
3.24.1 Selective Queue-in-queue

Selective Queue-in-queue is a feature that translates incoming customer vlans into a new
carrier network vlan, without removing the original customer tag. The result from this process is a
double tagged packet, with the customer tag as the inner tag and the new carrier tag as the outer tag.
The following picture schematizes the operation.
Figure 3.6 - Selective Queue-in-queue operation.
To enable selective Q in Q on a particular interface, AsGOS provides the following commands

in the AsGOS command line:
Command Syntax
Enable the Q in Q mechanism with the command:
switchport vlan-translate
Configure the translation rule:
switchport translate qinq from <OLDVID> to <NEWVID>
OLDVID: is the original custumer vlan id that will be translated from.

NEWVID: is the new carrier vlan id that translation will add.
90
AsGa LightB
Command Mode.
Interface Context.
Default
No defaults to this command.
Examples
The following picture describes a simple setup. The idea of this setup is to double tag an incoming
packet based in its original customer tag (ct) adding a carrier tag (st).
Figure 3.7 – Setup operation.
In this setup we have a flow of tagged packets entering in a switch access port, port ge1, and
exiting in a switch trunk port, port ge23. The abstraction of this setup is that in port ge1 we have the
customer network and in port ge24 we have the carrier network connected. The customer traffic
wants to enter carrier network, and for that, the switch adds a new tag to the packet that will be used
to switch the traffic inside the carrier network. The packet that exits in ge23 has two tags, as show in
Figure 3.7. The following commands show the configuration steps:
COMMAND DESCRIPTION
To enter in configuration mode ingress
AsGa> enable
the enable command and press enter.
AsGa# interface Ge1 Enter into interface configuration mode
AsGa(config-if)#switchport access
Configure the default access VLAN
vlan 333
AsGa(config-if)# switchport vlan- Define the switch port mode as vlan
translate translate
AsgOS(config-if)#switchport Define the translation rule. VLAN 33
translate qinq from 13 to 33 will be mapped to VLAN 13 (Note1)
NOTE1: Different rules can be mapped to a single interface. LightBolt switches support up to 768
VLAN translates rules.
This configuration translate customers vlan 13 to carrier vlan 33. After this configuration take
effect ; the switch starts to add vlan 33 as carrier tag only to packets that match the rules. All other
tagged packets that arrive in port ge1 are double tagged with interface default vlan id (VLAN ID 333)
as untagged packets are single tagged with interface default vlan id as well. Trunk port ge23 must
have vlan id 33 added as an allowed vlan.
91
AsGa LightB
Traffic arriving from the carrier network with a double-tag that goes out through customer port,
but single-tagged. The configuration is the same from the previous test.
3.24.2 Vlan Translate Swap

Vlan swap is a different process that adds a new carrier tag in a customer packet. The
difference between vlan translation and vlan swap is that in vlan swap the customer vlan tag is
removed and the carrier vlan tag is added. The following figure (Figure 3.8) show what happens to a
customer packet before and after vlan swap.
Figure 3.8 – Vlan Translate Swap.

The main difference in “vlan swap mode” is that the customer tag information is lost after the
swap process. This means that, when the packet arrives in a customer port in the other network side,
to recover the original customer tag, we must use the Vlan Translate Egress.
To use Vlan Translate Swap, AsGOS provides the following commands in the AsGOS
command line:
Command Syntax

switchport translate swap from <OLDVID> to <NEWVID>
OLDVID is the original customer vlan id that will be translated from and then will be removed.
NEWVID is the new carrier vlan id that translation will add.
Command Mode.
Interface Context.
92
AsGa LightB
Default
Examples
The following picture (Figure 3.9) describes the test setup created. The idea of this setup was
to swap an incoming packet based in his original customer tag (ct), swapping to a carrier tag (st).
Figure 3.9 – Setup operation.
In this setup a flow of tagged packets enter in access switched port, port ge1, and exiting in a
switch trunk port, port ge23. The abstraction of this setup is that in port ge1 we have the customer
network and in port ge24 we have the carrier network connected. The customer traffic wants to enter
carrier network, and for that, the switch changes its original customer tag to a new carrier tag. Notice
that the original tag is removed and a new is added when using this process and not a new tag is
added over the original tag like when using vlan translate.
Commands for this configuration are:
COMMAND DESCRIPTION
AsGa> enable
Configure the default access VLAN.
vlan 333
translate translate
AsgOS(config-if)# switchport
Define the translation swap rule.
translate swap from 13 to 33
This configuration changes (swap) the customer tags 13 to a new carrier tag 33. The old tags
are not preserved inside the packet; only the new tag will take effect. Trunk on port ge23 must have
vlan id 33 added as an allowed vlan.
3.24.3 Vlan Translate Egress

Vlan Translate Egress is a process that recovers the customer tag by adding the customer tag
and removing the carrier tag when the packet exits the switch. The main advantage of this is that the
switch doesn't need to have the customer tag in its vlan id table.
93
AsGa LightB
To use Vlan Translate Egress, AsGOS provides the following commands in the AsGOS
command line:
Command Syntax


switchport translate swap egress from <OLDVID> to <NEWVID>
OLDVID is the carrier vlan id that will be translated from and will be removed
NEWVID is the original customer vlan id that translation will recover
Command Mode
Interface Context.
Default
Examples
The next test is a returning packet that arrives in a carrier port with a carrier vlan tag and exits
in a customer tag; remember that all switching is done using the carrier tag, even the customer port.
Figure 3.10 describes this test.
Figure 3.10 – Returning packet test.
In this setup we have a flow of tagged packets entering in a switch trunk port, port ge23, and
exiting in a switch access port, port ge1. The abstraction of this setup is that in port ge1 we have the
customer network and in port ge23 we have the carrier network connected. The customer traffic
wants to receive traffic from carrier network, and for that, the switch recovers the original customer
tag. Notice that the carrier tag is removed and customer tag added when using this process.
Commands for this configuration are:
COMMAND DESCRIPTION
AsGa> enable
94
AsGa LightB
Configure the default access VLAN.
vlan 333
translate translate
AsgOS(config-if)# switchport
Define the translation rule.
translate swap egress from 33 to 13
This configuration changes (swap) the carrier tag 33 to customer tag 13. Remember that the
old tags are not preserved inside the packet, only the new tag. Trunk port ge23 must have vlan id 33
added as an allowed vlan, but the switch doesn't need to have customer vlan 13 added on its vlan
table.
3.25 Quality of Service
3.25.1 Introduction
Quality of Service (QoS) refers to the capability of a network to provide better service to select
(classify) network traffic. The primary goal of QoS is to provide priority including dedicated bandwidth,
controlled jitter and latency (required by some real-time and interactive traffic), and improved loss
characteristics. Also important is making sure that providing priority for one or more flows does not
make other flows fail.
The main building blocks of QoS concepts, inside of a network element are:
• Classification
• Congestion Management
• Congestion Avoidance
• Policing and Shaping
Figure 3.11 – QoS concepts.
95
AsGa LightB
Figure 3.12 – QoS concepts.
3.25.2 Ethernet Marking

The IEEE 802.1p standard provides traffic class expediting. It enables Layer 2 switches to
prioritize traffic. The 802.1p defines 3 bits in the header for classification, which helps classifying
traffic into eight different traffic classes. It should be noted that 802.1p is an extension of 802.1Q
standard and they work together. The following figure shows an Ethernet 802.1q frame and the TAG
byte where the Priority bits are located.
Figure 3.13 - Ethernet 802.1q frame and the TAG byte where the Priority bits are located.
IEEE has put forth recommendations on various traffic types, corresponding traffic classes, and
priorities to be used with 802.1p standard. They are listed in the following table:
Traffic class Priority
Default priority tagged 0
Background 1
Voice 2
Video 3
Controlled Load 4
Excellent Effort 5
Best Effort 6
Network Control 7
Table 3.7 - Traffic class
Internally, switches will use those bits in order to map different traffic classes to different priority
queues. So almost all COS classes can be mapped to a Queue.
96
AsGa LightB
3.25.3 L3 Packet Markings
Similar to Layer 2 headers, the IP header has fields that can be used to classify traffic groups.
The most widely used L3 marking techniques are Type of Service (ToS) and DSCP. The figure below
shows a typical IP header making reference to a ToS or DSCP Bits.
Figure 3.14 - IP header making reference to a ToS or DSCP Bits.
3.25.3.1 ToS
ToS was originally defined in RFC 791 and 795 and was further modified/updated by other
RFCs like RFC 1122, RFC 1123, and RFC1349. Although the field has been there for quite some
time, it has not been widely used. Its use has been superseded by DSCP today.
Figure 3.15 – ToS
• IP precedence—three bits (P2 to P0)

• Delay, Throughput and Reliability—three bits (T2 to T0)
• ECN — two bits
Binary Decimal Classification

000 0 Routine
001 1 Priority
010 2 Immediate
011 3 Flash
100 4 Flash Override
101 5 Critical
110 6 Internetwork Control
111 7 Network Control
Table 3.8 - ToS precedence meaning
• Delay - when set to 1, the packet requests low delay.

• Throughput - when set to 1, the packet requests high throughput.
• Reliability - when set to '1,' the packet requests high reliability.
97
AsGa LightB
3.25.3.2 Differentiated Service Code Point (DSCP)
Differentiated Services (DiffServ) is a model in which traffic is treated by intermediate systems
with relative priorities based on the type of services (ToS) IPV4 field. Defined in RFC 2474 and RFC
2475, the DiffServ standard supersedes the original specification for defining packet priority described
in RFC 791. DiffServ increases the number of definable priority levels by reallocating bits of an IP
packet for priority marking.
The DiffServ architecture defines the DiffServ (DS) field, which supersedes the ToS field in
IPv4 to make per-hop behavior (PHB) decisions about packet classification and traffic conditioning
functions, such as metering, marking, shaping, and policing.
The RFCs do not dictate the way to implement PHBs; this is the responsibility of the vendor..
Based on DSCP or IP precedence, traffic can be put into a particular service class (Queue). Packets
within a service class are treated the same way.
The six most significant bits of the DiffServ field is called as the DSCP. The last two Currently
Unused (CU) bits in the DiffServ field were not defined within the DiffServ field architecture; these are
now used as Explicit Congestion Notification (ECN) bits. Equipments at the edge of the network
classify packets and mark them with either the IP Precedence or DSCP value. Other network devices
in the core that support Diffserv use the DSCP value in the IP header to select a PHB behavior for the
packet and provide the appropriate QoS treatment.
The following figure specify the DS bits and ECN bits positions.
Figure 3.16 - DS bits and ECN bits positions.
• DSCP—six bits (DS5-DS0)

• ECN—two bits; Explicit Congestion Notification
The DiffServ standard utilizes the same precedence bits (the most significant bits—DS5, DS4
and DS3) for priority setting, but further clarifies the definitions, offering finer granularity through the
use of the next three bits in the DSCP. DiffServ reorganizes and renames the precedence levels (still
defined by the three most significant bits of the DSCP) into these categories.
Precedence Level Description

7 Stays the same (link layer and routing protocol keep alive)
6 Stays the same (used for IP routing protocols)
5 Express Forwarding (EF)
4 Class 4
3 Class 3
2 Class 2
1 Class 1
0 Best effort
Table 3.9 - DiffServ standard
With this system, a device prioritizes traffic by class first. Then it differentiates and prioritizes
same-class traffic, taking the drop probability into account.
The DiffServ standard does not specify a precise definition of "low," "medium," and "high" drop
probability. Not all devices recognize the DiffServ (DS2 and DS1) settings; and even when these
settings are recognized, they do not necessarily trigger the same PHB forwarding action at each
network node. Each node implements its own response based on how it is configured.
98
AsGa LightB
3.25.3.2.1 Assured Forwarding
RFC 2597 defines the assured forwarding (AF) PHB and describes it as a means for a provider
DS domain to offer different levels of forwarding assurances for IP packets received from a customer
DS domain. There are four AF classes, AF1x through AF4x. Within each class, there are three drop
probabilities. Depending on a given network's policy, packets can be selected for a PHB based on
required throughput, delay, jitter, loss or according to priority of access to network services.
Classes 1 to 4 are referred to as AF classes. The following table illustrates the DSCP coding for
specifying the AF class with the probability. Bits DS5, DS4 and DS3 define the class; bits DS2 and
DS1 specify the drop probability; bit DS0 is always zero.
Drop Class 1 Class 2 Class 3 Class 4
001010 010010 011010 100010
Low AF11 AF21 AF31 AF41
DSCP 10 DSCP 18 DSCP 26 DSCP 34
001100 010100 011100 100100
Medium AF12 AF 22 AF32 AF42
001110 010110 011110 100110
High AF13 AF23 AF33 AF43
Table 3.10 - DSCP coding for specifying the AF class with the probability.
3.25.3.2.2 Expedited Forwarding
RFC 2598 defines the Expedited Forwarding (EF) PHB: "The EF PHB can be used to build a
low loss, low latency, low jitter, assured bandwidth, end-to-end service through DS (Diffserv) domains.
Such a service appears to the endpoints like a point-to- point connection or a "virtual leased line."
This service has also been described as Premium service." Codepoint 101110 is recommended for
the EF PHB, which corresponds to a DSCP value of 46.
Again, vendor-specific mechanisms need to be configured to implement these PHBs. Refer to
RFC 2598 for more information about EF PHB.
3.25.3.3 Classification
Packet classification features provide the capability to “partition” network traffic into multiple
priority levels or classes of service. For example, using the three precedence bits in the type of
service (ToS) field of the IP packet header—two of the values are reserved for other purposes—you
can categorize packets into a limited set of up to six traffic classes. After you classify packets, you can
utilize other QoS features to assign the appropriate traffic handling policies including congestion
management, bandwidth allocation, and delay bounds for each traffic class.
LightBolt switches utilize the most advanced processing technology for classifying flows. Highly
parallel processors specifically designed for that process are allocated per port base. Those
processors work independently from all CPU activities. So the total CPU load can be maintained at
very low utilization index also in situations in which all ACL and content aware procedures are fully
matched on 10GigE ports (for example).
The following table summarizes the available methods for classifying packets.
Feature Direction
Ingress Egress
Marking YES YES
Match with ACL YES YES
Match with DSCP YES YES
Match with IP Precedence YES YES
Match with COS YES YES
Trust on DSCP YES NO
Trust on COS YES NO
Trust on IP Precedence YES NO
Table 3.11 - Methods for classifying packets.
99
AsGa LightB
3.25.3.3.1 Using ACL as clasification method.
You can use IP standard, IP extended, and Layer 2MAC ACLs to define a group of packets
with the same characteristics (class).
If a match with a permit action is encountered (first-match principle), the specified QoS-related action
is taken.
Examples of ACLs classification:
This example shows how to allow access for only those hosts on the three specified networks.
The wildcard bits apply to the network portions of the network addresses. Any host with a source
address that does not match the access list statements is rejected and no QoS action will be taken.
Step#1 Define the ACLs
AsGoS(config)# access-list 1 permit 192.5.255.0 0.0.0.255

AsGoS config)# access-list 1 permit 128.88.0.0 0.0.255.255
AsGoS (config)# access-list 1 permit 36.0.0.0 0.0.0.255
Step#2 Aplying Access list to a class map and then policy map.
class-map match-all CLASS-1

match access-group 1
policy-map POLICE-1
class CLASS-1
set cos 5
Step#3 Aplying the policer to an interface
AsgOS#sh run int ge4

!
interface ge4
switchport
service-policy input POLICE-1
!
AsgOS#
3.25.3.3.2 Trust as classification method.
Command Syntax
AsGos(config)#QOS trust
By default, switch ports on the LightBolt are not trustable with respect to QoS. This means that
the 802.1p value or the DSCP value in packets received on the port is ignored. In addition the 802.1p
and DSCP values in frames received under the untrusted mode of operation are reset to zero.
When a port is configured to be trusted, the QoS settings in the 802.1p and DSCP fields are
preserved and are used to define the priority of the packet as it passes through the switch and also
determines the CoS queue assignment on the egress port unless the packet matches a QoS policy
rule. If the packet matches a QoS policy rule, the priority of the packet is determined by the. Action
defined in the policy rule.
The trust or untrusted modes are set at global configuration mode.
100
AsGa LightB
Command Mode
Global configuration mode.
Default
All ports are in untrusted mode
Examples
AsGos# configure terminal

AsGos(config_t)# QoS trust
AsGoS(config_t)# exit
3.25.4 Queuing
LightBolt switches have been designed using the best technology available in today Ethernet
switching. LightBolt architecture is base on two concepts named “Output Queuing” (OQ) and “Shared
Memory Switching” (SMS) architectures.
Shared Memories architectures offer the optimal approach to exploit the benefits of output
queuing without being limited by poor burst absorption capabilities.
Output buffer architectures offer the best switching characteristics in terms of delay and
throughput. In an output queue switch every arriving packet will be transported to its output queue
without delay and enqueued at that queue. In terms of performance this architecture offers the
following advantages:
• Lower switching delay

• Highest switching throughput.
• Excellent burst absobtion
A shared memory switch is an output queue switch in which all ingress and egress ports have
access to a common memory pool of buffer resources. This architecture can significantly improve the
available amount of buffer resources available to any port and improve the burst absorption.
Lightbolt switches have shared memory architecture in addition to a small static buffer
allocation per port. During normal operation Static buffer Resources are consumed and under high
load interval shared buffer resources can be used.
3.25.4.1 Scheduling modes.

LightBolt switching architecture provides the following scheduling architectures:
• strict-priority
• round-robin
• weight-round-robin
• deficit-round-robin
Those scheduling methods can be independently applied per port basis.
101
AsGa LightB
3.25.4.1.1 Strict Priority
The strict priority scheduler provides strict access to the egress port across COS Queues from
de highest cos Queue to the lowest. The purpose of strict priority is to provide low latency service to
higer COS class of traffics.
Queues are serviced in strict order of queue priority, so the high queue always is serviced first,
then the next-lower priority and so on.
If a lower-priority queue is being serviced and a packet enters a higher queue, that queue is serviced
immediately. This mechanism is good for important traffic, but can lead to queue starvation.
3.25.4.1.2 Round-Robin
The round robin (RR) scheduling mode provides round robbing arbitration mode across
different COS queues. The scheduler visit each backlogged queue servicing a single packet at each
queue before moving to the next one. The purpose of the round robbing scheduler is to provide fair
access to the egress port bandwidth. This scheduler work well when the packet size is approximately
comparable.
3.25.4.1.3 Weight Round Robin
The Weighted Round Robbing (WRR) scheduler provides a weighted round robbing scheme
across the CoS queues. The purpose of WRR is to provide weighted access to the egress port
bandwidth.
In WRR mode, the scheduler provides access to each CoS in Round Robbing order. When the
scheduling process is providing access to a particular CoS queue it service a configurable number of
back-to-back of packets before moving on the subsequent CoS Queue. Each CoS queue has an
associated value of weights coming from 1 to 15 (Cero value has an internal meaning). These values
are used to indicate that between 1 and 15 back-to-back packet are to be serviced when the
scheduler is servicing a particular CoS queue. If the weight setting is N but if there are < N parquets
in the queue, the scheduler continue working and move to the next backlogged queue.
3.25.4.1.4 Deficit Round Robin
An inherent limitation of WRR method is that bandwith is allocated in terms of packets. WRR
works well if the packet size for each coarse-grained CoS queue flow is know. In most instances
however, this attribute is traffic dependent and can vary over time. The Deficit round robbing (DRR)
mode is aimed at addressing this issue. DRR provide bandwith allocation scheduler mode that take
into account the variability-sized packet issue by maintaining sufficient state information when
arbitrating across the CoS queues.
The goal of DRR is to provide coarse-grained flow isolation and bandwith sharing when
arbitrating access to a link among contending CoS flows. This is accomplished by using a modified
form of round robbing service. A set of queues is service by the RDD scheduler, where each queue is
associated with a particular CoS. These queues are serviced in round robbing order while taking into
account two state variables: “the quantum” and “the credit counter”. Each CoS queue has associated
with it a configurable quantum, similar to a WRR weight values. However, the unit for the quantum is
in bytes. The purpose of the credit counter is to track the overuse of bandwith by a particular CoS
queue relative to its specified quantum.
DRR operates by servicing the set of backlogged queues in packet round robin order. Initially,
each queue sets its credits counters to its associated (and configurable) quantum values. Every time
a packet from CoS queue is sent, the size of the packet is subtracted from the corresponding credit
counter. When the credit counter drop below 0, the queue is no longer serviced until its credits are
replenished. All queues are serviced until either they are empty or their counters credit is negative.
102
AsGa LightB
When this occurs, the credits are replenished. When the credits are replenished, a quantum of credit
are added to each CoS queue credit counter. The quantum for each CoS queue may differ based on
the configuration.
3.25.5 Queuing commands
3.25.5.1 Queuing profile

In order to encapsulate some queuing definitions AsGOS define a “queuing profile” which will
be applied then on interfaces for Queuing. Queuing profile is a named definition which can be used on
interface context to define its queuing characteristics. Queuing profile have the following syntaxes and
procedure included.
Command Syntax
#qos queue-profile WORD

queue-profile Configure QoS Queue Profile
WORD Queue Profile name
Command Mode
Configuration mode
Default
No default
Examples

AsGOS(config)# qos queue-profile PROFILE-1
AsgOS(config-queue-profile)#
3.25.5.1.1 Scheduling configurations
Inside of a queuing profile is possible define a unique Scheduler for queue attendant. The
following commands show the configuration steps.
Command Syntax
set scheduler <deficit-round-robin|round-robin|strict-priority|weight-

round-robin>
scheduler queue serve mode
round-robin: Set the scheduling mode in Round Robin

strict-priority: Set the schedulign mode in strict preiority mode.
weight-round-robin: Set the scheduling mode in Weight Round Robin.
deficit-round-robin: Set the scheduling mode in Deficit Weight Round
Robin.
3.25.5.1.2 Defining Weights Case WRR
Command Syntax
# set weight packets (strict |<1-15>) (strict |<1-15>) (strict |<1-

15>) (strict |<1-15>) (strict |<1-15>) (strict |<1-15>) (strict |<1-15>)
(strict |<1-15>)
103
AsGa LightB
Set the weight from 1 to 15 for each COS queue in packet units or Strict priority. Those
weights are assigned in sequence from queue number 0 to queue number 7.
Command Mode
Configuration mode.
Queuing profile context.
Default
No default
Examples

AsgOS(config-queue-profile)# set weight packets 2 2 3 4 5 10 15 15

AsgOS(config-queue-profile)# set weight packets 2 2 3 4 6 8 strict
strict
3.25.5.1.3 Defining Weights Case DRR
Command Syntax
set weight kilobytes <5-300000> <5-300000> <5-300000> <5-300000> <5-300000>

<5-300000> <5-300000> <5-300000>
Set the weight for each COS queue in Kilobyte units. Those weights are assigned in sequence from
queue number 0 to queue number 7.
Command Mode
Configuration mode.
Default
No default
Examples

AsgOS(config-queue-profile)# set weight kilobytes 30000 20000 2000
1000
104
AsGa LightB
3.25.5.1.4 Defining Badwith for each Queue
Command Syntax
Set bandwidth (0|<64-10500000>) (0|<64-10500000>) (0|<64-10500000>)

(0|<64-10500000>) (0|<64-10500000>) (0|<64-10500000>) (0|<64-10500000>)
(0|<64-10500000>)
This command set the committed bandwith for each COS queue bandwith is specified in Kbps
(Kilo Bits per second), and is configures in sequence. Zero value means no bandwith specified.
Those bandwith values are assigned in sequence from queue number 0 to queue number 7.
Command Mode
Configuration mode.
Default
No default
Examples

AsgOS(config-queue-profile)# set bandwidth 5000000 20000000 1000000
500000 256000 128000 64 64
3.25.5.1.5 Defining Maximum Badwith for each Queue

NOTE: This command will be introduce in AsGOS 1.3.2
3.25.5.1.6 Defining Minimum Badwith for each Queue

NOTE: This command will be introduce in AsGOS 1.3.2
3.25.5.2 DSCP to COS default mapping

LightBolt switches support a default DSCP to CoS mapping which is shown on table below,
these mapping can be modified (see “Changing DSCP to COS mapping”).
DSCP value 0-7 8-15 16-23 24-31 32-39 40-47 48-55 56-63
CoS value 0 1 2 3 4 5 6 7
Table 3.12 – DSCP to COS default mapping.
In order to show the actual mapping of DSCP to COS uses the following command “SHOW
QOS” the output of these command is:
AsgOS#show qos
Global configuration:
Switch is in untrust mode
Map DSCP 0 1 2 3 4 5 6 7 to CoS 0
Map DSCP 8 9 10 11 12 13 14 15 to CoS 1
Map DSCP 16 17 18 19 20 21 22 23 to CoS 2
105
AsGa LightB
Map DSCP 24 25 26 27 28 29 30 31 to CoS 3
Map DSCP 32 33 34 35 36 37 38 39 to CoS 4
Map DSCP 40 41 42 43 44 45 46 47 to CoS 5
Map DSCP 48 49 50 51 52 53 54 55 to CoS 6
Map DSCP 56 57 58 59 60 61 62 63 to CoS 7
3.25.5.3 Changing DSCP to COS mapping.

To modify the map content (DSCP to COS), you can use the following command.
Command Syntax
qos map dscp-to-cos <0-63> <0-63> <0-63> <0-63> <0-63> <0-63> <0-63> <0-63>
to <0-7>
<0-63> Specify the DSCP value corresponding to a CoS Value.

<0-7> Specify the CoS valur corresponding to a DSCP value.
Command Mode
Configuration mode
Default (as presented on table)
Default DSCP to CoS
3.25.5.4 DSCP to DSCP mutation map

Default mapping is 1:1. To modify the map content, we specify new DSCP values for specified
old DSCP values. Use the following command to change the default mapping.
Command Syntax
qos map dscp-to-dscp <0-63> <0-63> <0-63> <0-63> <0-63> <0-63> <0-63> <0-
63>
to <0-63>
<0-63> Specify the DSCP to be muted

To <0-63> Specify the DSCP muted.
Command Mode
Configuration mode
Default
No defaults
Examples
AsgOS(config)#qos map dscp-to-dscp 45 32 16 5 20 to 15
106
AsGa LightB
3.25.5.5 CoS to egress queue map
Command Syntax
qos map to-queue <0-7> cos <0-7> <0-7> <0-7> <0-7> <0-7> <0-7> <0-7> <0-7>
<0-7> indicate the Queue number

Cos <0-7> indicate the CoS Values to be mapped t a single Queue, up to
eight CoS values can be mapped to a Single Queue.
Command Mode
Configuration mode.
Global context.
Default
The default mapping is 1:1 so CoS 0 is mapped to Queue 0; CoS 1 is

mapped to queue 1; and so on.
Examples
AsgOS(config)#qos map to-queue 3 cos 2

The example show a single mapping of CoS 2 to a queue 3
AsgOS(config)#qos map to-queue 3 cos 2 4 5 6

The example show a multiple mapping of CoS 2 4 5 6 to a Queue number 3
3.25.5.6 Queuing Show commands
3.25.5.6.1 Show queue profile
The command shows the different queuing profiles available on the system (Available on
AsGos 1.3.2).
AsgOS#show queue-profile
QoS Queue Profile queue1
Scheduler round-robin
Minimum Maximum
Queue Bandwidth Bandwidth
0 10000 100000
1 - -
2 - -
3 - -
4 - -
5 - -
6 - -
7 20000 100000
107
AsGa LightB
QoS Queue Profile queue2
Scheduler weight-round-robin
Weight
Queue Packets
0 1
1 2
2 3
3 4
4 5
5 6
6 7
7 15
3.25.5.6.2 Show queue
AsGOS# show queue (IFNAME)

IFNAME Interface name
This command shows all queuing status for one interface or all interfaces if no interface name
is used. This command only makes sense for physical interfaces.
The command shows information about the mechanisms for memory administration for port.
Each port have eight queues for a better traffic distribution.
Each interface have two mechanism associated with it, at the ingress to control the ingress
traffic with the main objective of prevent congestion on output ports and other at the output witch deal
with possible queue congestion. The input mechanism the control is materialized using control frames
and only under severe congestion situation discarding of frames is applied. At the output, discarding
of frames is the only method for congestion control.
Several counters have been implemented to show the Queuing status. For example:
Interface...................................... xe4
Ingress buffer utilization

Pause threshold utilization..............................................64.0% (sending pause)
Discard threshold utilization...........................................0.0%
Pause reset at................................. ……………………50.0%
Egress buffer utilization

Queue 0 maximum available memory utilization... …..0.0%
Queue 0 static memory utilization.............. …………..0.0%
Queue 0 port shared memory utilization......... ………..0.0%
Queue 0 discard reset at.................................................50.0%
Queue 1 maximum available memory utilization..........33.0% (discarding)
Queue 1 static memory utilization.................................77.0%
Queue 1 port shared memory utilization........................20.0%
Queue 1 discard reset at.................................................50.0%
Queue 2 maximum available memory utilization.........0.0%
Queue 2 static memory utilization................................0.0%
Queue 2 port shared memory utilization...................... 0.0%
Queue 2 discard reset at................................................50.0%
Queue 3 maximum available memory utilization.........0.0%
Queue 3 static memory utilization................................0.0%
108
AsGa LightB
Queue 3 port shared memory utilization......................0.0%
Queue 3 discard reset at...............................................50.0%
Queue 4 maximum available memory utilization........0.0%
Queue 4 static memory utilization.............. …………0.0%
Queue 4 port shared memory utilization......... ………0.0%
Queue 4 discard reset at....................... ……………...50.0%
Queue 5 maximum available memory utilization........0.0%
Queue 5 static memory utilization...............................0.0%
Queue 5 port shared memory utilization......................0.0%
Queue 5 discard reset at..............................................50.0%
Queue 6 maximum available memory utilization……0.0%
Queue 6 port shared memory utilization.....................0.0%
Queue 7 maximum available memory utilization.......0.0%
Queue 7 port shared memory utilization.....................0.0%
Matters at the input process:
Pause threshold utilization: this number give an idea about the pause frame threshold status at the input
process on an interface. So when this number reach the 100% the interface star to sending pause frames, and
stop to send it when this number reach the value defines on “Pause reset at”. Keep in mind that this number
represents a “real time” value so at high traffic load it can´t show the “most recent” circumstance.
Discard threshold utilization: This number define the maximum limit before a discarding process start at the
ingress process on a interface. The number result of a real time division between the actual number of packet
on memory and the maximum value accepted before a discarding process start. When this number reach 100%
a discarding process starts.
Pause reset at: This value is a fixed one that defines the value at which the interface stop sending pause
frames and/or stop to discard frames at the ingress process on a interface. By default this value is 50%.
Matters at the output process:
Queue X maximum available memory utilization: this command shows the ratio between the actual total
memory utilization (Static plus dynamic for a particular Queue) and the maximum memory utilization for a
particular queue. This value is used internally by the switch to determinate the future of new packets arriving to
this queue.
When this utilization goes to a lower value than the “discard reset” (fixed by default) parameter the queue free
its discarding state.
Queue X static memory utilization: This command shows the ratio between the actual static memory
utilization and the maximum static memory available for a particular queue.
Queue X port shared memory utilization: This command show the ratio between the actual shared memory
utilization for a particular queue and the maximum shared memory utilization available for that queue.
Queue X discard reset at: this value define a value below a particular queue stop to discard packets, by
defas value is set at 50%.
109
AsGa LightB
3.25.6 Multicast
3.25.6.1 IGMP Multicast Snooping
By default, layer 2 devices such as LightBolt switches treat IP multicast traffic in the same
manner as broadcast traffic – namely by forwarding frames received on one interface to all other
interfaces. This may create excessive traffic on the network and degrade the performance of hosts
attached to the switches. Every frame received by each host generates an interrupt that the host must
process, robbing cycles that might instead be used by applications.
Layer 3 devices have less of a problem with rampant broadcast and multicast traffic because of
their ability to segment networks and forward traffic only to actual destination interfaces.
Consider the example of a heterogeneous Layer 2 and Layer 3 network that does not use
IGMP snooping. The figure 3.15 below shows a simple network in which eight hosts connect to four
Layer 2 switches. The switches in turn connect to one router in the middle.
Figure 3.17 – Multicasting without IGMP snooping
IGMP snooping is the ability for switches to learn witch ports there are hosts interested in
receive multicast traffic for a specific multicast group. Multicast groups are identified by the old Class
D IPs. Important fact: IGMP snooping can be considered as a L2 process that analysis a L3
parameter of traffic.
The learning process is done by listening to the IGMP traffic. By listening to the IGMP Report
and Leave, the switch can learn ports which are hosts that want to join or leave a multicast group. By
listening to the IGMP Query, the switch can also learn ports connect to Mrouters (multicast routers).
The first time that the switch receives an IGMP report for a specific group, it creates an internal
record for this group and add the receive port to it. All others reports received from other ports and all
the Mrouter ports are also added to this group. These processes only occur inside the Vlan domain.
When the switch receives an IGMP leave, it sends a specific IGMP query to that port to verify if
there is another host interested on the group. If not, the switch removes the port from the group and, if
110
AsGa LightB
it is the last port, the group is deleted internally. Every single port of internal information group has an
aging time; if no IGMP report of this group is received until the port aging time, the port is removed
from the group record.
The IGMP queries received are flooded to all Vlan ports. The IGMP reports are forwarded just
to Mrouter ports, and only the IGMP leave generated from the last group host is forwarded to Mrouter
ports.
The switch can act like a fake Mrouter, generating IGMP queries inside the Vlan domain. This
ability is called IGMP queried and it’s very useful to keep the generation of IGMP reports in hosts.
The following figure shows the effect of running IGMP snooping on a network:
Figure 3.18 - Network running IGMP snooping
Applications that use IP multicast, such as those involving streaming media, automatically
handle IP multicast group membership. Users do not have to manually send IGMP messages.
Over time, the IETF has defined three versions of IGMP:
IGMPv1: IETF Request for Comments 1112 (RFC 1112) defines the original version of IGMP. RFC
1112 defines the join message that hosts use to join an IP multicast group. However, IGMPv1 does
not define a method for hosts to leave a multicast group. With IGMPv1, routers must use a timer to
determine which hosts are still members of the group.
IGMPv2: RFC 2236 defines “group leave” messages that enable IP multicast-aware devices to keep
current information on group membership.
IGMPv3: RFC 3376 represents a major revision of IGMP. Instead of the one-transmitter/many-
receiver model of IGMP versions 1 and 2, hosts using IGMPv3 specify lists of transmitters to listen to.
This version is not supported actually by LightBolt switches.
111
AsGa LightB
3.25.6.2 IGMP Snooping show commands.
3.25.6.2.1 Show igmp groups
Show learned groups information, such as VLAN, switch port and aging time. If no parameter
is given, than all entries are displayed. The entries can be filtered by switch interface or group
address. If the detail parameter is given, than the information is displayed in a more complete way.
Command Syntax
show ip igmp groups [A.B.C.D group-address | interface-name] [detail]
A.B.C.D Address of the multicast group. This is a multicast IP address in fou part, dotted-
decimal notation.
IFNAME Interface name.
detail Provides a detailed description of the sources known through IGMP Version
IGMPv3 source information.
<cr> All
Command Mode
Configure mode
3.25.6.2.2 Show mrouter
Show all Mrouters learned or statically added in SVI.
Command Syntax
show ip igmp snooping mrouter < Ifname>
IFNAME VLAN Interface Name
Command Mode
Configure mode
3.25.6.2.3 Show interface IGMP configuration
It shows the IGMP configuration of a SVI. If no parameter is given, than it is displayed the
configuration of all SVIs. If a Vlan interface is specified, than only the configuration of this SVI is
displayed.
Command Syntax
show ip igmp interface <Ifname>
IFNAME SVI Interface Name

<cr> All SVIs
112
AsGa LightB
Command Mode
Configure mode
3.25.6.3 IGMP Snooping configuration comands

3.25.6.3.1 Enable IGMP snooping functionality
Start the IGMP snooping process globally in the switch. By default, IGMP snooping is globally
enabled. Use the No format of this command in order to disable igmp snooping functionality.
Command Syntax
ip igmp snooping
no ip igmp snooping
Default
By default IGMP snooping is enable on LightBollt switches.
Command Mode
Configure mode
Global context
Example
COMMAND DESCRIPTION
AsGa> enable
AsGa# configure terminal Enter in configuration mode.
AsGa(config)# no ip igmp snooping Disable igmp snooping process.
AsGa(config)# end Exit from configuration mode.
3.25.6.3.2 Number of groups-specific IGMP queries sent
Configure the number of group-specific IGMP query sent when a host send a IGMP leave.
Default value is 2. Use the no form of this command to return to the default value.
Command Syntax
ip igmp last-member-query-count <count>
<Count: 2-7> Last Member Query Count value (Default: 2)
Or
no ip igmp last-member-query-count
Command Mode
Configure mode
Interface context or
SVI context
113
AsGa LightB
Examples
COMMAND DESCRIPTION
AsGa> enable
AsGa(config)# interface ge2 Enter into interface configuration context
AsGa(config-if)# ip igmp last-member- Configure the query count to 3
query-count 3
AsGa(config-if)# end Exit from configuration mode.
COMMAND DESCRIPTION
AsGa> enable
AsGa(config)# interface vlan1.200 Enter into SVI configuration context.
AsGa(config-if)# ip igmp last-member- Configure the query count to 3
query-count 3
3.25.6.3.3 Timeout between groups-specific
Configure the time between group-specif IGMP query sent when a host send a IGMP leave, in
miliseconds. Default value is 1000ms. Use the No form of this command to set the default value.
Command Syntax
ip igmp last-member-query-interval < interval>
<interval: 1000-25500> Last Member Query Interval value (Default: 1000

ms)
Or
no ip igmp last-member-query-interval Set the default value of 1000 ms
Command Mode
Configure mode
SVI context
Examples
COMMAND DESCRIPTION
AsGa> enable To enter in configuration mode ingress the enable

AsGa(config-if)# ip igmp last-member-
query-interval 1500 Configure the interval to 1500 ms
114
AsGa LightB
COMMAND DESCRIPTION
AsGa> enable
AsGa(config-if)# ip igmp last-member-
query-interval 1500 Configure the interval to 1500 ms
3.25.6.3.4 Timeout for IGMP querier reelection
Configure the time to wait for a IGMP query from the network querier router until call for a
querier router reelection, in seconds. Default value is 255s.
Command Syntax
ip igmp querier-timeout <time out value>
<60-300>IGMP previous querier timeout value (Default: 255s)
Or
no ip igmp querier-timeout Return the time to wait for a IGMP query from the network
querier route until call for a querier router reelection to default value of 255s.
Default
The default time is 255 seconds
Command Mode
Configure mode
SVI context
Examples
COMMAND DESCRIPTION
AsGa> enable
AsGa(config-if)# ip igmp querier-
timeout 200 Configure the igmp querry time outo to 200 seg
COMMAND DESCRIPTION

AsGa(config-if)# ip igmp querier- Configure the igmp querry time outo to 200 seg
115
AsGa LightB
timeout 200
3.25.6.3.5 IGMP query interval
Configure the interval between IGMP general queries sent by the switch, in seconds. These
queries are sent when the switch is configured as a querier. The IGMP query interval timer is only
updated after the timeout if the previously configuration. Default value is 125s. Use the No from of this
command to return the default value.
Command Syntax
ip igmp query-interval <interval>
<1-18000> Query Interval value (Default: 125 s)
Or
no ip igmp query-interval Return the interval between IGMP general queries sent by the
switch to the default value
Default
By default the querry interval is set to 125s
Command Mode
Configure mode
SVI context
Examples
COMMAND DESCRIPTION
AsGa> enable
AsGa(config-if)# ip igmp query-
interval 50 Configure the igmp querry interval to 50 seconds
COMMAND DESCRIPTION

AsGa(config-if)# ip igmp query-
interval 50 Configure the igmp querry interval to 50 seconds
116
AsGa LightB
3.25.6.3.6 Query maximum response time
Configure the max-response-time parameter of IGMP query packet sent by the switch, in 1/10
of seconds. Default value is 10s. Use the no forma of this command to set its default value
Command Syntax
ip igmp query-max-response-time <time>
<time: 1-240> Query Response Time (Default: 10 s)
Or
no ip igmp query-max-response-time Return the max-response-time parameter of IGMP

query packet sent by the switchto the default value .
Default
By default the querry interval is set to 10s
Command Mode
Configure mode
SVI context
Examples
COMMAND DESCRIPTION
AsGa> enable
AsGa(config-if)# ip igmp query-max- Configure the igmp query max response time to 15
response-time 15 seg
COMMAND DESCRIPTION
AsGa> enable
AsGa(config-if)# ip igmp query-max- Configure the igmp query max response time to 15
response-time 15 seg
3.25.6.3.7 IGMP version
Configure the maximum IGMP version that the switch will operate on. Default value is IGMP
version 2. Use the no forma of this command to return to its default value.
117
AsGa LightB
Command Syntax
ip igmp version <igmp version>
<1-2> Version Number (Default: 2)
no ip igmp version Return the maximum IGMP version that the switch will operate on to the
default value of IGMP version 2.
Default
The IGMP snooping version by default is Version 2
Command Mode
Configure mode
Interface context
Examples
COMMAND DESCRIPTION

AsGa(config-if)# igmp version 1 Enable IGMP version 1 on interface Ge2
3.25.6.3.8 Enable IGMP snooping locally
Start the IGMP snooping process locally in this SVI. By default, IGMP snooping is globally
enabled. Use the no format of this command to return to its default values.
Command Syntax
ip igmp snooping Start IGMP en That SVI interface.
Or
no ip igmp snooping Stop the IGMP snooping process locally in this SVI.
Command Mode
Configuration mode
Interface SVI Context
Examples
COMMAND DESCRIPTION
AsGa> enable
AsGa(config-if)# ip igmp snooping Enable igmp snooping on a SVI.
118
AsGa LightB
3.25.6.3.9 IGMP snooping host fast leave
Enable fast-leave for this SVI. Fast-leave is a process that automatically remove an interface
from a group when a IGMP leave is received, without send any group-specific IGMP query. By default
the SVI operates in a normal leave way, sending group-specific IGMP queries. Use the no forma of
this command to return to its default value.
Command Syntax
ip igmp snooping fast-leave
or
no ip igmp snooping fast-leave Disable fast-leave for this SVI. This is the default
configuration.
Command Mode
Configuration mode
Interface SVI context
Examples
COMMAND DESCRIPTION
AsGa> enable
AsGa(config-if)# ip igmp snooping
fast-leave Enable igmp snooping fast leave on a SVI.
3.25.6.3.10 Add IGMP snooping static Mrouter port
Add a static Mrouter switch port to a SVI. This command must be used carefully, because, if
you add a port with no querier element and you don't have another Mrouter port with a querier
element, all group entries will eventually age and will be removed. Use the no form of this command
to remove a static entry.
Command Syntax
ip igmp snooping mrouter interface <if name>

ifname: Interface name
no ip igmp snooping mrouter interface <if name>

ifname: Interface name
Command Mode
Configuration mode
119
AsGa LightB
Interface SVI context
Examples
AsgOS#show ip igmp snooping mrouter vlan1.1

VLAN Interface
1 ge24
3.25.6.3.11 Start IGMP snooping querier
Start the IGMP snooping querier process. IGMP snooping querier is the ability of the switch to
act like a Mrouter sending general IGMP queries in a L2 domain. This is very useful when you have
all multicast host in the same L2 domain and you want to have a querier element on this domain to
avoid groups entries to age. By default this process is disabled. Use the no forma of this command to
remove the snooping querier.
Command Syntax
ip igmp snooping querier: Set the IGMP snooping querier.
Or
no ip igmp snooping querier. Remove the IGMP snooping querier. Default

configuration
Command Mode
Configuration mode
Global contex
Examples
AsgOS#show ip igmp interface vlan1.1

Interface vlan1.1 (Index 31)
IGMP Active, Non-Querier, Version 2 (default)
IGMP interface has 0 group-record states
IGMP activity: 0 joins, 0 leaves
IGMP querying router is 13.13.13.13
IGMP query interval is 125 seconds
IGMP querier timeout is 255 seconds
IGMP max query response time is 100 1/10 seconds
Last member query response interval is 1000 milliseconds
Group Membership interval is 260 seconds
Robustness variable 2
IGMP Snooping is globally enabled
IGMP Snooping is not enabled on this interface
IGMP Snooping fast-leave is not enabled
IGMP Snooping querier is not enabled
IGMP Snooping report suppression is enabled
120
AsGa LightB
User Guide Commands
4 COMMANDS IN ALPHABETIC ORDER
A
4.1 Access-list
An ACL is a sequential collection of permit and deny conditions. The switch tests packets
against the conditions in an access list one by one. The first match determines whether the switch
accepts or rejects the packet. Because the switch stops testing conditions after the first match, the
order of the conditions is critical. If no conditions match, the switch denies the packet.
In LightBolt switches all ACL processing is absolutely accomplished in hardware with no impact in
CPU processing time.
These are the steps to use IP ACLs:
Step 1: Create an ACL by specifying an access list number or name and access conditions.
Step 2: Apply the ACL wethever you need it.
The software supports these styles of ACLs or access lists for IP:
• Standard IP access lists use source addresses for matching operations.

• Extended IP access lists use source and destination addresses for matching operations and
optional protocol-type information for finer granularity of control.
4.1.1 Access List Numbers

The number you use to denote your ACL shows the type of access list that you are creating
The LightBolt 28xxx switch supports IP standard and IP extended access lists, numbers 1 to 199 and
1300 to 2699.
The table lists the access-list number and corresponding access list type:
<1-99> IP standard access list

<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<2000-2699> IP extended access list (expanded range)
WORD IP AsGOS access-list name
4.1.2 Access List Masks

Masks are used with IP addresses in IP ACLs to specify what should be permitted and
denied. Masks in order to configure IP addresses on interfaces start with 255 and have the large
values on the left side, for example, IP address 209.165.202.129 with a 255.255.255.224 mask.
Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse
mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the
121
AsGa LightB
User Guide Commands
results determine which address bits are to be considered in processing the traffic. A 0 indicates that
the address bits must be considered (exact match); a 1 in the mask is a "don't care".
The Table shows an example of wildcard or inverse mask use:
IP Address 172 16 32 0
Binary format 10101100 00010000 00100000 00000000
Network Mask 11111111 11111111 11100000 00000000
Wildcard 00000000 00000000 00011111 11111111

Take only
Take all bits Take all bits the first 3
Result as match as match bits as Dont care
creteria criteria matching
criteria
4.1 – Wildcard mask.
Command Syntax
• Syntax for MAC ACls
AsGa (config)# access-list <MAC ACL number> (deny|permit) [(Source =

<SMAC> | Any); SMASK] [(destination = <DMAC>; MASK)].
deny Specify packets to reject.

permit Specify packets to permit
SMAC Source host's MAC address in HHHH.HHHH.HHHH format.
SMASK Source mask in HHHH.HHHH.HHHH format.
any Source any.
DMAC Destination host's MAC address in HHHH.HHHH.HHHH format.
DMASK Destintion mask in HHHH.HHHH.HHHH format.
• Syntax for Standard ACL
AsGa(config)# access-list < standar ACL number> (deny|permit|remark) [SA-

IP = <A.B.C.D> wildcards = <A.B.C.D> | host <A.B.C.D>].
deny Specify packets to reject.

permit Specify packets to forward.
remark Access list entry comment.
host A single host address. In this case no wildcards is needed.
A.B.C.D Address to match.
A.B.C.D Wildcard bits.
• Syntax for Extended ACL
AsGa (config)# access-list < extended ACL number> (deny|permit|remark);

protocol = <protocol ID>; [(SA-IP = <A.B.C.D> wildcard = <A.B.C.D> | any |
host <A.B.C.D>)]; [DA-IP = <A.B.C.D> wildcards = <A.B.C.D> | any | host
<A.B.C.D>)]
deny Specify packets to reject

permit Specify packets to forward
remark Access list entry comment
122
AsGa LightB
User Guide Commands
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
A.B.C.D Source address
A.B.C.D Source wildcard bits
any Any source host
host A single source host
A.B.C.D Destination address
A.B.C.D Destination wildcard bits
any Any destination host
host A single destination host
AsGa (config)# access-list < extended ACL number> (deny|permit|remark);

<tcp|udp>; ID>; [(SA-IP = <A.B.C.D> wildcard = <A.B.C.D> | any | host
<A.B.C.D>)]; [DA-IP = <A.B.C.D> wildcards = <A.B.C.D> | any | host
<A.B.C.D>)]; <src | dest> (eq|gt|lt|neq) PORT
deny Specify packets to reject

permit Specify packets to forward
remark Access list entry comment
A.B.C.D Source wildcard bits
any Any source host
host A single source host
A.B.C.D Destination wildcard bits
any Any destination host
host A single destination host
src Source (TCP/UDP) port
eq Equal
gt Greater than
lt Less than
neq Not equal
PORT Port number <0-65535>
123
AsGa LightB
User Guide Commands
Command Mode
Config mode
Default
No access lists are configured.
Related Commands
Mac access-group
Ip access-group
Class maps
4.2 Acces-Group commands
4.2.1 mac access-group

Use the mac access-group interface configuration command to apply a MAC access control list
(ACL) to a interface. Use the <no> statement of this command to remove all MAC ACLs or the
specified ACL from the interface. Create the MAC ACL by using the mac access-list extended global
configuration command.
When an inbound packet is received on an interface with a MAC ACL applied, the switch
checks the match conditions in the ACL. If the conditions are matched, the switch forwards or drops
the packet, according to the ACL action.
If the specified ACL does not exist, the switch forwards all packets.
Command Syntax
mac access-group <mac-ACL number> in

no mac access-group <mac-acl number>
Command Mode
Interface configuration
Related Commands
Mac access-list
4.2.2 ip acc ess-Group

Use the ip access-group interface configuration command to control access to a Layer 2 or
Layer 3 interface. Use the <no> statement of this command to remove all access groups or the
specified access group from the interface.
You can apply any kind of standard or extended access lists to an interface. To define an
access list by name, use the ip access-list global configuration command. To define a numbered
access list, use the access list global configuration command. You can use numbered standard
access lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199
and 2000 to 2699.
For standard inbound access lists, after the switch receives a packet, it checks the source
address of the packet against the access list. IP extended access lists can optionally check other
fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access
list permits the packet, the switch continues to process the packet. If the access list denies the packet,
the switch discards the packet.
124
AsGa LightB
User Guide Commands
Command Syntax
ip access-group <access-list-number | name>; <{in | out>

no ip access-group <access-list-number | name>; <in | out>
access-list-number: The number of the IP access control list (ACL), from 1 to 199 or from 1300
to 2699
name: The name of an IP ACL, specified in the ip access-list global configuration command
in: Specify filtering on inbound packets
out:Specify filtering on outbound packets
Command Mode
Related Commands
Access-list
Mac-access-group
B
4.3 Boot
Use this command to change your booting parameters:
Command Syntax
Boot {system | config | AsGOS } file-name
System change your booting system image.

Config change your current booting configuration file.
AsGos change your AsGos booting file.
Command Mode
Exec mode
Default
By default the system boot using a default.txt configuration file and its default system image file.
Examples
AsgOS(config)#boot
AsgOS(config)#boot system LightBolt-28322-E1-L2-System-1.0.0-RC3.bin
AsgOS(config)# show boot
Config File:
AsGOS Image:
125
AsGa LightB
User Guide Commands
System Image:
Sanity Image:
AsgOS(config)#
Related Commands
show boot
C
4.4 Clear counters
Use this privileged command to clear all system counters.
Command Syntax
Clear counters { <IFNAME> | all}
IFNAME: Specify a particular interface name (GE or XE)

All: Clear all system counter
Command Mode
Eexec
Default
No default for this command
Examples
AsGOS# clear counters ge1
Or
AsGOS# clear counters all
Related Commands
No related commands.
126
AsGa LightB
User Guide Commands
4.5 Clear mac-address-table
Command Syntax
clear mac-address-table (dynamic | static)(address mac-address | interface ifname

| vlan vilan-id <1-4094>|)
clear "Reset functions"

mac-address-table "MAC forwarding table"
static "Static entries"
dynamic "Dynamic entries"
address "Address keyword"
MAC "MAC address in HHHH.HHHH.HHHH format"
interface "Interface keyword"
IFNAME "Interface name"
vlan "VLAN keyword"
<1-4094> "VLAN id"
Command Mode
Exec mode
Related Commands
Show mac-address
4.6 Class Map Command

Use the class-map global configuration command to name and to isolate a specific traffic
flow from all other traffic. The class map defines the criteria to use to match against a specific traffic
flow to further classify it. Match statements can include criterion such as an ACL, IP precedence
values, or DSCP values. The match criterion is defined with one match statement entered within the
class-map configuration mode.
Command Syntax
class-map [match-all | match-any | match-all-flows] class-map-name
match-all: (Optional) Perform a logical-AND of all matching statements under this class map. All
criteria in the class map must be matched.
match-any: (Optional) Perform a logical-OR of the matching statements under this class map. One
or more criteria must be matched.
match-all-flows: (Optional) used to define a full matching for all flows no other statements are
defined when this type of matching is used.
class-map-name: Name of the class map.
Command Mode
Global configuration mode
Default
No class maps are configured by default.
127
AsGa LightB
User Guide Commands
Usage
Use this command to specify the name of the class for which you want to create or modify class-map
match criteria and to enter class-map configuration mode.
The class-map command and its subcommands are used to define packet classification, as part of a
globally named service policy applied on a per-interface basis.
description: describes the class map. The show class-map privileged EXEC command displays
the description and the name of the class-map.
exit: exits from QoS class-map configuration mode.
match: configures classification criteria used under the named Class-map:
Use the match class-map configuration command to define the match criteria to classify traffic. Use
the <no> statement of this command to remove the match criteria.
match {access-group acl-index-or-name | class-map class-map-name | ip dscp

dscp-list | ip precedence ip-precedence-list | vlan vlan-list}
no match {access-group acl-index-or-name | class-map class-map-name | ip

dscp dscp-list | ip precedence ip-precedence-list | vlan vlan-list}
access-group acl-index-or-name: Number or name of an IP standard or extended access

control list (ACL) or MAC ACL.
class-map class-map-name: Name of predefined class map for classification that is performed
on a per-port per-VLAN basis.
ip dscp dscp-list: List of up to eight IP Differentiated Services Code Point (DSCP) values to
match against incoming packets. Separate each value with a space. The range is 0 to 63.
ip precedence ip-precedence-list: List of up to eight IP-precedence values to match
against incoming packets. Separate each value with a space. The range is 0 to 7.
vlan vlan-list: List of VLANs to match against incoming packets. You can enter up to 30 VLAN
IDs. Use a hyphen for a range of VLANs. A VLAN range is counted as two VLAN IDs. Use a space to
separate individual VLANs. The range is 1 to 4094.
no: removes a match statement from a class map.
rename: renames the current class map. If you rename a class map with a name that is already in
use, this message appears:
A class-map with this name already exists
D
4.7 Dir
Use the <dir> command to display a list of files on your system.
Command Syntax
Dir
Command Mode
Exec mode
128
AsGa LightB
User Guide Commands
Default
No default
Examples
AsGOS#dir
-rw-r--r-- 1 1000 users 7.5M Jul 10 2007 asgos-ver1.0.bin
-rw-r----- 1 root root 3.1k Jul 10 2007 AsGOS.conf
-rw-r--r-- 1 root root 2.4k Jun 29 19:05 sanity.log
-rw-r--r-- 1 root root 2.4k Jun 19 11:51 production.log
-rw-r----- 1 root root 2.3k Jun 15 19:18 default.conf
Flash disk space:
Used Available Use%
7.7M 24.3M 24%
Related Commands
4.8 Duplex
Use the duplex interface configuration command to specify the duplex mode of operation for
Gigabit Ethernet ports. Use the <no> statement of this command to return the port to its default value.
Command Syntax
duplex {full | half | auto}
full Port is in full-duplex mode.

Half Port is in half-duplex mode.
Auto Port automatically detects whether it should run in full- or half-duplex mode.
no duplex
Command Mode
Interface
Default
All interfaces are set to auto as default command.
Examples

AsGOS(interface)# duplex half
Related Commands
129
AsGa LightB
User Guide Commands
E
4.9 Erase
Use this command to erase the configuration file and restore it to its defaults values.
Command Syntax
erase
Command Mode
Configure mode
Default
Examples
LightBolt(config)# erase
LightBolt(config)#
4.10 Exit
Use the exit VLAN configuration command to implement the proposed new virtual LAN (VLAN)
into the local database.
Command Syntax
No special arguments for this command
Command Mode
Vlan database
Default
This command has no default values.
Examples
AsGOS(config-vlan)# exit
AsGOS#
Related Commands
Vlan database
130
AsGa LightB
User Guide Commands
F
4.11 Flowcontrol
Use the flowcontrol interface configuration command to set the receive or send flow-control
value for an interface. When flow control send is on for a device and it detects any congestion at its
end, it notifies the link partner or the remote device of the congestion by transmitting a pause frame.
When flow control receive is on for the remote device and it receives a pause frame, it stops
transmitting any data packets. This prevents any loss of data packets during the congestion period.
Use the <receive off> and <send off > keywords to disable flow control.
Command Syntax
flowcontrol < send | receive > <on | off>

flowcontrol IEEE 802.3x Flow Control
send Flow control on send
receive Flow control on receive
on Turn on flow control
off Turn off flow control
Command Mode
Interface
Usage
Flowcontrol send on
Flowcontrol receive on
Examples
LightBolt# configure t
LightBolt(configure) interface ge1
LightBolt(interface) flowcontrol send on
LightBolt(interface) flowcontrol receive on
Related Commands
No flowcontrol
I
4.12 Interface
Use the interface global configuration command to enter in the configuration mode for a
physical interface or to create or access switch virtual interface (SVI) and automatically enter interface
configuration mode. Use the no interface vlan form of this command to delete an SVI.
SVIs are created the first time you enter the interface vlan vlan command for a particular vlan.
The vlan corresponds to the VLAN-tag associated with data frames 802.1q encapsulated trunk or the
VLAN ID configured for an access port.
131
AsGa LightB
User Guide Commands
interface {interface-id | vlan vlan-id}
no interface {interface-id | vlan vlan-id}
Command Mode
Configure mode
Default
No default value.
Examples

AsGOS(interface)#

AsGOS(config)# interface vlan1.200
AsGOS(interface-vlan)#
Related Commands
show interface
shutdown
4.13 Ip address
Use the ip address interface configuration command to set an IP address for the Layer 2 switch
or an IP address for each switch virtual interface (SVI) or routed port on the Layer 3 switch. Use the
<no> statement of this command to remove an IP address or to disable IP processing.
Command Syntax
ip address <ip-address>/< subnet-mask>

no ip address [ip-address / subnet-mask]
Command Mode
Interface
Default
No default sets for this command.
Examples

AsGOS(interface)# ip address 10.10.10.10/23

AsGOS(config)# interface vlan1.200
AsGOS(interface-vlan)# ip address 10.10.10.10/23
132
AsGa LightB
User Guide Commands
4.14 Ip-access-group
Use the ip access-group interface configuration command to control access to a Layer 2
interface. Use the <no> statement of this command to remove all access groups or the specified
access group from the interface.
Command Syntax
ip access-group {access-list-number } {in | out}

no ip access-group [access-list-number] {in | out}
Command Mode
Default
Examples
LightBOLT(config)# interface ge1

LightBOLT (config-if)# ip access-group 101 in
Related Commands
access list
M
4.15 Mac-address-table aging-time
Use the mac address-table aging-time global configuration command to set the length of time
that a dynamic entry remains in the MAC address table after the entry is used or updated. Use the
<no> statement of this command to return to the default setting. The aging time applies to all VLANs.
The default value for this time is 300 seconds.
Command Syntax
mac-address-table aging-time (<0-0>|<10-1000000>)

mac-address-table MAC forwarding table"
aging-time Time a learned mac address will persist after
last update:
<0-0> Enter 0 to disable aging"
<10-1000000> Aging time in seconds"
Command Mode
Config mode
Usage
mac-address-table aging-time 10
133
AsGa LightB
User Guide Commands
Examples
LightBolt(configure)# mac-address-table aging-time 10
Related Commands
no mac-address-table aging-time
show mac-address-table aging-time
4.16 Mac-address-table freeze

This command permits to freeze the learning process of the mac table. All mac address learned
will persist until the <no> statement of this command will be issue or a reboot process occurs.
Command Syntax
mac-address-table freeze
mac-address-table MAC forwarding table
freeze Freeze changes in mac-address table
Command Mode
Exec mode
Usage
mac-address-table freeze
Examples
LightBolt (configure)# mac-address-table freeze
Related Commands
no mac-address-table freeze
4.17 Mac-address-table static

Use the mac address-table static global configuration command to add static addresses to the
MAC address table. Use the <no> statement of this command to remove static entries from the table.
Command Syntax
mac-address-table static MAC vlan <1-4094> interface IFNAME

mac-address-table MAC forwarding table
static Add a static entry
MAC MAC address in HHHH.HHHH.HHHH format
vlan Select a VLAN id
<1-4094> VLAN id
interface Select a interface
Command Mode
Exec mode
134
AsGa LightB
User Guide Commands
Usage
mac-address-table static 0001.fa09.0909 vlan 20 interface ge1
Examples
LightBolt#configure t
LightBolt(configure)# mac-address-ta
S
4.18 Switchport
Use this command to put a port as switched port. By default all ports in LightBolt switches are
switched ports. You can negate this using <no switchport> command and put the interface in routed
mode operation.
Command Syntax
Switchport
Command Mode
Configure mode interface mode
Default
No switchport.
At Startup all port are switched port and all port are access port attached to VLAN 1. All ports are also
attached to Bridge Group 1 running classic Spanning Tree Protocol (802.1D).
Examples

AsGOS(interface)# switchport.
4.19 Switchport mode

Use the switchport mode interface configuration command to configure the VLAN membership
mode of a port. Use the <no> statement of this command to reset the mode to the appropriate default
for the device.
Command Syntax
Switchport mode {access | trunk | hybrid}

no switchport mode
Access: Set the port to access mode. The port is set to access unconditionally and operates as a
nontrunking, single VLAN interface that transmits and receives non-tagged frames. An access port
can be assigned to only one VLAN.
135
AsGa LightB
User Guide Commands
Trunk: Set the port to trunk unconditionally. The port is a trunking VLAN Layer-2 interface. The port
transmits and receives encapsulated (tagged) frames that identify the VLAN of origination. A trunk is a
point-to-point link between two switches or between a switch and a router. AsGa LightBolt switches
use 802.1Q tag encapsulation method.
Hibrid: This mode set the trunk in an hybrid mode which means that the port acting as a trunk has a
default VLAN for all those packet witch arrive at the port untagged. Under this mode the user must
specify the untagged VLAN for all those arriving non tagged packets. Outgoing packet for the
specified VLAN ID will go out from this trunk in an untagged form.
In addition: for this VLAN; this port act as an access port.

Under the hybrid mode the default VLAN is specified using the following sentence:
AsGos (interface ge16) switchport hybrid vlan <VLAN ID>

VLAN ID = 1-4095
And then the user must specify the non tagged nature of this VLAN for this port using the following
command:
AsGos (interface ge16) switchport hybrid allowed vlan add <VLAN ID> egress-
tagged disable
VLAN ID =1-4095
Command Mode
Default
No default.
Examples

AsGOS(interface)# switchport mode trunk
AsGOS(interface)# switch port allowed vlan all
AsGos (interface ge16)

AsGos (interface ge16) switchport
AsGos (interface ge16) switchport mode hybrid
AsGos (interface ge16) switchport hybrid vlan 101
AsGos (interface ge16) switchport mode hybrid acceptable-frame-type all
AsGos (interface ge16) switchport hybrid allowed vlan add 100 egress-tagged enable
AsGos (interface ge16) switchport hybrid allowed vlan add 101 egress-tagged
disable
AsGos (interface ge16) switchport hybrid allowed vlan add 200 egress-tagged enable
Related Commands
Switchport
4.20 Switchport access

Use the switchport access interface configuration command to configure a port as a static-
access If the mode is set to access, the port operates as a member of the configured virtual LAN
(VLAN). Use the <no> statement of this command to reset the access mode to the default VLAN for
the switch.
136
AsGa LightB
User Guide Commands
Command Syntax
switchport access { vlan <vlan-id> | vlan-staking}
vlan ID: Per port VLAN ID configured for this port. Range 2:4093.
Vlan-staking: use this command to enable vlan staking on a particular port (Q in Q method). All
frames will be tagged on top of the existing tag (Customer Tag) with the VLAN ID configured under
this port. Port must be an access port in order to enable vlan staking on it.
Command Mode
Default
No default.
Examples

AsGOS(interface)# switchport access vlan 200
AsGOS(interface)#switchport access vlan-staking
Related Commands
vlandatabase
VLAN
Switchport mode
4.21 Switchport trunk

Use the switchport trunk interface configuration command to set the trunk characteristics when
the interface is in trunking mode. Use the <no> statement of this command to reset all of the trunking
characteristics to the defaults. Use the no form with keywords to reset that characteristic to the
defaults. The encapsulation method for AsGa switches is based on 802.1Q tagging.
Command Syntax
switchport trunk [allowed vlan <allowed vlan ID list>]

vlan ID: 2:4093
Command Mode
Default
All VLAN´s ID are allowed by default
Examples

AsGOS(interface)# switchport trunk allowed vlan 2,3,4,300
137
AsGa LightB
User Guide Commands
Related Commands
vlandatabase
VLAN
Switchport mode
4.22 Switchport mode trunk ingress filter

Use the switchport mode trunk interface configuration command to configure the VLAN filtering
mode of a port. Under this command just only those VLANs defined will be accepted by this trunk
port. Any non taggued frame will be discarded.
Command Syntax
Switchport mode trunk ingress filter <enable | disable>
Command Mode
Interface mode
Default
The ingress filter is disable by default
Examples
interface ge12
switchport
bridge-group 1
bridge-group 1 instance 1
!
4.23 Speed
Use the speed interface configuration command to specify the speed of a port. Use the <no> or
default form of this command to return the port to its default value. 10 GigE interfaces has no option
for this command. Those interfaces works only at 10Gig Ethernet standard.
Command Syntax
speed <10 | 100 | 1000| auto>
10 Port runs at 10 Mbps.

100 Port runs at 100 Mbps.
1000 Port run at 1000 Mbps
auto Port automatically detects the speed it should run at based on the
port at the other end of the link
no speed
Command Mode
Interface
138
AsGa LightB
User Guide Commands
Default
All interfaces are set to auto as default command.
Examples

AsGOS(interface)# speed 100
Related Commands
Interface
4.24 Show Interface

Use the show interface privileged EXEC command to display the administrative and operational
status of a port.
Command Syntax
show interface <interface-id>
Command Mode
Default
No default sets for this command.
Examples
AsGOS# show interface
hw link speed/ auto max link MAC

interface type stat duplex neg? frame scan address
ge1 ETH down - yes 1522 SW -
ge4 ETH down - yes 1522 RT 00.f6.04.aa.00.06
ge8 ETH down - yes 1522 RT 00.f6.04.aa.00.0a
ge9 ETH down - yes 1522 RT 00.f6.04.aa.00.0b
ge10 ETH down - yes 1522 RT 00.f6.04.aa.00.0c
ge11 ETH down - yes 1522 RT 00.f6.04.aa.00.0d
ge12 ETH down - yes 1522 RT 00.f6.04.aa.00.0e
ge13 ETH down - yes 1522 RT 00.f6.04.aa.00.0f
139
AsGa LightB
User Guide Commands
lo LB up - yes 1500 RT 00.00.00.00.00.00
vlan1.1 VLAN - - yes 1522 - 00.f6.04.aa.00.02
vlan1.20 VLAN - - yes 1522 - 00.f6.04.aa.00.02
vlan1.100 VLAN - - yes 1522 - 00.f6.04.aa.00.02
xe1 ETH down 10G FD no 1522 RT 00.f6.04.aa.00.1b
xe2 ETH down 10G FD no 1522 RT 00.f6.04.aa.00.1c
AsGOS# show interface ge1
hw link speed/auto max link MAC

interface type stat duplex neg? frame scan address
4.25 Show Interfaces

Use the <show interfaces> privileged EXEC command to display various counters for the
switch or for all interfaces o for a specific interface.
Command Syntax
AsGOS# show interfaces ge1

AsGOS# show interfaces
Command Mode
EXEC
Default
Examples
AsGOS#show interfaces
-----------------------------------------------------
Interface name.................................: ge1
Total Packets Received (Octets)................: 0
Total Packets Received Without Errors..........: 0
Total Packets Received Discarded...............: 0
Total Packets Transmitted (Octets).............: 5312
Total Packets Transmitted Successfully.........: 83
Total Packets Transmitted Errors...............: 0
-----------------------------------------------------
-----------------------------------------------------
140
AsGa LightB
User Guide Commands
Still showing all other interfaces counters.
AsGOS# show interfaces ge1

Unicast Packets Received.......................: 0
Multicast Packets Received.....................: 0
Broadcast Packets Received.....................: 0

Unicast Packets Transmitted....................: 0
Multicast Packets Transmitted..................: 112
Broadcast Packets Transmitted..................: 0
Total RX and TX Octets.........................: 7168

Packets RX and TX 64 Octets....................: 112
Packets RX and TX 65-127 Octets................: 0
Packets RX and TX 128-255 Octets...............: 0
Packets RX and TX 256-511 Octets...............: 0
Packets RX and TX 512-1023 Octets..............: 0
Packets RX and TX 1024-1518 Octets.............: 0
Packets RX and TX > 1518 Octets................: 0
802.3x Pause Frames Received...................: 0

802.3x Pause Frames Transmitted................: 0
Total Packets Received Not Forwarded...........: 0

Jabbers Received...............................: 0
Fragments/Undersize Received...................: 0
Oversized packets..............................: 0
Alignment Errors...............................: 0
FCS Errors.....................................: 0
Too Long Frames Errors.........................: 0

Total Packets Transmitted Discarded............: 0
Single Collision Frames........................: 0
Multiple Collision Frames......................: 0
Excessive Collision Frames.....................: 0
4.26 Shutdown
Use the shutdown interface configuration command to disable an interface. Use the <no>
statement of this command to restart a disabled port or switch virtual interface (SVI).
The <shutdown> command for a port causes it to stop forwarding. You can enable the port
with the <no shutdown> command. The <shutdown> command disables all functions on the specified
interface.
141
AsGa LightB
User Guide Commands
Command Syntax
shutdown
no shutdown
Command Mode
Interface
Default
No default for this command.
Examples

AsGOS(interface)# shutdown
Related Commands
Interface
Interface vlan1<VLAN ID>
4.27 Show VLAN

Use the show vlan user EXEC command to display the parameters for all configured virtual
LANs.
Command Syntax
AsGOS# show vlan <all | VLANID> bridge <bridge ID>
Command Mode
EXEC
Default
No Default for this command.
Examples
AsgOS#show vlan all bridge 1
Bridge VLAN ID Name State

Member ports
(u)-Untagged, (t)-Tagged
----------------------------------------------------------------------------------
1 1 default ACTIVE ge1(u) ge2(u) ge3(u) ge4(u)
ge5(u) ge6(u) ge7(u) ge8(u)
ge9(u) ge10(u) ge11(u) ge12(u)
ge13(u) ge14(u) ge15(u)
ge16(u) ge17(u) ge18(u)
ge19(u) ge20(u) ge21(u)
ge22(u) ge23(u) ge24(u) xe1(u)
xe2(u) xe3(u) xe4(u)
142
AsGa LightB
User Guide Commands
4.28 Show outbound access-priority-table
Use this command to display data about the access-priority table. To modify the lines
displayed, use the | (output modifier token); to save the output to a file, use the > output redirection
token. For more information, see the AsGOS Command Line Interface Environment chapter.
Command Syntax
show outbound access-priority-table interface IFNAME

IFNAME Specify the name of the interface.
Command Mode
Usage
AsGOS# show outbound access-priority-table interface eth4

802.3 Format Outbound Access Priority
1
0
0
0
0
0
0
4.29 Show traffic-class-table

Use this command to display the data in the traffic class table.
To modify the lines displayed, use the | (output modifier token); to save the output to a file,
use the > (output redirection token). For more information, see AsGOS Command Line Interface
Environment.
Command Syntax
show traffic-class-table interface IFNAME

IFNAME Specify the name of the interface.
Command Mode
Usage
In sequence, it is presented a display of this command showing the traffic class table for interface
eth1.
AsGOS# show traffic-class-table interface eth1
User Prio / Num Traffic Classes
1 2 3 4 5 6 7 8
0 0 0 0 0 0 0 0 0
1 0 0 0 0 0 0 0 0
2 0 0 0 0 0 0 0 0
3 0 0 0 0 0 0 0 0
4 0 0 0 0 0 0 0 0
5 0 0 0 0 0 0 0 0
6 0 0 0 0 0 0 0 0
143
AsGa LightB
User Guide Commands
Examples
AsGOS# show traffic-class-table interface eth1
4.30 Show user-priority

Use this command to display the user priority data. To modify the lines displayed, use the |
(output modifier token); to save the output to a file, use the > (output redirection token). For more
information, see AsGOS Command Line Interface Environment.
Command Syntax
show user-priority interface IFNAME
Command Mode
Usage
The following is output display of this command showing set user priority for interface eth4.
AsGOS# show user-priority interface eth4

Default user priority : 7
Examples
AsGOS# show user-priority interface eth0
4.31 Storm Control

To enable broadcast, multicast, or Destination Lookup Failure (DLF) storm control on a
particular port, use the <storm-control> command in interface configuration mode. To disable storm
control for broadcast, multicast, or DLF traffic, use the <no> statement of this command.
Command Syntax
storm-control < broadcast | dlf | multicast> < level>
broadcast: type this key to limit the maximum broadcast traffic to be admitted by a specific port.
dlf: is the maximum throughput of dlf (destination lookup failure) to be forwarded/admitted by a
specific port. A dlf occur each time that a no MAC address match is accomplished.
multicast: use this key to limit the maximum multicast traffic to be admitted by a specific port.
level: specify the maximum level of the specific traffic admitted by a specific port. This level is
intended to be a % of the maximum speed of the port.
Command Mode
Interface mode
Usage
AsGOS(config-if)#storm-control broadcast <% of the maximum Speed Port>
Examples
AsGOS(config-if)#storm-control broadcast 30
144
AsGa LightB
User Guide Commands
AsGOS(config-if)#storm-control dlf 50
AsGOS(config-if)#storm-control multicast 10
4.32 Snmp-server manager

Use the snmp-server host global configuration command to specify the recipient (host) of a
Simple Network Management Protocol notification operation. Use the <no> statement of this
command to remove the specified host. UP to five host can be provisioned.
Command Syntax
snmp-server manager ip-address traps-version ( ( 1 | 2c ) community

community | 3 ( noauth | auth | priv ) username ) ( udp-port port | )
snmp-server Configure parameters to SNMP Agent

manager Set manager configuration to send traps
ip-address IP address of a manager
traps-version Set the traps version
1 Traps version 1
2c Traps version 2
community: Set the community string for
SNMPv1/v2c transactions
community Communnity string
3 Traps version 3
noauth No authorization
auth Authorization
priv Privative
username Username
udp-port Set the port to send SNMP traps
port UDP Port number
Command Mode
Config mode
Usage
LightBOLT(config)# snmp-server manager ip-address (traps-version ( 1 | 2c | 3 user

username (auth | noauth | priv) | ) (community string | ) (upd-port port | )
Examples
LightBOLT(config)# snmp-server manager 192.168.1.1 traps-version 1 community AsGa

upd-port 162
LightBOLT(config)# snmp-server manager 192.168.1.1 traps-version 2c community AsGa

upd-port 162
LightBOLT(config)# snmp-server manager 192.168.1.1 traps-version 3 user ASGA auth

community AsGa upd-port 162
4.33 Snmp-server trap-source

This command specify the interface (with the corresponding IP address) from which a Simple
Network Management Protocol (SNMP) trap should originate, use the <snmp-server trap-source>
command in global configuration mode. To remove the source designation, you can use the <no>
statement of the command.
145
AsGa LightB
User Guide Commands
Command Syntax
snmp-server trap-source <IFNAME>

IFNAME: is any valid interface with a valid IP address
Command Mode
Exec mode
Usage
LightBOLT(config)# snmp-server trap-source <IFNAME>
Examples
LightBOLT(config)# snmp-server trap-source loopback 0

LightBOLT(config)# snmp-server trap-source GE1
LightBOLT(config)# snmp-server trap-source vlan1.400
4.34 Snmp-server enable-traps

To configure the system to send these SNMP notifications, you must enter at least one <snmp-
server enable traps> command. If you enter the command with no keywords, all notification types are
enabled. If you enter the command with a keyword, only the notification type related to that keyword is
enabled. To enable multiple types of notifications, you must issue a separate <snmp-server enable>
traps command for each notification type and notification option.
Command Syntax
snmp-server <enable | Disable> trap ( linkUp | linkDown | coldstart | warmreset |

config | bridge | vlancreate | vlandelete | copy-config | snmp-notify | all )

enable Enable SNMP traps configuration
disable Disable SNMP traps configuration
trap Turn On SNMP traps
linkUp LinkUp trap
linkDown LinkDown trap
coldstart coldstart trap
warmreset warmreset trap
config config trap
bridge bridge trap
vlancreate vlancreate trap
vlandelete vlandelete trap
copy-config copy-config trap
snmp-notify notify snmp configuration change trap
all All traps
Command Mode
Exec mode
Usage
LightBOLT(config)# snmp-server enable traps

LightBOLT(config)# snmp-server enable traps <trap list>
146
AsGa LightB
User Guide Commands
Examples
LightBOLT(config)# snmp-server enable traps linkdown

LightBOLT(config)# snmp-server enable traps linkup
LightBOLT(config)# snmp-server enable traps coldstart
LightBOLT(config)# snmp-server enable traps warmstart
LightBOLT(config)# snmp-server enable traps config
LightBOLT(config)# snmp-server enable traps bridge
LightBOLT(config)# snmp-server enable traps vlancreate
LightBOLT(config)# snmp-server enable traps vlandelete
LightBOLT(config)# snmp-server enable traps copy-config
4.35 Snmp-server community

This command set up the community access string to permit access to the Simple Network
Management Protocol (SNMP), use the <snmp-server community> command in global configuration
mode. To remove the specified community string, use the <no> statement of this command
Command Syntax
snmp-server community string (ro | rw) (remote ip-addres | ) (view view-name | )
<string> Community string that consists of 1 to 32 alphanumeric characters much like a password,
permitting access to SNMP. Blank spaces are not permitted in the community string.
ro: (Optional) Specifies read-only access. Authorized management stations can retrieve only MIB
objects.
rw: (Optional) Specifies read-write access. Authorized management stations can both retrieve and
modify MIB objects.
remote: Specify the remote SNMP management system. When specify the system check for snmp
messages coming from the server.
view: specify the particular view associated to the community string.
Command Mode
Exec mode
Usage
LightBOLT(config)# snmp-server community <string> <ro | rw>
Examples
LightBOLT(config)# snmp-server community ready2u ro
4.36 Snmp-server name

Use this command in order to specify the administrative SNMP server name. Use the <no>
statement of this command to negate a name.
Command Syntax
snmp-server name name

snmp-server "Configure parameters to SNMP Agent"
name "Change administrative name"
name "Administrative name"
147
AsGa LightB
User Guide Commands
Command Mode
Config
Usage
snmp-server name name TEST
Examples
LightBolt(configure)# snmp-server name name TEST
4.37 Snmp-server contact

To set the system contact (sysContact) string, use the <snmp-server contact> command in
global configuration mode. To remove the system contact information, use the <no> statement of this
command.
Command Syntax
snmp-server contact <text>

no snmp-server contact
Command Mode
Exec mode
Usage
LightBOLT(config)# snmp-server contact <text>.
Examples
LightBOLT(config)# snmp-server contact AsGa.S.A.
4.38 Snmp-server location

To set the system location string, use the <snmp-server location> command in global configuration
mode. To remove the location string, use the <no> statement of this command.
Command Syntax
snmp-server location <text>

text: String that describes the system location information
Command Mode
Exec mode
Usage
LightBOLT(config)# snmp-server location <text>
Examples
LightBOLT(config)# snmp-server location Rodovia Roberto Moreira KM4
148
AsGa LightB
User Guide Commands
4.39 Snmp-server view
This command can be used to create different views of different OIDs trees. Using this
command a snmp server can gain access just to those OIDs assigned to it. The rest of OIDs will not
be displayed. Use the no form of this command to negate it.
Command Syntax
snmp-server view view-name oid-tree (included | excluded)

view-name: specify a particular name of the view.
oid-tree: specify the oid of a particular view which can be included or excluded
Command Mode
Exec mode
Usage
snmp-server view <name of the view> <oid tree> <include | exclude>
Examples
LightBOLT(config)# snmp-server view System 1.3.6.1.2.1.1 included
Related Commands
no snmp-server view view-name

snmp-server community string (ro | rw) (remote ip-addres ) (view view-name )
show snmp view
4.40 Snmp-server engineID

Use this command to specify the SNMP V3 server engine ID. This command can be used to
specify the Local and remote server engine name; when remote server engine; the remote IP server
address must be specified.
Command Syntax
snmp-server engineID <local | remote ip-address > engine-string
engineID Configure a name for either the local/remote SNMP engine

remote Specifies the remote copy of SNMP engine
ip-address Ip-address of remote
engine-name The name of a copy of SNMP engine (hexadecimal)
Command Mode
Exec mode
Usage
snmp-server engineID local engine-string

snmp-server engineID remote ip-address engine-string
149
AsGa LightB
User Guide Commands
Examples
LightBOLT(config)# snmp-server engineID local SYTEM

LightBOLT(config)# snmp-server engineID remote 192.168.1.1 SYSTEM
Related Commands
no snmp-server engineID (local | remote ip-address)

show snmp engineID ( local | remote )
4.41 Snmp-server user create

Use this command to define the users under SNMP V3 mode.
Command Syntax
snmp-server users create username auth ( md5 | sha ) auth-password ( priv priv-
password | )

users Users configurations
create Create a new user
username Name of the user on the host that connects to the
agent
auth Which authentication level should be used
md5 HMAC-MD5-96 authentication level
sha HMAC-SHA-96 authentication level
auth-password Specifies th authentication user password
priv Use of the User-based Security Model
priv-password Specifies the privacy user password
Command Mode
Exec
Examples
LightBOLT(config)#
Related Commands
show snmp users

no snmp-server user ( access ( ro | rw ) | base ) username
4.42 Show snmp view

Use This command to display how OIDs are assigned to different Views.
Command Syntax
show snmp view
Command Mode
Exec
150
AsGa LightB
User Guide Commands
Examples
LightBolt#show snmp view
View Name Oid-tree Type

interfaces .1.3.6.1.2.1.2 included
interfaces .1.3.6.1.2.1.31.1.1 included
vlan .1.3.6.1.2.1.17 included
vlan .1.3.6.1.2.1.17.6 excluded
Related Commands
snmp-server view
no snmp-server view viewname
4.43 show all-files

This command show all stored files types. Those files can be Configuration Files, Image Files,
and log files.
Command Syntax
Show all-files
Command Mode
Exec mode
Usage
LightBOLT# show all-files
Examples
LightBOLT# show all-files

File name File type
teste2.log Log file
teste.conf Config file
teste.log Log file
AsGOS.conf Config file
4.44 Show log-files

This command shows all log files stored in permanent memory.
Command Syntax
show log-files
Command Mode
Exec mode
Usage
LightBOLT# show log-files
151
AsGa LightB
User Guide Commands
Examples
LightBOLT# show log-files

File name File type
teste2.log Log file
teste.log Log file
4.45 Show config-files

This command shows all configuration files stored in permanent memory. Specifying witch of
those files are used al startup time.
Command Syntax
show config-files
Command Mode
Exec mode
Usage
LightBOLT# show config-files
Examples
LightBOLT# show config-files
List of available files:

File name File type Startup Running
teste.conf Config file no no
AsGOS.conf Config file yes yes
4.46 Show mac-address-table

Use the show mac address-table user EXEC command to display MAC address table
information for the specified MAC address.
Command Syntax
show mac-address-table (dynamic | static | interface IFNAME | vlan <1-

4094>|)
show Show running system information
mac-address-table MAC forwarding table <cr> All table
dynamic Show only dynamic entries
static Show only static entries
interface Show by interface
vlan Show by vlan id <1-4094>VLAN id
Command Mode
Enable mode
Usage
Show mac-address-table dynamic
152
AsGa LightB
User Guide Commands
Show max-address-table vlan 40
Show mac-address-table interface ge24
Examples
LightBolt#show mac-address-table

200 0000.C003.0102 Dynamic ge4 Yes
All 0036.0A4B.0002 Static L3 CPU No
200 0000.0101.0202 Static 1 No
200 0000.C001.0102 Dynamic ge2 Yes
LightBolt#show mac-address-table interface ge2

200 0000.C001.0102 Dynamic ge2 Yes
LightBolt#show mac-address-table vlan 200
200 0000.C003.0102 Dynamic ge4 Yes
200 0000.0101.0202 Static ge1 No
200 0000.C001.0102 Dynamic ge2 Yes
4.47 Storm-control
Use this command to select the appropriate storm control level for broadcast multicast packets or for
a Destination Lookup Failure DLF . Use the <no> statement of this command to negate its actions.
Command Syntax
storm-control (broadcast | multicast | dlf) level LEVEL
storm-control Set the switching characteristics of Layer2 interface

broadcast Set Broadcast Rate Limiting
multicast Set Multicast Rate Limiting
dlf Set DLF Broadcast Rate Limiting
level LEVEL Threshold Percentage (0.0-100.0)
Command Mode
Interface
Usage
storm-control broadcast level 0.9

storm-control multicast level 1
storm control dlf level 5
Examples
LightBolt(Configure)# interface ge1
LightBolt(interface)# storm-control broadcast 5
153
AsGa LightB
User Guide Commands
Related Commands
no storm-control (broadcast|multicast|dlf) level

show storm-control (IFNAME|)
V
4.48 VLAN Database
Use the vlan database privileged EXEC command to enter virtual LAN (VLAN) configuration
mode. From this mode, you can add, delete, and modify VLAN configurations.
Command Syntax
VLAN database <NO ARGUMENTS>
Command Mode
Configure mode
Default
No Default
Examples

AsGOS(config)# vlan database
AsGOS(VLAN)#
Related Commands
VLAN
4.49 VLAN
Use the VLAN configuration command to configure virtual LAN (VLAN) characteristics for a
specific VLAN. Use the <no> statement of this command without additional parameters to delete a
VLAN. All VLANs created under this command are Ethernet 802.1Q VLAN’s.
Command Syntax
VLAN <VLAN ID> Bridge <Bridge ID> name <VLAN Name>
VLAN ID: <2-4093>

Bridge ID <1-32> Bridge group at witch this VLAN is attached.
VLAN name: a text VLAN reference name
Command Mode
Configure mode Vlan Database mode
154
AsGa LightB
User Guide Commands
Default
The default VLAN ID is 1. By Default at power on the system start with all ports as access port with
per port VLAN equal to 1 and attached to Bridge Group 1. The Bridge Group 1 run classic STP
(802.1D).
Examples

AsGOS(config)# vlan database
AsGOS(VLAN)# VLAN 200 bridge 1 name TEST
Related Commands
bridge protocol ieee
4.50 Vlan classifier

Use The VLAN classifier command in global and Interface context in order to create a classifier
rule/group and assign it to an interface.The vlan classifier command permit creates a group and
assigns different classification rules inside of it. Then this group can be applied to an interface.
Use the <no vlan> classifier in an interface context in order to eliminate this classification group from
an interface context.
Use the <no vlan classifier group> <group number> in order to eliminate a complete group.
Use the vlan classifier group <group number> delete rule <rule number> to delete a particular rule
inside a group.
Up to 255 rules can be configured on a single group.
Up to 16 groups can be configured.
Command Syntax
vlan classifier <group | rule>

vlan classifier group <group number> <add | delete> rule <rule number>
vlan classifier rule <rule number> < ipv4 | mac | proto >
ipv4 format: A.B.C.D/M ipv4 address in A.B.C.D/M format
mac format: HHHH.HHHH.HHHH
proto: <0-65535> ethernet decimal
arp protocol - Address Resolution
atalkaarp protocol - Appletalk AARP
atalkddp protocol - Appletalk DDP
atmmulti protocol - MultiProtocol Over ATM
atmtransport protocol - Frame-based ATM Transport
dec protocol - DEC Assigned
deccustom protocol - DEC Customer use
decdiagnostics protocol - DEC Diagnostics
decdnadumpload protocol - DEC DNA Dump/Load
decdnaremoteconsole protocol - DEC DNA Remote Console
decdnarouting protocol - DEC DNA Routing
declat protocol - DEC LAT
decsyscomm protocol - DEC Systems Comms Arch
g8bpqx25 protocol - G8BPQ AX.25
ieeeaddrtrans protocol - Xerox IEEE802.3 PUP Address
Translation
ieeepup protocol - Xerox IEEE802.3 PUP
ip protocol - IP
ipv6 protocol - IPv6
ipx protocol - IPX
pppdiscovery protocol - PPPoE discovery
155
AsGa LightB
User Guide Commands
pppsession protocol - PPPoE session
rarp protocol - Reverse Address Resolution
x25 protocol - CCITT X.25
xeroxaddrtrans protocol - Xerox PUP Address Translation
xeroxpup protocol - Xerox PUP
Command Mode
Config mode
Interface mode
Default
No default
Examples
!
bridge 1 protocol mstp
bridge 1 acquire
vlan classifier rule 1 mac 0000.c004.0102 vlan 300
vlan classifier rule 2 ipv4 40.40.40.40/24 vlan 300
vlan classifier rule 3 proto 8192 encap ethv2 vlan 300
!
vlan database
vlan 300 bridge 1 name TEST3
vlan 300 bridge 1 state enable
!
interface ge4
switchport
bridge-group 1
vlan classifier activate 1
!
Related Commands
Vlan Database
Interface
W
4.51 Write
Use this command to transfer into or from permanent memory all system files. File types can
be: configuration files log files or image files.
Command Syntax
Write <config-file | log-file | image_file> <File name> <from-tftp | to-tftp>

<server: IPaddress>
156
AsGa LightB
User Guide Commands
Command Mode
Configure mode
Default
Examples
LightBolt(config)#write config-file 1.0.1LightBolt29304.txt from-tftp server

192.168.1.1
157
AsGa LightB
LightBolt
olt 10G Switch
User Guide Warranty
WARRANTY
This product is guaranteed against production defects for a

period of 12 months to count starting from the date of the product’s
invoicing.
In case a production defect has been verified, AsGa will decide
on changing or repairing the defective equipment.
The transportation expenses related to the Customer's
equipment for AsGa will run due to the Customer. The shipment
expenses concerning the repaired / replaced equipment of AsGa for the
Customer will run due to AsGa.
This warranty is not extensive to the defects or damages caused
by inappropriate handling, inadequate maintenance, non authorized
modification, wrong use or operation in an environment outside of the
specifications of the equipment, as well as defects provoked by
atmospheric discharges.
This product is certified by Anatel, in accordance with the
procedures regulated by the Resolution No. 242 / 2000.
For consulting products certified by Anatel visits:

http://sistemas.anatel.gov.br/sgch/
13/07/2010 – ED.01.7
AsGa LightB
LightBolt
olt 10G Switch
User Guide Warranty
22/06/2009 – ED.01.5.γ

Manual LightBolt - 1.7 - Inglês

Uploaded by

Copyright:

Available Formats

You might also like

Manual LightBolt - 1.7 - Inglês

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Manual LightBolt - 1.7 - Inglês

Uploaded by

Copyright:

Available Formats

AsGa LightB

Light Bolt 10G Switch

4 COMMANDS IN ALPHABETIC ORDER .................................................................................................. 121

LightBolt family of switches is composed by:

• 24 Ports 10/100/1000. Optical ports (base on SFP technology).Two Combo ports

• 24 Ports 10/100/1000. Optical ports (base on SFP technology).Two Combo ports

• 24 Ports 10/100/1000. Optical ports (base on SFP technology).Two Combo ports

• 24 Ports 10/100/1000. Optical ports (base on SFP technology).Two Combo ports

• 24 Ports 10/100/1000. Optical ports (base on SFP technology).Two Combo ports

• 24 Ports 10/100/1000. Optical ports (base on SFP technology).Two Combo ports

• 24 Ports 10/100/1000. Optical ports (base on SFP technology).Two Combo ports

Layer 2 protocol support:

Figure 1.1: Front Panel.

1.2 Rear Panel

Figure 1.2: Rear Panel.

1.6 ENVIRONMENTAL CONDITIONS

1.7 LED SYSTEM INFORMATION

Figure 1.3: Led System Information (LightBolt Eletrical switches)

Figure 1.4: Led description for 10 GigE Ports.

3.2 Conventions Used in this Guide

CONVENTION DESCRIPTION SYNTAX

3.3 Command Line Interface Primer

3.3.2 Syntax Help

[IFNAME] Interface name

Is the abbreviation for the “show interface command”.

3.3.4 Command Line Errors

If a command is incomplete it displays the following message:

3.4 Modes Common to Protocols

Figure 3.1 – Modes common to protocols.

3.6 Format used for Command Description

3.7 Initial Configuration

• Set user names and passwords.

3.8 Connecting to the switch

3.8.1 Local Configuration

The following picture show the DB9 switch “Pin out”:

Figure 3.2 – DB9 switch Pin out.

3.8.2 Remote Connections

3.9 Configuring the Switch

3.9.1 Basic Configuration – Console Connection

System Inventory: Lightbolt 28304E

3.9.4 Defining 802.1Q VLAN

Figure 3.3 – VLAN tagged packet.

3.9.4.1 Creating VLANs into the Switch Database

vlan vlan-id {enable|disable}|[name vlan-name][state {suspend|active}

3.9.5 Switch Port Roles

switched ports: ports which cannot accept an IP address or

3.9.6 Switchport Mode

switchport mode {access | trunk | hybrid}

• Setting an interface into switched port mode access:

• Setting an interface in switched port mode trunk:

3.9.7 Assigning a VLAN to an Access port

switchport access vlan [VLAN-ID]

3.9.8 Adding VLANs to a Trunk Port

• Enabling all VLANs on a trunk port.

• Adding a particular VLAN to a trunk port.

3.9.9 Displaying VLAN information

Bridge VLAN ID Name State Member ports

3.9.11 Creating a Switched Virtual interface.